openSUSE Security Update: Security update for containerd, docker, runc
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2021:3506-1
Rating:             important
References:         #1102408 #1185405 #1187704 #1188282 #1190826 
                    #1191015 #1191121 #1191334 #1191355 #1191434 
                    
Cross-References:   CVE-2021-30465 CVE-2021-32760 CVE-2021-41089
                    CVE-2021-41091 CVE-2021-41092 CVE-2021-41103
                   
CVSS scores:
                    CVE-2021-30465 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-30465 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-32760 (NVD) : 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
                    CVE-2021-32760 (SUSE): 3 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:L
                    CVE-2021-41089 (NVD) : 2.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
                    CVE-2021-41089 (SUSE): 3.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
                    CVE-2021-41091 (NVD) : 6.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
                    CVE-2021-41091 (SUSE): 6.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
                    CVE-2021-41092 (NVD) : 5.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N
                    CVE-2021-41092 (SUSE): 5.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N
                    CVE-2021-41103 (SUSE): 5.9 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected Products:
                    openSUSE Leap 15.3
______________________________________________________________________________

   An update that solves 6 vulnerabilities and has four fixes
   is now available.

Description:

   This update for containerd, docker, runc fixes the following issues:

   Docker was updated to 20.10.9-ce. (bsc#1191355)

   See upstream changelog in the packaged
   /usr/share/doc/packages/docker/CHANGELOG.md.

     CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103

   container was updated to v1.4.11, to fix CVE-2021-41103. bsc#1191355

   - CVE-2021-32760: Fixed that a archive package allows chmod of file
     outside of unpack target directory (bsc#1188282)

   - Install systemd service file as well (bsc#1190826)

   Update to runc v1.0.2. Upstream changelog is available from

     https://github.com/opencontainers/runc/releases/tag/v1.0.2

   * Fixed a failure to set CPU quota period in some cases on cgroup v1.
   * Fixed the inability to start a container with the "adding seccomp filter
     rule for syscall ..." error, caused by redundant seccomp rules (i.e.
     those that has action equal to the default one). Such redundant rules
     are now skipped.
   * Made release builds reproducible from now on.
   * Fixed a rare debug log race in runc init, which can result in occasional
     harmful "failed to decode ..." errors from runc run or exec.
   * Fixed the check in cgroup v1 systemd manager if a container needs to be
     frozen before Set, and add a setting to skip such freeze
     unconditionally. The previous fix for that issue, done in runc 1.0.1,
     was not working.

   Update to runc v1.0.1. Upstream changelog is available from

   https://github.com/opencontainers/runc/releases/tag/v1.0.1

   * Fixed occasional runc exec/run failure ("interrupted system call") on an
     Azure volume.
   * Fixed "unable to find groups ... token too long" error with /etc/group
     containing lines longer than 64K characters.
   * cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent
     cgroup is frozen. This is a regression in 1.0.0, not affecting runc
     itself but some
     of libcontainer users (e.g Kubernetes).
   * cgroupv2: bpf: Ignore inaccessible existing programs in case of
     permission error when handling replacement of existing bpf cgroup
     programs. This fixes a regression in 1.0.0, where some SELinux policies
     would block runc from being able to run entirely.
   * cgroup/systemd/v2: don't freeze cgroup on Set.
   * cgroup/systemd/v1: avoid unnecessary freeze on Set.
   - fix issues with runc under openSUSE MicroOS's SELinux policy. bsc#1187704

   Update to runc v1.0.0. Upstream changelog is available from

   https://github.com/opencontainers/runc/releases/tag/v1.0.0

   ! The usage of relative paths for mountpoints will now produce a warning
   (such configurations are outside of the spec, and in future runc will
   produce an error when given such configurations).
   * cgroupv2: devices: rework the filter generation to produce consistent
     results with cgroupv1, and always clobber any existing eBPF program(s)
     to fix runc update and avoid leaking eBPF programs (resulting in errors     when managing containers).
   * cgroupv2: correctly convert "number of IOs" statistics in a
     cgroupv1-compatible way.
   * cgroupv2: support larger than 32-bit IO statistics on 32-bit
     architectures.
   * cgroupv2: wait for freeze to finish before returning from the freezing
     code, optimize the method for checking whether a cgroup is frozen.
   * cgroups/systemd: fixed "retry on dbus disconnect" logic introduced in
     rc94
   * cgroups/systemd: fixed returning "unit already exists" error from a
     systemd cgroup manager (regression in rc94)
   + cgroupv2: support SkipDevices with systemd driver
   + cgroup/systemd: return, not ignore, stop unit error from Destroy
   + Make "runc --version" output sane even when built with go get or
     otherwise outside of our build scripts.
   + cgroups: set SkipDevices during runc update (so we don't modify cgroups
     at all during runc update).
   + cgroup1: blkio: support BFQ weights.
   + cgroupv2: set per-device io weights if BFQ IO scheduler is available.

