ID: FEDORA:D861E608A21C
Type: fedora
Reporter: Fedora
Modified: 2016-11-19T21:38:41
Description
Docker is an open-source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that will run virtually anywhere. Docker containers can encapsulate any payload, and will run consistently on and between virtually any server. The same container that a developer builds and tests on a laptop will run at scale, in production*, on VMs, bare-metal servers, OpenStack clusters, public instances, or combinations of the above.
{"id": "FEDORA:D861E608A21C", "type": "fedora", "bulletinFamily": "unix", "title": "[SECURITY] Fedora 25 Update: docker-1.12.3-2.git91ae1d1.fc25", "description": "Docker is an open-source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that will run virtually anywhere. Docker containers can encapsulate any payload, and will run consistently on and between virtually any server. The same container that a developer builds and tests on a laptop will run at scale, in production*, on VMs, bare-metal servers, OpenStack clusters, public instances, or combinations of the above. ", "published": "2016-11-19T21:38:41", "modified": "2016-11-19T21:38:41", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "href": "", "reporter": "Fedora", "references": [], "cvelist": ["CVE-2016-8867"], "lastseen": "2020-12-21T08:17:53", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-8867"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310872001", "OPENVAS:1361412562310872084"]}, {"type": "nessus", "idList": ["OPENSUSE-2016-1400.NASL", "ORACLELINUX_ELSA-2017-3511.NASL", "REDHAT-RHSA-2020-2653.NASL"]}, {"type": "fedora", "idList": ["FEDORA:6FF236101A4A"]}, {"type": "oraclelinux", "idList": ["ELSA-2017-3511"]}, {"type": "redhat", "idList": ["RHSA-2020:2653"]}], "modified": "2020-12-21T08:17:53", "rev": 2}, "score": {"value": 5.0, "vector": "NONE", "modified": "2020-12-21T08:17:53", "rev": 2}, "vulnersScore": 5.0}, "affectedPackage": [{"OS": "Fedora", "OSVersion": "25", "arch": "any", "packageName": "docker", "packageVersion": "1.12.3", "packageFilename": "UNKNOWN", "operator": "lt"}]}
{"cve": [{"lastseen": "2020-10-03T12:10:51", "description": "Docker Engine 1.12.2 enabled ambient capabilities with misconfigured capability policies. This allowed malicious images to bypass user permissions to access files within the container filesystem or mounted volumes.", "edition": 3, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-10-28T15:59:00", "title": "CVE-2016-8867", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8867"], "modified": "2017-07-28T01:29:00", "cpe": ["cpe:/a:docker:docker:1.12.2"], "id": "CVE-2016-8867", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8867", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:docker:docker:1.12.2:*:*:*:*:*:*:*"]}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8867"], "description": "Docker is an open-source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that will run virtually anywhere. 
Docker containers can encapsulate any payload, and will run consistently on and between virtually any server. The same container that a developer builds and tests on a laptop will run at scale, in production*, on VMs, bare-metal servers, OpenStack clusters, public instances, or combinations of the above. ", "modified": "2016-11-19T22:12:15", "published": "2016-11-19T22:12:15", "id": "FEDORA:6FF236101A4A", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: docker-1.12.3-6.git9a594b9.fc25", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "openvas": [{"lastseen": "2019-05-29T18:35:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8867"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-12-07T00:00:00", "id": "OPENVAS:1361412562310872084", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872084", "type": "openvas", "title": "Fedora Update for docker FEDORA-2016-15cf686c8d", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for docker FEDORA-2016-15cf686c8d\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872084\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-07 05:27:06 +0100 (Wed, 07 Dec 2016)\");\n script_cve_id(\"CVE-2016-8867\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for docker FEDORA-2016-15cf686c8d\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'docker'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"docker on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-15cf686c8d\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ILROKC7K3OL5MILWACM6AKLVJ6EZVTB\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"docker\", rpm:\"docker~1.12.3~6.git9a594b9.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:35:43", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8867"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-12-07T00:00:00", "id": "OPENVAS:1361412562310872001", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872001", "type": "openvas", "title": "Fedora Update for docker FEDORA-2016-8e1558d1c6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for docker FEDORA-2016-8e1558d1c6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872001\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-07 05:23:53 +0100 (Wed, 07 Dec 2016)\");\n script_cve_id(\"CVE-2016-8867\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for docker FEDORA-2016-8e1558d1c6\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'docker'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"docker on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-8e1558d1c6\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7AKJI6ML6GT2HZTPXGLOFFOUWBAIZCDA\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"docker\", rpm:\"docker~1.12.3~2.git91ae1d1.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "nessus": [{"lastseen": "2021-01-20T12:29:38", "description": "This update for containerd, docker, runc fixes the following issues :\n\nSecurity issues fixed :\n\n - CVE-2016-8867: Fix ambient capability usage in\n containers (bsc#1007249).\n\nBugfixes :\n\n - boo#1006368: Fixed broken docker/containerd installation\n when installed by SuSE Studio in an appliance.\n\n - boo#1004490: Update docker to 1.12.2\n\n - boo#977394: Fix go version to 1.5.