CVE-2021-21284 (https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc): In Docker before versions 19.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using "--userns-remap", if the root user in the remapped namespace has access to the host filesystem they can modify files under "/var/lib/docker/<remapping>" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from the remapped user.

CVE-2021-21285 (https://github.com/moby/moby/security/advisories/GHSA-6fj5-m822-rqx8): In Docker before versions 19.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.

Please bump to 19.03.15 and 20.10.3.
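The report above gives fixed versions on two branches and a precondition (userns-remap) that only matters for the first CVE. The following triage helper is an added example written for this page; it is not code from the Gentoo bug, the ebuilds or the Moby advisories. It assumes that Docker version strings look like MAJOR.MINOR.PATCH with an optional "v" prefix or build suffix, that no fix exists on branches older than 19.03 (so 18.09.x and earlier count as affected), and that a daemon started with --userns-remap lists "name=userns" in the SecurityOptions field of `docker info`.

```shell
#!/bin/sh
# Added triage helper (constructed for this page; not from the Gentoo bug,
# the ebuilds or the Moby advisories). It decides whether a dockerd build
# still needs the 19.03.15 / 20.10.3 update for CVE-2021-21284 and
# CVE-2021-21285, and whether the userns-remap precondition of
# CVE-2021-21284 applies on this host.
#
# Assumptions (not stated on the page): versions look like MAJOR.MINOR.PATCH
# with an optional "v" prefix or build suffix; fixes exist only on the 19.03
# and 20.10 branches, so older branches (18.09.x, ...) are treated as affected;
# a daemon running with --userns-remap reports "name=userns" among its
# SecurityOptions in `docker info`.

# docker_fixed VERSION -> exit 0 if VERSION carries the advisory fixes, 1 otherwise
docker_fixed() {
    # keep only the leading dotted numbers: "v20.10.3-ce" -> "20.10.3"
    v=$(printf '%s\n' "$1" | sed 's/^v//; s/[^0-9.].*$//')
    oldifs=$IFS
    IFS=.
    set -- $v            # split on dots into positional parameters
    IFS=$oldifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    # an empty or unparsable version falls through to "not fixed"
    if [ "$major" -gt 20 ]; then return 0; fi
    if [ "$major" -eq 20 ]; then
        [ "$minor" -gt 10 ] && return 0
        [ "$minor" -eq 10 ] && [ "$patch" -ge 3 ] && return 0
        return 1
    fi
    if [ "$major" -eq 19 ] && [ "$minor" -eq 3 ] && [ "$patch" -ge 15 ]; then
        return 0
    fi
    return 1
}

# userns_remap_enabled SECURITY_OPTIONS -> exit 0 if userns-remap is active
# SECURITY_OPTIONS is the output of: docker info --format '{{json .SecurityOptions}}'
# e.g. ["name=apparmor","name=seccomp,profile=default","name=userns"]
userns_remap_enabled() {
    case "$1" in
        *name=userns*) return 0 ;;
        *) return 1 ;;
    esac
}

# triage VERSION SECURITY_OPTIONS -> prints one line per CVE;
# exit 0 when nothing is outstanding, 1 when an upgrade is still needed
triage() {
    ver=$1
    secopts=$2
    if docker_fixed "$ver"; then
        printf 'CVE-2021-21284 not affected (%s has the fix)\n' "$ver"
        printf 'CVE-2021-21285 not affected (%s has the fix)\n' "$ver"
        return 0
    fi
    if userns_remap_enabled "$secopts"; then
        printf 'CVE-2021-21284 affected (userns-remap enabled; remapped root can escalate)\n'
    else
        printf 'CVE-2021-21284 not exposed (userns-remap not enabled) but still unpatched\n'
    fi
    printf 'CVE-2021-21285 affected (pulling a malformed manifest crashes dockerd)\n'
    return 1
}

# On a live host: sh triage.sh --live
# (skipped when docker is not installed or --live was not given)
if [ "${1:-}" = "--live" ] && command -v docker >/dev/null 2>&1; then
    triage "$(docker version --format '{{.Server.Version}}')" \
           "$(docker info --format '{{json .SecurityOptions}}')"
fi
```

Versions that do not parse are deliberately reported as unpatched rather than ignored, so a packaging suffix the sed expression does not recognise errs on the side of flagging the host; the userns check only decides whether the first CVE is reachable, the second needs no special configuration.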
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a61c65ac049a905f70fdd3771946816c4d265b36

commit a61c65ac049a905f70fdd3771946816c4d265b36
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-02-04 15:05:56 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-02-04 15:05:56 +0000

    app-emulation/docker: 20.10.3 bump

    Bug: https://bugs.gentoo.org/768612
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-emulation/docker/Manifest              |   1 +
 app-emulation/docker/docker-20.10.3.ebuild | 293 +++++++++++++++++++++++++++++
 2 files changed, 294 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cdfb741d34233f5d2e57fe2f8cdd4946b0a3c8c5

commit cdfb741d34233f5d2e57fe2f8cdd4946b0a3c8c5
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-02-04 15:05:55 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-02-04 15:05:55 +0000

    app-emulation/docker: 19.03.15 bump

    Bug: https://bugs.gentoo.org/768612
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-emulation/docker/Manifest               |   1 +
 app-emulation/docker/docker-19.03.15.ebuild | 333 ++++++++++++++++++++++++++++
 2 files changed, 334 insertions(+)
Thank you! Please stable 19.03.15 when ready.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=81ba14bce19876c223817064e2607b1da480f0f5

commit 81ba14bce19876c223817064e2607b1da480f0f5
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-02-04 19:13:59 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-02-04 19:14:11 +0000

    app-emulation/docker: stable 19.03.15 on amd64

    Bug: https://bugs.gentoo.org/768612
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-emulation/docker/docker-19.03.15.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
arm64 and ppc64 done. Leaving old versions in the tree for about a week in case of regressions.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8c0abb54b8099aaa2b026fe74ceccccb1564b532

commit 8c0abb54b8099aaa2b026fe74ceccccb1564b532
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-02-15 01:11:48 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-02-15 01:15:00 +0000

    app-emulation/docker: remove vulnerable versions

    Bug: https://bugs.gentoo.org/768612
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-emulation/docker/Manifest                  |   3 -
 app-emulation/docker/docker-19.03.13-r2.ebuild | 333 -------------------------
 app-emulation/docker/docker-19.03.14.ebuild    | 333 -------------------------
 app-emulation/docker/docker-20.10.2.ebuild     | 293 ----------------------
 4 files changed, 962 deletions(-)
Thank you!
Cleanup done.
GLSA request filed.
This issue was resolved and addressed in GLSA 202107-23 at https://security.gentoo.org/glsa/202107-23 by GLSA coordinator John Helmert III (ajak).