ID: FEDORA:2AFC360CEC41
Type: fedora
Reporter: Fedora
Modified: 2017-01-20T18:20:16
Description
Docker is an open-source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that will run virtually anywhere. Docker containers can encapsulate any payload, and will run consistently on and between virtually any server. The same container that a developer builds and tests on a laptop will run at scale, in production*, on VMs, bare-metal servers, OpenStack clusters, public instances, or combinations of the above.
{"id": "FEDORA:2AFC360CEC41", "type": "fedora", "bulletinFamily": "unix", "title": "[SECURITY] Fedora 24 Update: docker-latest-1.12.6-1.git51ef5a8.fc24", "description": "Docker is an open-source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that will run virtually anywhere. Docker containers can encapsulate any payload, and will run consistently on and between virtually any server. The same container that a developer builds and tests on a laptop will run at scale, in production*, on VMs, bare-metal servers, OpenStack clusters, public instances, or combinations of the above. ", "published": "2017-01-20T18:20:16", "modified": "2017-01-20T18:20:16", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}, "href": "", "reporter": "Fedora", "references": [], "cvelist": ["CVE-2016-9962"], "lastseen": "2020-12-21T08:17:53", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-9962"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310872273", "OPENVAS:1361412562310872265", "OPENVAS:1361412562310872253", "OPENVAS:1361412562310140120", "OPENVAS:1361412562310872281", "OPENVAS:1361412562310873199"]}, {"type": "redhat", "idList": ["RHSA-2020:2653", "RHSA-2017:0116", "RHSA-2017:0123", "RHSA-2017:0127"]}, {"type": "amazon", "idList": ["ALAS-2017-783"]}, {"type": "threatpost", "idList": ["THREATPOST:717BF6C671998F904552A36059657FEE"]}, {"type": "nessus", "idList": ["FEDORA_2017-FCD02E2C2D.NASL", "OPENSUSE-2017-181.NASL", "FEDORA_2017-DBC2B618EB.NASL", "FEDORA_2017-20CDB2063A.NASL", "FEDORA_2017-C2C2D1BE16.NASL", "FEDORA_2017-0200646669.NASL", "REDHAT-RHSA-2017-0116.NASL", "ALA_ALAS-2017-783.NASL", "GENTOO_GLSA-201701-34.NASL", "REDHAT-RHSA-2017-0127.NASL"]}, {"type": "gentoo", "idList": ["GLSA-201701-34"]}, {"type": "archlinux", "idList": ["ASA-201805-11", "ASA-201701-19"]}, {"type": "fedora", "idList": ["FEDORA:A83E2604CD61", "FEDORA:D1CAA6075DB3", 
"FEDORA:7DD07607A1B7", "FEDORA:489B2606870D"]}, {"type": "oraclelinux", "idList": ["ELSA-2017-3511", "ELSA-2020-0348", "ELSA-2019-4540"]}], "modified": "2020-12-21T08:17:53", "rev": 2}, "score": {"value": 4.9, "vector": "NONE", "modified": "2020-12-21T08:17:53", "rev": 2}, "vulnersScore": 4.9}, "affectedPackage": [{"OS": "Fedora", "OSVersion": "24", "arch": "any", "packageName": "docker-latest", "packageVersion": "1.12.6", "packageFilename": "UNKNOWN", "operator": "lt"}]}
{"cve": [{"lastseen": "2021-02-02T06:28:14", "description": "RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.", "edition": 6, "cvss3": {"exploitabilityScore": 0.5, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 6.4, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-01-31T22:59:00", "title": "CVE-2016-9962", "type": "cve", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9962"], "modified": "2018-10-09T20:01:00", "cpe": [], "id": "CVE-2016-9962", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9962", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "openvas": [{"lastseen": "2019-05-29T18:34:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9962"], "description": "Docker is prone to a local privilege-escalation vulnerability.", "modified": "2018-10-26T00:00:00", "published": "2017-01-11T00:00:00", "id": 
"OPENVAS:1361412562310140120", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140120", "type": "openvas", "title": "Docker Local Privilege Escalation Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_docker_95361.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Docker Local Privilege Escalation Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:docker:docker\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140120\");\n script_bugtraq_id(95361);\n script_cve_id(\"CVE-2016-9962\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_name(\"Docker Local Privilege Escalation Vulnerability\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/95361\");\n script_xref(name:\"URL\", value:\"https://www.docker.com/\");\n script_xref(name:\"URL\", value:\"http://seclists.org/fulldisclosure/2017/Jan/21\");\n\n 
script_tag(name:\"impact\", value:\"A local attacker can exploit this issue to gain elevated privileges.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"solution\", value:\"Update to 1.12.6 or newer\");\n script_tag(name:\"summary\", value:\"Docker is prone to a local privilege-escalation vulnerability.\");\n script_tag(name:\"affected\", value:\"Versions prior to Docker 1.12.6 are vulnerable.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-01-11 17:15:30 +0100 (Wed, 11 Jan 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_docker_remote_detect.nasl\", \"gb_docker_service_detection_lsc.nasl\");\n script_mandatory_keys(\"docker/version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! 
version = get_app_version( cpe:CPE, nofork:TRUE ) ) exit( 0 );\n\nif( version_is_less( version:version, test_version:\"1.12.6\" ) )\n{\n report = report_fixed_ver( installed_version:version, fixed_version:\"1.12.6\" );\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:28", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9962"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-01-21T00:00:00", "id": "OPENVAS:1361412562310872281", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872281", "type": "openvas", "title": "Fedora Update for docker-latest FEDORA-2017-c2c2d1be16", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for docker-latest FEDORA-2017-c2c2d1be16\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872281\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-01-21 05:44:02 +0100 (Sat, 21 Jan 2017)\");\n script_cve_id(\"CVE-2016-9962\");\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for docker-latest FEDORA-2017-c2c2d1be16\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'docker-latest'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"docker-latest on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-c2c2d1be16\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FINGBFMIXBG6B6ZWYH3TMRP5V3PDBNXR\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"docker-latest\", rpm:\"docker-latest~1.12.6~1.git51ef5a8.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9962"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-01-16T00:00:00", "id": "OPENVAS:1361412562310872265", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872265", "type": "openvas", "title": "Fedora Update for docker-latest FEDORA-2017-fcd02e2c2d", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for docker-latest FEDORA-2017-fcd02e2c2d\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872265\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-01-16 05:41:00 +0100 (Mon, 16 Jan 2017)\");\n script_cve_id(\"CVE-2016-9962\");\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for docker-latest FEDORA-2017-fcd02e2c2d\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'docker-latest'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"docker-latest on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-fcd02e2c2d\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WUQ3MQNEL5IBZZLMLR72Q4YDCL2SCKRK\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"docker-latest\", rpm:\"docker-latest~1.12.6~2.git51ef5a8.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9962"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-01-20T00:00:00", "id": "OPENVAS:1361412562310872273", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872273", "type": "openvas", "title": "Fedora Update for runc FEDORA-2017-0200646669", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for runc FEDORA-2017-0200646669\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872273\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-01-20 05:43:49 +0100 (Fri, 20 Jan 2017)\");\n script_cve_id(\"CVE-2016-9962\");\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for runc FEDORA-2017-0200646669\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'runc'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"runc on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-0200646669\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVM7FCOQMPKOFLDTUYSS4ES76DDM56VP\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"runc\", rpm:\"runc~1.0.0~3.rc2.gitc91b5be.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:52", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9962"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-01-13T00:00:00", "id": "OPENVAS:1361412562310872253", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872253", "type": "openvas", "title": "Fedora Update for docker FEDORA-2017-dbc2b618eb", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for docker FEDORA-2017-dbc2b618eb\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872253\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-01-13 05:44:00 +0100 (Fri, 13 Jan 2017)\");\n script_cve_id(\"CVE-2016-9962\");\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for docker FEDORA-2017-dbc2b618eb\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'docker'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"docker on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-dbc2b618eb\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAXJMMLRU7DD2IMG47SR2K4BOFFG7FZ\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"docker\", rpm:\"docker~1.12.6~3.git51ef5a8.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9962"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-08-04T00:00:00", "id": "OPENVAS:1361412562310873199", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873199", "type": "openvas", "title": "Fedora Update for runc FEDORA-2017-20cdb2063a", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_20cdb2063a_runc_fc25.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for runc FEDORA-2017-20cdb2063a\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873199\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-04 12:46:25 +0530 (Fri, 04 Aug 2017)\");\n script_cve_id(\"CVE-2016-9962\");\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for runc FEDORA-2017-20cdb2063a\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'runc'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"runc on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-20cdb2063a\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AHKPPEG6SLWGRWLR2YBCBNHUM6JNUI5A\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"runc\", rpm:\"runc~1.0.1~1.gitc5ec254.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}], "amazon": [{"lastseen": "2020-11-10T12:37:22", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9962"], "description": "**Issue Overview:**\n\nIt was discovered that runC allowed additional container processes via `runc exec` to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file descriptors of these new processes during the initialization, which can lead to container escapes or modification of runC state before the process is fully placed inside the container.\n\n \n**Affected Packages:** \n\n\ndocker\n\n \n**Issue Correction:** \nRun _yum update docker_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n noarch: \n docker-devel-1.12.6-1.17.amzn1.noarch \n docker-pkg-devel-1.12.6-1.17.amzn1.noarch \n \n src: \n docker-1.12.6-1.17.amzn1.src \n \n x86_64: \n docker-1.12.6-1.17.amzn1.x86_64 \n docker-debuginfo-1.12.6-1.17.amzn1.x86_64 \n \n \n", "edition": 3, "modified": "2017-01-10T18:00:00", "published": "2017-01-10T18:00:00", "id": "ALAS-2017-783", "href": "https://alas.aws.amazon.com/ALAS-2017-783.html", "title": "Important: docker", "type": "amazon", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2020-09-22T18:36:41", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9962"], "description": "Arch Linux Security Advisory ASA-201805-11\n==========================================\n\nSeverity: High\nDate : 2018-05-16\nCVE-ID : CVE-2016-9962\nPackage : runc\nType : privilege escalation\nRemote : No\nLink : https://security.archlinux.org/AVG-134\n\nSummary\n=======\n\nThe package runc before version 1.0.0rc5+19+g69663f0b-1 is vulnerable\nto privilege escalation.\n\nResolution\n==========\n\nUpgrade to 1.0.0rc5+19+g69663f0b-1.\n\n# pacman -Syu \"runc>=1.0.0rc5+19+g69663f0b-1\"\n\nThe problem has been fixed upstream in version 1.0.0rc5.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nThe runc component used by `docker exec` feature of docker allowed\nadditional container processes to be ptraced by the pid 1 of the\ncontainer. This allows the main processes of the container, if running\nas root, to gain low-level access to these new processes during\ninitialization. An attacker can, depending on the nature of the\nincoming process, leverage this to elevate access to the host. 
This\nranges from accessing host content through the file descriptors of the\nincoming process to, potentially, a complete container escape by\nleveraging memory access or syscall interception.\n\nImpact\n======\n\nA local attacker is able to break out of the container or modify host\nfiles via a crafted docker exec call.\n\nReferences\n==========\n\nhttps://github.com/opencontainers/runc/commit/5d93fed3d27f1e2bab58bad13b180a7a81d0b378\nhttps://github.com/opencontainers/runc/commit/50a19c6ff828c58e5dab13830bd3dacde268afe5\nhttps://bugzilla.suse.com/show_bug.cgi?id=1012568\nhttps://github.com/docker/docker/compare/v1.12.5...v1.12.6\nhttps://www.mail-archive.com/fulldisclosure@seclists.org/msg04165.html\nhttps://security.archlinux.org/CVE-2016-9962", "modified": "2018-05-16T00:00:00", "published": "2018-05-16T00:00:00", "id": "ASA-201805-11", "href": "https://security.archlinux.org/ASA-201805-11", "type": "archlinux", "title": "[ASA-201805-11] runc: privilege escalation", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-22T18:36:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9962"], "description": "Arch Linux Security Advisory ASA-201701-19\n==========================================\n\nSeverity: High\nDate : 2017-01-13\nCVE-ID : CVE-2016-9962\nPackage : docker\nType : privilege escalation\nRemote : No\nLink : https://security.archlinux.org/AVG-133\n\nSummary\n=======\n\nThe package docker before version 1:1.12.6-1 is vulnerable to privilege\nescalation.\n\nResolution\n==========\n\nUpgrade to 1:1.12.6-1.\n\n# pacman -Syu \"docker>=1:1.12.6-1\"\n\nThe problem has been fixed upstream in version 1.12.6.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nThe runc component used by `docker exec` feature of docker allowed\nadditional container processes via to be ptraced by the pid 1 of the\ncontainer. 
This allows the main processes of the container, if running\nas root, to gain low-level access to these new processes during\ninitialization. An attacker can, depending on the nature of the\nincoming process, leverage this to elevate access to the host. This\nranges from accessing host content through the file descriptors of the\nincoming process to, potentially, a complete container escape by\nleveraging memory access or syscall interception.\n\nImpact\n======\n\nA local unprivileged attacker when running as root inside a docker\ncontainer is able to access the host filesystem leading to privilege\nescalation.\n\nReferences\n==========\n\nhttps://bugs.archlinux.org/task/52493\nhttps://github.com/opencontainers/runc/commit/50a19c6ff828c58e5dab13830bd3dacde268afe5\nhttps://bugzilla.suse.com/show_bug.cgi?id=1012568\nhttps://github.com/docker/docker/compare/v1.12.5...v1.12.6\nhttps://www.mail-archive.com/fulldisclosure@seclists.org/msg04165.html\nhttps://security.archlinux.org/CVE-2016-9962", "modified": "2017-01-13T00:00:00", "published": "2017-01-13T00:00:00", "id": "ASA-201701-19", "href": "https://security.archlinux.org/ASA-201701-19", "type": "archlinux", "title": "[ASA-201701-19] docker: privilege escalation", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9962"], "description": "The runc command can be used to start containers which are packaged in accordance with the Open Container Initiative's specifications, and to manage containers running under runc. 
", "modified": "2017-01-19T05:57:23", "published": "2017-01-19T05:57:23", "id": "FEDORA:D1CAA6075DB3", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: runc-1.0.0-3.rc2.gitc91b5be.fc25", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9962"], "description": "The runc command can be used to start containers which are packaged in accordance with the Open Container Initiative's specifications, and to manage containers running under runc. ", "modified": "2017-07-31T20:21:19", "published": "2017-07-31T20:21:19", "id": "FEDORA:A83E2604CD61", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: runc-1.0.1-1.gitc5ec254.fc25", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9962"], "description": "Docker is an open-source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that will run virtually anywhere. Docker containers can encapsulate any payload, and will run consistently on and between virtually any server. The same container that a developer builds and tests on a laptop will run at scale, in production*, on VMs, bare-metal servers, OpenStack clusters, public instances, or combinations of the above. ", "modified": "2017-01-13T02:25:44", "published": "2017-01-13T02:25:44", "id": "FEDORA:489B2606870D", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: docker-1.12.6-3.git51ef5a8.fc25", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9962"], "description": "Docker is an open-source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that will run virtually anywhere. 