\n\n - boo#999582: Change the internal mountpoint name to not\n use ':' as that character can be considered a special\n character by other tools.\n\n - Update docker to 1.12.3\n\n - https://github.com/docker/docker/releases/tag/v1.12.3\nThis update changes the runc versioning scheme to prevent version downgrades\n (boo#1009961).", "edition": 19, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2016-12-06T00:00:00", "title": "openSUSE Security Update : containerd / docker / runc (openSUSE-2016-1400)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8867"], "modified": "2016-12-06T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:containerd", "p-cpe:/a:novell:opensuse:runc-debuginfo", "p-cpe:/a:novell:opensuse:docker-debugsource", "p-cpe:/a:novell:opensuse:runc-test", "p-cpe:/a:novell:opensuse:docker", "p-cpe:/a:novell:opensuse:docker-test", "p-cpe:/a:novell:opensuse:runc-debugsource", "p-cpe:/a:novell:opensuse:containerd-debugsource", "cpe:/o:novell:opensuse:42.1", "p-cpe:/a:novell:opensuse:runc", 
"p-cpe:/a:novell:opensuse:containerd-ctr", "p-cpe:/a:novell:opensuse:docker-test-debuginfo", "p-cpe:/a:novell:opensuse:docker-zsh-completion", "cpe:/o:novell:opensuse:42.2", "p-cpe:/a:novell:opensuse:containerd-debuginfo", "p-cpe:/a:novell:opensuse:containerd-test", "p-cpe:/a:novell:opensuse:containerd-ctr-debuginfo", "p-cpe:/a:novell:opensuse:docker-debuginfo", "p-cpe:/a:novell:opensuse:docker-bash-completion"], "id": "OPENSUSE-2016-1400.NASL", "href": "https://www.tenable.com/plugins/nessus/95554", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-1400.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(95554);\n script_version(\"2.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-8867\");\n\n script_name(english:\"openSUSE Security Update : containerd / docker / runc (openSUSE-2016-1400)\");\n script_summary(english:\"Check for the openSUSE-2016-1400 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for containerd, docker, runc fixes the following issues :\n\nSecurity issues fixed :\n\n - CVE-2016-8867: Fix ambient capability usage in\n containers (bsc#1007249).\n\nBugfixes :\n\n - boo#1006368: Fixed broken docker/containerd installation\n when installed by SuSE Studio in an appliance.\n\n - boo#1004490: Update docker to 1.12.2\n\n - boo#977394: Fix go version to 1.5.\n\n - boo#999582: Change the internal mountpoint name to not\n use ':' as that character can be considered a special\n character by other tools.\n\n - Update docker to 1.12.3\n\n - 
https://github.com/docker/docker/releases/tag/v1.12.3\nThis update changes the runc versioning scheme to prevent version downgrades\n (boo#1009961).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1004490\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1006368\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1007249\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1009961\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=977394\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=999582\"\n );\n # https://github.com/docker/docker/releases/tag/v1.12.3\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/moby/moby/releases/tag/v1.12.3\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected containerd / docker / runc packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:containerd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:containerd-ctr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:containerd-ctr-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:containerd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:containerd-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:containerd-test\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker-bash-completion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker-test-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker-zsh-completion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:runc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:runc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:runc-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:runc-test\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.1|SUSE42\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.1 / 42.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.1\", reference:\"containerd-0.2.4+gitr565_0366d7e-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"containerd-ctr-0.2.4+gitr565_0366d7e-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"containerd-ctr-debuginfo-0.2.4+gitr565_0366d7e-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"containerd-debuginfo-0.2.4+gitr565_0366d7e-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"containerd-debugsource-0.2.4+gitr565_0366d7e-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"containerd-test-0.2.4+gitr565_0366d7e-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"docker-bash-completion-1.12.3-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"docker-zsh-completion-1.12.3-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"runc-0.1.1+gitr2816_02f8fa7-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"runc-debuginfo-0.1.1+gitr2816_02f8fa7-7.1\") 
) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"runc-debugsource-0.1.1+gitr2816_02f8fa7-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"runc-test-0.1.1+gitr2816_02f8fa7-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"docker-1.12.3-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"docker-debuginfo-1.12.3-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"docker-debugsource-1.12.3-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"docker-test-1.12.3-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"docker-test-debuginfo-1.12.3-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"containerd-test-0.2.4+gitr565_0366d7e-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"docker-bash-completion-1.12.3-22.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"docker-zsh-completion-1.12.3-22.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"runc-test-0.1.1+gitr2816_02f8fa7-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"containerd-0.2.4+gitr565_0366d7e-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"containerd-ctr-0.2.4+gitr565_0366d7e-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"containerd-ctr-debuginfo-0.2.4+gitr565_0366d7e-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"containerd-debuginfo-0.2.4+gitr565_0366d7e-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"containerd-debugsource-0.2.4+gitr565_0366d7e-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"docker-1.12.3-22.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"docker-debuginfo-1.12.3-22.1\") ) flag++;\nif ( 
rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"docker-debugsource-1.12.3-22.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"docker-test-1.12.3-22.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"docker-test-debuginfo-1.12.3-22.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"runc-0.1.1+gitr2816_02f8fa7-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"runc-debuginfo-0.1.1+gitr2816_02f8fa7-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"runc-debugsource-0.1.1+gitr2816_02f8fa7-5.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"containerd / containerd-ctr / containerd-ctr-debuginfo / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-17T12:51:56", "description": "Description of changes:\n\ndocker-engine\n[1.12.6-1.0.1]\n- Enable configuration of Docker daemon via sysconfig [orabug 21804877]\n- Require UEK4 for docker 1.9 [orabug 22235639 22235645]\n- Add docker.conf for prelink [orabug 25147708]\n\n[1.12.6]\n- the systemd unit file (/usr/lib/systemd/system/docker.service) \ncontains local changes, or\n- a systemd drop-in file is present, and contains -H fd:// in the \nExecStart directive\n- Backup the current version of the unit file, and replace the file with the\n- Remove the Requires=docker.socket directive from the \n/usr/lib/systemd/system/docker.service file if present\n- Remove -H fd:// from the ExecStart directive (both in the main unit \nfile, and in any drop-in files present).\n- Fix runC privilege escalation (CVE-2016-9962)\n\n[1.12.5]\n- the systemd unit file 
(/usr/lib/systemd/system/docker.service) \ncontains local changes, or\n- a systemd drop-in file is present, and contains -H fd:// in the \nExecStart directive\n- Backup the current version of the unit file, and replace the file with the\n- Remove the Requires=docker.socket directive from the \n/usr/lib/systemd/system/docker.service file if present\n- Remove -H fd:// from the ExecStart directive (both in the main unit \nfile, and in any drop-in files present).\n- Fix race on sending stdin close event \n[#29424](https://github.com/docker/docker/pull/29424)\n- Fix panic in docker network ls when a network was created with --ipv6 \nand no ipv6 --subnet in older docker versions \n[#29416](https://github.com/docker/docker/pull/29416)\n- Fix compilation on Darwin \n[#29370](https://github.com/docker/docker/pull/29370)\n\n[1.12.4]\n- the systemd unit file (/usr/lib/systemd/system/docker.service) \ncontains local changes, or\n- a systemd drop-in file is present, and contains -H fd:// in the \nExecStart directive\n- Backup the current version of the unit file, and replace the file with the\n- Remove the Requires=docker.socket directive from the \n/usr/lib/systemd/system/docker.service file if present\n- Remove -H fd:// from the ExecStart directive (both in the main unit \nfile, and in any drop-in files present).\n- Fix issue where volume metadata was not removed \n[#29083](https://github.com/docker/docker/pull/29083)\n- Asynchronously close streams to prevent holding container lock \n[#29050](https://github.com/docker/docker/pull/29050)\n- Fix selinux labels for newly created container volumes \n[#29050](https://github.com/docker/docker/pull/29050)\n- Remove hostname validation \n[#28990](https://github.com/docker/docker/pull/28990)\n- Fix deadlocks caused by IO races \n[#29095](https://github.com/docker/docker/pull/29095) \n[#29141](https://github.com/docker/docker/pull/29141)\n- Return an empty stats if the container is restarting 
\n[#29150](https://github.com/docker/docker/pull/29150)\n- Fix volume store locking \n[#29151](https://github.com/docker/docker/pull/29151)\n- Ensure consistent status code in API \n[#29150](https://github.com/docker/docker/pull/29150)\n- Fix incorrect opaque directory permission in overlay2 \n[#29093](https://github.com/docker/docker/pull/29093)\n- Detect plugin content and error out on docker pull \n[#29297](https://github.com/docker/docker/pull/29297)\n- Update Swarmkit [#29047](https://github.com/docker/docker/pull/29047)\n- orchestrator/global: Fix deadlock on updates \n[docker/swarmkit#1760](https://github.com/docker/swarmkit/pull/1760)\n- on leader switchover preserve the vxlan id for existing networks \n[docker/swarmkit#1773](https://github.com/docker/swarmkit/pull/1773)\n- Refuse swarm spec not named 'default' \n[#29152](https://github.com/docker/docker/pull/29152)\n- Update libnetwork \n[#29004](https://github.com/docker/docker/pull/29004) \n[#29146](https://github.com/docker/docker/pull/29146)\n- Fix panic in embedded DNS \n[docker/libnetwork#1561](https://github.com/docker/libnetwork/pull/1561)\n- Fix unmarshalling panic when passing --link-local-ip on global scope \nnetwork \n[docker/libnetwork#1564](https://github.com/docker/libnetwork/pull/1564)\n- Fix panic when network plugin returns nil StaticRoutes \n[docker/libnetwork#1563](https://github.com/docker/libnetwork/pull/1563)\n- Fix panic in osl.(*networkNamespace).DeleteNeighbor \n[docker/libnetwork#1555](https://github.com/docker/libnetwork/pull/1555)\n- Fix panic in swarm networking concurrent map read/write \n[docker/libnetwork#1570](https://github.com/docker/libnetwork/pull/1570)\n- Allow encrypted networks when running docker inside a container \n[docker/libnetwork#1502](https://github.com/docker/libnetwork/pull/1502)\n- Do not block autoallocation of IPv6 pool \n[docker/libnetwork#1538](https://github.com/docker/libnetwork/pull/1538)\n- Set timeout for netlink calls 
