On Sun, Jun 14, 2020 at 11:23:41PM +0200, Felix Geyer wrote:
> Hi security team / maintainers,
>
> On Wed, 03 Jun 2020 20:58:53 +0200 Salvatore Bonaccorso <car...@debian.org>
> wrote:
> > Source: docker.io
> > Version: 19.03.7+dfsg1-3
> > Severity: important
> > Tags: security upstream
> >
> > Hi,
> >
> > The following vulnerability was published for docker.io.
> >
> > CVE-2020-13401[0]:
> > | An issue was discovered in Docker Engine before 19.03.11. An attacker
> > | in a container, with the CAP_NET_RAW capability, can craft IPv6 router
> > | advertisements, and consequently spoof external IPv6 hosts, obtain
> > | sensitive information, or cause a denial of service.
>
> I've prepared an update for buster-security (debdiff attached).
> With the update accept_ra is correctly set to 0 for bridges Docker creates.

DSA has been released, thanks Felix! There was some delay since docker.io
makes excessive use of Built-Using, which (currently) needs manual FTP
master action the first time a package gets updated in foo-security. This
won't be needed again for further potential docker.io security updates
in buster-security.

Cheers,
        Moritz
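
One way to confirm on a host that bridges have accept_ra set to 0, as described in the thread above. This is an added example, not part of the original messages or of the Debian update. The function names and the root-prefix parameter are hypothetical; the check covers every Linux bridge device (recognised by its sysfs `bridge` directory), not only the ones Docker creates, and the fixture tree is constructed.

```shell
#!/bin/sh
# Added example: report the IPv6 accept_ra sysctl for every bridge device.
# $1 is a hypothetical root prefix so the check can run against a
# constructed tree; call with no argument to inspect the live system.
audit_accept_ra() {
    root="${1:-}"
    bad=0
    for brdir in "$root"/sys/class/net/*/bridge; do
        [ -d "$brdir" ] || continue      # glob matched nothing / not a bridge
        ifname=$(basename "$(dirname "$brdir")")
        knob="$root/proc/sys/net/ipv6/conf/$ifname/accept_ra"
        if [ ! -r "$knob" ]; then
            echo "$ifname: no IPv6 sysctl (IPv6 disabled on this interface?)"
            continue
        fi
        val=$(cat "$knob")
        if [ "$val" = "0" ]; then
            echo "$ifname: accept_ra=0 ok"
        else
            echo "$ifname: accept_ra=$val ACCEPTS-RA"
            bad=1
        fi
    done
    return "$bad"                        # non-zero if any bridge accepts RAs
}

# Constructed fixture: docker0 with accept_ra=0, br-test with accept_ra=1,
# and eth0, which is not a bridge and must be ignored by the audit.
make_fixture() {
    fx=$(mktemp -d)
    for i in docker0 br-test; do
        mkdir -p "$fx/sys/class/net/$i/bridge" "$fx/proc/sys/net/ipv6/conf/$i"
    done
    mkdir -p "$fx/sys/class/net/eth0" "$fx/proc/sys/net/ipv6/conf/eth0"
    echo 0 > "$fx/proc/sys/net/ipv6/conf/docker0/accept_ra"
    echo 1 > "$fx/proc/sys/net/ipv6/conf/br-test/accept_ra"
    echo 1 > "$fx/proc/sys/net/ipv6/conf/eth0/accept_ra"
    echo "$fx"
}

# Demo run against the constructed fixture.
demo=$(make_fixture)
audit_accept_ra "$demo" || echo "at least one bridge still accepts router advertisements"
rm -rf "$demo"
```

On a real host, run `audit_accept_ra` with no argument after the containers' networks have been created; a non-zero exit status means at least one bridge does not have accept_ra set to 0.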