Your message dated Sat, 22 Jun 2019 19:49:07 +0000
with message-id <e1hem0z-0007ur...@fasolo.debian.org>
and subject line Bug#929662: fixed in docker.io 18.09.1+dfsg1-7.1
has caused the Debian Bug report #929662,
regarding docker.io: CVE-2018-15664
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
929662: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929662
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: docker.io
Version: 18.09.1+dfsg1-7
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/docker/docker/pull/39252
Control: found -1 18.09.1+dfsg1-7~deb10u1
Control: found -1 18.09.5+dfsg1-1
Hi,
The following vulnerability was published for docker.io.
CVE-2018-15664[0]:
| In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker
| cp' command are vulnerable to a symlink-exchange attack with Directory
| Traversal, giving attackers arbitrary read-write access to the host
| filesystem with root privileges, because daemon/archive.go does not do
| archive operations on a frozen filesystem (or from within a chroot).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-15664
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15664
[1] https://github.com/docker/docker/pull/39252
[2] https://www.openwall.com/lists/oss-security/2019/05/28/1
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
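The CVE text above attributes the bug to archive paths being resolved while the container filesystem can still change, so a path component can be exchanged for a symlink between check and use. The Go program below is an added example, not code from the Docker patch or from this bug report: it contrasts a path-string open with a file-descriptor-relative walk that refuses symlinks, which is a different and simpler defence than the chroot approach the CVE text mentions. The helper name `openInRoot` and the temporary directory layout are assumptions made for illustration; it is Linux only.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// openInRoot (hypothetical helper, Linux only) opens rel beneath root one
// component at a time with openat(2) and O_NOFOLLOW on the directory fd already
// held, so a component swapped for a symlink fails the open instead of escaping.
func openInRoot(root, rel string) (*os.File, error) {
	dirfd, err := syscall.Open(root, syscall.O_RDONLY|syscall.O_DIRECTORY|syscall.O_CLOEXEC, 0)
	if err != nil {
		return nil, err
	}
	// Clean against "/" so ".." cannot climb above root lexically.
	parts := strings.Split(filepath.Clean("/"+rel), "/")[1:]
	for i, p := range parts {
		flags := syscall.O_RDONLY | syscall.O_NOFOLLOW | syscall.O_CLOEXEC
		if i < len(parts)-1 {
			flags |= syscall.O_DIRECTORY // intermediate components must be real directories
		}
		next, err := syscall.Openat(dirfd, p, flags, 0)
		syscall.Close(dirfd)
		if err != nil {
			return nil, fmt.Errorf("refusing %q at component %q: %w", rel, p, err)
		}
		dirfd = next
	}
	return os.NewFile(uintptr(dirfd), filepath.Join(root, rel)), nil
}

func main() {
	// Constructed layout: <tmp>/rootfs stands in for a container root,
	// <tmp>/host for host data that must stay unreachable.
	tmp, _ := os.MkdirTemp("", "cp-demo")
	defer os.RemoveAll(tmp)
	root, host := filepath.Join(tmp, "rootfs"), filepath.Join(tmp, "host")
	os.MkdirAll(root, 0o755)
	os.MkdirAll(host, 0o755)
	os.WriteFile(filepath.Join(host, "secret"), []byte("host data"), 0o600)
	os.Symlink(host, filepath.Join(root, "data")) // component replaced by a symlink
	_, naiveErr := os.Open(filepath.Join(root, "data", "secret")) // follows the link
	_, safeErr := openInRoot(root, "data/secret")
	fmt.Println("path-string open:", naiveErr, "| fd-relative open:", safeErr)
}
```

This walk rejects every symlink, including ones that point inside the root, so it trades compatibility for a simple guarantee.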
--- Begin Message ---
Source: docker.io
Source-Version: 18.09.1+dfsg1-7.1
We believe that the bug you reported is fixed in the latest version of
docker.io, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 929...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Shengjing Zhu <z...@debian.org> (supplier of updated docker.io package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 23 Jun 2019 01:25:10 +0800
Source: docker.io
Architecture: source
Version: 18.09.1+dfsg1-7.1
Distribution: unstable
Urgency: medium
Maintainer: Dmitry Smirnov <only...@debian.org>
Changed-By: Shengjing Zhu <z...@debian.org>
Closes: 929662
Changes:
docker.io (18.09.1+dfsg1-7.1) unstable; urgency=medium
.
* Non-maintainer upload.
.
[ Hideki Yamane ]
* upstream site moved to mobyproject.org
.
[ Arnaud Rebillout ]
* Add patch for CVE-2018-15664 (Closes: #929662).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---