\n[docker/libnetwork#1557](https://github.com/docker/libnetwork/pull/1557)\n- Increase networking local store timeout to one minute \n[docker/libkv#140](https://github.com/docker/libkv/pull/140)\n- Fix a panic in libnetwork.(*sandbox).execFunc \n[docker/libnetwork#1556](https://github.com/docker/libnetwork/pull/1556)\n- Honor icc=false for internal networks \n[docker/libnetwork#1525](https://github.com/docker/libnetwork/pull/1525)\n- Update syslog log driver \n[#29150](https://github.com/docker/docker/pull/29150)\n- Run 'dnf upgrade' before installing in fedora \n[#29150](https://github.com/docker/docker/pull/29150)\n- Add build-date back to RPM packages \n[#29150](https://github.com/docker/docker/pull/29150)\n- deb package filename changed to include distro to distinguish between \ndistro code names [#27829](https://github.com/docker/docker/pull/27829)\n\n[1.12.3]\n- the systemd unit file (/usr/lib/systemd/system/docker.service) \ncontains local changes, or\n- a systemd drop-in file is present, and contains -H fd:// in the \nExecStart directive\n- Backup the current version of the unit file, and replace the file with the\n- Remove the Requires=docker.socket directive from the \n/usr/lib/systemd/system/docker.service file if present\n- Remove -H fd:// from the ExecStart directive (both in the main unit \nfile, and in any drop-in files present).\n- Fix ambient capability usage in containers (CVE-2016-8867) \n[#27610](https://github.com/docker/docker/pull/27610)\n- Prevent a deadlock in libcontainerd for Windows \n[#27136](https://github.com/docker/docker/pull/27136)\n- Fix error reporting in CopyFileWithTar \n[#27075](https://github.com/docker/docker/pull/27075)\n- Reset health status to starting when a container is restarted \n[#27387](https://github.com/docker/docker/pull/27387)\n- Properly handle shared mount propagation in storage directory \n[#27609](https://github.com/docker/docker/pull/27609)\n- Fix docker exec 
[#27610](https://github.com/docker/docker/pull/27610)\n- Fix backward compatibility with containerd's events log \n[#27693](https://github.com/docker/docker/pull/27693)\n- Fix conversion of restart-policy \n[#27062](https://github.com/docker/docker/pull/27062)\n- Update Swarmkit [#27554](https://github.com/docker/docker/pull/27554)\n- Avoid restarting a task that has already been restarted \n[docker/swarmkit#1305](https://github.com/docker/swarmkit/pull/1305)\n- Allow duplicate published ports when they use different protocols \n[docker/swarmkit#1632](https://github.com/docker/swarmkit/pull/1632)\n- Allow multiple randomly assigned published ports on service \n[docker/swarmkit#1657](https://github.com/docker/swarmkit/pull/1657)\n- Fix panic when allocations happen at init time \n[docker/swarmkit#1651](https://github.com/docker/swarmkit/pull/1651)\n- Update libnetwork [#27559](https://github.com/docker/docker/pull/27559)\n- Fix race in serializing sandbox to string \n[docker/libnetwork#1495](https://github.com/docker/libnetwork/pull/1495)\n- Fix race during deletion \n[docker/libnetwork#1503](https://github.com/docker/libnetwork/pull/1503)\n- Reset endpoint port info on connectivity revoke in bridge driver \n[docker/libnetwork#1504](https://github.com/docker/libnetwork/pull/1504)\n- Fix a deadlock in networking code \n[docker/libnetwork#1507](https://github.com/docker/libnetwork/pull/1507)\n- Fix a race in load balancer state \n[docker/libnetwork#1512](https://github.com/docker/libnetwork/pull/1512)\n- Update fluent-logger-golang to v1.2.1 \n[#27474](https://github.com/docker/docker/pull/27474)\n- Update buildtags for armhf ubuntu-trusty \n[#27327](https://github.com/docker/docker/pull/27327)\n- Add AppArmor to runc buildtags for armhf \n[#27421](https://github.com/docker/docker/pull/27421)", "edition": 24, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-01-18T00:00:00", "title": "Oracle Linux 6 / 7 : docker-engine 
/ docker-engine-selinux (ELSA-2017-3511)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8867", "CVE-2016-9962"], "modified": "2017-01-18T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:docker-engine-selinux", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:docker-engine"], "id": "ORACLELINUX_ELSA-2017-3511.NASL", "href": "https://www.tenable.com/plugins/nessus/96589", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2017-3511.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96589);\n script_version(\"3.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-8867\", \"CVE-2016-9962\");\n\n script_name(english:\"Oracle Linux 6 / 7 : docker-engine / docker-engine-selinux (ELSA-2017-3511)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Description of changes:\n\ndocker-engine\n[1.12.6-1.0.1]\n- Enable configuration of Docker daemon via sysconfig [orabug 21804877]\n- Require UEK4 for docker 1.9 [orabug 22235639 22235645]\n- Add docker.conf for prelink [orabug 25147708]\n\n[1.12.6]\n- the systemd unit file (/usr/lib/systemd/system/docker.service) \ncontains local changes, or\n- a systemd drop-in file is present, and contains -H fd:// in the \nExecStart directive\n- Backup the current version of the unit file, and replace the file with the\n- Remove the Requires=docker.socket directive from the \n/usr/lib/systemd/system/docker.service file if present\n- Remove -H fd:// from the ExecStart directive (both in the main unit \nfile, and 
in any drop-in files present).\n- Fix runC privilege escalation (CVE-2016-9962)\n\n[1.12.5]\n- the systemd unit file (/usr/lib/systemd/system/docker.service) \ncontains local changes, or\n- a systemd drop-in file is present, and contains -H fd:// in the \nExecStart directive\n- Backup the current version of the unit file, and replace the file with the\n- Remove the Requires=docker.socket directive from the \n/usr/lib/systemd/system/docker.service file if present\n- Remove -H fd:// from the ExecStart directive (both in the main unit \nfile, and in any drop-in files present).\n- Fix race on sending stdin close event \n[#29424](https://github.com/docker/docker/pull/29424)\n- Fix panic in docker network ls when a network was created with --ipv6 \nand no ipv6 --subnet in older docker versions \n[#29416](https://github.com/docker/docker/pull/29416)\n- Fix compilation on Darwin \n[#29370](https://github.com/docker/docker/pull/29370)\n\n[1.12.4]\n- the systemd unit file (/usr/lib/systemd/system/docker.service) \ncontains local changes, or\n- a systemd drop-in file is present, and contains -H fd:// in the \nExecStart directive\n- Backup the current version of the unit file, and replace the file with the\n- Remove the Requires=docker.socket directive from the \n/usr/lib/systemd/system/docker.service file if present\n- Remove -H fd:// from the ExecStart directive (both in the main unit \nfile, and in any drop-in files present).\n- Fix issue where volume metadata was not removed \n[#29083](https://github.com/docker/docker/pull/29083)\n- Asynchronously close streams to prevent holding container lock \n[#29050](https://github.com/docker/docker/pull/29050)\n- Fix selinux labels for newly created container volumes \n[#29050](https://github.com/docker/docker/pull/29050)\n- Remove hostname validation \n[#28990](https://github.com/docker/docker/pull/28990)\n- Fix deadlocks caused by IO races \n[#29095](https://github.com/docker/docker/pull/29095) 
\n[#29141](https://github.com/docker/docker/pull/29141)\n- Return an empty stats if the container is restarting \n[#29150](https://github.com/docker/docker/pull/29150)\n- Fix volume store locking \n[#29151](https://github.com/docker/docker/pull/29151)\n- Ensure consistent status code in API \n[#29150](https://github.com/docker/docker/pull/29150)\n- Fix incorrect opaque directory permission in overlay2 \n[#29093](https://github.com/docker/docker/pull/29093)\n- Detect plugin content and error out on docker pull \n[#29297](https://github.com/docker/docker/pull/29297)\n- Update Swarmkit [#29047](https://github.com/docker/docker/pull/29047)\n- orchestrator/global: Fix deadlock on updates \n[docker/swarmkit#1760](https://github.com/docker/swarmkit/pull/1760)\n- on leader switchover preserve the vxlan id for existing networks \n[docker/swarmkit#1773](https://github.com/docker/swarmkit/pull/1773)\n- Refuse swarm spec not named 'default' \n[#29152](https://github.com/docker/docker/pull/29152)\n- Update libnetwork \n[#29004](https://github.com/docker/docker/pull/29004) \n[#29146](https://github.com/docker/docker/pull/29146)\n- Fix panic in embedded DNS \n[docker/libnetwork#1561](https://github.com/docker/libnetwork/pull/1561)\n- Fix unmarhalling panic when passing --link-local-ip on global scope \nnetwork \n[docker/libnetwork#1564](https://github.com/docker/libnetwork/pull/1564)\n- Fix panic when network plugin returns nil StaticRoutes \n[docker/libnetwork#1563](https://github.com/docker/libnetwork/pull/1563)\n- Fix panic in osl.(*networkNamespace).DeleteNeighbor \n[docker/libnetwork#1555](https://github.com/docker/libnetwork/pull/1555)\n- Fix panic in swarm networking concurrent map read/write \n[docker/libnetwork#1570](https://github.com/docker/libnetwork/pull/1570)\n- Allow encrypted networks when running docker inside a container \n[docker/libnetwork#1502](https://github.com/docker/libnetwork/pull/1502)\n- Do not block autoallocation of IPv6 pool 
\n[docker/libnetwork#1538](https://github.com/docker/libnetwork/pull/1538)\n- Set timeout for netlink calls \n[docker/libnetwork#1557](https://github.com/docker/libnetwork/pull/1557)\n- Increase networking local store timeout to one minute \n[docker/libkv#140](https://github.com/docker/libkv/pull/140)\n- Fix a panic in libnetwork.(*sandbox).execFunc \n[docker/libnetwork#1556](https://github.com/docker/libnetwork/pull/1556)\n- Honor icc=false for internal networks \n[docker/libnetwork#1525](https://github.com/docker/libnetwork/pull/1525)\n- Update syslog log driver \n[#29150](https://github.com/docker/docker/pull/29150)\n- Run 'dnf upgrade' before installing in fedora \n[#29150](https://github.com/docker/docker/pull/29150)\n- Add build-date back to RPM packages \n[#29150](https://github.com/docker/docker/pull/29150)\n- deb package filename changed to include distro to distinguish between \ndistro code names [#27829](https://github.com/docker/docker/pull/27829)\n\n[1.12.3]\n- the systemd unit file (/usr/lib/systemd/system/docker.service) \ncontains local changes, or\n- a systemd drop-in file is present, and contains -H fd:// in the \nExecStart directive\n- Backup the current version of the unit file, and replace the file with the\n- Remove the Requires=docker.socket directive from the \n/usr/lib/systemd/system/docker.service file if present\n- Remove -H fd:// from the ExecStart directive (both in the main unit \nfile, and in any drop-in files present).\n- Fix ambient capability usage in containers (CVE-2016-8867) \n[#27610](https://github.com/docker/docker/pull/27610)\n- Prevent a deadlock in libcontainerd for Windows \n[#27136](https://github.com/docker/docker/pull/27136)\n- Fix error reporting in CopyFileWithTar \n[#27075](https://github.com/docker/docker/pull/27075)\n- Reset health status to starting when a container is restarted \n[#27387](https://github.com/docker/docker/pull/27387)\n- Properly handle shared mount propagation in storage directory 
\n[#27609](https://github.com/docker/docker/pull/27609)\n- Fix docker exec [#27610](https://github.com/docker/docker/pull/27610)\n- Fix backward compatibility with containerd's events log \n[#27693](https://github.com/docker/docker/pull/27693)\n- Fix conversion of restart-policy \n[#27062](https://github.com/docker/docker/pull/27062)\n- Update Swarmkit [#27554](https://github.com/docker/docker/pull/27554)\n- Avoid restarting a task that has already been restarted \n[docker/swarmkit#1305](https://github.com/docker/swarmkit/pull/1305)\n- Allow duplicate published ports when they use different protocols \n[docker/swarmkit#1632](https://github.com/docker/swarmkit/pull/1632)\n- Allow multiple randomly assigned published ports on service \n[docker/swarmkit#1657](https://github.com/docker/swarmkit/pull/1657)\n- Fix panic when allocations happen at init time \n[docker/swarmkit#1651](https://github.com/docker/swarmkit/pull/1651)\n- Update libnetwork [#27559](https://github.com/docker/docker/pull/27559)\n- Fix race in serializing sandbox to string \n[docker/libnetwork#1495](https://github.com/docker/libnetwork/pull/1495)\n- Fix race during deletion \n[docker/libnetwork#1503](https://github.com/docker/libnetwork/pull/1503)\n- Reset endpoint port info on connectivity revoke in bridge driver \n[docker/libnetwork#1504](https://github.com/docker/libnetwork/pull/1504)\n- Fix a deadlock in networking code \n[docker/libnetwork#1507](https://github.com/docker/libnetwork/pull/1507)\n- Fix a race in load balancer state \n[docker/libnetwork#1512](https://github.com/docker/libnetwork/pull/1512)\n- Update fluent-logger-golang to v1.2.1 \n[#27474](https://github.com/docker/docker/pull/27474)\n- Update buildtags for armhf ubuntu-trusty \n[#27327](https://github.com/docker/docker/pull/27327)\n- Add AppArmor to runc buildtags for armhf \n[#27421](https://github.com/docker/docker/pull/27421)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://oss.oracle.com/pipermail/el-errata/2017-January/006647.