Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2018-16873 (GCVE-0-2018-16873)
Vulnerability from cvelistv5 – Published: 2018-12-14 14:00 – Updated: 2024-08-05 10:32
VLAI?
EPSS
Summary
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git" by using a vanity import path that ends with "/.git". If the Git repository root contains a "HEAD" file, a "config" file, an "objects" directory, a "refs" directory, with some work to ensure the proper ordering of operations, "go get -u" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running "go get -u".
Severity ?
7.5 (High)
CWE
Assigner
References
12 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/106226 | vdb-entryx_refsource_BID |
| https://security.gentoo.org/glsa/201812-09 | vendor-advisoryx_refsource_GENTOO |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2… | x_refsource_CONFIRM |
| https://groups.google.com/forum/?pli=1#%21topic/g… | x_refsource_MISC |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisoryx_refsource_SUSE |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisoryx_refsource_SUSE |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisoryx_refsource_SUSE |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisoryx_refsource_SUSE |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisoryx_refsource_SUSE |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisoryx_refsource_SUSE |
| https://lists.debian.org/debian-lts-announce/2021… | mailing-listx_refsource_MLIST |
| https://lists.debian.org/debian-lts-announce/2021… | mailing-listx_refsource_MLIST |
Impacted products
Date Public ?
2018-12-13 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:32:54.055Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "106226",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106226"
},
{
"name": "GLSA-201812-09",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201812-09"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://groups.google.com/forum/?pli=1#%21topic/golang-announce/Kw31K8G7Fi0"
},
{
"name": "openSUSE-SU-2019:1079",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html"
},
{
"name": "openSUSE-SU-2019:1444",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html"
},
{
"name": "openSUSE-SU-2019:1499",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html"
},
{
"name": "openSUSE-SU-2019:1506",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html"
},
{
"name": "openSUSE-SU-2019:1703",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html"
},
{
"name": "openSUSE-SU-2020:0554",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html"
},
{
"name": "[debian-lts-announce] 20210313 [SECURITY] [DLA 2591-1] golang-1.7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html"
},
{
"name": "[debian-lts-announce] 20210313 [SECURITY] [DLA 2592-1] golang-1.8 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "golang",
"vendor": "[UNKNOWN]",
"versions": [
{
"status": "affected",
"version": "1.10.6"
},
{
"status": "affected",
"version": "1.11.3"
}
]
}
],
"datePublic": "2018-12-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it\u0027s possible to arrange things so that a Git repository is cloned to a folder named \".git\" by using a vanity import path that ends with \"/.git\". If the Git repository root contains a \"HEAD\" file, a \"config\" file, an \"objects\" directory, a \"refs\" directory, with some work to ensure the proper ordering of operations, \"go get -u\" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the \"config\" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running \"go get -u\"."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-13T20:06:33.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "106226",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106226"
},
{
"name": "GLSA-201812-09",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201812-09"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://groups.google.com/forum/?pli=1#%21topic/golang-announce/Kw31K8G7Fi0"
},
{
"name": "openSUSE-SU-2019:1079",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html"
},
{
"name": "openSUSE-SU-2019:1444",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html"
},
{
"name": "openSUSE-SU-2019:1499",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html"
},
{
"name": "openSUSE-SU-2019:1506",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html"
},
{
"name": "openSUSE-SU-2019:1703",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html"
},
{
"name": "openSUSE-SU-2020:0554",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html"
},
{
"name": "[debian-lts-announce] 20210313 [SECURITY] [DLA 2591-1] golang-1.7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html"
},
{
"name": "[debian-lts-announce] 20210313 [SECURITY] [DLA 2592-1] golang-1.8 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2018-16873",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "golang",
"version": {
"version_data": [
{
"version_value": "1.10.6"
},
{
"version_value": "1.11.3"
}
]
}
}
]
},
"vendor_name": "[UNKNOWN]"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it\u0027s possible to arrange things so that a Git repository is cloned to a folder named \".git\" by using a vanity import path that ends with \"/.git\". If the Git repository root contains a \"HEAD\" file, a \"config\" file, an \"objects\" directory, a \"refs\" directory, with some work to ensure the proper ordering of operations, \"go get -u\" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the \"config\" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running \"go get -u\"."
}
]
},
"impact": {
"cvss": [
[
{
"vectorString": "7.5/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
]
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "106226",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106226"
},
{
"name": "GLSA-201812-09",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201812-09"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873"
},
{
"name": "https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0",
"refsource": "MISC",
"url": "https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0"
},
{
"name": "openSUSE-SU-2019:1079",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html"
},
{
"name": "openSUSE-SU-2019:1444",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html"
},
{
"name": "openSUSE-SU-2019:1499",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html"
},
{
"name": "openSUSE-SU-2019:1506",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html"
},
{
"name": "openSUSE-SU-2019:1703",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html"
},
{
"name": "openSUSE-SU-2020:0554",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html"
},
{
"name": "[debian-lts-announce] 20210313 [SECURITY] [DLA 2591-1] golang-1.7 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html"
},
{
"name": "[debian-lts-announce] 20210313 [SECURITY] [DLA 2592-1] golang-1.8 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2018-16873",
"datePublished": "2018-12-14T14:00:00.000Z",
"dateReserved": "2018-09-11T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:32:54.055Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2018-16873",
"date": "2026-05-19",
"epss": "0.56804",
"percentile": "0.98159"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.10.6\", \"matchCriteriaId\": \"49A979C3-1002-477D-9874-FD5E0D1681D4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.11.0\", \"versionEndExcluding\": \"1.11.3\", \"matchCriteriaId\": \"7F67C474-BD21-4A3E-9F35-3D36BB6F09F4\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:opensuse:backports_sle:15.0:-:*:*:*:*:*:*\", \"matchCriteriaId\": \"D83DA865-E4A6-4FBF-AA1B-A969EBA6B2AD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F1E78106-58E6-4D59-990F-75DA575BFAD9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B620311B-34A3-48A6-82DF-6F078D7A4493\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5F65DAB0-3DAD-49FF-BC73-3581CC3D5BF3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:suse:linux_enterprise_server:12:-:*:*:*:*:*:*\", \"matchCriteriaId\": \"15FC9014-BD85-4382-9D04-C0703E901D7A\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"In Go before 1.10.6 and 1.11.x before 1.11.3, the \\\"go get\\\" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it\u0027s possible to arrange things so that a Git repository is cloned to a folder named \\\".git\\\" by using a vanity import path that ends with \\\"/.git\\\". If the Git repository root contains a \\\"HEAD\\\" file, a \\\"config\\\" file, an \\\"objects\\\" directory, a \\\"refs\\\" directory, with some work to ensure the proper ordering of operations, \\\"go get -u\\\" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the \\\"config\\\" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running \\\"go get -u\\\".\"}, {\"lang\": \"es\", \"value\": \"En Go en versiones anteriores a la 1.10.6 y versiones 1.11.x anteriores a la 1.11.3, el comando \\\"go get\\\" es vulnerable a la ejecuci\\u00f3n remota de c\\u00f3digo cuando se ejecuta con la marca -u y la ruta de importaci\\u00f3n de un paquete Go malicioso, o un paquete que lo importa directa o indirectamente. Espec\\u00edficamente, solo es vulnerable en modo GOPATH, pero no en modo m\\u00f3dulo (la diferencia est\\u00e1 documentada en https://golang.org/cmd/go/#hdr-Module_aware_go_get). Mediante el uso de dominios personalizados, es posible organizar todo para que un repositorio de Git se clone a una carpeta llamada \\\".git\\\" mediante una ruta de importaci\\u00f3n vanity que termina en \\\"/.git\\\". Si el root del repositorio Git contiene un archivo \\\"HEAD\\\", un archivo \\\"config\\\", un directorio \\\"objects\\\" y un directorio \\\"refs\\\", con algo de trabajo para asegurar el orden correcto de las operaciones, se puede enga\\u00f1ar a \\\"go get -u\\\" para que considere que el directorio padre es un root del repositorio y ejecute comandos Git en \\u00e9l. Eso emplear\\u00e1 el archivo \\\"config\\\" en el root del repositorio Git original, y si ese archivo de configuraci\\u00f3n contiene comandos maliciosos, se ejecutar\\u00e1n en el sistema con \\\"go get -u\\\".\"}]",
