
Fix CVE-2019-14271 loading of nsswitch based config inside chroot under Glibc #39612

Merged
AkihiroSuda merged 1 commit into moby:master from tiborvass:cve-2019-14271
Jul 26, 2019

Conversation

@tiborvass
Contributor

Initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host environment, not in the chroot from untrusted files.

CVE-2019-14271 may allow unprivileged access to the host system while copying files from a malicious container image with the docker cp command.

Affected versions: v19.03.0. Older Docker versions are not affected by this issue.

This fix is included in the already released Docker v19.03.1. Users of Docker v19.03.0 are advised to upgrade.

The patch was previously reviewed internally by maintainers under GitHub security advisory.
If you find security issues in Moby, please follow responsible disclosure guidelines by sending an email to [email protected].

…oaded in the host environment not in the chroot from untrusted files.

See also OpenVZ https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234

Signed-off-by: Justin Cormack <[email protected]>
(cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)
Signed-off-by: Tibor Vass <[email protected]>
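Added example (not code from this PR or from moby itself): a small Go program showing the ordering the fix enforces. glibc resolves the services in nsswitch.conf lazily, dlopen()ing the matching libnss_*.so.2 on the first user or host lookup; if that first lookup happens after chroot() into a container rootfs, the module comes from the untrusted filesystem. warmNSS() performs the lookups while / is still the host root, in the spirit of the PR title; unsafeCopy() and safeCopy() contrast the two orderings; nssModulesFromMaps() reads /proc/self/maps so a practitioner can confirm which libnss_ modules are mapped and from which path. Assumptions: Linux with glibc and a cgo-enabled Go build (with CGO_ENABLED=0 Go's pure resolver never touches glibc, so nothing is loaded either way); every function name here is hypothetical, and sampleMaps is a constructed /proc maps excerpt, not real output. The chroot path needs root to actually run.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"os"
	"os/user"
	"sort"
	"strings"
	"syscall"
)

// sampleMaps is a constructed excerpt in /proc/<pid>/maps format (not real
// output), used only to exercise the parser offline.
const sampleMaps = `7f1a00000000-7f1a001c0000 r--p 00000000 fd:01 1234 /lib/x86_64-linux-gnu/libc.so.6
7f1a00200000-7f1a00210000 r-xp 00000000 fd:01 5678 /lib/x86_64-linux-gnu/libnss_files.so.2
7f1a00210000-7f1a00220000 r--p 00010000 fd:01 5678 /lib/x86_64-linux-gnu/libnss_files.so.2
7f1a00300000-7f1a00310000 r-xp 00000000 fd:01 9012 /lib/x86_64-linux-gnu/libnss_dns.so.2
7f1a00400000-7f1a00500000 rw-p 00000000 00:00 0
7ffd12340000-7ffd12360000 rw-p 00000000 00:00 0 [stack]
`

// nssModulesFromMaps scans text in /proc/<pid>/maps format and returns the
// distinct backing-file paths of every mapped glibc NSS module
// (basename libnss_*.so*), sorted for stable output.
func nssModulesFromMaps(r io.Reader) []string {
	seen := map[string]bool{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 6 {
			continue // anonymous mapping: no backing file
		}
		path := fields[5]
		base := path[strings.LastIndex(path, "/")+1:]
		if strings.HasPrefix(base, "libnss_") && strings.Contains(base, ".so") {
			seen[path] = true
		}
	}
	out := make([]string, 0, len(seen))
	for p := range seen {
		out = append(out, p)
	}
	sort.Strings(out)
	return out
}

// demoModules runs the parser over the constructed sample above.
func demoModules() []string {
	return nssModulesFromMaps(strings.NewReader(sampleMaps))
}

// loadedNSSModules reports the NSS modules mapped into this process right now.
func loadedNSSModules() ([]string, error) {
	f, err := os.Open("/proc/self/maps")
	if err != nil {
		return nil, err
	}
	defer f.Close()
	return nssModulesFromMaps(f), nil
}

// warmNSS forces glibc to parse nsswitch.conf and dlopen the libnss_*.so
// modules now, while / is still the host root. The lookup results are
// deliberately ignored: only the side effect (modules loaded from the host)
// matters. With CGO_ENABLED=0 this is a no-op as far as glibc is concerned.
func warmNSS() {
	_, _ = user.Lookup("root")
	_, _ = net.LookupHost("localhost")
}

// unsafeCopy is the pre-fix ordering: chroot into the untrusted rootfs first,
// then do work that may trigger the process's first name lookup. Under glibc
// that first lookup dlopen()s libnss_*.so.2 from inside rootfs.
func unsafeCopy(rootfs string, work func() error) error {
	if err := syscall.Chroot(rootfs); err != nil {
		return err
	}
	if err := os.Chdir("/"); err != nil {
		return err
	}
	return work()
}

// safeCopy is the post-fix ordering: load the NSS modules from the host
// before the chroot, so the later chroot cannot supply them.
func safeCopy(rootfs string, work func() error) error {
	warmNSS()
	return unsafeCopy(rootfs, work)
}

func main() {
	before, _ := loadedNSSModules()
	warmNSS()
	after, _ := loadedNSSModules()
	fmt.Println("NSS modules before warm-up:", before)
	fmt.Println("NSS modules after warm-up: ", after)
	fmt.Println("parsed from constructed sample:", demoModules())
}
```

Run it as an unprivileged user to see the before/after module list; after warmNSS() the paths printed should be host paths such as /lib/x86_64-linux-gnu/libnss_files.so.2, and modules already mapped stay mapped across any later chroot. On a static musl build, or with CGO_ENABLED=0, the list stays empty, which is the other way to be outside this bug class.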
Contributor

@andrewhsu andrewhsu left a comment

LGTM

Member

@thaJeztah thaJeztah left a comment

LGTM

@thaJeztah
Member

@tiborvass fixes #39449?

@thaJeztah
Member

@moby/moby-maintainers ptal

Member

@cpuguy83 cpuguy83 left a comment

LGTM

Member

@yongtang yongtang left a comment

LGTM

@tonistiigi
Member

@thaJeztah Just a reminder that this still needs to be cherry-picked to the 18.09 tree

@thaJeztah
Member

@tonistiigi if you can prepare a cherry-pick, I can LGTM 😉 😇

@carnil

carnil commented Aug 4, 2019

@tonistiigi, @thaJeztah: In #39612 (comment) it is said that this affects only 19.03.0 series. But then the #39612 (comment) mentions the fix needs to be cherry-picked to 18.09 tree. So what is right? Are any older versions as well affected by this issue? Where was the issue introduced?

docker-archive#305 (comment) gives the information that 18.09 needs the fix as well.

@thaJeztah
Member

Current versions of 18.09 are not affected because they are still using Go 1.10 and a custom archive implementation.

The 18.09 release branch was recently updated to Go 1.11 (which also removed the custom archive implementation), but no release has been made with that code yet; we had to backport the fix to prevent the next patch release from being vulnerable.

@carnil

carnil commented Aug 4, 2019

@thaJeztah, ack thank you

julianladisch added a commit to julianladisch/folio-tools that referenced this pull request May 17, 2021
* Update Ansible from 2.9.13 to 2.9.21 fixing security issues:
  * https://access.redhat.com/security/cve/cve-2021-2022 - Mask default and fallback values for `no_log` module options
  * https://access.redhat.com/security/cve/cve-2021-20191 - Various modules missing `no_log` on sensitive module arguments
  * https://access.redhat.com/security/cve/cve-2021-20180 - `bitbucket_pipeline_variable` - hide user sensitive information which are marked as `secured` from logging into the console
  * https://access.redhat.com/security/cve/cve-2021-20178 - `snmp_facts` - hide user sensitive information such as ``privkey`` and ``authkey`` from logging into the console
  * https://access.redhat.com/security/cve/cve-2020-1753 - kubectl connection plugin - now redacts `kubectl_token` and `kubectl_password` in console log

* Update Docker from 19.03.9 to 20.10.6 fixing
  * CVE-2021-21285 Prevent an invalid image from crashing docker daemon GHSA-6fj5-m822-rqx8
  * CVE-2021-21284 Lock down file permissions to prevent remapped root from accessing docker state GHSA-7452-xqpj-6rpc
  * CVE-2019-14271 loading of nsswitch based config inside chroot under Glibc moby/moby#39612
  * CVE-2020-15257 Update bundled static binaries of containerd to v1.3.9 GHSA-36xw-fx78-c5r4

* Update Yarn from 1.22.4 to 1.22.5, to the classic stable version: https://classic.yarnpkg.com/lang/en/

* The re-build also updates many other tools, most notably Node:

* Update Node from 12.20.1 to 12.22.1 fixing
  * https://nodejs.org/en/blog/vulnerability/april-2021-security-releases/ OpenSSL - CA certificate check bypass with `X509_V_FLAG_X509_STRICT` (CVE-2021-3450)
  * https://nodejs.org/en/blog/vulnerability/april-2021-security-releases/ OpenSSL - NULL pointer deref in signature_algorithms processing (CVE-2021-3449)
  * https://nodejs.org/en/blog/vulnerability/april-2021-security-releases/ npm upgrade - Update y18n to fix Prototype-Pollution (CVE-2020-7774)
  * https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/ HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion (CVE-2021-22883)
  * https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/ DNS rebinding in --inspect (CVE-2021-22884)
  * https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/ OpenSSL - Integer overflow in CipherUpdate (CVE-2021-23840)
@shraddhapai

Hi all, I'm running into the docker cp error with docker 19.03.6 running on Ubuntu 18.04.5 LTS.

This is what I get as output:

Error response from daemon: error processing tar file: docker-tar: relocation error: /lib/x86_64-linux-gnu/libnss_files.so.2: symbol __libc_readline_unlocked version GLIBC_PRIVATE not defined in file libc.so.6 with link time reference: exit status 127

Any help would be appreciated, thanks!

@thaJeztah
Member

@shraddhapai is that a docker-ce package installed from download.docker.com, or is it a package installed from Ubuntu's distro packages?