Docker containers can encapsulate any payload, and will run consistently on and between virtually any server. The same container that a developer builds and tests on a laptop will run at scale, in production*, on VMs, bare-metal servers, OpenStack clusters, public instances, or combinations of the above. ", "modified": "2017-01-15T07:52:30", "published": "2017-01-15T07:52:30", "id": "FEDORA:7DD07607A1B7", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: docker-latest-1.12.6-2.git51ef5a8.fc25", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-07T10:14:09", "description": "Fix [CVE-2016-9962] Insecure opening of file-descriptor allows\nprivilege Fix BZ#1412148 - containerd: container did not start before\nthe specified timeout\n\n----\n\nuse container-selinux >= 2:2.0-2\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 20, "cvss3": {"score": 6.4, "vector": "AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-01-13T00:00:00", "title": "Fedora 25 : 2:docker (2017-dbc2b618eb)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9962"], "modified": "2017-01-13T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:25", "p-cpe:/a:fedoraproject:fedora:2:docker"], "id": "FEDORA_2017-DBC2B618EB.NASL", "href": "https://www.tenable.com/plugins/nessus/96469", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-dbc2b618eb.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96469);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", 
value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2016-9962\");\n script_xref(name:\"FEDORA\", value:\"2017-dbc2b618eb\");\n\n script_name(english:\"Fedora 25 : 2:docker (2017-dbc2b618eb)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix [CVE-2016-9962] Insecure opening of file-descriptor allows\nprivilege Fix BZ#1412148 - containerd: container did not start before\nthe specified timeout\n\n----\n\nuse container-selinux >= 2:2.0-2\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-dbc2b618eb\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected 2:docker package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:2:docker\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 
2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"docker-1.12.6-3.git51ef5a8.fc25\", epoch:\"2\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"2:docker\");\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:15:21", "description": "Fix CVE-2016-9962 - Insecure opening of file-descriptor allows\nprivilege escalation\n\n----\n\nbuilt docker @projectatomic/docker-1.12 commit 6009905\n\n----\n\nbuilt docker @projectatomic/docker-1.12 commit 97974ae\n\n----\n\nbuilt docker @projectatomic/docker-1.12 commit 7b5044b\n\nNote that Tenable Network Security 
has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 20, "cvss3": {"score": 6.4, "vector": "AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-01-16T00:00:00", "title": "Fedora 25 : 2:docker-latest (2017-fcd02e2c2d)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9962"], "modified": "2017-01-16T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:25", "p-cpe:/a:fedoraproject:fedora:2:docker-latest"], "id": "FEDORA_2017-FCD02E2C2D.NASL", "href": "https://www.tenable.com/plugins/nessus/96509", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-fcd02e2c2d.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96509);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2016-9962\");\n script_xref(name:\"FEDORA\", value:\"2017-fcd02e2c2d\");\n\n script_name(english:\"Fedora 25 : 2:docker-latest (2017-fcd02e2c2d)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix CVE-2016-9962 - Insecure opening of file-descriptor allows\nprivilege escalation\n\n----\n\nbuilt docker @projectatomic/docker-1.12 commit 6009905\n\n----\n\nbuilt docker @projectatomic/docker-1.12 commit 97974ae\n\n----\n\nbuilt docker @projectatomic/docker-1.12 commit 7b5044b\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has 
attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-fcd02e2c2d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected 2:docker-latest package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:2:docker-latest\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"docker-latest-1.12.6-2.git51ef5a8.fc25\", epoch:\"2\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"2:docker-latest\");\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T12:31:59", "description": "This update for\n\n - containerd,\n\n - docker to version 1.12.6 and\n\n - runc fixes several issues.\n\nThis security issues was fixed :\n\n - CVE-2016-9962: container escape vulnerability\n (bsc#1012568).\n\nThsese non-security issues were fixed :\n\n - boo#1019251: Add a delay when starting docker service \n\n - Fixed bash-completion\n\n - boo#1015661: add the /usr/bin/docker-run symlink \n\nFor additional details please see the changelog.", "edition": 20, "cvss3": {"score": 6.4, "vector": "AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-02-01T00:00:00", "title": "openSUSE Security Update : containerd / docker / runc (openSUSE-2017-181)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9962"], "modified": "2017-02-01T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:containerd", "p-cpe:/a:novell:opensuse:runc-debuginfo", "p-cpe:/a:novell:opensuse:docker-debugsource", "p-cpe:/a:novell:opensuse:runc-test", "p-cpe:/a:novell:opensuse:docker", "p-cpe:/a:novell:opensuse:docker-test", "p-cpe:/a:novell:opensuse:runc-debugsource", 
"p-cpe:/a:novell:opensuse:containerd-debugsource", "cpe:/o:novell:opensuse:42.1", "p-cpe:/a:novell:opensuse:runc", "p-cpe:/a:novell:opensuse:containerd-ctr", "p-cpe:/a:novell:opensuse:docker-test-debuginfo", "p-cpe:/a:novell:opensuse:docker-zsh-completion", "cpe:/o:novell:opensuse:42.2", "p-cpe:/a:novell:opensuse:containerd-debuginfo", "p-cpe:/a:novell:opensuse:containerd-test", "p-cpe:/a:novell:opensuse:containerd-ctr-debuginfo", "p-cpe:/a:novell:opensuse:docker-debuginfo", "p-cpe:/a:novell:opensuse:docker-bash-completion"], "id": "OPENSUSE-2017-181.NASL", "href": "https://www.tenable.com/plugins/nessus/96918", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-181.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96918);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-9962\");\n\n script_name(english:\"openSUSE Security Update : containerd / docker / runc (openSUSE-2017-181)\");\n script_summary(english:\"Check for the openSUSE-2017-181 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for\n\n - containerd,\n\n - docker to version 1.12.6 and\n\n - runc fixes several issues.\n\nThis security issues was fixed :\n\n - CVE-2016-9962: container escape vulnerability\n (bsc#1012568).\n\nThsese non-security issues were fixed :\n\n - boo#1019251: Add a delay when starting docker service \n\n - Fixed bash-completion\n\n - boo#1015661: add the /usr/bin/docker-run symlink \n\nFor additional details please see the changelog.\"\n );\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1004490\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1009961\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1012568\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1015661\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1016307\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1019251\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=988408\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected containerd / docker / runc packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:containerd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:containerd-ctr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:containerd-ctr-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:containerd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:containerd-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:containerd-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker-bash-completion\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:docker-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker-test-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker-zsh-completion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:runc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:runc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:runc-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:runc-test\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/02/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.1|SUSE42\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.1 / 42.2\", release);\nif 
(!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.1\", reference:\"containerd-0.2.5+gitr569_2a5e70c-10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"containerd-ctr-0.2.5+gitr569_2a5e70c-10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"containerd-ctr-debuginfo-0.2.5+gitr569_2a5e70c-10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"containerd-debuginfo-0.2.5+gitr569_2a5e70c-10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"containerd-debugsource-0.2.5+gitr569_2a5e70c-10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"containerd-test-0.2.5+gitr569_2a5e70c-10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"docker-bash-completion-1.12.6-27.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"docker-zsh-completion-1.12.6-27.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"runc-0.1.1+gitr2819_50a19c6-10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"runc-debuginfo-0.1.1+gitr2819_50a19c6-10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"runc-debugsource-0.1.1+gitr2819_50a19c6-10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"runc-test-0.1.1+gitr2819_50a19c6-10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"docker-1.12.6-27.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"docker-debuginfo-1.12.6-27.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"docker-debugsource-1.12.6-27.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"docker-test-1.12.6-27.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", 
cpu:\"x86_64\", reference:\"docker-test-debuginfo-1.12.6-27.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"containerd-test-0.2.5+gitr569_2a5e70c-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"docker-bash-completion-1.12.6-25.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"docker-zsh-completion-1.12.6-25.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"runc-test-0.1.1+gitr2819_50a19c6-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"containerd-0.2.5+gitr569_2a5e70c-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"containerd-ctr-0.2.5+gitr569_2a5e70c-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"containerd-ctr-debuginfo-0.2.5+gitr569_2a5e70c-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"containerd-debuginfo-0.2.5+gitr569_2a5e70c-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"containerd-debugsource-0.2.5+gitr569_2a5e70c-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"docker-1.12.6-25.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"docker-debuginfo-1.12.6-25.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"docker-debugsource-1.12.6-25.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"docker-test-1.12.6-25.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"docker-test-debuginfo-1.12.6-25.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"runc-0.1.1+gitr2819_50a19c6-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"runc-debuginfo-0.1.1+gitr2819_50a19c6-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"runc-debugsource-0.1.1+gitr2819_50a19c6-8.1\") ) flag++;\n\nif (flag)\n{\n 
if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"containerd / containerd-ctr / containerd-ctr-debuginfo / etc\");\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:13:23", "description": "Fix CVE-2016-9962 - Insecure opening of file-descriptor allows\nprivilege escalation\n\n----\n\nbuilt docker @projectatomic/docker-1.12 commit 6009905\n\n----\n\nbuilt docker @projectatomic/docker-1.12 commit 97974ae\n\n----\n\nbuilt docker @projectatomic/docker-1.12 commit 7b5044b\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 20, "cvss3": {"score": 6.4, "vector": "AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-01-23T00:00:00", "title": "Fedora 24 : 2:docker-latest (2017-c2c2d1be16)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9962"], "modified": "2017-01-23T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:24", "p-cpe:/a:fedoraproject:fedora:2:docker-latest"], "id": "FEDORA_2017-C2C2D1BE16.NASL", "href": "https://www.tenable.com/plugins/nessus/96678", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-c2c2d1be16.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96678);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2016-9962\");\n script_xref(name:\"FEDORA\", 
value:\"2017-c2c2d1be16\");\n\n script_name(english:\"Fedora 24 : 2:docker-latest (2017-c2c2d1be16)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix CVE-2016-9962 - Insecure opening of file-descriptor allows\nprivilege escalation\n\n----\n\nbuilt docker @projectatomic/docker-1.12 commit 6009905\n\n----\n\nbuilt docker @projectatomic/docker-1.12 commit 97974ae\n\n----\n\nbuilt docker @projectatomic/docker-1.12 commit 7b5044b\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-c2c2d1be16\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected 2:docker-latest package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:2:docker-latest\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is 
Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"docker-latest-1.12.6-1.git51ef5a8.fc24\", epoch:\"2\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"2:docker-latest\");\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:15:06", "description": "Resolves: #1412238 - *CVE-2016-9962* - set init processes as\nnon-dumpable,\n\n----\n\npatch to enable seccomp\n\n----\n\nbump to 1.0.0 rc2\n\n----\n\nResolves: #1342707 - bump to v1.0.0-rc1\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the 
Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 20, "cvss3": {"score": 6.4, "vector": "AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-01-19T00:00:00", "title": "Fedora 25 : 1:runc (2017-0200646669)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9962"], "modified": "2017-01-19T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:25", "p-cpe:/a:fedoraproject:fedora:1:runc"], "id": "FEDORA_2017-0200646669.NASL", "href": "https://www.tenable.com/plugins/nessus/96616", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-0200646669.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96616);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-9962\");\n script_xref(name:\"FEDORA\", value:\"2017-0200646669\");\n\n script_name(english:\"Fedora 25 : 1:runc (2017-0200646669)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Resolves: #1412238 - *CVE-2016-9962* - set init processes as\nnon-dumpable,\n\n----\n\npatch to enable seccomp\n\n----\n\nbump to 1.0.0 rc2\n\n----\n\nResolves: #1342707 - bump to v1.0.0-rc1\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-0200646669\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected 1:runc package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:1:runc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"runc-1.0.0-3.rc2.gitc91b5be.fc25\", epoch:\"1\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"1:runc\");\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T11:05:38", "description": "The remote host is affected by the vulnerability described in GLSA-201701-34\n(runC: Privilege escalation)\n\n A vulnerability was discovered in runC that allows additional container\n processes via ‘runc exec’ to be ptraced by the pid 1 of the\n container. 
This allows the main processes of the container, if running\n as root, to gain access to file-descriptors of these new processes.\n \nImpact :\n\n An attacker, who is able to successfully escape the container or modify\n runC’s state before process initialization, could escalate privileges.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 26, "cvss3": {"score": 6.4, "vector": "AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-01-13T00:00:00", "title": "GLSA-201701-34 : runC: Privilege escalation", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9962"], "modified": "2017-01-13T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:runc"], "id": "GENTOO_GLSA-201701-34.NASL", "href": "https://www.tenable.com/plugins/nessus/96475", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201701-34.\n#\n# The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96475);\n script_version(\"3.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-9962\");\n script_xref(name:\"GLSA\", value:\"201701-34\");\n\n script_name(english:\"GLSA-201701-34 : runC: Privilege escalation\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201701-34\n(runC: Privilege escalation)\n\n A vulnerability was discovered in runC that allows additional container\n processes via ‘runc exec’ to be ptraced by the pid 1 of the\n container. This allows the main processes of the container, if running\n as root, to gain access to file-descriptors of these new processes.\n \nImpact :\n\n An attacker, who is able to successfully escape the container or modify\n runC’s state before process initialization, could escalate privileges.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201701-34\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All runC users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=app-emulation/runc-1.0.0_rc2-r2'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:runc\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"app-emulation/runc\", unaffected:make_list(\"ge 1.0.0_rc2-r2\"), vulnerable:make_list(\"lt 1.0.0_rc2-r2\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"runC\");\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:15:26", "description": "V1.0 final release\n\n----\n\nbump runc commit\n\n----\n\nUpdate to latest release candidate\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 17, "cvss3": {"score": 6.4, "vector": "AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"}, "published": 
"2017-08-01T00:00:00", "title": "Fedora 25 : 1:runc (2017-20cdb2063a)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9962"], "modified": "2017-08-01T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:25", "p-cpe:/a:fedoraproject:fedora:1:runc"], "id": "FEDORA_2017-20CDB2063A.NASL", "href": "https://www.tenable.com/plugins/nessus/102086", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-20cdb2063a.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102086);\n script_version(\"3.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-9962\");\n script_xref(name:\"FEDORA\", value:\"2017-20cdb2063a\");\n\n script_name(english:\"Fedora 25 : 1:runc (2017-20cdb2063a)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"V1.0 final release\n\n----\n\nbump runc commit\n\n----\n\nUpdate to latest release candidate\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-20cdb2063a\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected 1:runc package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:1:runc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"runc-1.0.1-1.gitc5ec254.fc25\", epoch:\"1\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"1:runc\");\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-01T01:22:41", "description": "It was discovered that runC allowed additional container processes via\n`runc exec` to be ptraced by the pid 1 of the container. 
This allows\nthe main processes of the container, if running as root, to gain\naccess to file descriptors of these new processes during the\ninitialization, which can lead to container escapes or modification of\nrunC state before the process is fully placed inside the container.", "edition": 28, "cvss3": {"score": 6.4, "vector": "AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-01-11T00:00:00", "title": "Amazon Linux AMI : docker (ALAS-2017-783)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9962"], "modified": "2021-03-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:docker", "p-cpe:/a:amazon:linux:docker-devel", "p-cpe:/a:amazon:linux:docker-debuginfo", "p-cpe:/a:amazon:linux:docker-pkg-devel", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2017-783.NASL", "href": "https://www.tenable.com/plugins/nessus/96394", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2017-783.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(96394);\n script_version(\"3.4\");\n script_cvs_date(\"Date: 2018/04/18 15:09:36\");\n\n script_cve_id(\"CVE-2016-9962\");\n script_xref(name:\"ALAS\", value:\"2017-783\");\n\n script_name(english:\"Amazon Linux AMI : docker (ALAS-2017-783)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that runC allowed additional container processes via\n`runc exec` to be ptraced by the pid 1 of the container. 
This allows\nthe main processes of the container, if running as root, to gain\naccess to file descriptors of these new processes during the\ninitialization, which can lead to container escapes or modification of\nrunC state before the process is fully placed inside the container.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2017-783.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update docker' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:docker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:docker-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:docker-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:docker-pkg-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif 
(isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", cpu:\"x86_64\", reference:\"docker-1.12.6-1.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", cpu:\"x86_64\", reference:\"docker-debuginfo-1.12.6-1.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"docker-devel-1.12.6-1.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"docker-pkg-devel-1.12.6-1.17.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"docker / docker-debuginfo / docker-devel / docker-pkg-devel\");\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-01T05:38:39", "description": "An update for docker is now available for Red Hat Enterprise Linux 7\nExtras.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nDocker is an open source engine that automates the deployment of any\napplication as a lightweight, portable, self-sufficient container that\nwill run virtually anywhere.\n\nThe following packages have been upgraded to a newer upstream version:\ndocker (1.12.5). 
(BZ#1404298)\n\nSecurity Fix(es) :\n\n* The runc component used by `docker exec` feature of docker allowed\nadditional container processes via to be ptraced by the pid 1 of the\ncontainer. This allows the main processes of the container, if running\nas root, to gain low-level access to these new processes during\ninitialization. An attacker can, depending on the nature of the\nincoming process, leverage this to elevate access to the host. This\nranges from accessing host content through the file descriptors of the\nincoming process to, potentially, a complete container escape by\nleveraging memory access or syscall interception. (CVE-2016-9962)\n\nRed Hat would like to thank the Docker project for reporting this\nissue. Upstream acknowledges Aleksa Sarai (SUSE) and Tonis Tiigi\n(Docker) as the original reporters.\n\nBug Fix(es) :\n\n* The docker containers and images did not read proxy variables from\nthe environment when contacting registries. As a consequence, a user\ncould not pull image when the system was configured to use a proxy.\nThe containers and images have been fixed to read proxy variables from\nthe environment, and pulling images now from a system with a proxy\nworks correctly. (BZ# 1393816)\n\n* Occasionally the docker-storage-setup service could start before a\nthin pool is ready which caused it to failed. As a consequence, the\ndocker daemon also failed. This bug has been fixed and now\ndocker-storage-setup waits for a thin pool to be created for 60\nseconds. This default time can be configured. As a result, docker and\ndocker-storage-setup start correctly upon reboot. (BZ#1316786)\n\n* Previously, the docker daemon's unit file was not supplying the\nuserspace proxy path. As a consequence, containers that exposed ports\ncould not be started. To fix this bug, the unit file was updated to\ninclude the userspace proxy path option to the daemon start command,\nalong with several other minor packaging fixes. 
