Medium: docker

Issue Overview:

A command injection flaw was discovered in Docker during the docker build command. By providing a specially crafted path argument for the container to build, it is possible to inject command options to the git fetch/git checkout commands that are executed by Docker and to execute code with the privileges of the user running Docker. A local attacker who can run docker build with a controlled build path, or a remote attacker who has control over the docker build path, could elevate their privileges or execute code.(CVE-2019-13139)

In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It potentially applies to other API users of the stack API if they resend the secret.(CVE-2019-13509)

Affected Packages:

docker

Issue Correction:
Run yum update docker to update your system.

New Packages:

src:  
    docker-18.09.9ce-2.52.amzn1.src  
  
x86_64:  
    docker-debuginfo-18.09.9ce-2.52.amzn1.x86_64  
    docker-18.09.9ce-2.52.amzn1.x86_64  

Additional References

Red Hat: CVE-2019-13139, CVE-2019-13509

Mitre: CVE-2019-13139, CVE-2019-13509