oss-sec mailing list archives
Re: Docker 1.12.6 - Security Advisory
From: Trevor Jay <tjay () redhat com>
Date: Wed, 11 Jan 2017 04:28:20 +0000
A FYI for Red Hat and Fedora users: we have rated this CVE as having moderate impact to our users and are currently testing backports of this patch for 1.12.5. More info: https://access.redhat.com/ringwraith https://bugzilla.redhat.com/show_bug.cgi?id=1409531 https://access.redhat.com/security/cve/CVE-2016-9962 To mitigate this even without the patch, you can remove `ptrace` from your seccomp whitelist. ACS such as SELinux (not sure about AppArmor) will keep container processes from accessing external file descriptors. Of course, you can prevent these kind of attacks completely (modulo kernel bugs) by never running privileged containers or giving them CAP_SYS_PTRACE in the first place. Great work on the flaw and patch. An extremely interesting vulnerability. _Trevor -- Sent from my Casio Loopy. (Trevor Jay) Red Hat Product Security gpg-key: https://ssl.montrose.is/chat/gpg-key
Current thread:
- Docker 1.12.6 - Security Advisory Nathan McCauley (Jan 10)
- Re: Docker 1.12.6 - Security Advisory Kurt Seifried (Jan 10)
- Re: Docker 1.12.6 - Security Advisory Andreas Stieger (Jan 11)
- Re: Docker 1.12.6 - Security Advisory Trevor Jay (Jan 11)
- Re: Docker 1.12.6 - Security Advisory Kurt Seifried (Jan 10)