Overview

File _patchinfo of Package patchinfo.119

<patchinfo incident="119">
 <issue id="902413" tracker="bnc">CVE-2014-5282: docker: Tagging image to ID can redirect images on subsequent pulls</issue>
  <issue id="898901" tracker="bnc">CVE-2014-7189: TLS client authentication issue fixed in version 1.3.2</issue>
  <issue id="902289" tracker="bnc">Fixed SLES12 URIs</issue>
  <issue id="907012" tracker="bnc">CVE-2014-6407: docker: symbolic and hardlink issues leading to privilege escalation</issue>
  <issue id="907014" tracker="bnc">CVE-2014-6408: docker: potential container escalation</issue>
  <issue id="CVE-2014-6407" tracker="cve" />
  <issue id="CVE-2014-6408" tracker="cve" />
  <issue id="CVE-2014-5282" tracker="cve" />
  <issue id="CVE-2014-5277" tracker="cve" />
  <issue id="CVE-2014-7189" tracker="cve" />
  <category>security</category>
  <rating>moderate</rating>
  <packager>flavio_castelli</packager>
  <description>

Docker was updated to version 1.3.2 to fix five security issues and several other bugs.

- Updated to 1.3.2 (2014-11-20) - fixes bnc#907012 (CVE-2014-6407) and
  bnc#907014 (CVE-2014-6408)
- Fixed minor packaging issues.

These security issues were fixed:
- Prevent fallback to SSL protocols lower than TLS 1.0 for client, daemon and registry (CVE-2014-5277).
- Secure HTTPS connection to registries with certificate verification and without HTTP fallback unless `--insecure-registry` is specified.
- Tagging image to ID can redirect images on subsequent pulls (CVE-2014-5282).
- Fix tar breakout vulnerability (CVE-2014-6407)
- Extractions are now sandboxed chroot (CVE-2014-6407)
- Security options are no longer committed to images (CVE-2014-6408)

These non-security issues were fixed:
- Fix deadlock in `docker ps -f exited=1`
- Fix a bug when `--volumes-from` references a container that failed to start
- `--insecure-registry` now accepts CIDR notation such as 10.1.0.0/16
- Private registries whose IPs fall in the 127.0.0.0/8 range do no need
  the `--insecure-registry` flag
- Skip the experimental registry v2 API when mirroring is enabled
- Fix issue where volumes would not be shared
- Fix issue with `--iptables=false` not automatically setting `--ip-masq=false`
- Fix docker run output to non-TTY stdout
- Fix escaping `$` for environment variables
- Fix issue with lowercase `onbuild` Dockerfile instruction
- Restrict envrionment variable expansion to `ENV`, `ADD`, `COPY`, `WORKDIR`, `EXPOSE`, `VOLUME` and `USER`
- docker `exec` allows you to run additional processes inside existing containers
- docker `create` gives you the ability to create a container via the cli without executing a process
- `--security-opts` options to allow user to customize container labels and apparmor profiles
- docker `ps` filters
- Wildcard support to copy/add
- Move production urls to get.docker.com from get.docker.io
- Allocate ip address on the bridge inside a valid cidr
- Use drone.io for pr and ci testing
- Ability to setup an official registry mirror
- Ability to save multiple images with docker `save`

go was updated to version 1.3.3 to fix one security issue and several other bugs.

This security issue was fixed:
- TLS client authentication issue (CVE-2014-7189).
  
These non-security issues were fixed:
- Avoid stripping debuginfo on arm, it fails (and is not necessary)
- Revert the /usr/share/go/contrib symlink as it caused problems
  during update. Moved all go sources to /usr/share/go/contrib/src
  instead of /usr/share/go/contrib/src/pkg and created pkg and src
  symlinks in contrib to add it to GOPATH
- Fixed %go_contribsrcdir value
- Copy temporary macros.go as go.macros to avoid it to be built
- Do not modify Source: files, because that makes the .src.rpm
  being tied to one specific arch.
- Removed extra src folder in /usr/share/go/contrib: the goal is to
  transform this folder into a proper entry for GOPATH. This folder
  is now linked to %{_libdir}/go/contrib
- go requires gcc to build sources using cgo
- tools-packaging.patch: Allow building cover and vet tools in
  $GOROOT_TARGET/pkg/tool instead of $GOROOT/pkg/tool. This will
  allow building go tools as a separate package

sle2docker was updated to version 0.2.2 to fix one bug:
- Fix SLE12 urls (bnc#902289)
</description>
  <summary>Security update for docker, sle2docker, go</summary>
</patchinfo>
openSUSE Build Service is sponsored by
Places