As a result,\ncontainers that expose ports can now be started as expected.\n(BZ#1406460)\n\n* Previously, the system CA (Certificate Authority) pool was excluded\nwhen the registry CA is used from the /etc/docker/certs.d/ directory.\nAs a consequence, pulling images failed with the following error :\n\nFailed to push image: x509: certificate signed by unknown authority\n\nThis bug has been fixed and docker now reads the system CA pool\ncorrectly and pulling images now work correctly. (BZ#1400372)\n\n* Previously, the docker daemon option did not handle correctly the\n'--block-registry docker.io' option. As a consequence, docker allowed\npulling images from docker.io even when the '--block-registry\ndocker.io' option was enabled. This update fixed the handling of the\noption, and now using '--block-registry docker.io' correctly blocks\nimage pulling. (BZ# 1395401)", "edition": 32, "cvss3": {"score": 6.4, "vector": "AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-01-18T00:00:00", "title": "RHEL 7 : docker (RHSA-2017:0116)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9962"], "modified": "2021-03-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:docker", "p-cpe:/a:redhat:enterprise_linux:docker-lvm-plugin", "p-cpe:/a:redhat:enterprise_linux:docker-common", "p-cpe:/a:redhat:enterprise_linux:docker-logrotate", "p-cpe:/a:redhat:enterprise_linux:docker-rhel-push-plugin", "cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:container-selinux", "p-cpe:/a:redhat:enterprise_linux:docker-client", "p-cpe:/a:redhat:enterprise_linux:docker-novolume-plugin", "p-cpe:/a:redhat:enterprise_linux:docker-v1.10-migrator"], "id": "REDHAT-RHSA-2017-0116.NASL", "href": "https://www.tenable.com/plugins/nessus/96596", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:0116. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(96596);\n script_version(\"3.11\");\n script_cvs_date(\"Date: 2019/10/24 15:35:42\");\n\n script_cve_id(\"CVE-2016-9962\");\n script_xref(name:\"RHSA\", value:\"2017:0116\");\n\n script_name(english:\"RHEL 7 : docker (RHSA-2017:0116)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for docker is now available for Red Hat Enterprise Linux 7\nExtras.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nDocker is an open source engine that automates the deployment of any\napplication as a lightweight, portable, self-sufficient container that\nwill run virtually anywhere.\n\nThe following packages have been upgraded to a newer upstream version:\ndocker (1.12.5). (BZ#1404298)\n\nSecurity Fix(es) :\n\n* The runc component used by `docker exec` feature of docker allowed\nadditional container processes via to be ptraced by the pid 1 of the\ncontainer. This allows the main processes of the container, if running\nas root, to gain low-level access to these new processes during\ninitialization. An attacker can, depending on the nature of the\nincoming process, leverage this to elevate access to the host. This\nranges from accessing host content through the file descriptors of the\nincoming process to, potentially, a complete container escape by\nleveraging memory access or syscall interception. (CVE-2016-9962)\n\nRed Hat would like to thank the Docker project for reporting this\nissue. 
Upstream acknowledges Aleksa Sarai (SUSE) and Tonis Tiigi\n(Docker) as the original reporters.\n\nBug Fix(es) :\n\n* The docker containers and images did not read proxy variables from\nthe environment when contacting registries. As a consequence, a user\ncould not pull image when the system was configured to use a proxy.\nThe containers and images have been fixed to read proxy variables from\nthe environment, and pulling images now from a system with a proxy\nworks correctly. (BZ# 1393816)\n\n* Occasionally the docker-storage-setup service could start before a\nthin pool is ready which caused it to failed. As a consequence, the\ndocker daemon also failed. This bug has been fixed and now\ndocker-storage-setup waits for a thin pool to be created for 60\nseconds. This default time can be configured. As a result, docker and\ndocker-storage-setup start correctly upon reboot. (BZ#1316786)\n\n* Previously, the docker daemon's unit file was not supplying the\nuserspace proxy path. As a consequence, containers that exposed ports\ncould not be started. To fix this bug, the unit file was updated to\ninclude the userspace proxy path option to the daemon start command,\nalong with several other minor packaging fixes. As a result,\ncontainers that expose ports can now be started as expected.\n(BZ#1406460)\n\n* Previously, the system CA (Certificate Authority) pool was excluded\nwhen the registry CA is used from the /etc/docker/certs.d/ directory.\nAs a consequence, pulling images failed with the following error :\n\nFailed to push image: x509: certificate signed by unknown authority\n\nThis bug has been fixed and docker now reads the system CA pool\ncorrectly and pulling images now work correctly. (BZ#1400372)\n\n* Previously, the docker daemon option did not handle correctly the\n'--block-registry docker.io' option. As a consequence, docker allowed\npulling images from docker.io even when the '--block-registry\ndocker.io' option was enabled. 
This update fixed the handling of the\noption, and now using '--block-registry docker.io' correctly blocks\nimage pulling. (BZ# 1395401)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/vulnerabilities/cve-2016-9962\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:0116\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9962\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:container-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-logrotate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-lvm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-novolume-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-rhel-push-plugin\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:docker-v1.10-migrator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:0116\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"container-selinux-1.12.5-14.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-1.12.5-14.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-client-1.12.5-14.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-common-1.12.5-14.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-logrotate-1.12.5-14.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-lvm-plugin-1.12.5-14.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-novolume-plugin-1.12.5-14.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-rhel-push-plugin-1.12.5-14.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-v1.10-migrator-1.12.5-14.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : 
SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"container-selinux / docker / docker-client / docker-common / etc\");\n }\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-01T05:38:39", "description": "An update for docker-latest is now available for Red Hat Enterprise\nLinux 7 Extras.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nDocker is an open source engine that automates the deployment of any\napplication as a lightweight, portable, and self-sufficient container\nthat will run virtually anywhere.\n\nThe following packages have been upgraded to a newer upstream version:\ndocker-latest (1.12.5). (BZ#1404309)\n\nSecurity Fix(es) :\n\n* The runc component used by `docker exec` feature of docker allowed\nadditional container processes via to be ptraced by the pid 1 of the\ncontainer. This allows the main processes of the container, if running\nas root, to gain low-level access to these new processes during\ninitialization. An attacker can, depending on the nature of the\nincoming process, leverage this to elevate access to the host. This\nranges from accessing host content through the file descriptors of the\nincoming process to, potentially, a complete container escape by\nleveraging memory access or syscall interception. (CVE-2016-9962)\n\nRed Hat would like to thank the Docker project for reporting this\nissue. 
Upstream acknowledges Aleksa Sarai (SUSE) and Tonis Tiigi\n(Docker) as the original reporters.", "edition": 31, "cvss3": {"score": 6.4, "vector": "AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-01-18T00:00:00", "title": "RHEL 7 : docker-latest (RHSA-2017:0123)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9962"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:docker-latest-v1.10-migrator", "p-cpe:/a:redhat:enterprise_linux:docker-latest-logrotate", "p-cpe:/a:redhat:enterprise_linux:docker-client-latest", "p-cpe:/a:redhat:enterprise_linux:docker-latest"], "id": "REDHAT-RHSA-2017-0123.NASL", "href": "https://www.tenable.com/plugins/nessus/96597", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:0123. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(96597);\n script_version(\"3.11\");\n script_cvs_date(\"Date: 2019/10/24 15:35:42\");\n\n script_cve_id(\"CVE-2016-9962\");\n script_xref(name:\"RHSA\", value:\"2017:0123\");\n\n script_name(english:\"RHEL 7 : docker-latest (RHSA-2017:0123)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for docker-latest is now available for Red Hat Enterprise\nLinux 7 Extras.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nDocker is an open source engine that automates the deployment of any\napplication as a lightweight, portable, and self-sufficient container\nthat will run virtually anywhere.\n\nThe following packages have been upgraded to a newer upstream version:\ndocker-latest (1.12.5). (BZ#1404309)\n\nSecurity Fix(es) :\n\n* The runc component used by `docker exec` feature of docker allowed\nadditional container processes via to be ptraced by the pid 1 of the\ncontainer. This allows the main processes of the container, if running\nas root, to gain low-level access to these new processes during\ninitialization. An attacker can, depending on the nature of the\nincoming process, leverage this to elevate access to the host. This\nranges from accessing host content through the file descriptors of the\nincoming process to, potentially, a complete container escape by\nleveraging memory access or syscall interception. (CVE-2016-9962)\n\nRed Hat would like to thank the Docker project for reporting this\nissue. 
Upstream acknowledges Aleksa Sarai (SUSE) and Tonis Tiigi\n(Docker) as the original reporters.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/vulnerabilities/cve-2016-9962\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:0123\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9962\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-client-latest\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-latest\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-latest-logrotate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-latest-v1.10-migrator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:0123\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-client-latest-1.12.5-14.el7\")) flag++;\n if 
(rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-latest-1.12.5-14.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-latest-logrotate-1.12.5-14.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-latest-v1.10-migrator-1.12.5-14.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"docker-client-latest / docker-latest / docker-latest-logrotate / etc\");\n }\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2018-10-06T22:54:12", "bulletinFamily": "info", "cvelist": ["CVE-2016-9962"], "description": "Docker has patched a privilege escalation vulnerability (CVE-2016-9962) that could lead to container escapes, allowing a hacker to affect operations of a host from inside a container.\n\nThe vulnerability is [rated high severity](<https://security.archlinux.org/CVE-2016-9962>) by some Linux distributions such as Arch Linux, which traces the problem to a bug found in the \u201copencontainers\u2019 runc\u201d code, used by several container engines.\n\nAccording to Aqua Security, the vulnerability is exploited when running an exec command inside an already running container. Exec is a Unix command where one exec command replaces the current shell process without creating a new process.\n\n\u201cWhen that happens, a malicious process inside the container can access a \u2018forgotten\u2019 file descriptor of a directory that resides on the host. 
This in turn can be used to perform directory traversal to the host\u2019s file system, thus facilitating a nasty and easy escape,\u201d [wrote Sagie Dulce](<http://blog.aquasec.com/cve-2016-9962-run-container-run>), senior researcher at Aqua Security.\n\nDocker released an update, [Docker Engine 1.12.6](<https://github.com/docker/docker/releases/tag/v1.12.6>), last week that patches the flaw. It rates the vulnerability as minor and [describes it as an](<https://www.docker.com/docker-cve-database>) \u201cinsecure opening of file-descriptor\u201d which allows for privilege escalation.\n\nRed Hat rated the [vulnerability as medium](<https://bugzilla.redhat.com/show_bug.cgi?id=1409531>) after first describing the problem in a blog post titled \u201c[Docker 0-Day Stopped Cold by SELinux](<http://webcache.googleusercontent.com/search?q=cache:obVpQ58t7nQJ:rhelblog.redhat.com/2017/01/13/docker-0-day-stopped-cold-by-selinux/+&cd=1&hl=en&ct=clnk&gl=us>)\u201d which was later changed to \u201c[SELinux Mitigates container Vulnerability](<http://rhelblog.redhat.com/2017/01/13/selinux-mitigates-container-vulnerability/>).\u201d Red Hat had argued that SELinux would have better protected against CVE-2016-9962. Red Hat also alerted its users to [patch the vulnerability](<https://access.redhat.com/security/cve/CVE-2016-9962>) and said running SELinux would not fully protect against the vulnerability.\n\n\u201cSELinux is the only thing that protects the host file system from attacks from inside of the container. If the processes inside of the container get access to a host file and attempt to read and write the content, SELinux will check the access,\u201d [wrote Dan Walsh](<http://rhelblog.redhat.com/2017/01/13/selinux-mitigates-container-vulnerability/>), consulting engineer at Red Hat.\n\nAqua Security\u2019s Dulce believes the open file descriptor issue is part of a larger problem tied to exec commands inside a running container. 
In the case of CVE-2016-9962, there is a small window of opportunity \u201cbefore the runc init process execs the command inside the container, where the container has access to the runc init process on the host.\u201d\n\nThe timing of the process allows the runc init process to enter the namespace of the container before it execs the final command, Dulce said. \u201cThis window could enable a container, for example, to list file descriptors on the host process, which can then lead it to the host\u2019s file system.\u201d\n\nAleksa Sarai with SUSE and T\u00f5nis Tiigi with Docker are credited for disclosing the vulnerability on Jan. 2.\n", "modified": "2017-01-18T19:27:40", "published": "2017-01-18T14:26:35", "id": "THREATPOST:717BF6C671998F904552A36059657FEE", "href": "https://threatpost.com/docker-patches-container-escape-vulnerability/123161/", "type": "threatpost", "title": "Docker Patches Privilege Escalation Vulnerability", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "redhat": [{"lastseen": "2019-08-13T18:45:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9962"], "description": "The runC tool is a lightweight, portable implementation of the Open Container Format (OCF) that provides container runtime.\n\nSecurity Fix(es):\n\n* The runc component used by `docker exec` feature of docker allowed additional container processes via to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain low-level access to these new processes during initialization. An attacker can, depending on the nature of the incoming process, leverage this to elevate access to the host. This ranges from accessing host content through the file descriptors of the incoming process to, potentially, a complete container escape by leveraging memory access or syscall interception. (CVE-2016-9962)\n\nRed Hat would like to thank the Docker project for reporting this issue. 
Upstream acknowledges Aleksa Sarai (SUSE) and Tonis Tiigi (Docker) as the original reporters.", "modified": "2017-01-18T01:37:49", "published": "2017-01-18T01:35:12", "id": "RHSA-2017:0127", "href": "https://access.redhat.com/errata/RHSA-2017:0127", "type": "redhat", "title": "(RHSA-2017:0127) Moderate: runc security and bug fix update", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:46:36", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9962"], "description": "Docker is an open-source engine that automates the deployment of any application as a lightweight, portable, and self-sufficient container that will run virtually anywhere.\n\nThe following packages have been upgraded to a newer upstream version: docker-latest (1.12.5). (BZ#1404309)\n\nSecurity Fix(es):\n\n* The runc component used by `docker exec` feature of docker allowed additional container processes via to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain low-level access to these new processes during initialization. An attacker can, depending on the nature of the incoming process, leverage this to elevate access to the host. This ranges from accessing host content through the file descriptors of the incoming process to, potentially, a complete container escape by leveraging memory access or syscall interception. (CVE-2016-9962)\n\nRed Hat would like to thank the Docker project for reporting this issue. 
Upstream acknowledges Aleksa Sarai (SUSE) and Tonis Tiigi (Docker) as the original reporters.", "modified": "2017-01-18T01:37:49", "published": "2017-01-18T01:35:03", "id": "RHSA-2017:0123", "href": "https://access.redhat.com/errata/RHSA-2017:0123", "type": "redhat", "title": "(RHSA-2017:0123) Moderate: docker-latest security, bug fix, and enhancement update", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:44:45", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9962"], "description": "Docker is an open-source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that will run virtually anywhere.\n\nThe following packages have been upgraded to a newer upstream version: docker (1.12.5). (BZ#1404298)\n\nSecurity Fix(es):\n\n* The runc component used by `docker exec` feature of docker allowed additional container processes via to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain low-level access to these new processes during initialization. An attacker can, depending on the nature of the incoming process, leverage this to elevate access to the host. This ranges from accessing host content through the file descriptors of the incoming process to, potentially, a complete container escape by leveraging memory access or syscall interception. (CVE-2016-9962)\n\nRed Hat would like to thank the Docker project for reporting this issue. Upstream acknowledges Aleksa Sarai (SUSE) and Tonis Tiigi (Docker) as the original reporters.\n\nBug Fix(es):\n\n* The docker containers and images did not read proxy variables from the environment when contacting registries. As a consequence, a user could not pull image when the system was configured to use a proxy. The containers and images have been fixed to read proxy variables from the environment, and pulling images now from a system with a proxy works correctly. 