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2017-January/006648.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected docker-engine and / or docker-engine-selinux\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:docker-engine\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:docker-engine-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/10/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6 / 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"docker-engine-1.12.6-1.0.1.el6\")) flag++;\n\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"docker-engine-1.12.6-1.0.1.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"docker-engine-selinux-1.12.6-1.0.1.el7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else 
audit(AUDIT_PACKAGE_NOT_INSTALLED, \"docker-engine / docker-engine-selinux\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-11-21T06:01:44", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2653 advisory.\n\n - docker: Ambient capability usage in containers (CVE-2016-8867)\n\n - docker: Security regression of CVE-2019-5736 due to inclusion of vulnerable runc (CVE-2020-14298)\n\n - docker: Security regression of CVE-2016-9962 due to inclusion of vulnerable runc (CVE-2020-14300)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "edition": 4, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2020-06-24T00:00:00", "title": "RHEL 7 : docker (RHSA-2020:2653)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-14298", "CVE-2016-8867", "CVE-2016-9962", "CVE-2019-5736", "CVE-2020-14300"], "modified": "2020-06-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:docker", "p-cpe:/a:redhat:enterprise_linux:docker-lvm-plugin", "p-cpe:/a:redhat:enterprise_linux:docker-common", "p-cpe:/a:redhat:enterprise_linux:docker-logrotate", "p-cpe:/a:redhat:enterprise_linux:docker-rhel-push-plugin", "cpe:/o:redhat:enterprise_linux:7", "cpe:/a:redhat:rhel_extras_other:7", "p-cpe:/a:redhat:enterprise_linux:docker-client", "p-cpe:/a:redhat:enterprise_linux:docker-novolume-plugin", "p-cpe:/a:redhat:enterprise_linux:docker-v1.10-migrator"], "id": "REDHAT-RHSA-2020-2653.NASL", "href": "https://www.tenable.com/plugins/nessus/137755", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:2653. 
The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137755);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/19\");\n\n script_cve_id(\"CVE-2016-8867\", \"CVE-2020-14298\", \"CVE-2020-14300\");\n script_bugtraq_id(94228);\n script_xref(name:\"RHSA\", value:\"2020:2653\");\n\n script_name(english:\"RHEL 7 : docker (RHSA-2020:2653)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2653 advisory.\n\n - docker: Ambient capability usage in containers (CVE-2016-8867)\n\n - docker: Security regression of CVE-2019-5736 due to inclusion of vulnerable runc (CVE-2020-14298)\n\n - docker: Security regression of CVE-2016-9962 due to inclusion of vulnerable runc (CVE-2020-14300)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/271.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2016-8867\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-14298\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-14300\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:2653\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1390163\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.redhat.com/1848239\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1848829\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-8867\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_cwe_id(271);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/10/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_extras_other:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-logrotate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-lvm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-novolume-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-rhel-push-plugin\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:docker-v1.10-migrator\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nrepositories = {\n 'rhel_extras_other_7': [\n 'rhel-7-desktop-extras-debug-rpms',\n 'rhel-7-desktop-extras-rpms',\n 'rhel-7-desktop-extras-source-rpms',\n 'rhel-7-for-system-z-a-extras-debug-rpms',\n 'rhel-7-for-system-z-a-extras-rpms',\n 'rhel-7-for-system-z-a-extras-source-rpms',\n 'rhel-7-for-system-z-extras-debug-rpms',\n 'rhel-7-for-system-z-extras-rpms',\n 'rhel-7-for-system-z-extras-source-rpms',\n 'rhel-7-server-extras-debug-rpms',\n 'rhel-7-server-extras-rpms',\n 'rhel-7-server-extras-source-rpms',\n 'rhel-7-workstation-extras-debug-rpms',\n 'rhel-7-workstation-extras-rpms',\n 'rhel-7-workstation-extras-source-rpms'\n ]\n};\n\nfound_repos = NULL;\nhost_repo_list = get_kb_list('Host/RedHat/repo-list/*');\nif (!(empty_or_null(host_repo_list))) {\n found_repos = make_list();\n foreach repo_key (keys(repositories)) {\n foreach repo ( repositories[repo_key] ) {\n if (get_kb_item('Host/RedHat/repo-list/' + repo)) {\n append_element(var:found_repos, value:repo_key);\n break;\n }\n }\n }\n if(empty_or_null(found_repos)) audit(AUDIT_RHSA_NOT_AFFECTED, 'RHSA-2020:2653');\n}\n\npkgs = [\n {'reference':'docker-1.13.1-162.git64e9980.el7_8', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2', 'repo_list':['rhel_extras_other_7']},\n {'reference':'docker-1.13.1-162.git64e9980.el7_8', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2', 'repo_list':['rhel_extras_other_7']},\n {'reference':'docker-client-1.13.1-162.git64e9980.el7_8', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2', 