   Update to runc v1.0.0~rc95. Upstream changelog is available from
   https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95

   This release of runc contains a fix for CVE-2021-30465, and users are
   strongly recommended to update (especially if you are providing
   semi-limited access to spawn containers to untrusted users). (bsc#1185405)

   Update to runc v1.0.0~rc94. Upstream changelog is available from
   https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc94

   Breaking Changes:
   * cgroupv1: kernel memory limits are now always ignored, as kmemcg has
     been effectively deprecated by the kernel. Users should make use of
     regular memory cgroup controls.

   Regression Fixes:

   * seccomp: fix 32-bit compilation errors   * runc init: fix a hang caused by deadlock in seccomp/ebpf loading code
   * runc start: fix "chdir to cwd: permission denied" for some setups


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.3:

      zypper in -t patch openSUSE-SLE-15.3-2021-3506=1



Package List:

   - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):

      containerd-1.4.11-56.1
      containerd-ctr-1.4.11-56.1
      docker-20.10.9_ce-156.1
      docker-debuginfo-20.10.9_ce-156.1
      docker-kubic-20.10.9_ce-156.1
      docker-kubic-debuginfo-20.10.9_ce-156.1
      docker-kubic-kubeadm-criconfig-20.10.9_ce-156.1
      runc-1.0.2-23.1
      runc-debuginfo-1.0.2-23.1

   - openSUSE Leap 15.3 (noarch):

      docker-bash-completion-20.10.9_ce-156.1
      docker-fish-completion-20.10.9_ce-156.1
      docker-kubic-bash-completion-20.10.9_ce-156.1
      docker-kubic-fish-completion-20.10.9_ce-156.1
      docker-kubic-zsh-completion-20.10.9_ce-156.1
      docker-zsh-completion-20.10.9_ce-156.1


References:

   https://www.suse.com/security/cve/CVE-2021-30465.html
   https://www.suse.com/security/cve/CVE-2021-32760.html
   https://www.suse.com/security/cve/CVE-2021-41089.html
   https://www.suse.com/security/cve/CVE-2021-41091.html
   https://www.suse.com/security/cve/CVE-2021-41092.html
   https://www.suse.com/security/cve/CVE-2021-41103.html
   https://bugzilla.suse.com/1102408
   https://bugzilla.suse.com/1185405
   https://bugzilla.suse.com/1187704
   https://bugzilla.suse.com/1188282
   https://bugzilla.suse.com/1190826
   https://bugzilla.suse.com/1191015
   https://bugzilla.suse.com/1191121
   https://bugzilla.suse.com/1191334
   https://bugzilla.suse.com/1191355
   https://bugzilla.suse.com/1191434

openSUSE: 2021:3506-1 important: containerd, docker, runc

October 25, 2021
An update that solves 6 vulnerabilities and has four fixes is now available