(BZ#1393816)\n\n* Occasionally the docker-storage-setup service could start before a thin pool is ready which caused it to fail. As a consequence, the docker daemon also failed. This bug has been fixed and now docker-storage-setup waits for a thin pool to be created for 60 seconds. This default time can be configured. As a result, docker and docker-storage-setup start correctly upon reboot. (BZ#1316786)\n\n* Previously, the docker daemon's unit file was not supplying the userspace proxy path. As a consequence, containers that exposed ports could not be started. To fix this bug, the unit file was updated to include the userspace proxy path option to the daemon start command, along with several other minor packaging fixes. As a result, containers that expose ports can now be started as expected. (BZ#1406460)\n\n* Previously, the system CA (Certificate Authority) pool was excluded when the registry CA is used from the /etc/docker/certs.d/ directory. As a consequence, pulling images failed with the following error:\n\n Failed to push image: x509: certificate signed by unknown authority\n\nThis bug has been fixed and docker now reads the system CA pool correctly and pulling images now works correctly. (BZ#1400372)\n\n* Previously, the docker daemon option did not handle correctly the \"--block-registry docker.io\" option. As a consequence, docker allowed pulling images from docker.io even when the \"--block-registry docker.io\" option was enabled. This update fixed the handling of the option, and now using \"--block-registry docker.io\" correctly blocks image pulling. 
(BZ#1395401)", "modified": "2017-01-18T01:37:49", "published": "2017-01-18T01:34:47", "id": "RHSA-2017:0116", "href": "https://access.redhat.com/errata/RHSA-2017:0116", "type": "redhat", "title": "(RHSA-2017:0116) Moderate: docker security, bug fix, and enhancement update", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-23T19:55:15", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8867", "CVE-2016-9962", "CVE-2019-5736", "CVE-2020-14298", "CVE-2020-14300"], "description": "Docker is an open-source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that runs virtually anywhere. \n\nSecurity Fix(es):\n\n* docker: Ambient capability usage in containers (CVE-2016-8867)\n\n* docker: Security regression of CVE-2019-5736 due to inclusion of vulnerable runc (CVE-2020-14298)\n\n* docker: Security regression of CVE-2016-9962 due to inclusion of vulnerable runc (CVE-2020-14300)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-06-23T23:38:01", "published": "2020-06-23T23:31:12", "id": "RHSA-2020:2653", "href": "https://access.redhat.com/errata/RHSA-2020:2653", "type": "redhat", "title": "(RHSA-2020:2653) Important: docker security update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2017-01-13T01:48:16", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9962"], "edition": 1, "description": "### Background\n\nRunC is a CLI tool for spawning and running containers according to the OCI specification. \n\n### Description\n\nA vulnerability was discovered in runC that allows additional container processes via \u2018runc exec\u2019 to be ptraced by the pid 1 of the container. 
This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes. \n\n### Impact\n\nAn attacker, who is able to successfully escape the container or modify runC\u2019s state before process initialization, could escalate privileges. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll runC users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/runc-1.0.0_rc2-r2\"", "modified": "2017-01-12T00:00:00", "published": "2017-01-12T00:00:00", "href": "https://security.gentoo.org/glsa/201701-34", "id": "GLSA-201701-34", "title": "runC: Privilege escalation", "type": "gentoo", "cvss": {"score": 0.0, "vector": "NONE"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:38:37", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9962", "CVE-2019-5736"], "description": "[1.0.0-19.rc5.git4bb1fe4.0.3.el7]\n- Apply patch for CVE-2019-5736 (Wiekus Beukes)\n[1.0.0-19.rc5.git4bb1fe4.0.2.el7]\n- update Go version to 1.10.8, fix version string (Laszlo (Laca) Peter)\n[1.0.0-19.rc5.git4bb1fe4.0.1.el7]\n- Tuning .spec file\n[2:1.0.0-19.rc5.git4bb1fe4]\n- release v1.0.0~rc5\n[2:1.0.0-17.rc4.git9f9c962.1]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild\n[2:1.0.0-17.rc4.git9f9c962]\n- Bump to the latest from upstream\n[2:1.0.0-16.rc4.gite6516b3]\n- install bash completion to correct location\n- remove shebang from bash completion gh#1679\n- correct rpmlint issues\n[2:1.0.0-15.rc4.gite6516b3]\n- built commit e6516b3\n[2:1.0.0-14.rc4.gitdb093f6]\n- Lots of fixes for libcontainer\n- support unbindable,runbindable for rootfs propagation\n[2:1.0.0-13.rc4.git1d3ab6d]\n- Many Stability fixes\n- Many fixes for rootless containers\n- Many fixes for static builds\n[2:1.0.0-12.rc4.gitaea4f21]\n- Add container-selinux prerequires to make sure runc is labeled correctly\n[2:1.0.0-11.rc4.gitaea4f21]\n- disable devel package and 
%check - makes life easier for module building\n[2:1.0.0-10.rc4.gitaea4f21]\n- bump Epoch to 2 since bump to v1.0.1 was in error\n- bump to v1.0.0-rc4\n- built commit aea4f21\n[1.0.1-4.rc.gitaea4f21]\n- Rebuilt from master, with requierements needed for CRI-O\n[1:1.0.1-3.gitc5ec254]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild\n[1:1.0.1-2.gitc5ec254]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild\n[1.0.1-1.gitc5ec25487]\n- v1.0.0-rc5 release of runc\n[1.0.0-9.git6394544]\n- Just make the criu dependency optional (https://bugzilla.redhat.com/show_bug.cgi?id=1460148)\n[1.0.0-8.git6394544.1]\n- Do not build for ix86: there is no criu on ix86\n[1:1.0.0-7.git6394544.1]\n- rebuilt\n[1:1.0.0-6.git75f8da7]\n- bump to v1.0.0-rc3\n- built opencontainers/v1.0.0-rc3 commit 75f8da7\n[1:1.0.0-5.rc2.gitc91b5be.1]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild\n[1:1.0.0-5.rc2]\n- depend on criu for checkpoint/restore\n[1:1.0.0-4.rc2]\n- enable aarch64\n[1:1.0.0-3.rc2]\n- Resolves: #1412238 - *CVE-2016-9962* - set init processes as non-dumpable,\nrunc patch from Michael Crosby \n[1:1.0.0-2.rc2.git47ea5c7]\n- patch to enable seccomp\n- Pass to the compiler in cases where we don't have to define\ngobuild for ourselves.\n- From: Nalin Dahyabhai \n[1:1.0.0-1.rc2.git47ea5c7]\n- bump to 1.0.0 rc2\n- built commit 47ea5c7\n- build with bundled sources for now (some new dependencies need to be packaged)\n[1:1.0.0-1.rc1.git04f275d]\n- Resolves: #1342707 - bump to v1.0.0-rc1\n- built commit 04f275d\n- cosmetic changes to make rpmlint happy\n[1:0.1.1-4.git57b9972]\n- https://fedoraproject.org/wiki/Changes/golang1.7\n[1:0.1.1-3.git57b9972]\n- Add bash completion\n resolves: #1340119\n[1:0.1.1-2.gitbaf6536]\n- add selinux to BUILDTAGS in addition to the default seccomp tag\n[1:0.1.1-0.1.gitbaf6536]\n- Update to v0.1.1\n resolves: #1330378\n[1:0.0.9-0.3.git94dc520]\n- Ship man pages too\n resolves: 
#1326115\n[1:0.0.9-0.2.git94dc520]\n- Extend supported architectures to golang_arches\n Disable failing test\n related: #1290943\n[1:0.0.9-0.1.git94dc520]\n- Update to 0.0.9\n resolves: #1290943\n[1:0.0.8-0.1.git1a124e9]\n- Update to 0.0.8\n[1:0.0.5-0.4.git97bc9a7]\n- https://fedoraproject.org/wiki/Changes/golang1.6\n[1:0.0.5-0.3.git97bc9a7]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild\n[1:0.0.5-0.2.git97bc9a7]\n- unit-test-devel subpackage requires devel with correct epoch\n[1:0.0.5-0.1.git97bc9a7]\n- Update to 0.0.5, introduce Epoch for Fedora due to 0.2 version instead of 0.0.2\n resolves: #1286114\n[0.2-0.2.git90e6d37]\n- First package for Fedora\n resolves: #1255179", "edition": 3, "modified": "2019-02-11T00:00:00", "published": "2019-02-11T00:00:00", "id": "ELSA-2019-4540", "href": "http://linux.oracle.com/errata/ELSA-2019-4540.html", "title": "runc security update", "type": "oraclelinux", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:10", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8867", "CVE-2016-9962"], "description": "[1.12.6-1.0.1]\n- Enable configuration of Docker daemon via sysconfig [orabug 21804877]\n- Require UEK4 for docker 1.9 [orabug 22235639 22235645]\n- Add docker.conf for prelink [orabug 25147708]\n[1.12.6]\n- the systemd unit file (/usr/lib/systemd/system/docker.service) contains local changes, or\n- a systemd drop-in file is present, and contains -H fd:// in the ExecStart directive\n- Backup the current version of the unit file, and replace the file with the\n- Remove the Requires=docker.socket directive from the /usr/lib/systemd/system/docker.service file if present\n- Remove -H fd:// from the ExecStart directive (both in the main unit file, and in any drop-in files present).\n- Fix runC privilege escalation (CVE-2016-9962)\n[1.12.5]\n- the systemd unit file (/usr/lib/systemd/system/docker.service) contains local changes, or\n- a systemd drop-in file is present, 
and contains -H fd:// in the ExecStart directive\n- Backup the current version of the unit file, and replace the file with the\n- Remove the Requires=docker.socket directive from the /usr/lib/systemd/system/docker.service file if present\n- Remove -H fd:// from the ExecStart directive (both in the main unit file, and in any drop-in files present).\n- Fix race on sending stdin close event [#29424](https://github.com/docker/docker/pull/29424)\n- Fix panic in docker network ls when a network was created with --ipv6 and no ipv6 --subnet in older docker versions [#29416](https://github.com/docker/docker/pull/29416)\n- Fix compilation on Darwin [#29370](https://github.com/docker/docker/pull/29370)\n[1.12.4]\n- the systemd unit file (/usr/lib/systemd/system/docker.service) contains local changes, or\n- a systemd drop-in file is present, and contains -H fd:// in the ExecStart directive\n- Backup the current version of the unit file, and replace the file with the\n- Remove the Requires=docker.socket directive from the /usr/lib/systemd/system/docker.service file if present\n- Remove -H fd:// from the ExecStart directive (both in the main unit file, and in any drop-in files present).\n- Fix issue where volume metadata was not removed [#29083](https://github.com/docker/docker/pull/29083)\n- Asynchronously close streams to prevent holding container lock [#29050](https://github.com/docker/docker/pull/29050)\n- Fix selinux labels for newly created container volumes [#29050](https://github.com/docker/docker/pull/29050)\n- Remove hostname validation [#28990](https://github.com/docker/docker/pull/28990)\n- Fix deadlocks caused by IO races [#29095](https://github.com/docker/docker/pull/29095) [#29141](https://github.com/docker/docker/pull/29141)\n- Return an empty stats if the container is restarting [#29150](https://github.com/docker/docker/pull/29150)\n- Fix volume store locking [#29151](https://github.com/docker/docker/pull/29151)\n- Ensure consistent status code in API 
[#29150](https://github.com/docker/docker/pull/29150)\n- Fix incorrect opaque directory permission in overlay2 [#29093](https://github.com/docker/docker/pull/29093)\n- Detect plugin content and error out on docker pull [#29297](https://github.com/docker/docker/pull/29297)\n- Update Swarmkit [#29047](https://github.com/docker/docker/pull/29047)\n- orchestrator/global: Fix deadlock on updates [docker/swarmkit#1760](https://github.com/docker/swarmkit/pull/1760)\n- on leader switchover preserve the vxlan id for existing networks [docker/swarmkit#1773](https://github.com/docker/swarmkit/pull/1773)\n- Refuse swarm spec not named 'default' [#29152](https://github.com/docker/docker/pull/29152)\n- Update libnetwork [#29004](https://github.com/docker/docker/pull/29004) [#29146](https://github.com/docker/docker/pull/29146)\n- Fix panic in embedded DNS [docker/libnetwork#1561](https://github.com/docker/libnetwork/pull/1561)\n- Fix unmarhalling panic when passing --link-local-ip on global scope network [docker/libnetwork#1564](https://github.com/docker/libnetwork/pull/1564)\n- Fix panic when network plugin returns nil StaticRoutes [docker/libnetwork#1563](https://github.com/docker/libnetwork/pull/1563)\n- Fix panic in osl.(*networkNamespace).DeleteNeighbor [docker/libnetwork#1555](https://github.com/docker/libnetwork/pull/1555)\n- Fix panic in swarm networking concurrent map read/write [docker/libnetwork#1570](https://github.com/docker/libnetwork/pull/1570)\n- Allow encrypted networks when running docker inside a container [docker/libnetwork#1502](https://github.com/docker/libnetwork/pull/1502)\n- Do not block autoallocation of IPv6 pool [docker/libnetwork#1538](https://github.com/docker/libnetwork/pull/1538)\n- Set timeout for netlink calls [docker/libnetwork#1557](https://github.com/docker/libnetwork/pull/1557)\n- Increase networking local store timeout to one minute [docker/libkv#140](https://github.com/docker/libkv/pull/140)\n- Fix a panic in libnetwork.(*sandbox).execFunc 
[docker/libnetwork#1556](https://github.com/docker/libnetwork/pull/1556)\n- Honor icc=false for internal networks [docker/libnetwork#1525](https://github.com/docker/libnetwork/pull/1525)\n- Update syslog log driver [#29150](https://github.com/docker/docker/pull/29150)\n- Run 'dnf upgrade' before installing in fedora [#29150](https://github.com/docker/docker/pull/29150)\n- Add build-date back to RPM packages [#29150](https://github.com/docker/docker/pull/29150)\n- deb package filename changed to include distro to distinguish between distro code names [#27829](https://github.com/docker/docker/pull/27829)\n[1.12.3]\n- the systemd unit file (/usr/lib/systemd/system/docker.service) contains local changes, or\n- a systemd drop-in file is present, and contains -H fd:// in the ExecStart directive\n- Backup the current version of the unit file, and replace the file with the\n- Remove the Requires=docker.socket directive from the /usr/lib/systemd/system/docker.service file if present\n- Remove -H fd:// from the ExecStart directive (both in the main unit file, and in any drop-in files present).\n- Fix ambient capability usage in containers (CVE-2016-8867) [#27610](https://github.com/docker/docker/pull/27610)\n- Prevent a deadlock in libcontainerd for Windows [#27136](https://github.com/docker/docker/pull/27136)\n- Fix error reporting in CopyFileWithTar [#27075](https://github.com/docker/docker/pull/27075)\n- Reset health status to starting when a container is restarted [#27387](https://github.com/docker/docker/pull/27387)\n- Properly handle shared mount propagation in storage directory [#27609](https://github.com/docker/docker/pull/27609)\n- Fix docker exec [#27610](https://github.com/docker/docker/pull/27610)\n- Fix backward compatibility with containerds events log [#27693](https://github.com/docker/docker/pull/27693)\n- Fix conversion of restart-policy [#27062](https://github.com/docker/docker/pull/27062)\n- Update Swarmkit 
[#27554](https://github.com/docker/docker/pull/27554)\n- Avoid restarting a task that has already been restarted [docker/swarmkit#1305](https://github.com/docker/swarmkit/pull/1305)\n- Allow duplicate published ports when they use different protocols [docker/swarmkit#1632](https://github.com/docker/swarmkit/pull/1632)\n- Allow multiple randomly assigned published ports on service [docker/swarmkit#1657](https://github.com/docker/swarmkit/pull/1657)\n- Fix panic when allocations happen at init time [docker/swarmkit#1651](https://github.com/docker/swarmkit/pull/1651)\n- Update libnetwork [#27559](https://github.com/docker/docker/pull/27559)\n- Fix race in serializing sandbox to string [docker/libnetwork#1495](https://github.com/docker/libnetwork/pull/1495)\n- Fix race during deletion [docker/libnetwork#1503](https://github.com/docker/libnetwork/pull/1503)\n- Reset endpoint port info on connectivity revoke in bridge driver [docker/libnetwork#1504](https://github.com/docker/libnetwork/pull/1504)\n- Fix a deadlock in networking code [docker/libnetwork#1507](https://github.com/docker/libnetwork/pull/1507)\n- Fix a race in load balancer state [docker/libnetwork#1512](https://github.com/docker/libnetwork/pull/1512)\n- Update fluent-logger-golang to v1.2.1 [#27474](https://github.com/docker/docker/pull/27474)\n- Update buildtags for armhf ubuntu-trusty [#27327](https://github.com/docker/docker/pull/27327)\n- Add AppArmor to runc buildtags for armhf [#27421](https://github.com/docker/docker/pull/27421)", "edition": 4, "modified": "2017-01-13T00:00:00", "published": "2017-01-13T00:00:00", "id": "ELSA-2017-3511", "href": "http://linux.oracle.com/errata/ELSA-2017-3511.html", "title": "docker-engine docker-engine-selinux security and bugfix update", "type": "oraclelinux", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-30T19:26:47", "bulletinFamily": "unix", "cvelist": ["CVE-2019-16884", "CVE-2020-7039", "CVE-2019-9512", "CVE-2016-9962", 
"CVE-2019-14378", "CVE-2019-5736", "CVE-2019-10214", "CVE-2019-9514", "CVE-2019-18466"], "description": "buildah\n[1.11.6-4.0.1]\n- Fixes troubles with oracle registry login [Orabug: 29937283]\n[1.11.6-4]\n- compile in FIPS mode\n- Related: RHELPLAN-25138\n[1.11.6-3]\n- be sure to use golang >= 1.12.12-4\n- Related: RHELPLAN-25138\n[1.11.6-2]\n- fix chroot: unmount with MNT_DETACH instead of UnmountMountpoints()\n- bug reference 1772179\n- Related: RHELPLAN-25138\n[1.11.6-1]\n- update to buildah 1.11.6\n- Related: RHELPLAN-25138\n[1.11.5-1]\n- update to buildah 1.11.5\n- Related: RHELPLAN-25138\n[1.11.4-2]\n- fix %gobuild macro to not to ignore BUILDTAGS\n[1.11.4-1]\n- update to 1.11.4\n[1.9.0-5]\n- Use autosetup macro again.\n[1.9.0-4]\n- Fix CVE-2019-10214 (#1734653).\n[1.9.0-3]\n- Resolves: #1721247 - enable fips mode\n[1.9.0-2]\n- Resolves: #1720654 - tests subpackage depends on golang explicitly\n[1.9.0-1]\n- Resolves: #1720654 - rebase to v1.9.0\n[1.8.3-1]\n- Resolves: #1720654 - rebase to v1.8.3\n[1.8-0.git021d607]\n- package system tests\n[1.5-3.gite94b4f9]\n- re-enable debuginfo\n[1.5-2.gite94b4f9]\n- go toolset not in scl anymore\n[1.5-1.gite94b4f9]\n- rebase\n[1.4-3.git608fa84]\n- fedora-like go compiler macro in buildrequires is enough\n[1.4-2.git608fa84]\n- rebase\n[1.3-3.git4888163]\n- Resolves: #1615611 - rebuild with gobuild tag 'no_openssl'\n[1.3-2.git4888163]\n- Resolves: #1614009 - built with updated scl-ized go-toolset dep\n- build with %gobuild\n[1.3-1]\n- Bump to v1.3\n- Vendor in lates containers/image\n- build-using-dockerfile: let -t include transports again\n- Block use of /proc/acpi and /proc/keys from inside containers\n- Fix handling of --registries-conf\n- Fix becoming a maintainer link\n- add optional CI test fo darwin\n- Don't pass a nil error to errors.Wrapf()\n- image filter test: use kubernetes/pause as a 'since'\n- Add --cidfile option to from\n- vendor: update containers/storage\n- Contributors need to find the CONTRIBUTOR.md 
file easier\n- Add a --loglevel option to build-with-dockerfile\n- Create Development plan\n- cmd: Code improvement\n- allow buildah cross compile for a darwin target\n- Add unused function param lint check\n- docs: Follow man-pages(7) suggestions for SYNOPSIS\n- Start using github.com/seccomp/containers-golang\n- umount: add all option to umount all mounted containers\n- runConfigureNetwork(): remove an unused parameter\n- Update github.com/opencontainers/selinux\n- Fix buildah bud --layers\n- Force ownership of /etc/hosts and /etc/resolv.conf to 0:0\n- main: if unprivileged, reexec in a user namespace\n- Vendor in latest imagebuilder\n- Reduce the complexity of the buildah.Run function\n- mount: output it before replacing lastError\n- Vendor in latest selinux-go code\n- Implement basic recognition of the '--isolation' option\n- Run(): try to resolve non-absolute paths using /usr/local/bin:/bin:/usr/bin\n- Run(): don't include any default environment variables\n- build without seccomp\n- vendor in latest runtime-tools\n- bind/mount_unsupported.go: remove import errors\n- Update github.com/opencontainers/runc\n- Add Capabilities lists to BuilderInfo\n- Tweaks for commit tests\n- commit: recognize committing to second storage locations\n- Fix ARGS parsing for run commands\n- Add info on registries.conf to from manpage\n- Switch from using docker to podman for testing in .papr\n- buildah: set the HTTP User-Agent\n- ONBUILD tutorial\n- Add information about the configuration files to the install docs\n- Makefile: add uninstall\n- Add tilde info for push to troubleshooting\n- mount: support multiple inputs\n- Use the right formatting when adding entries to /etc/hosts\n- Vendor in latest go-selinux bindings\n- Allow --userns-uid-map/--userns-gid-map to be global options\n- bind: factor out UnmountMountpoints\n- Run(): simplify runCopyStdio()\n- Run(): handle POLLNVAL results\n- Run(): tweak terminal mode handling\n- Run(): rename 'copyStdio' to 'copyPipes'\n- Run(): 
don't set a Pdeathsig for the runtime\n- Run(): add options for adding and removing capabilities\n- Run(): don't use a callback when a slice will do\n- setupSeccomp(): refactor\n- Change RunOptions.Stdin/Stdout/Stderr to just be Reader/Writers\n- Escape use of '_' in .md docs\n- Break out getProcIDMappings()\n- Break out SetupIntermediateMountNamespace()\n- Add Multi From Demo\n- Use the c/image conversion code instead of converting configs manually\n- Don't throw away the manifest MIME type and guess again\n- Consolidate loading manifest and config in initConfig\n- Pass a types.Image to Builder.initConfig\n- Require an image ID in importBuilderDataFromImage\n- Use c/image/manifest.GuessMIMEType instead of a custom heuristic\n- Do not ignore any parsing errors in initConfig\n- Explicitly handle 'from scratch' images in Builder.initConfig\n- Fix parsing of OCI images\n- Simplify dead but dangerous-looking error handling\n- Don't ignore v2s1 history if docker_version is not set\n- Add --rm and --force-rm to buildah bud\n- Add --all,-a flag to buildah images\n- Separate stdio buffering from writing\n- Remove tty check from images --format\n- Add environment variable BUILDAH_RUNTIME\n- Add --layers and --no-cache to buildah bud\n- Touch up images man\n- version.md: fix DESCRIPTION\n- tests: add containers test\n- tests: add images test\n- images: fix usage\n- fix make clean error\n- Change 'registries' to 'container registries' in man\n- add commit test\n- Add(): learn to record hashes of what we add\n- Minor update to buildah config documentation for entrypoint\n- Bump to v1.2-dev\n- Add registries.conf link to a few man pages\n[1.2-3]\n- do not depend on btrfs-progs for rhel8\n[1.2-2]\n- buildah does not require ostree\n[1.2-1]\n- Vendor in latest containers/image\n- build-using-dockerfile: let -t include transports again\n- Block use of /proc/acpi and /proc/keys from inside containers\n- Fix handling of --registries-conf\n- Fix becoming a maintainer link\n- add 
optional CI test fo darwin\n- Don't pass a nil error to errors.Wrapf()\n- image filter test: use kubernetes/pause as a 'since'\n- Add --cidfile option to from\n- vendor: update containers/storage\n- Contributors need to find the CONTRIBUTOR.md file easier\n- Add a --loglevel option to build-with-dockerfile\n- Create Development plan\n- cmd: Code improvement\n- allow buildah cross compile for a darwin target\n- Add unused function param lint check\n- docs: Follow man-pages(7) suggestions for SYNOPSIS\n- Start using github.com/seccomp/containers-golang\n- umount: add all option to umount all mounted containers\n- runConfigureNetwork(): remove an unused parameter\n- Update github.com/opencontainers/selinux\n- Fix buildah bud --layers\n- Force ownership of /etc/hosts and /etc/resolv.conf to 0:0\n- main: if unprivileged, reexec in a user namespace\n- Vendor in latest imagebuilder\n- Reduce the complexity of the buildah.Run function\n- mount: output it before replacing lastError\n- Vendor in latest selinux-go code\n- Implement basic recognition of the '--isolation' option\n- Run(): try to resolve non-absolute paths using /usr/local/bin:/bin:/usr/bin\n- Run(): don't include any default environment variables\n- build without seccomp\n- vendor in latest runtime-tools\n- bind/mount_unsupported.go: remove import errors\n- Update github.com/opencontainers/runc\n- Add Capabilities lists to BuilderInfo\n- Tweaks for commit tests\n- commit: recognize committing to second storage locations\n- Fix ARGS parsing for run commands\n- Add info on registries.conf to from manpage\n- Switch from using docker to podman for testing in .papr\n- buildah: set the HTTP User-Agent\n- ONBUILD tutorial\n- Add information about the configuration files to the install docs\n- Makefile: add uninstall\n- Add tilde info for push to troubleshooting\n- mount: support multiple inputs\n- Use the right formatting when adding entries to /etc/hosts\n- Vendor in latest go-selinux bindings\n- Allow 
--userns-uid-map/--userns-gid-map to be global options\n- bind: factor out UnmountMountpoints\n- Run(): simplify runCopyStdio()\n- Run(): handle POLLNVAL results\n- Run(): tweak terminal mode handling\n- Run(): rename 'copyStdio' to 'copyPipes'\n- Run(): don't set a Pdeathsig for the runtime\n- Run(): add options for adding and removing capabilities\n- Run(): don't use a callback when a slice will do\n- setupSeccomp(): refactor\n- Change RunOptions.Stdin/Stdout/Stderr to just be Reader/Writers\n- Escape use of '_' in .md docs\n- Break out getProcIDMappings()\n- Break out SetupIntermediateMountNamespace()\n- Add Multi From Demo\n- Use the c/image conversion code instead of converting configs manually\n- Don't throw away the manifest MIME type and guess again\n- Consolidate loading manifest and config in initConfig\n- Pass a types.Image to Builder.initConfig\n- Require an image ID in importBuilderDataFromImage\n- Use c/image/manifest.GuessMIMEType instead of a custom heuristic\n- Do not ignore any parsing errors in initConfig\n- Explicitly handle 'from scratch' images in Builder.initConfig\n- Fix parsing of OCI images\n- Simplify dead but dangerous-looking error handling\n- Don't ignore v2s1 history if docker_version is not set\n- Add --rm and --force-rm to buildah bud\n- Add --all,-a flag to buildah images\n- Separate stdio buffering from writing\n- Remove tty check from images --format\n- Add environment variable BUILDAH_RUNTIME\n- Add --layers and --no-cache to buildah bud\n- Touch up images man\n- version.md: fix DESCRIPTION\n- tests: add containers test\n- tests: add images test\n- images: fix usage\n- fix make clean error\n- Change 'registries' to 'container registries' in man\n- add commit test\n- Add(): learn to record hashes of what we add\n- Minor update to buildah config documentation for entrypoint\n- Add registries.conf link to a few man pages\n[1.1-1]\n- Drop capabilities if running container processes as non root\n- Print Warning message if cmd will 
not be used based on entrypoint\n- Update 01-intro.md\n- Shouldn't add insecure registries to list of search registries\n- Report errors on bad transports specification when pushing images\n- Move parsing code out of common for namespaces and into pkg/parse.go\n- Add disable-content-trust noop flag to bud\n- Change freenode chan to buildah\n- runCopyStdio(): don't close stdin unless we saw POLLHUP\n- Add registry errors for pull\n- runCollectOutput(): just read until the pipes are closed on us\n- Run(): provide redirection for stdio\n- rmi, rm: add test\n- add mount test\n- Add parameter judgment for commands that do not require parameters\n- Add context dir to bud command in baseline test\n- run.bats: check that we can run with symlinks in the bundle path\n- Give better messages to users when image can not be found\n- use absolute path for bundlePath\n- Add environment variable to buildah --format\n- rm: add validation to args and all option\n- Accept json array input for config entrypoint\n- Run(): process RunOptions.Mounts, and its flags\n- Run(): only collect error output from stdio pipes if we created some\n- Add OnBuild support for Dockerfiles\n- Quick fix on demo readme\n- run: fix validate flags\n- buildah bud should require a context directory or URL\n- Touchup tutorial for run changes\n- Validate common bud and from flags\n- images: Error if the specified imagename does not exist\n- inspect: Increase err judgments to avoid panic\n- add test to inspect\n- buildah bud picks up ENV from base image\n- Extend the amount of time travis_wait should wait\n- Add a make target for Installing CNI plugins\n- Add tests for namespace control flags\n- copy.bats: check ownerships in the container\n- Fix SELinux test errors when SELinux is enabled\n- Add example CNI configurations\n- Run: set supplemental group IDs\n- Run: use a temporary mount namespace\n- Use CNI to configure container networks\n- add/secrets/commit: Use mappings when setting permissions on added 
