docker.io: CVE-2015-3627 CVE-2015-3629 CVE-2015-3630 CVE-2015-3631

Related Vulnerabilities: CVE-2015-3627, CVE-2015-3629, CVE-2015-3630, CVE-2015-3631

Debian Bug report logs - #784726

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 8 May 2015 04:57:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version docker.io/1.6.0+dfsg1-1

Fixed in version docker.io/1.6.1+dfsg1-1

Done: Tianon Gravi <admwiggin@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Paul Tagliamonte <paultag@debian.org>:
Bug#784726; Package src:docker.io. (Fri, 08 May 2015 04:57:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Paul Tagliamonte <paultag@debian.org>. (Fri, 08 May 2015 04:57:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: docker.io: CVE-2015-3627 CVE-2015-3629 CVE-2015-3630 CVE-2015-3631
Date: Fri, 08 May 2015 06:54:06 +0200
Source: docker.io
Version: 1.6.0+dfsg1-1
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerabilities were published for docker.io.

CVE-2015-3627[0]:
Insecure opening of file-descriptor 1 leading to privilege escalation

CVE-2015-3629[1]:
Symlink traversal on container respawn allows local privilege escalation

CVE-2015-3630[2]:
Read/write proc paths allow host modification & information disclosure

CVE-2015-3631[3]:
Volume mounts allow LSM profile escalation

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-3627
[1] https://security-tracker.debian.org/tracker/CVE-2015-3629
[2] https://security-tracker.debian.org/tracker/CVE-2015-3630
[3] https://security-tracker.debian.org/tracker/CVE-2015-3631
[4] http://www.openwall.com/lists/oss-security/2015/05/07/10

Regards,
Salvatore



Reply sent to Tianon Gravi <admwiggin@gmail.com>:
You have taken responsibility. (Sat, 09 May 2015 00:21:13 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 09 May 2015 00:21:13 GMT)


Message #10 received at 784726-close@bugs.debian.org:

From: Tianon Gravi <admwiggin@gmail.com>
To: 784726-close@bugs.debian.org
Subject: Bug#784726: fixed in docker.io 1.6.1+dfsg1-1
Date: Sat, 09 May 2015 00:18:58 +0000
Source: docker.io
Source-Version: 1.6.1+dfsg1-1

We believe that the bug you reported is fixed in the latest version of
docker.io, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 784726@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tianon Gravi <admwiggin@gmail.com> (supplier of updated docker.io package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 08 May 2015 17:57:10 -0600
Source: docker.io
Binary: docker.io vim-syntax-docker golang-docker-dev
Architecture: source amd64 all
Version: 1.6.1+dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Paul Tagliamonte <paultag@debian.org>
Changed-By: Tianon Gravi <admwiggin@gmail.com>
Description:
 docker.io  - Linux container runtime
 golang-docker-dev - Externally reusable Go packages included with Docker
 vim-syntax-docker - Docker container engine - Vim highlighting syntax files
Closes: 784726
Changes:
 docker.io (1.6.1+dfsg1-1) unstable; urgency=high
 .
   * Update to 1.6.1 upstream release (Closes: #784726)
     - CVE-2015-3627
       Insecure opening of file-descriptor 1 leading to privilege escalation
     - CVE-2015-3629
       Symlink traversal on container respawn allows local privilege escalation
     - CVE-2015-3630
       Read/write proc paths allow host modification & information disclosure
     - CVE-2015-3631
       Volume mounts allow LSM profile escalation




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 23 Jun 2015 07:27:36 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:20:31 2019; Machine Name: buxtehude