'repo_list':['rhel_extras_other_7']},\n {'reference':'docker-client-1.13.1-162.git64e9980.el7_8', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2', 'repo_list':['rhel_extras_other_7']},\n {'reference':'docker-common-1.13.1-162.git64e9980.el7_8', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2', 'repo_list':['rhel_extras_other_7']},\n {'reference':'docker-common-1.13.1-162.git64e9980.el7_8', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2', 'repo_list':['rhel_extras_other_7']},\n {'reference':'docker-logrotate-1.13.1-162.git64e9980.el7_8', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2', 'repo_list':['rhel_extras_other_7']},\n {'reference':'docker-logrotate-1.13.1-162.git64e9980.el7_8', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2', 'repo_list':['rhel_extras_other_7']},\n {'reference':'docker-lvm-plugin-1.13.1-162.git64e9980.el7_8', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2', 'repo_list':['rhel_extras_other_7']},\n {'reference':'docker-lvm-plugin-1.13.1-162.git64e9980.el7_8', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2', 'repo_list':['rhel_extras_other_7']},\n {'reference':'docker-novolume-plugin-1.13.1-162.git64e9980.el7_8', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2', 'repo_list':['rhel_extras_other_7']},\n {'reference':'docker-novolume-plugin-1.13.1-162.git64e9980.el7_8', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2', 'repo_list':['rhel_extras_other_7']},\n {'reference':'docker-rhel-push-plugin-1.13.1-162.git64e9980.el7_8', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2', 'repo_list':['rhel_extras_other_7']},\n {'reference':'docker-rhel-push-plugin-1.13.1-162.git64e9980.el7_8', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2', 'repo_list':['rhel_extras_other_7']},\n 
{'reference':'docker-v1.10-migrator-1.13.1-162.git64e9980.el7_8', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2', 'repo_list':['rhel_extras_other_7']},\n {'reference':'docker-v1.10-migrator-1.13.1-162.git64e9980.el7_8', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2', 'repo_list':['rhel_extras_other_7']}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n repocheck = FALSE;\n if (empty_or_null(found_repos))\n {\n repocheck = TRUE;\n }\n else\n {\n foreach repo (repo_list) {\n if (contains_element(var:found_repos, value:repo))\n {\n repocheck = TRUE;\n break;\n }\n }\n }\n if (repocheck && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n if (empty_or_null(host_repo_list)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 
0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'docker / docker-client / docker-common / docker-logrotate / etc');\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:34:10", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8867", "CVE-2016-9962"], "description": "[1.12.6-1.0.1]\n- Enable configuration of Docker daemon via sysconfig [orabug 21804877]\n- Require UEK4 for docker 1.9 [orabug 22235639 22235645]\n- Add docker.conf for prelink [orabug 25147708]\n[1.12.6]\n- the systemd unit file (/usr/lib/systemd/system/docker.service) contains local changes, or\n- a systemd drop-in file is present, and contains -H fd:// in the ExecStart directive\n- Backup the current version of the unit file, and replace the file with the\n- Remove the Requires=docker.socket directive from the /usr/lib/systemd/system/docker.service file if present\n- Remove -H fd:// from the ExecStart directive (both in the main unit file, and in any drop-in files present).\n- Fix runC privilege escalation (CVE-2016-9962)\n[1.12.5]\n- the systemd unit file (/usr/lib/systemd/system/docker.service) contains local changes, or\n- a systemd drop-in file is present, and contains -H fd:// in the ExecStart directive\n- Backup the current version of the unit file, and replace the file with the\n- Remove the Requires=docker.socket directive from the /usr/lib/systemd/system/docker.service file if present\n- Remove -H fd:// from the ExecStart directive (both in the main unit file, and in any drop-in files present).\n- Fix race on sending stdin close event [#29424](https://github.com/docker/docker/pull/29424)\n- Fix panic in docker network ls when a network was created with --ipv6 and no ipv6 --subnet in older docker versions [#29416](https://github.com/docker/docker/pull/29416)\n- Fix compilation 
on Darwin [#29370](https://github.com/docker/docker/pull/29370)\n[1.12.4]\n- the systemd unit file (/usr/lib/systemd/system/docker.service) contains local changes, or\n- a systemd drop-in file is present, and contains -H fd:// in the ExecStart directive\n- Backup the current version of the unit file, and replace the file with the\n- Remove the Requires=docker.socket directive from the /usr/lib/systemd/system/docker.service file if present\n- Remove -H fd:// from the ExecStart directive (both in the main unit file, and in any drop-in files present).\n- Fix issue where volume metadata was not removed [#29083](https://github.com/docker/docker/pull/29083)\n- Asynchronously close streams to prevent holding container lock [#29050](https://github.com/docker/docker/pull/29050)\n- Fix selinux labels for newly created container volumes [#29050](https://github.com/docker/docker/pull/29050)\n- Remove hostname validation [#28990](https://github.com/docker/docker/pull/28990)\n- Fix deadlocks caused by IO races [#29095](https://github.com/docker/docker/pull/29095) [#29141](https://github.com/docker/docker/pull/29141)\n- Return an empty stats if the container is restarting [#29150](https://github.com/docker/docker/pull/29150)\n- Fix volume store locking [#29151](https://github.com/docker/docker/pull/29151)\n- Ensure consistent status code in API [#29150](https://github.com/docker/docker/pull/29150)\n- Fix incorrect opaque directory permission in overlay2 [#29093](https://github.com/docker/docker/pull/29093)\n- Detect plugin content and error out on docker pull [#29297](https://github.com/docker/docker/pull/29297)\n- Update Swarmkit [#29047](https://github.com/docker/docker/pull/29047)\n- orchestrator/global: Fix deadlock on updates [docker/swarmkit#1760](https://github.com/docker/swarmkit/pull/1760)\n- on leader switchover preserve the vxlan id for existing networks [docker/swarmkit#1773](https://github.com/docker/swarmkit/pull/1773)\n- Refuse swarm spec not named 'default' 