content\n- Add CLI options for specifying namespace and cgroup setup\n- Always set mappings when using user namespaces\n- Run(): break out creation of stdio pipe descriptors\n- Read UID/GID mapping information from containers and images\n- Additional bud CI tests\n- Run integration tests under travis_wait in Travis\n- build-using-dockerfile: add --annotation\n- Implement --squash for build-using-dockerfile and commit\n- Vendor in latest container/storage for devicemapper support\n- add test to inspect\n- Vendor github.com/onsi/ginkgo and github.com/onsi/gomega\n- Test with Go 1.10, too\n- Add console syntax highlighting to troubleshooting page\n- bud.bats: print '' before checking its contents\n- Manage 'Run' containers more closely\n- Break Builder.Run()'s 'run runc' bits out\n- util.ResolveName(): handle completion for tagged/digested image names\n- Handle /etc/hosts and /etc/resolv.conf properly in container\n- Documentation fixes\n- Make it easier to parse our temporary directory as an image name\n- Makefile: list new pkg/ subdirectoris as dependencies for buildah\n- containerImageSource: return more-correct errors\n- API cleanup: PullPolicy and TerminalPolicy should be types\n- Make 'run --terminal' and 'run -t' aliases for 'run --tty'\n- Vendor github.com/containernetworking/cni v0.6.0\n- Update github.com/containers/storage\n- Update github.com/projectatomic/libpod\n- Add support for buildah bud --label\n- buildah push/from can push and pull images with no reference\n- Vendor in latest containers/image\n- Update gometalinter to fix install.tools error\n- Update troubleshooting with new run workaround\n- Added a bud demo and tidied up\n- Attempt to download file from url, if fails assume Dockerfile\n- Add buildah bud CI tests for ENV variables\n- Re-enable rpm .spec version check and new commit test\n- Update buildah scratch demo to support el7\n- Added Docker compatibility demo\n- Update to F28 and new run format in baseline test\n- Touchup man page short 
options across man pages\n- Added demo dir and a demo. chged distrorlease\n- builder-inspect: fix format option\n- Add cpu-shares short flag (-c) and cpu-shares CI tests\n- Minor fixes to formatting in rpm spec changelog\n- Fix rpm .spec changelog formatting\n- CI tests and minor fix for cache related noop flags\n- buildah-from: add effective value to mount propagation\n[1.0-1]\n- Remove buildah run cmd and entrypoint execution\n- Add Files section with registries.conf to pertinent man pages\n- Force 'localhost' as a default registry\n- Add --compress, --rm, --squash flags as a noop for bud\n- Add FIPS mode secret to buildah run and bud\n- Add config --comment/--domainname/--history-comment/--hostname\n- Add support for --iidfile to bud and commit\n- Add /bin/sh -c to entrypoint in config\n- buildah images and podman images are listing different sizes\n- Remove tarball as an option from buildah push --help\n- Update entrypoint behaviour to match docker\n- Display imageId after commit\n- config: add support for StopSignal\n- Allow referencing stages as index and names\n- Add multi-stage builds support\n- Vendor in latest imagebuilder, to get mixed case AS support\n- Allow umount to have multi-containers\n- Update buildah push doc\n- buildah bud walks symlinks\n- Imagename is required for commit atm, update manpage\n[0.16-3.git532e267]\n- Resolves: #1573681\n- built commit 532e267\n[0.16.0-2.git6f7d05b]\n- built commit 6f7d05b\n[0.16-1]\n- Add support for shell\n- Vendor in latest containers/image\n- \t docker-archive generates docker legacy compatible images\n-\t Do not create subdirectories for layers with no configs\n- \t Ensure the layer IDs in legacy docker/tarfile metadata are unique\n-\t docker-archive: repeated layers are symlinked in the tar file\n-\t sysregistries: remove all trailing slashes\n-\t Improve docker/* error messages\n-\t Fix failure to make auth directory\n-\t Create a new slice in Schema1.UpdateLayerInfos\n-\t Drop unused 
storageImageDestination.{image,systemContext}\n-\t Load a *storage.Image only once in storageImageSource\n-\t Support gzip for docker-archive files\n-\t Remove .tar extension from blob and config file names\n-\t ostree, src: support copy of compressed layers\n-\t ostree: re-pull layer if it misses uncompressed_digest|uncompressed_size\n-\t image: fix docker schema v1 -> OCI conversion\n-\t Add /etc/containers/certs.d as default certs directory\n- Change image time to locale, add troubleshooting.md, add logo to other mds\n- Allow --cmd parameter to have commands as values\n- Document the mounts.conf file\n- Fix man pages to format correctly\n- buildah from now supports pulling images using the following transports:\n- docker-archive, oci-archive, and dir.\n- If the user overrides the storage driver, the options should be dropped\n- Show Config/Manifest as JSON string in inspect when format is not set\n- Adds feature to pull compressed docker-archive files\n[0.15-1]\n- Fix handling of buildah run command options\n[0.14-1]\n- If commonOpts do not exist, we should return rather than segfault\n- Display full error string instead of just status\n- Implement --volume and --shm-size for bud and from\n- Fix secrets patch for buildah bud\n- Fixes the naming issue of blobs and config for the dir transport by removing the .tar extension\n[0.13-1.git99066e0]\n- use correct version\n[0.12-4.git99066e0]\n- enable debuginfo\n[0.12-3.git99066e0]\n- BR: libseccomp-devel\n[0.12-2.git99066e0]\n- Resolves: #1548535\n- built commit 99066e0\n[0.12-1]\n- Added handling for simpler error message for Unknown Dockerfile instructions.\n- Change default certs directory to /etc/containers/certs.dir\n- Vendor in latest containers/image\n- Vendor in latest containers/storage\n- build-using-dockerfile: set the 'author' field for MAINTAINER\n- Return exit code 1 when buildah-rmi fails\n- Trim the image reference to just its name before calling getImageName\n- Touch up rmi -f usage statement\n- Add 
--format and --filter to buildah containers\n- Add --prune,-p option to rmi command\n- Add authfile param to commit\n- Fix --runtime-flag for buildah run and bud\n- format should override quiet for images\n- Allow all auth params to work with bud\n- Do not overwrite directory permissions on --chown\n- Unescape HTML characters output into the terminal\n- Fix: setting the container name to the image\n- Prompt for un/pwd if not supplied with --creds\n- Make bud be really quiet\n- Return a better error message when failed to resolve an image\n- Update auth tests and fix bud man page\n[0.11-3.git49095a8]\n- Resolves: #1542236 - add ostree and bump runc dep\n[0.11-2.git49095a8]\n- rebased to 49095a83f8622cf69532352d183337635562e261\n[0.11-1]\n- Add --all to remove containers\n- Add --all functionality to rmi\n- Show ctrid when doing rm -all\n- Ignore sequential duplicate layers when reading v2s1\n- Lots of minor bug fixes\n- Vendor in latest containers/image and containers/storage\n[0.10-2]\n- Fix checkin\n[0.10-1]\n- Display Config and Manifest as strings\n- Bump containers/image\n- Use configured registries to resolve image names\n- Update to work with newer image library\n- Add --chown option to add/copy commands\n[0.9-2.git04ea079]\n- build for all arches\n[0.9-1]\n- Allow push to use the image id\n- Make sure builtin volumes have the correct label\n[0.8-1]\n- Buildah bud was failing on SELinux machines, this fixes this\n- Block access to certain kernel file systems inside of the container\n[0.7-1]\n- Ignore errors when trying to read containers buildah.json for loading SELinux reservations\n- Use credentials from kpod login for buildah\n- Adds support for converting manifest types when using the dir transport\n- Rework how we do UID resolution in images\n- Bump github.com/vbatts/tar-split\n- Set option.terminal appropriately in run\n[0.5-5.gitf7dc659]\n- revert building for s390x, it is intended for rhel 7.5\n[0.5-4]\n- Add requires for 
container-selinux\n[0.5-3.gitf7dc659]\n- build for s390x, https://bugzilla.redhat.com/show_bug.cgi?id=1482234\n[0.5-2]\n- Bump github.com/vbatts/tar-split\n- Fixes CVE That could allow a container image to cause a DOS\n[0.5-1]\n- Add secrets patch to buildah\n- Add proper SELinux labeling to buildah run\n- Add tls-verify to bud command\n- Make filtering by date use the image's date\n- images: don't list unnamed images twice\n- Fix timeout issue\n- Add further tty verbiage to buildah run\n- Make inspect try an image on failure if type not specified\n- Add support for \n- Tons of bug fixes and code cleanup\n[0.4-2.git01db066]\n- bump to latest version\n- set GIT_COMMIT at build-time\n[0.4-1.git9cbccf88c]\n- Add default transport to push if not provided\n- Avoid trying to print a nil ImageReference\n- Add authentication to commit and push\n- Add information on buildah from man page on transports\n- Remove --transport flag\n- Run: do not complain about missing volume locations\n- Add credentials to buildah from\n- Remove export command\n- Run(): create the right working directory\n- Improve 'from' behavior with unnamed references\n- Avoid parsing image metadata for dates and layers\n- Read the image's creation date from public API\n- Bump containers/storage and containers/image\n- Don't panic if an image's ID can't be parsed\n- Turn on --enable-gc when running gometalinter\n- rmi: handle truncated image IDs\n[0.4-1.git9cbccf8]\n- bump to v0.4\n[0.3-4.gitb9b2a8a]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild\n[0.3-3.gitb9b2a8a]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild\n[0.3-2.gitb9b2a8a7e]\n- Bump for inclusion of OCI 1.0 Runtime and Image Spec\n[0.2.0-1.gitac2aad6]\n- buildah run: Add support for -- ending options parsing\n- buildah Add/Copy support for glob syntax\n- buildah commit: Add flag to remove containers on commit\n- buildah push: Improve man page and help information\n- buildah run: add a way to 
disable PTY allocation\n- Buildah docs: clarify --runtime-flag of run command\n- Update to match newer storage and image-spec APIs\n- Update containers/storage and containers/image versions\n- buildah export: add support\n- buildah images: update commands\n- buildah images: Add JSON output option\n- buildah rmi: update commands\n- buildah containers: Add JSON output option\n- buildah version: add command\n- buildah run: Handle run without an explicit command correctly\n- Ensure volume points get created, and with perms\n- buildah containers: Add a -a/--all option\n[0.1.0-2.git597d2ab9]\n- Release Candidate 1\n- All features have now been implemented.\n[0.0.1-1.git7a0a5333]\n- First package for Fedora\ncockpit-podman\n[11-1]\n- Fix Alert notification in Image Search Modal\n- Allow more than a single Error Notification for Container action errors\n- Various Alert cleanups\n- Translation updates\n- Related: RHELPLAN-25138\n[10-1]\n- Support for user containers\n- Show list of containers that use given image\n- Show placeholder while loading containers and images\n- Fix setting memory limit - bug 1732713\n- Add container Terminal - bug 1703245\n- Related: RHELPLAN-25138\nconmon\n[2:2.0.6-1]\n- update to 2.0.6\n- Related: RHELPLAN-25138\n[2:2.0.5-1]\n- update to 2.0.5\n- Related: RHELPLAN-25138\n[2:2.0.4-1]\n- update to 2.0.4 bugfix release\n- Related: RHELPLAN-25138\n[2:2.0.3-2.giteb5fa88]\n- BR: systemd-devel\n- Related: RHELPLAN-25138\n[2:2.0.3-1.giteb5fa88]\n- update to 2.0.3\n[2:2.0.2-0.1.dev.git422ce21]\n- build latest upstream master\n[2:2.0.0-2]\n- remove BR: go-md2man since no manpages yet\n[2:2.0.0-1]\ncontainer-selinux\n[2:2.124.0-1]\n- update to 2.124.0\n- Related: RHELPLAN-25138\n[2:2.123.0-2]\n- implement spec file refactoring by Zdenek Pytela, namely:\n Change the uninstall command in the %postun section of the specfile\n to use the %selinux_modules_uninstall macro which uses priority 200.\n Change the install command in the %post section if the 
specfile\n to use the %selinux_modules_install macro.\n Replace relabel commands with using the %selinux_relabel_pre and\n %selinux_relabel_post macros.\n Change formatting so that the lines are vertically aligned\n in the %postun section.\n (https://github.com/containers/container-selinux/pull/85)\n- Related: RHELPLAN-25138\n[2:2.123.0-1]\n- update to 2.123.0\n- Related: RHELPLAN-25138\n[2:2.122.0-1]\n- update to 2.122.0\n[2:2.119.0-3.gita233788]\n- update to master container-selinux - bug 1769469\n[2:2.119.0-2]\n- fix post scriptlet - fail if semodule fails - bug 1729272\n[2:2.119.0-1]\n- update to 2.119.0\n[2:2.116-1]\n- update to 2.116, bug 1748519\n[2:2.107-2]\n- Use at least selinux policy 3.14.3-9.el8,\n Resolves: #1728700\n[2:2.107-1]\n- Resolves: #1720654 - rebase to v2.107\n[2:2.89-1.git2521d0d]\n- bump to v2.89\n[2:2.75-1.git99e2cfd]\n- bump to v2.75\n- built commit 99e2cfd\n[2:2.74-1]\n- Resolves: #1641655 - bump to v2.74\n- built commit a62c2db\n[2:2.73-3]\n- tweak macro for fedora - applies to rhel8 as well\n[2:2.73-2]\n- moved changelog entries:\n- Define spc_t as a container_domain, so that container_runtime will transition\nto spc_t even when setup with nosuid.\n- Allow container_runtimes to setattr on callers fifo_files\n- Fix restorecon to not error on missing directory\n[2.69-3]\n- Make sure we pull in the latest selinux-policy\n[2.69-2]\n- Add map support to container-selinux for RHEL 7.5\n- Dontudit attempts to write to kernel_sysctl_t\n[2.68-1]\n- Add label for /var/lib/origin\n- Add customizable_file_t to customizable_types\n[2.67-1]\n- Add policy for container_logreader_t\n[2.66-1]\n- Allow dnsmasq to dbus chat with spc_t\n[2.64-1]\n- Allow containers to create all socket classes\n[2.62-1]\n- Label overlay directories under /var/lib/containers/ correctly\n[2.61-1]\n- Allow spc_t to load kernel modules from inside of container\n[2.60-1]\n- Allow containers to list cgroup directories\n- Transition for unconfined_service_t to 
container_runtime_t when executing container_runtime_exec_t.\n[2.58-2]\n- Run restorecon /usr/bin/podman in postinstall\n[2.58-1]\n- Add labels to allow podman to be run from a systemd unit file\n[2.57-1]\n- Set the version of SELinux policy required to the latest to fix build issues.\n[2.56-1]\n- Allow container_runtime_t to transition to spc_t over unlabeled files\n[2.55-1]\nAllow iptables to read container state\n Dontaudit attempts from containers to write to /proc/self\n Allow spc_t to change attributes on container_runtime_t fifo files\n[2.52-1]\n- Add better support for writing custom selinux policy for customer container domains.\n[2.51-1]\n- Allow shell_exec_t as a container_runtime_t entrypoint\n[2.50-1]\n- Allow bin_t as a container_runtime_t entrypoint\n[2.49-1]\n- Add support for MLS running container runtimes\n- Add missing allow rules for running systemd in a container\n[2.48-1]\n- Update policy to match master branch\n- Remove typebounds and replace with nnp_transition and nosuid_transition calls\n[2.41-1]\n- Add support to nnp_transition for container domains\n- Eliminates need for typebounds.\n[2.40-1]\n- Allow container_runtime_t to use user ttys\n- Fixes bounds check for container_t\n[2.39-1]\n- Allow container runtimes to use inherited terminals. 
