|
Message-ID: <CANO=Ty3C4kfhp=A6zQksNzmNRgUBpUk4M__mhkcez=_RA8_Dew@mail.gmail.com> Date: Tue, 10 Jan 2017 19:29:40 -0700 From: Kurt Seifried <kseifried@...hat.com> To: oss-security <oss-security@...ts.openwall.com> Cc: docker-user@...glegroups.com, docker-dev@...glegroups.com, fulldisclosure@...lists.org, vuln@...unia.com, bugtraq@...urityfocus.com Subject: Re: Docker 1.12.6 - Security Advisory Can you post a link to a patch for this issue, or to a bug entry with additional details, or the download site at a minimum? Thanks! On Tue, Jan 10, 2017 at 6:58 PM, Nathan McCauley <nathan.mccauley@...ker.com > wrote: > Docker Engine version 1.12.6 has been released to address a vulnerability > and is immediately available for all supported platforms. Users are advised > to upgrade existing installations of the Docker Engine and use 1.12.6 for > new installations. > > Please send any questions to security@...ker.com. > > > ============================================================== > [CVE-2016-9962] Insecure opening of file-descriptor allows privilege > escalation > > ============================================================== > > RunC allowed additional container processes via `runc exec` to be ptraced > by the pid 1 of the container. This allows the main processes of the > container, if running as root, to gain access to file-descriptors of these > new processes during the initialization and can lead to container escapes > or modification of runC state before the process is fully placed inside the > container > > > Credit for this discovery goes to Aleksa Sarai from SUSE and Tõnis Tiigi > from Docker. > -- -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 Red Hat Product Security contact: secalert@...hat.com
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.