[#29152](https://github.com/docker/docker/pull/29152)\n- Update libnetwork [#29004](https://github.com/docker/docker/pull/29004) [#29146](https://github.com/docker/docker/pull/29146)\n- Fix panic in embedded DNS [docker/libnetwork#1561](https://github.com/docker/libnetwork/pull/1561)\n- Fix unmarhalling panic when passing --link-local-ip on global scope network [docker/libnetwork#1564](https://github.com/docker/libnetwork/pull/1564)\n- Fix panic when network plugin returns nil StaticRoutes [docker/libnetwork#1563](https://github.com/docker/libnetwork/pull/1563)\n- Fix panic in osl.(*networkNamespace).DeleteNeighbor [docker/libnetwork#1555](https://github.com/docker/libnetwork/pull/1555)\n- Fix panic in swarm networking concurrent map read/write [docker/libnetwork#1570](https://github.com/docker/libnetwork/pull/1570)\n- Allow encrypted networks when running docker inside a container [docker/libnetwork#1502](https://github.com/docker/libnetwork/pull/1502)\n- Do not block autoallocation of IPv6 pool [docker/libnetwork#1538](https://github.com/docker/libnetwork/pull/1538)\n- Set timeout for netlink calls [docker/libnetwork#1557](https://github.com/docker/libnetwork/pull/1557)\n- Increase networking local store timeout to one minute [docker/libkv#140](https://github.com/docker/libkv/pull/140)\n- Fix a panic in libnetwork.(*sandbox).execFunc [docker/libnetwork#1556](https://github.com/docker/libnetwork/pull/1556)\n- Honor icc=false for internal networks [docker/libnetwork#1525](https://github.com/docker/libnetwork/pull/1525)\n- Update syslog log driver [#29150](https://github.com/docker/docker/pull/29150)\n- Run 'dnf upgrade' before installing in fedora [#29150](https://github.com/docker/docker/pull/29150)\n- Add build-date back to RPM packages [#29150](https://github.com/docker/docker/pull/29150)\n- deb package filename changed to include distro to distinguish between distro code names [#27829](https://github.com/docker/docker/pull/27829)\n[1.12.3]\n- the systemd unit 
file (/usr/lib/systemd/system/docker.service) contains local changes, or\n- a systemd drop-in file is present, and contains -H fd:// in the ExecStart directive\n- Backup the current version of the unit file, and replace the file with the\n- Remove the Requires=docker.socket directive from the /usr/lib/systemd/system/docker.service file if present\n- Remove -H fd:// from the ExecStart directive (both in the main unit file, and in any drop-in files present).\n- Fix ambient capability usage in containers (CVE-2016-8867) [#27610](https://github.com/docker/docker/pull/27610)\n- Prevent a deadlock in libcontainerd for Windows [#27136](https://github.com/docker/docker/pull/27136)\n- Fix error reporting in CopyFileWithTar [#27075](https://github.com/docker/docker/pull/27075)\n- Reset health status to starting when a container is restarted [#27387](https://github.com/docker/docker/pull/27387)\n- Properly handle shared mount propagation in storage directory [#27609](https://github.com/docker/docker/pull/27609)\n- Fix docker exec [#27610](https://github.com/docker/docker/pull/27610)\n- Fix backward compatibility with containerd's events log [#27693](https://github.com/docker/docker/pull/27693)\n- Fix conversion of restart-policy [#27062](https://github.com/docker/docker/pull/27062)\n- Update Swarmkit [#27554](https://github.com/docker/docker/pull/27554)\n- Avoid restarting a task that has already been restarted [docker/swarmkit#1305](https://github.com/docker/swarmkit/pull/1305)\n- Allow duplicate published ports when they use different protocols [docker/swarmkit#1632](https://github.com/docker/swarmkit/pull/1632)\n- Allow multiple randomly assigned published ports on service [docker/swarmkit#1657](https://github.com/docker/swarmkit/pull/1657)\n- Fix panic when allocations happen at init time [docker/swarmkit#1651](https://github.com/docker/swarmkit/pull/1651)\n- Update libnetwork [#27559](https://github.com/docker/docker/pull/27559)\n- Fix race in serializing sandbox to 
string [docker/libnetwork#1495](https://github.com/docker/libnetwork/pull/1495)\n- Fix race during deletion [docker/libnetwork#1503](https://github.com/docker/libnetwork/pull/1503)\n- Reset endpoint port info on connectivity revoke in bridge driver [docker/libnetwork#1504](https://github.com/docker/libnetwork/pull/1504)\n- Fix a deadlock in networking code [docker/libnetwork#1507](https://github.com/docker/libnetwork/pull/1507)\n- Fix a race in load balancer state [docker/libnetwork#1512](https://github.com/docker/libnetwork/pull/1512)\n- Update fluent-logger-golang to v1.2.1 [#27474](https://github.com/docker/docker/pull/27474)\n- Update buildtags for armhf ubuntu-trusty [#27327](https://github.com/docker/docker/pull/27327)\n- Add AppArmor to runc buildtags for armhf [#27421](https://github.com/docker/docker/pull/27421)", "edition": 4, "modified": "2017-01-13T00:00:00", "published": "2017-01-13T00:00:00", "id": "ELSA-2017-3511", "href": "http://linux.oracle.com/errata/ELSA-2017-3511.html", "title": "docker-engine docker-engine-selinux security and bugfix update", "type": "oraclelinux", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "redhat": [{"lastseen": "2020-06-23T19:55:15", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8867", "CVE-2016-9962", "CVE-2019-5736", "CVE-2020-14298", "CVE-2020-14300"], "description": "Docker is an open-source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that runs virtually anywhere. 
\n\nSecurity Fix(es):\n\n* docker: Ambient capability usage in containers (CVE-2016-8867)\n\n* docker: Security regression of CVE-2019-5736 due to inclusion of vulnerable runc (CVE-2020-14298)\n\n* docker: Security regression of CVE-2016-9962 due to inclusion of vulnerable runc (CVE-2020-14300)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-06-23T23:38:01", "published": "2020-06-23T23:31:12", "id": "RHSA-2020:2653", "href": "https://access.redhat.com/errata/RHSA-2020:2653", "type": "redhat", "title": "(RHSA-2020:2653) Important: docker security update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}