This helps\nsatisfy the bounds check of container_t versus container_runtime_t.\n[2.38-1]\n- Allow container runtimes to mmap container_file_t devices\n- Add labeling for rhel push plugin\n[2.37-1]\n- Allow containers to use inherited ttys\n- Allow ostree to handle labels under /var/lib/containers/ostree\n[2.36-1]\n- Allow containers to relabelto/from all file types to container_file_t\n[2.35-1]\n- Allow container to map chr_files labeled container_file_t\n[2.34-1]\n- Dontaudit container processes getattr on kernel file systems\n[2.33-1]\n- Allow containers to read /etc/resolv.conf and /etc/hosts if volume\n- mounted into container.\n[2.32-1]\n- Make sure users creating content in /var/lib with right labels\n[2.31-1]\n- Allow the container runtime to dbus chat with dnsmasq\n- add dontaudit rules for container trying to write to /proc\n[2.29-1]\n- Add support for lxcd\n- Add support for labeling of tmpfs storage created within a container.\n[2.28-1]\n- Allow a container to umount a container_file_t filesystem\n[2.27-1]\n- Allow container runtimes to work with the netfilter sockets\n- Allow container_file_t to be an entrypoint for VM's\n- Allow spc_t domains to transition to svirt_t\n[2.24-1]\n- Make sure container_runtime_t has all access of container_t\n[2.23-1]\n- Allow container runtimes to create sockets in tmp dirs\n[2.22-1]\n- Add additional support for crio labeling.\n[2.21-3]\n- Fixup spec file conditionals\n[2:2.21-2]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild\n[2.21-1]\n- Allow containers to execmod on container_share_t files.\n[2.20-2]\n- Relabel runc and crio executables\n[2.20-1]\n- Allow container processes to getsession\n[2:2.19-2.1]\n- update release tag to isolate from 7.3\n[2:2.19-1]\n- Fix mcs transition problem on stdin/stdout/stderr\n- Add labels for CRI-O\n- Allow containers to use tunnel sockets\n[2:2.15-1.1]\n- Resolves: #1451289\n- rebase to v2.15\n- built @origin/RHEL-1.12 commit 583ca40\n[2:2.10-2.1]\n- Make sure 
we have a late enough version of policycoreutils\n[2:2.10-1]\n- Update to the latest container-selinux patch from upstream\n- Label files under /usr/libexec/lxc as container_runtime_exec_t\n- Give container_t access to XFRM sockets\n- Allow spc_t to dbus chat with init system\n- Allow containers to read cgroup configuration mounted into a container\n[2:2.9-4]\n- Resolves: #1425574\n- built commit 79a6d70\n[2:2.9-3]\n- Resolves: #1420591\n- built @origin/RHEL-1.12 commit 8f876c4\n[2:2.9-2]\n- built @origin/RHEL-1.12 commit 33cb78b\n[2:2.8-2]\n-\n[2:2.7-1]\n- built origin/RHEL-1.12 commit 21dd37b\n[2:2.4-2]\n- correct version-release in changelog entries\n[2:2.4-1]\n- Add typebounds statement for container_t from container_runtime_t\n- We should only label runc not runc*\n[2:2.3-1]\n- Fix labeling on /usr/bin/runc.*\n- Add sandbox_net_domain access to container.te\n- Remove containers ability to look at /etc content\n[2:2.2-4]\n- use upstream's RHEL-1.12 branch, commit 56c32da for CentOS 7\n[2:2.2-3]\n- properly disable docker module in %post\n[2:2.2-2]\n- depend on selinux-policy-targeted\n- relabel docker-latest* files as well\n[2:2.2-1]\n- bump to v2.2\n- additional labeling for ocid\n[2:2.0-2]\n- install policy at level 200\n- From: Dan Walsh \n[2:2.0-1]\n- Resolves: #1406517 - bump to v2.0 (first upload to Fedora as a\nstandalone package)\n- include projectatomic/RHEL-1.12 branch commit for building on centos/rhel\n[2:1.12.4-29]\n- new package (separated from docker)\ncontainernetworking-plugins\n[0.8.3-4.0.1]\n- Disable debuginfo\n[0.8.3-4]\n- compile with no_openssl\n- Related: RHELPLAN-25138\n[0.8.3-3]\n- compile in FIPS mode\n- Related: RHELPLAN-25138\n[0.8.3-2]\n- be sure to use golang >= 1.12.12-4\n- Related: RHELPLAN-25138\n[0.8.3-1]\n- update to 0.8.3\n- Related: RHELPLAN-25138\n[0.8.1-2]\n- backport https://github.com/coreos/go-iptables/pull/62\n from Michael Cambria\n- Resolves: #1627561\n[0.8.1-1]\n- Resolves: #1720319 - bump to v0.8.1\n[0.7.5-1]\n- 
Resolves: #1616063\n- bump to v0.7.5\n[0.7.4-3.git9ebe139]\n- re-enable debuginfo\n[0.7.4-2.git9ebe139]\n- rebase, removed patch that is already upstream\n[0.7.3-7.git19f2f28]\n- go tools not in scl anymore\n[0.7.3-6.git19f2f28]\n- correct tag specification format in %gobuild macro\n[0.7.3-5.git19f2f28]\n- Resolves: #1616062 - patch to revert coreos/go-iptables bump\n[0.7.3-4.git19f2f28]\n- Resolves:#1603012\n- fix versioning, upstream got it wrong at 7.2\n[0.7.2-3.git19f2f28]\n- disable i686 temporarily for appstream builds\n- update golang deps and gobuild definition\n[0.7.2-2.git19f2f28]\n- rebase\n[0.7.0-103.gitdd8ff8a]\n- enable scl with the toolset\n[0.7.0-102.gitdd8ff8a]\n- remove devel and unittest subpackages\n- use new go-toolset deps\n[0.7.0-101]\n- rebase\n- patches already upstream, removed\n[0.6.0-6]\n- Imported from Fedora\n- Renamed CNI -> plugins\n[0.6.0-4]\n- Own the libexec cni directory\n[0.6.0-3]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild\n[0.6.0-2]\n- skip settling IPv4 addresses\n[0.6.0-1]\n- rebased to 7480240de9749f9a0a5c8614b17f1f03e0c06ab9\n[0.5.2-7]\n- do not install to /opt (against Fedora Guidelines)\n[0.5.2-6]\n- Enable devel subpackage\n[0.5.2-5]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild\n[0.5.2-4]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild\n[0.5.2-3]\n- excludearch: ppc64 as it's not in goarches anymore\n- re-enable s390x\n[0.5.2-2]\n- upstream moved to github.com/containernetworking/plugins\n- built commit dcf7368\n- provides: containernetworking-plugins\n- use vendored deps because they're a lot less of a PITA\n- excludearch: s390x for now (rhbz#1466865)\n[0.5.2-1]\n- Update to 0.5.2\n- Softlink to default /opt/cni/bin directories\n[0.5.1-1]\n- Initial package\nfuse-overlayfs\n[0.7.2-1]\n- update to 0.7.2\n- Related: RHELPLAN-25138\n[0.7-1]\n- update to 0.7\n- apply patch to fix build on RHEL-8\n- Related: RHELPLAN-25138\n[0.4.1-1]\n- Resolves: 
#1720654 - rebase to v0.4.1\n[0.3-2]\n- rebase\n- Resolves:#1666510\n[0.1-7.dev.git50c7a50]\n- Resolves: #1640232\n- built commit 50c7a50\n[0.1-6.dev.git1c72a1a]\n- Resolves: #1614856 - add manpage\n- built commit 1c72a1a\n- add BR: go-md2man\n[0.1-5.dev.gitd40ac75]\n- built commit d40ac75\n- remove fedora bz ids\n- Exclude ix86 and ppc64\n[0.1-4.dev.git79c70fd]\n- Resolves: #1609598 - initial upload to Fedora\n- bundled gnulib\n[0.1-3.dev.git79c70fd]\n- correct license field\n[0.1-2.dev.git79c70fd]\n- fix license\n[0.1-1.dev.git13575b6]\n- First package for Fedora\npodman\n[1.6.4-2.0.1]\n- delivering fix for [Orabug: 29874238] by Nikita Gerasimov \n[1.6.4-2]\n- apply fix for bug 1757845\n- Related: RHELPLAN-25138\n[1.6.4-1]\n- update to 1.6.4\n- Related: RHELPLAN-25138\n[1.6.3-6]\n- remove BR: device-mapper-devel, minor spec file changes\n- Related: RHELPLAN-25138\n[1.6.3-5]\n- Ensure volumes reacquire locks on state refresh (thanks Matt Heon)\n- Related: RHELPLAN-25138\n[1.6.3-4]\n- use the file events logger backend if systemd isn't available\n (thanks to Giuseppe Scrivano)\n- Related: RHELPLAN-25138\n[1.6.3-3]\n- require slirp4netns >= 0.4.0-1\n- Related: RHELPLAN-25138\n[1.6.3-2]\n- apply fix to not to fail gating tests:\n don't parse the config for cgroup-manager default\n- don't hang while on podman run --rm - bug 1767663\n[1.6.3-1]\n- update to podman 1.6.3\n- addresses CVE-2019-18466\n[1.6.2-6]\n- fix %gobuild macro to not to ignore BUILDTAGS\n[1.6.2-5]\n- use btrfs_noversion to really disable BTRFS support\n- amend/reuse BUILDTAGS\n- still keep device-mapper-devel BR otherwise build fails\n despite dm support being disabled (build scripting invokes\n pkg-config for devmapper which is shipped by the dm-devel\n package)\n[1.6.2-4]\n- disable BTRFS support\n[1.6.2-3]\n- split podman and conmon packages\n- drop BR: device-mapper-devel and update BRs in general\n[1.6.2-2]\n- drop oci-systemd-hook requirement\n- drop upstreamed CVE-2019-10214 
patch\n[1.6.2-1]\n- update to podman 1.6.2\n[1.4.2-6]\n- fix build with --nocheck (#1721394)\n- escape commented out macros\n[1.4.2-5]\n- Fix CVE-2019-10214 (#1734649).\n[1.4.2-4]\n- update to latest conmon (Resolves: #1743685)\n[1.4.2-3]\n- update to v1.4.2-stable1\n- Resolves: #1741157\n[1.4.2-2]\n- Resolves: #1669197, #1705763, #1737077, #1671622, #1723879, #1730281,\n- Resolves: #1731117\n- built libpod v1.4.2-stable1\n[1.4.2-1]\n- Resolves: #1721638\n- bump to v1.4.2\n[1.4.1-4]\n- Resolves: #1720654 - update dep on libvarlink\n- Resolves: #1721247 - enable fips mode\n[1.4.1-3]\n- Resolves: #1720654 - podman requires podman-manpages\n- update dep on cni plugins >= 0.8.1-1\n[1.4.1-2]\n- Resolves: #1720654 - podman-manpages obsoletes podman < 1.4.1-2\n[1.4.1-1]\n- Resolves: #1720654 - bump to v1.4.1\n- bump conmon to v0.3.0\n[1.4.0-1]\n- Resolves: #1720654 - bump to v1.4.0\n[1.3.2-2]\n- Resolves: #1683217 - tests subpackage requires slirp4netns\n[1.3.2-1]\n- Resolves: #1707220 - bump to v1.3.2\n- built conmon v0.2.0\n[1.2.0-1.git3bd528e5]\n- package system tests, zsh completion. 
Update CI tests to use new -tests pkg\n[1.1.0-1.git006206a]\n- bump to v1.1.0\n[1.0.1-1.git2c74edd]\n- bump to v1.0.1\n[1.0.0-2.git921f98f]\n- rebase\n[1.0.0-1.git82e8011]\n- rebase to v1, yay!\n- rebase conmon to 9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2\n- Resolves:#1623282\n- python interface removed, moved to https://github.com/containers/python-podman/\n[0.12.1.2-4.git9551f6b]\n- re-enable debuginfo\n[0.12.1.2-3.git9551f6b]\n- python libraries added\n- resolves: #1657180\n[0.12.1.2-2.git9551f6b]\n- rebase\n[0.11.1.1-3.git594495d]\n- go tools not in scl anymore\n[0.11.1.1-2.git594495d]\n- fedora-like buildrequires go toolset\n[0.11.1.1-1.git594495d]\n- Resolves: #1636230 - build with FIPS enabled golang toolchain\n- bump to v0.11.1.1\n- built commit 594495d\n[0.11.1-3.gita4adfe5]\n- podman-docker provides docker\n- Resolves: #1650355\n[0.11.1-2.gita4adfe5]\n- Require platform-python-setuptools instead of python3-setuptools\n- Resolves: rhbz#1650144\n[0.11.1-1.gita4adfe5]\n- bump to v0.11.1\n- built libpod commit a4adfe5\n- built conmon from cri-o commit 464dba6\n[0.10.1.3-5.gitdb08685]\n- Resolves: #1625384 - keep BR: device-mapper-devel but don't build with it\n- not having device-mapper-devel seems to have brew not recognize %{_unitdir}\n[0.10.1.3-4.gitdb08685]\n- Resolves: #1625384 - correctly add buildtags to remove devmapper\n[0.10.1.3-3.gitdb08685]\n- Resolves: #1625384 - build without device-mapper-devel (no podman support) and lvm2\n[0.10.1.3-2.gitdb08685]\n- Resolves: #1625384 - depend on lvm2\n[0.10.1.3-1.gitdb08685]\n- Resolves: #1640298 - update vendored buildah to allow building when there are\nrunning containers\n- bump to v0.10.1.3\n- built podman commit db08685\n[0.10.1.2-1.git2b4f8d1]\n- Resolves: #1625378\n- bump to v0.10.1.2\n- built podman commit 2b4f8d1\n[0.10.1.1-1.git4bea3e9]\n- bump to v0.10.1.1\n- built podman commit 4bea3e9\n[0.10.1-1.gite4a1553]\n- bump podman to v0.10.1\n- built podman commit e4a1553\n- built conmon from cri-o commit 
a30f93c\n[0.9.3.1-4.git1cd906d]\n- rebased cri-o to 1.11.6\n[0.9.3.1-3.git1cd906d]\n- rebase\n[0.9.2-2.git37a2afe]\n- rebase to podman 0.9.2\n- rebase to cri-o 0.11.4\n[0.9.1.1-2.git123de30]\n- rebase\n[0.8.4-1.git9f9b8cf]\n- bump to v0.8.4\n- built commit 9f9b8cf\n- upstream username changed from projectatomic to containers\n- use containernetworking-plugins >= 0.7.3-5\n[0.8.2.1-2.git7a526bb]\n- Resolves: #1615607 - rebuild with gobuild tag 'no_openssl'\n[0.8.2.1-1.git7a526bb]\n- Upstream 0.8.2.1 release\n- Add support for podman-docker\nResolves: rhbz#1615104\n[0.8.2-1.dev.git8b2d38e]\n- Resolves: #1614710 - podman search name includes registry\n- bump to v0.8.2-dev\n- built libpod commit 8b2d38e\n- built conmon from cri-o commit acc0ee7\n[0.8.1-2.git6b4ab2a]\n- Add recommends for slirp4netns and container-selinux\n[0.8.1-2.git6b4ab2a]\n- bump to v0.8.1\n- use %go{build,generate} instead of go build and go generate\n- update go deps to use scl-ized builds\n- No need for Makefile patch for python installs\n[0.8.1-1.git6b4ab2a]\n- Bump to v0.8.1\n[0.7.4-2.git079121]\n- podman should not require atomic-registries\n[0.7.4-1.dev.git9a18681]\n- bump to v0.7.4-dev\n- built commit 9a18681\n[0.7.3-2.git079121]\n- Turn on ostree support\n- Upstream 0.7.3\n[0.7.2-2.git4ca4c5f]\n- Upstream 0.7.2 release\n[0.7.1-3.git84cfdb2]\n- rebuilt\n[0.7.1-2.git84cfdb2]\n- rebase to 84cfdb2\n[0.7.1-1.git802d4f2]\n- Upstream 0.7.1 release\n[0.6.4-2.gitd5beb2f]\n- disable devel and unittest subpackages\n- include conditionals for rhel-8.0\n[0.6.4-1.gitd5beb2f]\n- do not compress debuginfo with dwz to support delve debugger\n[0.6.1-3.git3e0ff12]\n- do not compress debuginfo with dwz to support delve debugger\n[0.6.1-2.git3e0ff12]\n- bash completion shouldn't have shebang\n[0.6.1-1.git3e0ff12]\n- Resolves: #1584429 - drop capabilities when running a container as non-root\n- bump to v0.6.1\n- built podman commit 3e0ff12\n- built conmon from cri-o commit 1c0c3b0\n- drop 
containernetworking-plugins subpackage, it's now split out into a standalone\npackage\n[0.4.1-4.gitb51d327]\n- Resolves: #1572538 - build host-device and portmap plugins\n[0.4.1-3.gitb51d327]\n- correct dep on containernetworking-plugins\n[0.4.1-2.gitb51d327]\n- add containernetworking-plugins v0.7.0 as a subpackage (podman dep)\n- release tag for the containernetworking-plugins is actually gotten from\npodman release tag.\n[0.4.1-1.gitb51d327]\n- bump to v0.4.1\n- built commit b51d327\n[0.3.3-1.dev.gitbc358eb]\n- built podman commit bc358eb\n- built conmon from cri-o commit 712f3b8\n[0.3.2-1.gitf79a39a]\n- Release 0.3.2-1\n[0.3.1-2.git98b95ff]\n- Correct RPM version\n[0.3.1-1-gitc187538]\n- Release 0.3.1-1\n[0.2.2-2.git525e3b1]\n- Build on ARMv7 too (Fedora supports containers on that arch too)\n[0.2.2-1.git525e3b1]\n- Release 0.2.2\n[0.2.1-1.git3d0100b]\n- Release 0.2.1\n[0.2-3.git3d0100b]\n- Add dep for atomic-registries\n[0.2-2.git3d0100b]\n- Add more 64bit arches\n- Add containernetworking-cni dependancy\n- Add iptables dependancy\n[0-2.1.git3d0100]\n- Release 0.2\n[0-0.3.git367213a]\n- Resolves: #1541554 - first official build\n- built commit 367213a\n[0-0.2.git0387f69]\n- built commit 0387f69\n[0-0.1.gitc1b2278]\n- First package for Fedora\npython-podman-api\n[1.2.0-0.2.gitd0a45fe]\n- revert update to 1.6.0 due to new python3-pbr dependency which\n is not in RHEL\n- Related: RHELPLAN-25138\n[1.2.0-0.1.gitd0a45fe]\n- Initial package\nrunc\n[1.0.0-64.rc9]\n- use no_openssl in BUILDTAGS (no vendored crypto in runc)\n- Related: RHELPLAN-25138\n[1.0.0-63.rc9]\n- be sure to use golang >= 1.12.12-4\n- Related: RHELPLAN-25138\n[1.0.0-62.rc9]\n- rebuild because of CVE-2019-9512 and CVE-2019-9514\n- Related: RHELPLAN-25138\n[1.0.0-61.rc9]\n- update to runc 1.0.0-rc9 release\n- amend golang deps\n- fixes CVE-2019-16884\n[1.0.0-60.rc8]\n- Resolves: #1721247 - enable fips mode\n[1.0.0-59.rc8]\n- Resolves: #1720654 - rebase to v1.0.0-rc8\n[1.0.0-57.rc5.dev.git2abd837]\n- 
