CVE-2017-16539 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16539): The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP.
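As an added check (not part of this bug report or of Docker's own code), the script below reads an OCI runtime config.json and reports whether the `linux.maskedPaths` list hides `/proc/scsi`, which is what the upstream fix adds to the default spec; the full REQUIRED_MASKED set is an assumption for the example and should be compared against the Docker release actually in use.

```python
import json

# Paths a Docker default OCI spec is expected to mask inside containers.
# ASSUMPTION for this example: this set approximates Docker's defaults after
# the CVE-2017-16539 fix; the /proc/scsi entry is the one the CVE concerns.
REQUIRED_MASKED = {
    "/proc/kcore",
    "/proc/latency_stats",
    "/proc/timer_list",
    "/proc/timer_stats",
    "/proc/sched_debug",
    "/proc/scsi",
    "/sys/firmware",
}

def missing_masked_paths(spec, required=REQUIRED_MASKED):
    """Return the required masked paths absent from a parsed OCI config.

    The list lives under linux.maskedPaths; it may be absent altogether on
    older or hand-written specs, which counts as everything being unmasked.
    """
    masked = set(spec.get("linux", {}).get("maskedPaths") or [])
    return sorted(p for p in required if p not in masked)

def check_spec_json(text):
    """Parse config.json text; return (scsi_unmasked, missing_paths)."""
    spec = json.loads(text)
    missing = missing_masked_paths(spec)
    return ("/proc/scsi" in missing, missing)

# Constructed sample: maskedPaths of a pre-fix (17.03-era style) default spec.
OLD_SPEC = json.dumps({
    "ociVersion": "1.0.0",
    "linux": {"maskedPaths": [
        "/proc/kcore", "/proc/latency_stats", "/proc/timer_list",
        "/proc/timer_stats", "/proc/sched_debug", "/sys/firmware"]},
})
# Constructed sample: the same spec once /proc/scsi is masked as well.
FIXED_SPEC = json.dumps({
    "ociVersion": "1.0.0",
    "linux": {"maskedPaths": [
        "/proc/kcore", "/proc/latency_stats", "/proc/timer_list",
        "/proc/timer_stats", "/proc/sched_debug", "/proc/scsi",
        "/sys/firmware"]},
})

if __name__ == "__main__":
    for name, text in (("old", OLD_SPEC), ("fixed", FIXED_SPEC)):
        scsi_unmasked, missing = check_spec_json(text)
        print(f"{name}: /proc/scsi unmasked={scsi_unmasked}, missing={missing}")
```

Point it at the config.json the runtime generated for a running container to confirm the installed daemon, not just the version string, carries the fix.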
@Maintainers, could you please confirm whether we are affected? I see 17.06.2 is also stable; maybe we just need to clean 17.03? Thank you.
17.03 is unsupported upstream, so removing probably makes sense. Same goes for 17.06, though. This was fixed in 17.09 via https://github.com/docker/docker-ce/pull/291 (but the change doesn't appear to be in an actual 17.09 release yet, just the staging branch for the release). The same goes for 17.11 via https://github.com/docker/docker-ce/pull/290 (but with the same caveat that it appears it never went out with an actual release). So, the only official releases which actually contain this fix are the release candidates for 17.12, currently.
17.12.1 contains the patch per the upstream commit on: https://github.com/docker/docker-ce/pull/290

GLSA Vote: No

@maintainers, please clean the vulnerable version.