Source: docker.io Version: 1.13.1~ds2-3 Severity: grave Tags: patch security upstream Forwarded: https://github.com/moby/moby/pull/35399
Hi, The following vulnerability was published for docker.io. CVE-2017-16539[0]: | The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through | 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers | to trigger data loss (when certain older Linux kernels are used) by | leveraging Docker container access to write a "scsi | remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP. There is upstream issue in [1] and the fixed slightly changes for us for the version in unstable. Red Hat has fixed the issue fuer their docker-1.12.1 and docker-1.13.1, cf. [2]. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-16539 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16539 [1] https://github.com/moby/moby/pull/35399 [2] https://bugzilla.redhat.com/show_bug.cgi?id=1516205 [3] https://github.com/moby/moby/pull/35399/commits/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1 Regards, Salvatore
