Your message dated Sat, 09 Jun 2018 05:34:44 +0000
with message-id <e1frwws-000bht...@fasolo.debian.org>
and subject line Bug#900140: fixed in docker.io 1.13.1~ds3-1
has caused the Debian Bug report #900140,
regarding docker.io: CVE-2017-16539: The DefaultLinuxSpec function does not block /proc/scsi pathnames
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
900140: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900140
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: docker.io
Version: 1.13.1~ds2-3
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/moby/moby/pull/35399

Hi,

The following vulnerability was published for docker.io.

CVE-2017-16539[0]:
| The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through
| 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers
| to trigger data loss (when certain older Linux kernels are used) by
| leveraging Docker container access to write a "scsi
| remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP.

There is an upstream issue in [1], and the fix slightly changes for us
for the version in unstable. Red Hat has fixed the issue for their
docker-1.12.1 and docker-1.13.1, cf. [2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16539
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16539
[1] https://github.com/moby/moby/pull/35399
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1516205
[3] https://github.com/moby/moby/pull/35399/commits/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1

Regards,
Salvatore

--- End Message ---
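The fix upstream is a masking change: the container's view of /proc/scsi has to be hidden by the OCI spec Docker generates. As an added example (not code from the bug report or from the Moby project), the Go audit below parses an OCI runtime config.json and reports which required paths its linux.maskedPaths leaves exposed; the sample spec is constructed, and the required list is the /proc/scsi path this CVE concerns.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ociSpec mirrors only the part of an OCI runtime config.json this check reads.
type ociSpec struct {
	Linux *struct{ MaskedPaths []string `json:"maskedPaths"` } `json:"linux"`
}

// isCovered: want is hidden if masked lists it or a parent dir (masking
// /proc/scsi also hides /proc/scsi/scsi).
func isCovered(masked []string, want string) bool {
	for _, m := range masked {
		if want == m || strings.HasPrefix(want, strings.TrimSuffix(m, "/")+"/") {
			return true
		}
	}
	return false
}

// MissingMasks parses a config.json and returns the required paths it leaves
// exposed; a spec without a linux section masks nothing.
func MissingMasks(configJSON []byte, required []string) ([]string, error) {
	var spec ociSpec
	if err := json.Unmarshal(configJSON, &spec); err != nil {
		return nil, fmt.Errorf("parse spec: %w", err)
	}
	var masked []string
	if spec.Linux != nil {
		masked = spec.Linux.MaskedPaths
	}
	var missing []string
	for _, want := range required {
		if !isCovered(masked, want) {
			missing = append(missing, want)
		}
	}
	return missing, nil
}

const vulnerableSpec = `{"linux":{"maskedPaths":["/proc/kcore","/proc/keys"]}}` // constructed sample: pre-fix style list lacking /proc/scsi

func main() {
	missing, _ := MissingMasks([]byte(vulnerableSpec), []string{"/proc/scsi"})
	fmt.Println("unmasked:", missing) // unmasked: [/proc/scsi]
}
```

Point it at the config.json of a container bundle (or at a spec dumped with `runc spec`) to confirm a deployed runtime actually hides /proc/scsi rather than relying on the package version alone.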
--- Begin Message ---
Source: docker.io
Source-Version: 1.13.1~ds3-1

We believe that the bug you reported is fixed in the latest version of
docker.io, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Smirnov <only...@debian.org> (supplier of updated docker.io package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Sat, 09 Jun 2018 14:50:13 +1000
Source: docker.io
Binary: docker.io vim-syntax-docker golang-github-docker-docker-dev golang-docker-dev docker-doc
Architecture: source all amd64
Version: 1.13.1~ds3-1
Distribution: unstable
Urgency: medium
Maintainer: Tim Potter <t...@hpe.com>
Changed-By: Dmitry Smirnov <only...@debian.org>
Description:
 docker-doc - Linux container runtime -- documentation
 docker.io  - Linux container runtime
 golang-docker-dev - Transitional package for golang-github-docker-docker-dev
 golang-github-docker-docker-dev - Externally reusable Go packages included with Docker
 vim-syntax-docker - Docker container engine - Vim highlighting syntax files
Closes: 853258 900140
Changes:
 docker.io (1.13.1~ds3-1) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Tianon Gravi ]
   * Remove gccgo support.
     Removed upstream in commit eda90f63446253f97d2011926555306f2417d208
     (https://github.com/moby/moby/pull/25978)
   * Update upstream-version-gitcommits with more upstream versions
 .
   [ Dmitry Smirnov ]
   * New patch to fix CVE-2017-16539 (Closes: #900140).
   * New patch to remove 10 seconds delay on purge (Closes: #853258).
   * debhelper to version 11; compat to version 10.
   * copyright format URL to HTTPS; bump copyright years.
   * Standards-Version: 4.1.4.
   * Vcs URLs to Salsa.
   * Included "cliconfig" to -dev package (used by "gitlab-runner").
   * Included "reference" and "registry" into -dev package (used by "nomad").
   * Removed obsolete "golang-github-docker-engine-api-dev" from Build-Depends.
   * Use more private libraries to fix build and break circular dependencies:
     + github.com/docker/swarmkit
     + github.com/docker/libnetwork
     + github.com/docker/go-events
     + github.com/docker/go-metrics
   * Removed Upstart .conf file.
   * rules:
     + better clean, remove generated file(s).
     + fixed "sirupsen/logrus" imports.
     + DH_GOLANG_GO_GENERATE = 1


--- End Message ---