Resolves: #1693424 - podman rootless: cannot specify gid= mount options\n[1.0.0-56.rc5.dev.git2abd837]\n- change-default-root patch not needed as there's no docker on rhel8\n[1.0.0-55.rc5.dev.git2abd837]\n- Resolves: CVE-2019-5736\n[1.0.0-54.rc5.dev.git2abd837]\n- re-enable debuginfo\n[1.0.0-53.rc5.dev.git2abd837]\n- go toolset not in scl anymore\n[1.0.0-52.rc5.dev.git2abd837]\n- rebase\n[2:1.0.0-51.dev.gitfdd8055]\n- Fix handling of tmpcopyup\n[2:1.0.0-49.rc5.dev.gitb4e2ecb]\n- %gobuild uses no_openssl\n- remove unused devel and unit-test subpackages\n[2:1.0.0-48.rc5.dev.gitad0f525]\n- build with %gobuild\n- exlude i686 temporarily because of go-toolset issues\n[1.0.0-47.dev.gitb4e2ecb]\n- Rebuild with fixed binutils\n[2:1.0.0-46.dev.gitb4e2ecb]\n- Add patch https://github.com/opencontainers/runc/pull/1807 to allow\n- runc and podman to work with sd_notify\n[2:1.0.0-40.rc5.dev.gitad0f525]\n- Remove sysclt handling, not needed in RHEL8\n- Make sure package built with seccomp flags\n- Remove rectty\n- Add completions\n[2:1.0.0-36.rc5.dev.gitad0f525]\n- Better handling of user namespace\n[2:1.0.0-31.rc5.git0cbfd83]\n- Fix issues between SELinux and UserNamespace\n[1.0.0-27.rc5.dev.git4bb1fe4]\n- rebuilt, placed missing changelog entry back\n[2:1.0.0-26.rc5.git4bb1fe4]\n- release v1.0.0~rc5\n[1.0.0-26.rc4.git9f9c962]\n- Bump to the latest from upstream\n[1.0.0-25.rc4.gite6516b3]\n- built commit e6516b3\n[1.0.0-24.rc4.dev.gitc6e4a1e.1]\n- rebase to c6e4a1ebeb1a72b529c6f1b6ee2b1ae5b868b14f\n- https://github.com/opencontainers/runc/pull/1651\n[1.0.0-23.rc4.git1d3ab6d]\n- Resolves: #1524654\n[1.0.0-22.rc4.git1d3ab6d]\n- Many Stability fixes\n- Many fixes for rootless containers\n- Many fixes for static builds\n[1.0.0-21.rc4.dev.gitaea4f21]\n- enable debuginfo and include -buildmode=pie for go build\n[1.0.0-20.rc4.dev.gitaea4f21]\n- use Makefile\n[1.0.0-19.rc4.dev.gitaea4f21]\n- disable debuginfo temporarily\n[1.0.0-18.rc4.dev.gitaea4f21]\n- enable 
debuginfo\n[1.0.0-17.rc4.gitaea4f21]\n- Add container-selinux prerequires to make sure runc is labeled correctly\n[1.0.0-16.rc4.dev.gitaea4f21]\n- correct the release tag 'rc4dev' -> 'rc4.dev' cause I'm OCD\n[1.0.0-15.rc4dev.gitaea4f21]\n- Use the same checkout as Fedora for lates CRI-O\n[1.0.0-14.rc4dev.git84a082b]\n- rebase to 84a082bfef6f932de921437815355186db37aeb1\n[1.0.0-13.rc3.gitd40db12]\n- Resolves: #1479489\n- built commit d40db12\n[1.0.0-12.1.gitf8ce01d]\n- disable s390x temporarily because of indefinite wait times on brew\n[1.0.0-11.1.gitf8ce01d]\n- correct previous bogus date :\n[1.0.0-10.1.gitf8ce01d]\n- Resolves: #1441737 - run sysctl_apply for sysctl knob\n[1.0.0-9.1.gitf8ce01d]\n- Resolves: #1447078 - change default root path\n- add commit e800860 from runc @projectatomic/change-root-path\n[1.0.0-8.1.gitf8ce01d]\n- Resolves: #1441737 - enable kernel sysctl knob /proc/sys/fs/may_detach_mounts\n[1.0.0-7.1.gitf8ce01d]\n- Resolves: #1429675\n- built @opencontainers/master commit f8ce01d\n[1.0.0-4.1.gitee992e5]\n- built @projectatomic/master commit ee992e5\n[1.0.0-3.rc2]\n- Resolves: #1426674\n- built projectatomic/runc_rhel_7 commit 5d93f81\n[1.0.0-2.rc2]\n- Resolves: #1419702 - rebase to latest upstream master\n- built commit b263a43\n[1.0.0-1.rc2]\n- Resolves: #1412239 - *CVE-2016-9962* - set init processes as non-dumpable,\nrunc patch from Michael Crosby \n[0.1.1-6]\n- Resolves: #1373980 - rebuild for 7.3.0\n[0.1.1-5]\n- build with golang >= 1.6.2\n[0.1.1-4]\n- release tags were inconsistent in the previous build\n[0.1.1-1]\n- Resolves: #1341267 - rebase runc to v0.1.1\n[0.1.0-3]\n- add selinux build tag\n- add BR: libseccomp-devel\n[0.1.0-2]\n- Resolves: #1328970 - add seccomp buildtag\n[0.1.0-1]\n- Resolves: rhbz#1328616 - rebase to v0.1.0\n[0.0.8-1.git4155b68]\n- Resolves: rhbz#1277245 - bump to 0.0.8\n- Resolves: rhbz#1302363 - criu is a runtime dep\n- Resolves: rhbz#1302348 - libseccomp-golang is bundled in Godeps\n- manpages 
included\n[1:0.0.5-0.1.git97bc9a7]\n- Update to 0.0.5, introduce Epoch for Fedora due to 0.2 version instead of 0.0.2\n[0.2-0.2.git90e6d37]\n- First package for Fedora\n resolves: #1255179\nskopeo\n[0.1.40-8.0.1]\n- Add oracle registry into the conf file [Orabug: 29845934]\n- Fix oracle registry login issues [Orabug: 29937192]\n[1:0.1.40-8]\n- change the search order of registries and remove quay.io (#1784267)\n[1:0.1.40-7]\n- compile in FIPS mode\n- Related: RHELPLAN-25138\n[1:0.1.40-6]\n- be sure to use golang >= 1.12.12-4\n- Related: RHELPLAN-25138\n[1:0.1.40-5]\n- fix file list\n- Related: RHELPLAN-25138\n[1:0.1.40-4]\n- add missing source files to git\n- Related: RHELPLAN-25138\n[1:0.1.40-3]\n- rebuild because of CVE-2019-9512 and CVE-2019-9514\n- Related: RHELPLAN-25138\n[1:0.1.40-2]\n- comment out mountopt option in order to fix gating tests\n see bug 1769769\n[1:0.1.40-1]\n- update to 0.1.40\n[1:0.1.37-5]\n- Fix CVE-2019-10214 (#1734651).\n[1:0.1.37-4]\n- fix permissions of rhel/secrets\n Resolves: #1691543\n[1:0.1.37-3]\n- Resolves: #1719994 - add registry.access.redhat.com to registries.conf\n[1:0.1.37-2]\n- Resolves: #1721247 - enable fips mode\n[1:0.1.37-1]\n- Resolves: #1720654 - rebase to v0.1.37\n[1:0.1.36-1.git6307635]\n- built upstream tag v0.1.36, including system tests\n[1:0.1.32-4.git1715c90]\n- Fixes @openshift/machine-config-operator#669\n- install /etc/containers/oci/hooks.d and /etc/containers/certs.d\n[1:0.1.32-3.git1715c90]\n- rebase\n[1:0.1.32-2.git1715c90]\n- re-enable debuginfo\n[1:0.1.31-12.gitb0b750d]\n- go tools not in scl anymore\n[1:0.1.31-11.gitb0b750d]\n- Resolves: #1615609\n- built upstream tag v0.1.31\n[1:0.1.31-10.git0144aa8]\n- Resolves: #1616069 - correct order of registries\n[1:0.1.31-9.git0144aa8]\n- Resolves: #1615609 - rebuild with gobuild tag 'no_openssl'\n[1:0.1.31-8.git0144aa8]\n- Resolves: #1614934 - containers-common soft dep on slirp4netns and\nfuse-overlayfs\n[1:0.1.31-7.git0144aa8]\n- build with %gobuild\n- use 
scl-ized go-toolset as dep\n- disable i686 builds temporarily because of go-toolset issues\n[1:0.1.31-6.git0144aa8]\n- add statx to seccomp.json to containers-config\n- add seccomp.json to containers-config\n[1:0.1.31-4.git0144aa8]\n- Resolves: #1597629 - handle dependency issue for skopeo-containers\n- rename skopeo-containers to containers-common as in Fedora\n[1:0.1.31-3.git0144aa8]\n- Resolves: #1583762 - btrfs dep removal needs exclude_graphdriver_btrfs\nbuildtag\n[1:0.1.31-2.git0144aa8]\n- correct bz in previous changelog\n[1:0.1.31-1.git0144aa8]\n- Resolves: #1580938 - resolve FTBFS\n- Resolves: #1583762 - remove dependency on btrfs-progs-devel\n- bump to v0.1.31 (from master)\n- built commit ca3bff6\n- use go-toolset deps for rhel8\n[0.1.29-5.git7add6fc]\n- Fix small typo in registries.conf\n[0.1.29-4.git]\n- Add policy.json.5\n[0.1.29-3.git]\n- Add registries.conf\n[0.1.29-2.git]\n- Add registries.conf man page\n[0.1.29-1.git]\n- bump to 0.1.29-1\n- Updated containers/image\n docker-archive generates docker legacy compatible images\n Do not create subdirectories for layers with no configs\n Ensure the layer IDs in legacy docker/tarfile metadata are unique\n docker-archive: repeated layers are symlinked in the tar file\n sysregistries: remove all trailing slashes\n Improve docker/* error messages\n Fix failure to make auth directory\n Create a new slice in Schema1.UpdateLayerInfos\n Drop unused storageImageDestination.{image,systemContext}\n Load a *storage.Image only once in storageImageSource\n Support gzip for docker-archive files\n Remove .tar extension from blob and config file names\n ostree, src: support copy of compressed layers\n ostree: re-pull layer if it misses uncompressed_digest|uncompressed_size\n image: fix docker schema v1 -> OCI conversion\n Add /etc/containers/certs.d as default certs directory\n[0.1.28-2.git0270e56]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild\n[0.1.28-1.git]\n- Vendor in fixed libraries in 
containers/image and containers/storage\n[0.1.27-1.git]\n- Fix Conflicts to Obsoletes\n- Add better docs to man pages.\n- Use credentials from authfile for skopeo commands\n- Support storage='' in /etc/containers/storage.conf\n- Add global --override-arch and --override-os options\n[0.1.25-2.git2e8377a7]\n- Add manifest type conversion to skopeo copy\n- User can select from 3 manifest types: oci, v2s1, or v2s2\n- e.g skopeo copy --format v2s1 --compress-blobs docker-archive:alp.tar dir:my-directory\n[0.1.25-2.git7fd6f66b]\n- Force storage.conf to default to overlay\n[0.1.25-1.git7fd6f66b]\n- Fix CVE in tar-split\n- copy: add shared blob directory support for OCI sources/destinations\n- Aligning Docker version between containers/image and skopeo\n- Update image-tools, and remove the duplicate Sirupsen/logrus vendor\n- makefile: use -buildmode=pie\n[0.1.24-8.git28d4e08a]\n- Add /usr/share/containers/mounts.conf\n[0.1.24-7.git28d4e08a]\n- Bug fixes\n- Update to release\n[0.1.24-6.dev.git28d4e08]\n- skopeo-containers conflicts with docker-rhsubscription <= 2:1.13.1-31\n[0.1.24-5.dev.git28d4e08]\n- Add rhel subscription secrets data to skopeo-containers\n[0.1.24-4.dev.git28d4e08]\n- Update container/storage.conf and containers-storage.conf man page\n- Default override to true so it is consistent with RHEL.\n[0.1.24-3.dev.git28d4e08]\n- built commit 28d4e08\n[0.1.24-2.dev.git875dd2e]\n- built commit 875dd2e\n- Resolves: gh#416\n[0.1.24-1.dev.gita41cd0]\n- bump to 0.1.24-dev\n- correct a prior bogus date\n- fix macro in comment warning\n[0.1.23-6.dev.git1bbd87]\n- Change name of storage.conf.5 man page to containers-storage.conf.5, since\nit conflicts with inn package\n- Also remove default to 'overalay' in the configuration, since we should\n- allow containers storage to pick the best default for the platform.\n[0.1.23-5.git1bbd87f]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild\n[0.1.23-4.git1bbd87f]\n- Rebuild with binutils fix for 
ppc64le (#1475636)\n[0.1.23-3.git1bbd87f]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild\n[0.1.23-2.dev.git1bbd87]\n- Fix storage.conf man page to be storage.conf.5.gz so that it works.\n[0.1.23-1.dev.git1bbd87]\n- Support for OCI V1.0 Images\n- Update to image-spec v1.0.0 and revendor\n- Fixes for authentication\n[0.1.22-2.dev.git5d24b67]\n- Epoch: 1 for CentOS as CentOS Extras' build already has epoch set to 1\n[0.1.22-1.dev.git5d24b67]\n- Give more useful help when explaining usage\n- Also specify container-storage as a valid transport\n- Remove docker reference wherever possible\n- vendor in ostree fixes\n[0.1.21-1.dev.git0b73154]\n- Add support for storage.conf and storage-config.5.md from github container storage package\n- Bump to the latest version of skopeo\n- vendor.conf: add ostree-go\n- it is used by containers/image for pulling images to the OSTree storage.\n- fail early when image os does not match host os\n- Improve documentation on what to do with containers/image failures in test-skopeo\n- We now have the docker-archive: transport\n- Integration tests with built registries also exist\n- Support /etc/docker/certs.d\n- update image-spec to v1.0.0-rc6\n[0.1.20-1.dev.git0224d8c]\n- BZ #1380078 - New release\n[0.1.19-2.dev.git0224d8c]\n- No golang support for ppc64. Adding exclude arch. 
BZ #1445490\n[0.1.19-1.dev.git0224d8c]\n- bump to v0.1.19-dev\n- built commit 0224d8c\n[0.1.17-3.dev.git2b3af4a]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild\n[0.1.17-2.dev.git2b3af4a]\n- Rebuild for gpgme 1.18\n[0.1.17-1.dev.git2b3af4a]\n- bump to 0.1.17-dev\n[0.1.14-6.git550a480]\n- Fix BZ#1391932\n[0.1.14-5.git550a480]\n- Conflicts with atomic in skopeo-containers\n[0.1.14-4.git550a480]\n- built skopeo-containers\n[0.1.14-3.gitd830391]\n- built mtrmac/integrate-all-the-things commit d830391\n[0.1.14-2.git362bfc5]\n- built commit 362bfc5\n[0.1.14-1.gitffe92ed]\n- build origin/master commit ffe92ed\n[0.1.13-6]\n- https://fedoraproject.org/wiki/Changes/golang1.7\n[0.1.13-5]\n- include go-srpm-macros and compiler(go-compiler) in fedora conditionals\n- define %gobuild if not already\n- add patch to build with older version of golang\n[0.1.13-4]\n- update to v0.1.12\n[0.1.12-3]\n- fix go build source path\n[0.1.12-2]\n- update to v0.1.12\n[0.1.11-1]\n- update to v0.1.11\n[0.1.10-1]\n- update to v0.1.10\n- change runcom -> projectatomic\n[0.1.9-1]\n- update to v0.1.9\n[0.1.8-1]\n- update to v0.1.8\n[0.1.4-2]\n- https://fedoraproject.org/wiki/Changes/golang1.6\n[0.1.4]\n- First package for Fedora\nslirp4netns\n[0.4.2-2.git21fdece]\n- Fix CVE-2020-7039.\n- Related: RHELPLAN-25138\n[0.4.2-1.git21fdece]\n- update to latest 0.4.2, fixes bug 1763454\n- Related: RHELPLAN-25138\n[0.4.0-2]\n- add new BR: libseccomp-devel\n[0.4.0-1]\n- update to v.0.4.0\n- sync with fedora spec\n- drop applied CVE-2019-14378 patch\n[0.3.0-4]\n- Fix CVE-2019-14378 (#1755595).\n[0.3.0-3]\n- Resolves: #1683217 - BR: glib2-devel\n[0.3.0-2]\n- Resolves: #1683217 - bump slirp4netns to v0.3.0\n[0.3.0-1.alpha.2.git30883b5]\n- bump to v0.3.0-alpha.2\n[0.1-2.dev.gitc4e1bc5]\n- changed summary\n[0.1-1.dev.gitc4e1bc5]\n- First package for RHEL 8\n- import from Fedora rawhide\n- Exclude ix86 and ppc64\ntoolbox\n[0.0.4-1.el8]\n- Update for rhel8.1 container-tools 
module\n[0.0.4-1.rhaos4.2.el8]\n- Add help switch per RHBZ#1684258\n- Spec fixes found by rpmlint\n[0.0.3-1.rhaos4.1.el8]\n- Use rhel8/support-tools\n[0.0.2-1.rhaos4.1.el8]\n- Add runlabel options and fix default image\n[0.0.1-1.rhaos4.1.el8]\n- Initial Specfile for Red Hat CoreOS Toolbox\nudica\n[0.2.1-2]\n- initial import to container-tools 8.2.0\n- Related: RHELPLAN-25139\n[0.2.1-1]\n- New rebase https://github.com/containers/udica/releases/tag/v0.2.0\nResolves: rhbz#1757693\n[0.2.0-1]\n- New rebase https://github.com/containers/udica/releases/tag/v0.2.0\nResolves: rhbz#1757693", "edition": 2, "modified": "2020-02-17T00:00:00", "published": "2020-02-17T00:00:00", "id": "ELSA-2020-0348", "href": "http://linux.oracle.com/errata/ELSA-2020-0348.html", "title": "container-tools:ol8 security, bug fix, and enhancement update", "type": "oraclelinux", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}