Oracle Linux Local Security Checks : Oracle: Security Advisory (ELSA-2014-3095)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.123232

Category: Oracle Linux Local Security Checks

Title: Oracle: Security Advisory (ELSA-2014-3095)

Summary: The remote host is missing an update for the 'docker' package(s) announced via the ELSA-2014-3095 advisory.

Description: Summary:
The remote host is missing an update for the 'docker' package(s) announced via the ELSA-2014-3095 advisory.

Vulnerability Insight:
[1.3.2-1.0.1]
- Rename requirement of docker-io-pkg-devel in %package devel as docker-pkg-devel
- Restore SysV init scripts for Oracle Linux 6
- Require Oracle Unbreakable Enterprise Kernel Release 3 or higher
- Rename as docker.
- Re-enable btrfs graphdriver support

[1.3.2-1]
- Update source to 1.3.2 from [link moved to references]
Prevent host privilege escalation from an image extraction vulnerability (CVE-2014-6407).
Prevent container escalation from malicious security options applied to images (CVE-2014-6408).
The '--insecure-registry' flag of the 'docker run' command has undergone several refinements and additions.
You can now specify a sub-net in order to set a range of registries which the Docker daemon will consider insecure.
By default, Docker now defines 'localhost' as an insecure registry.
Registries can now be referenced using the Classless Inter-Domain Routing (CIDR) format.
When mirroring is enabled, the experimental registry v2 API is skipped.

[1.3.1-2]
- Remove pandoc from build reqs

[1.3.1-1]
- update to v1.3.1

[1.3.0-1]
- Resolves: rhbz#1153936 - update to v1.3.0
- iptables=false => ip-masq=false

[1.2.0-3]
- Resolves: rhbz#1139415 - correct path for bash completion
/usr/share/bash-completion/completions
- sysvinit script update as per upstream commit
640d2ef6f54d96ac4fc3f0f745cb1e6a35148607
- don't own dirs for vim highlighting, bash completion and udev

[1.2.0-2]
- Resolves: rhbz#1145660 - support /etc/sysconfig/docker-storage
From: Colin Walters - patch to ignore selinux if its disabled [link moved to references] From: Dan Walsh - Resolves: rhbz#1139415 - correct path for bash completion- init script waits up to 5 mins before terminating daemon[1.2.0-1]- Resolves: rhbz#1132824 - update to v1.2.0

Affected Software/OS:
'docker' package(s) on Oracle Linux 6, Oracle Linux 7.

Solution:
Please install the updated package(s).

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2014-6407
http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145154.html
http://www.openwall.com/lists/oss-security/2014/11/24/5
http://secunia.com/advisories/60171
http://secunia.com/advisories/60241
SuSE Security Announcement: openSUSE-SU-2014:1596 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2014-12/msg00009.html
Common Vulnerability Exposure (CVE) ID: CVE-2014-6408

Copyright Copyright (C) 2015 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.123232
Category:	Oracle Linux Local Security Checks
Title:	Oracle: Security Advisory (ELSA-2014-3095)
Summary:	The remote host is missing an update for the 'docker' package(s) announced via the ELSA-2014-3095 advisory.
Description:	Summary: The remote host is missing an update for the 'docker' package(s) announced via the ELSA-2014-3095 advisory. Vulnerability Insight: [1.3.2-1.0.1] - Rename requirement of docker-io-pkg-devel in %package devel as docker-pkg-devel - Restore SysV init scripts for Oracle Linux 6 - Require Oracle Unbreakable Enterprise Kernel Release 3 or higher - Rename as docker. - Re-enable btrfs graphdriver support [1.3.2-1] - Update source to 1.3.2 from [link moved to references] Prevent host privilege escalation from an image extraction vulnerability (CVE-2014-6407). Prevent container escalation from malicious security options applied to images (CVE-2014-6408). The '--insecure-registry' flag of the 'docker run' command has undergone several refinements and additions. You can now specify a sub-net in order to set a range of registries which the Docker daemon will consider insecure. By default, Docker now defines 'localhost' as an insecure registry. Registries can now be referenced using the Classless Inter-Domain Routing (CIDR) format. When mirroring is enabled, the experimental registry v2 API is skipped. [1.3.1-2] - Remove pandoc from build reqs [1.3.1-1] - update to v1.3.1 [1.3.0-1] - Resolves: rhbz#1153936 - update to v1.3.0 - iptables=false => ip-masq=false [1.2.0-3] - Resolves: rhbz#1139415 - correct path for bash completion /usr/share/bash-completion/completions - sysvinit script update as per upstream commit 640d2ef6f54d96ac4fc3f0f745cb1e6a35148607 - don't own dirs for vim highlighting, bash completion and udev [1.2.0-2] - Resolves: rhbz#1145660 - support /etc/sysconfig/docker-storage From: Colin Walters - patch to ignore selinux if its disabled [link moved to references] From: Dan Walsh - Resolves: rhbz#1139415 - correct path for bash completion- init script waits up to 5 mins before terminating daemon[1.2.0-1]- Resolves: rhbz#1132824 - update to v1.2.0 Affected Software/OS: 'docker' package(s) on Oracle Linux 6, Oracle Linux 7. Solution: Please install the updated package(s). CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2014-6407 http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145154.html http://www.openwall.com/lists/oss-security/2014/11/24/5 http://secunia.com/advisories/60171 http://secunia.com/advisories/60241 SuSE Security Announcement: openSUSE-SU-2014:1596 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2014-12/msg00009.html Common Vulnerability Exposure (CVE) ID: CVE-2014-6408
Copyright	Copyright (C) 2015 Greenbone AG