Description

This update for containerd, docker, runc fixes the following issues: Docker was updated to 20.10.9-ce. (bsc#1191355) See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103 container was updated to v1.4.11, to fix CVE-2021-41103. bsc#1191355 - CVE-2021-32760: Fixed that a archive package allows chmod of file outside of unpack target directory (bsc#1188282) - Install systemd service file as well (bsc#1190826) Update to runc v1.0.2. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.2 * Fixed a failure to set CPU quota period in some cases on cgroup v1. * Fixed the inability to start a container with the "adding seccomp filter rule for syscall ..." error, caused by redundant seccomp rules (i.e. those that has action equal to the default one). Such redundant rules are now skipped. * Made release builds reproducible from now on. * Fixed a rare debug log race in runc init, which can result in occasional harmful "failed to decode ..." errors from runc run or exec. * Fixed the check in cgroup v1 systemd manager if a container needs to be frozen before Set, and add a setting to skip such freeze unconditionally. The previous fix for that issue, done in runc 1.0.1, was not working. Update to runc v1.0.1. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.1 * Fixed occasional runc exec/run failure ("interrupted system call") on an Azure volume. * Fixed "unable to find groups ... token too long" error with /etc/group containing lines longer than 64K characters. * cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is frozen. This is a regression in 1.0.0, not affecting runc itself but some of libcontainer users (e.g Kubernetes). * cgroupv2: bpf: Ignore inaccessible existing programs in case of permission error when handling replacement of existing bpf cgroup programs. This fixes a regression in 1.0.0, where some SELinux policies would block runc from being able to run entirely. * cgroup/systemd/v2: don't freeze cgroup on Set. * cgroup/systemd/v1: avoid unnecessary freeze on Set. - fix issues with runc under openSUSE MicroOS's SELinux policy. bsc#1187704 Update to runc v1.0.0. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0 ! The usage of relative paths for mountpoints will now produce a warning (such configurations are outside of the spec, and in future runc will produce an error when given such configurations). * cgroupv2: devices: rework the filter generation to produce consistent results with cgroupv1, and always clobber any existing eBPF program(s) to fix runc update and avoid leaking eBPF programs (resulting in errors when managing containers). * cgroupv2: correctly convert "number of IOs" statistics in a cgroupv1-compatible way. * cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures. * cgroupv2: wait for freeze to finish before returning from the freezing code, optimize the method for checking whether a cgroup is frozen. * cgroups/systemd: fixed "retry on dbus disconnect" logic introduced in rc94 * cgroups/systemd: fixed returning "unit already exists" error from a systemd cgroup manager (regression in rc94) + cgroupv2: support SkipDevices with systemd driver + cgroup/systemd: return, not ignore, stop unit error from Destroy + Make "runc --version" output sane even when built with go get or otherwise outside of our build scripts. + cgroups: set SkipDevices during runc update (so we don't modify cgroups at all during runc update). + cgroup1: blkio: support BFQ weights. + cgroupv2: set per-device io weights if BFQ IO scheduler is available. Update to runc v1.0.0~rc95. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95 This release of runc contains a fix for CVE-2021-30465, and users are strongly recommended to update (especially if you are providing semi-limited access to spawn containers to untrusted users). (bsc#1185405) Update to runc v1.0.0~rc94. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc94 Breaking Changes: * cgroupv1: kernel memory limits are now always ignored, as kmemcg has been effectively deprecated by the kernel. Users should make use of regular memory cgroup controls. Regression Fixes: * seccomp: fix 32-bit compilation errors * runc init: fix a hang caused by deadlock in seccomp/ebpf loading code * runc start: fix "chdir to cwd: permission denied" for some setups

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.3: zypper in -t patch openSUSE-SLE-15.3-2021-3506=1


Package List

- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64): containerd-1.4.11-56.1 containerd-ctr-1.4.11-56.1 docker-20.10.9_ce-156.1 docker-debuginfo-20.10.9_ce-156.1 docker-kubic-20.10.9_ce-156.1 docker-kubic-debuginfo-20.10.9_ce-156.1 docker-kubic-kubeadm-criconfig-20.10.9_ce-156.1 runc-1.0.2-23.1 runc-debuginfo-1.0.2-23.1 - openSUSE Leap 15.3 (noarch): docker-bash-completion-20.10.9_ce-156.1 docker-fish-completion-20.10.9_ce-156.1 docker-kubic-bash-completion-20.10.9_ce-156.1 docker-kubic-fish-completion-20.10.9_ce-156.1 docker-kubic-zsh-completion-20.10.9_ce-156.1 docker-zsh-completion-20.10.9_ce-156.1


References

https://www.suse.com/security/cve/CVE-2021-30465.html https://www.suse.com/security/cve/CVE-2021-32760.html https://www.suse.com/security/cve/CVE-2021-41089.html https://www.suse.com/security/cve/CVE-2021-41091.html https://www.suse.com/security/cve/CVE-2021-41092.html https://www.suse.com/security/cve/CVE-2021-41103.html https://bugzilla.suse.com/1102408 https://bugzilla.suse.com/1185405 https://bugzilla.suse.com/1187704 https://bugzilla.suse.com/1188282 https://bugzilla.suse.com/1190826 https://bugzilla.suse.com/1191015 https://bugzilla.suse.com/1191121 https://bugzilla.suse.com/1191334 https://bugzilla.suse.com/1191355 https://bugzilla.suse.com/1191434


Severity
Announcement ID: openSUSE-SU-2021:3506-1
Rating: important
Affected Products: openSUSE Leap 15.3 ble.

Related News

28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
2.Motherboard Esm H320
2 - 3 min read
The recently uncovered "Native Branch History Injection (BHI)" exploit against the Linux kernel marks a significant milestone in the ongoing battle
1.Penguin Landscape Esm H320
1 - 2 min read
There are compelling arguments in favor of Linux over Windows for desktop usage. Let's explore some advantages of choosing Linux over Windows for
4.Lock AbstractDigital Esm H320
2 - 3 min read
Canonical , the company behind Ubuntu , has introduced Netplan 1.0 , a network configuration tool that simplifies networking configuration on Linux

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved