glibc: CVE-2015-7547
tianon opened this issue Β· comments
CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
https://googleonlinesecurity.blogspot.no/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
RHEL 6 and RHEL 7 have fixes (cc @jperrin)
Fedora has an update submitted (cc @maxamillion)
openSUSE update is in-progress (cc @flavio)
Debian tarballs are in-progress (almost complete -- just waiting on the sid/unstable packages to propagate)
Ubuntu doesn't have updated packages yet
our packages are syncing to the mirrors now. I'll have an updated build shortly.
OL6 and OL7 have fixes and a new build has been requested from our build team.
will all the official docker-library images be rebuilt automatically?
@ThiefMaster yes, they're in-progress right now
@jperrin @Djelibeybi thanks for the updates! π
@tianon this has the patched packages http://www.ubuntu.com/usn/usn-2900-1/
@diogomonica nice -- wonder why they didn't update http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7547.html yet
I'll give our Canonical contacts a poke and see what the ETA for updated tarballs is.
(At their request, we consume their tarballs from https://partner-images.canonical.com/core/, built by Canonical on their official infra, so as soon as those are updated I can update the image.)
@tianon yeah, I didn't understand that either. I was checking the CVE page too.
Heard back and Ubuntu rebuilds are in progress downstream! π
Great!
As a minor update, there was a snag in Canonical's update process that's delayed the artifact generation on their side -- I'll keep an eye on things, but it looks like we likely won't get those artifacts until early tomorrow (relative to PST).
Oracle images updated in #1453
What's the best way to see whether an official image has already been updated or not? For example the mongo image on docker hub still shows "last pushed 14d ago" so i guess it's still vulnerable?
@tianon when can we expect all the major images to be rebuilt eg centos and secondary eg mariadb, nginx etc? It looks like you guys have gone to bed. We are sitting around waiting for this to happen so we can patch production systems. Thanks.
@macropin for CentOS, we're waiting for the image maintainer to provide an updated rootfs; for the Debian-based portion of the library, we're waiting for the images themselves to finish rebuilding (there are a ton of them, and it takes quite a while to rebuild them all)
Ubuntu is going to have a PR shortly.
Both ubuntu and buildpack-deps are now fully updated. Rebuilds of dependent images are still in-progress.
Just a quick update, openSUSE 42.1, 13.2 and tumbleweed packages are being rolled out at different paces. I'll update all the images as soon as the packages are there.
Out of curiosity, why do the rebuilds take so long for the debian-based images?
That'd mostly be because we have over 300 officially supported tags based directly on debian, and over 200 based indirectly on it via buildpack-deps (not to mention further chains going through language images).
Thanks @flavio! β€οΈ
Sorry for the delay on getting this one in. #1455
Fedora updated #1456
@jperrin @maxamillion thanks for your diligence π
Updating on the rebuild status, we're still rebuilding, but I've started pushing batches of images (especially those based directly on the updated base images, which should include most of the "service" images like nginx or mariadb).
Awesome :)
James Mills / prologic
E: prologic@shortcircuit.net.au
W: prologic.shortcircuit.net.au
On Wed, Feb 17, 2016 at 2:46 PM, Tianon Gravi notifications@github.com
wrote:
@prologic https://github.com/prologic @vaygr https://github.com/vaygr
looks like crux and sourcemage are updated now [image: π]β
Reply to this email directly or view it on GitHub
#1448 (comment)
.
fedora:22 image is still not updated. Tried pulling from two locations (AU and SG) both got Digest: sha256:6acac77cc134c673eda753de389551d10e7b8d014430bb562bcfd104b6123ee8 which is 3 months old.
@maxamillion is the update for fedora:22 still pending (either in the package repos, or in rootfs rebuilding), or is that going to be a WONTFIX?
https://bugzilla.redhat.com/show_bug.cgi?id=1308943#c7 claims the update is available π
And the latest fedora:23 image still contains the vulnerable glibc.
[root@docker docker-cve]# docker pull fedora:23
Trying to pull repository docker.io/library/fedora ... 23: Pulling from library/fedora
b0082ba983ef: Already exists
a7a02e6029ae: Already exists
Digest: sha256:f538e5517cb2160e869647f0bff049e4ee38d5dde4ba75b50ff213831426ba05
Status: Image is up to date for docker.io/fedora:23
[root@docker docker-cve]# docker images |grep fedora
docker.io/fedora 23 a7a02e6029ae 8 hours ago 204.4 MB
docker.io/fedora latest a7a02e6029ae 8 hours ago 204.4 MB
[root@docker docker-cve]# docker run --rm -ti fedora:23 bash
[root@db80f371f2e1 /]# rpm -qva |grep glibc
glibc-common-2.22-7.fc23.x86_64
glibc-2.22-7.fc23.x86_64
@macropin thanks for the additional info and testing -- @maxamillion thoughts on what might've happened? π
@frapposelli just realized I need to add photon to my template π Is there an official "security tracker" for the OS yet, or is the best place to look for updates just going to be the SPECS directory in https://github.com/vmware/photon ? It doesn't look like glibc there is updated yet (https://github.com/vmware/photon/tree/master/SPECS/glibc).
@tianon no security tracker at the moment (working on that), best way is to look at the SPEC dir (either master or dev branch).
Seems like the guys already pushed a patch: vmware/photon@fdf30fa
Ok, Fedora fix is pushed. π π
@frapposelli nice! π Does that mean it's ready for an image rootfs rebuild, or is there further process it has to go through first?
@tianon they have an automated process that uploads the new artifacts, I'm checking with them for a timeline, once they're up I will send a PR with the update π
@frapposelli rock on, sounds great β€οΈ
@juanluisbaptiste looks like mageia:5 is ready for a rootfs rebuild? π
@tianon yes I already did the image update locally, but it seems I got distracted by something and totally forgot to finish it, probably I saw a squirrel through the window or something hehe. I'll finish the update later today when I'm back home.
@tianon Ready, please check.
I think this is likely as good as it's going to get at this point. π