Your message dated Sat, 15 Oct 2022 17:06:02 +0000
with message-id <[email protected]>
and subject line Bug#1019601: fixed in docker.io 20.10.19+dfsg1-1
has caused the Debian Bug report #1019601,
regarding docker.io: CVE-2022-36109
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1019601: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019601
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: docker.io
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for docker.io.
CVE-2022-36109[0]:
| Moby is an open-source project created by Docker to enable software
| containerization. A bug was found in Moby (Docker Engine) where
| supplementary groups are not set up properly. If an attacker has
| direct access to a container and manipulates their supplementary group
| access, they may be able to use supplementary group access to bypass
| primary group restrictions in some cases, potentially gaining access
| to sensitive information or gaining the ability to execute code in
| that container. This bug is fixed in Moby (Docker Engine) 20.10.18.
| Running containers should be stopped and restarted for the permissions
| to be fixed. For users unable to upgrade, this problem can be worked
| around by not using the `"USER $USERNAME"` Dockerfile instruction.
| Instead by calling `ENTRYPOINT ["su", "-", "user"]` the supplementary
| groups will be set up properly.
https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4
https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-36109
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36109
Please adjust the affected versions in the BTS as needed.
--- End Message ---
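A defender-side consistency check for the symptom the advisory above describes, added here as an example (it is not part of the bug report, of Moby, or of the Debian package): it compares the group set a container process actually runs with (the output of `id -G`) against the primary and supplementary groups that the image's `/etc/passwd` and `/etc/group` grant its user, and flags any mismatch in either direction so the container can be restarted on a fixed engine. The function names and the sample passwd/group contents are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Moby.
# expected_gids USER PASSWD_TEXT GROUP_TEXT
#   prints the sorted, de-duplicated gids USER should have: the primary gid
#   from /etc/passwd plus every /etc/group entry listing USER as a member.
expected_gids() {
  user=$1; passwd=$2; group=$3
  primary=$(printf '%s\n' "$passwd" | awk -F: -v u="$user" '$1==u {print $4}')
  supp=$(printf '%s\n' "$group" | awk -F: -v u="$user" '
    { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $3 }')
  printf '%s\n' $primary $supp | sort -nu | tr '\n' ' ' | sed 's/ $//'
}

# actual_gids "ID_G_OUTPUT": normalise the space-separated gids printed by
# `id -G` inside the container into the same sorted form.
actual_gids() {
  printf '%s\n' $1 | sort -nu | tr '\n' ' ' | sed 's/ $//'
}

# groups_consistent USER PASSWD_TEXT GROUP_TEXT ID_G_OUTPUT
#   returns 0 when the running process has exactly the expected gids;
#   missing groups or unexpected extra ones (e.g. gid 0) both return 1.
groups_consistent() {
  [ "$(expected_gids "$1" "$2" "$3")" = "$(actual_gids "$4")" ]
}

# Constructed sample image files: user 'app' is uid/gid 1000 and is also a
# member of the 'docker' group (gid 999) through /etc/group.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
app:x:1000:1000::/home/app:/bin/sh'
SAMPLE_GROUP='root:x:0:
docker:x:999:app
app:x:1000:'

# Against a live container the three inputs would come from, e.g.:
#   docker exec "$c" cat /etc/passwd; docker exec "$c" cat /etc/group
#   docker exec "$c" id -G
if groups_consistent app "$SAMPLE_PASSWD" "$SAMPLE_GROUP" "1000 999"; then
  echo "sample container: supplementary groups match /etc/group"
fi
```

A container that fails this check after the engine upgrade is one the advisory says must be stopped and restarted for the permissions to be corrected.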
--- Begin Message ---
Source: docker.io
Source-Version: 20.10.19+dfsg1-1
Done: Felix Geyer <[email protected]>
We believe that the bug you reported is fixed in the latest version of
docker.io, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Felix Geyer <[email protected]> (supplier of updated docker.io package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sat, 15 Oct 2022 17:47:37 +0200
Source: docker.io
Architecture: source
Version: 20.10.19+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Felix Geyer <[email protected]>
Closes: 1019601
Changes:
docker.io (20.10.19+dfsg1-1) unstable; urgency=medium
.
* Team upload.
* New upstream release [20.10.19]
- Fixes CVE-2022-36109 (Closes: #1019601)
* Drop test--cli-skip-TestRemoveForce.patch, race condition has been fixed
upstream.
* Adapt watch file to GitHub changes.
--- End Message ---