Date: Wed, 11 Jan 2017 04:28:20 +0000
From: Trevor Jay <tjay@...hat.com>
To: docker-user@...glegroups.com
Cc: docker-dev@...glegroups.com, oss-security@...ts.openwall.com
Subject: Re: Docker 1.12.6 - Security Advisory

An FYI for Red Hat and Fedora users: we have rated this CVE as having moderate impact to our users and are currently testing backports of this patch for 1.12.5.

More info:

https://access.redhat.com/ringwraith
https://bugzilla.redhat.com/show_bug.cgi?id=1409531
https://access.redhat.com/security/cve/CVE-2016-9962

To mitigate this even without the patch, you can remove `ptrace` from your seccomp whitelist. ACS such as SELinux (not sure about AppArmor) will keep container processes from accessing external file descriptors.

Of course, you can prevent these kinds of attacks completely (modulo kernel bugs) by never running privileged containers or giving them CAP_SYS_PTRACE in the first place.

Great work on the flaw and patch. An extremely interesting vulnerability.

_Trevor

--
Sent from my Casio Loopy.

(Trevor Jay)
Red Hat Product Security
gpg-key: https://ssl.montrose.is/chat/gpg-key
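The seccomp mitigation described in the message above, as an added example that is not part of the original post and not code from Docker, runc or Red Hat: it takes a Docker-format seccomp profile, removes `ptrace` (and the two `process_vm_*` calls, which reach another task's memory under the same ptrace access check) from every allow rule, and confirms that the stripped calls now fall through to the profile's `defaultAction`. The sample profile, the function names and the `PTRACE_FAMILY` list are assumptions made for this example; Docker's real default profile lists several hundred syscalls.

```python
"""Strip ptrace from a Docker seccomp profile (added example, not project code)."""
import copy
import json

# Constructed sample in Docker's seccomp profile format. Docker 1.12-era
# profiles used a per-rule "name" key; later ones use a "names" list.
# Both shapes appear here so the helper handles either.
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {"names": ["read", "write", "openat", "close", "ptrace"],
     "action": "SCMP_ACT_ALLOW", "args": []},
    {"name": "process_vm_readv", "action": "SCMP_ACT_ALLOW", "args": []},
    {"name": "ptrace", "action": "SCMP_ACT_ALLOW", "args": []},
    {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"}]}
  ]
}
""")

# ptrace is the call named in the advisory; process_vm_readv/writev are
# gated by the same PTRACE_MODE_ATTACH check in the kernel, so a profile
# that blocks ptrace should normally block them too (assumption of this
# example, not a statement from the advisory).
PTRACE_FAMILY = ("ptrace", "process_vm_readv", "process_vm_writev")


def _rule_names(rule):
    """Syscall names covered by one rule, whichever key shape it uses."""
    if "names" in rule:
        return list(rule["names"])
    if "name" in rule:
        return [rule["name"]]
    return []


def allowed_syscalls(profile):
    """Set of syscall names that some rule explicitly allows."""
    allowed = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW":
            allowed.update(_rule_names(rule))
    return allowed


def strip_syscalls(profile, names):
    """Copy of `profile` with `names` removed from every allow rule.

    Rules left with no names are dropped entirely. Non-allow rules are
    kept untouched so explicit deny/trap rules survive.
    """
    names = set(names)
    out = copy.deepcopy(profile)
    kept = []
    for rule in out.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            kept.append(rule)
            continue
        remaining = [n for n in _rule_names(rule) if n not in names]
        if not remaining:
            continue
        rule.pop("name", None)
        rule["names"] = remaining
        kept.append(rule)
    out["syscalls"] = kept
    return out


def blocks(profile, syscall):
    """True iff `syscall` is not allowed AND the default action denies it.

    Removing a name from the whitelist is only a mitigation when the
    profile's defaultAction is not SCMP_ACT_ALLOW; this check catches
    profiles where stripping the rule would change nothing.
    """
    if syscall in allowed_syscalls(profile):
        return False
    return profile.get("defaultAction") != "SCMP_ACT_ALLOW"


def harden(profile):
    """Apply the ptrace mitigation to a profile and return the result."""
    return strip_syscalls(profile, PTRACE_FAMILY)


if __name__ == "__main__":
    hardened = harden(SAMPLE_PROFILE)
    with open("hardened.json", "w") as fh:
        json.dump(hardened, fh, indent=2)
    # Then start containers with:
    #   docker run --security-opt seccomp=hardened.json ...
    print("ptrace blocked:", blocks(hardened, "ptrace"))
```

Run it against a copy of the profile you actually deploy rather than the constructed sample, and keep `blocks()` as a regression check: it fails loudly on a profile whose `defaultAction` is `SCMP_ACT_ALLOW`, where removing `ptrace` from the whitelist would leave the call reachable.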