"id": "CVE-2018-16873",
"lastModified": "2024-11-21T03:53:29.973",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 5.9}], \"cvssMetricV30\": [{\"source\": \"secalert@redhat.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.6, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 6.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2018-12-14T14:29:00.227",
"references": "[{\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/106226\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://groups.google.com/forum/?pli=1#%21topic/golang-announce/Kw31K8G7Fi0\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://security.gentoo.org/glsa/201812-09\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mitigation\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/106226\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://groups.google.com/forum/?pli=1#%21topic/golang-announce/Kw31K8G7Fi0\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://security.gentoo.org/glsa/201812-09\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mitigation\", \"Third Party Advisory\"]}]",
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"secalert@redhat.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-20\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-20\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2018-16873\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2018-12-14T14:29:00.227\",\"lastModified\":\"2024-11-21T03:53:29.973\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Go before 1.10.6 and 1.11.x before 1.11.3, the \\\"go get\\\" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it\u0027s possible to arrange things so that a Git repository is cloned to a folder named \\\".git\\\" by using a vanity import path that ends with \\\"/.git\\\". If the Git repository root contains a \\\"HEAD\\\" file, a \\\"config\\\" file, an \\\"objects\\\" directory, a \\\"refs\\\" directory, with some work to ensure the proper ordering of operations, \\\"go get -u\\\" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the \\\"config\\\" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running \\\"go get -u\\\".\"},{\"lang\":\"es\",\"value\":\"En Go en versiones anteriores a la 1.10.6 y versiones 1.11.x anteriores a la 1.11.3, el comando \\\"go get\\\" es vulnerable a la ejecuci\u00f3n remota de c\u00f3digo cuando se ejecuta con la marca -u y la ruta de importaci\u00f3n de un paquete Go malicioso, o un paquete que lo importa directa o indirectamente. Espec\u00edficamente, solo es vulnerable en modo GOPATH, pero no en modo m\u00f3dulo (la diferencia est\u00e1 documentada en https://golang.org/cmd/go/#hdr-Module_aware_go_get). Mediante el uso de dominios personalizados, es posible organizar todo para que un repositorio de Git se clone a una carpeta llamada \\\".git\\\" mediante una ruta de importaci\u00f3n vanity que termina en \\\"/.git\\\". Si el root del repositorio Git contiene un archivo \\\"HEAD\\\", un archivo \\\"config\\\", un directorio \\\"objects\\\" y un directorio \\\"refs\\\", con algo de trabajo para asegurar el orden correcto de las operaciones, se puede enga\u00f1ar a \\\"go get -u\\\" para que considere que el directorio padre es un root del repositorio y ejecute comandos Git en \u00e9l. Eso emplear\u00e1 el archivo \\\"config\\\" en el root del repositorio Git original, y si ese archivo de configuraci\u00f3n contiene comandos maliciosos, se ejecutar\u00e1n en el sistema con \\\"go get -u\\\".\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9}],\"cvssMetricV30\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.10.6\",\"matchCriteriaId\":\"49A979C3-1002-477D-9874-FD5E0D1681D4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.11.0\",\"versionEndExcluding\":\"1.11.3\",\"matchCriteriaId\":\"7F67C474-BD21-4A3E-9F35-3D36BB6F09F4\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensuse:backports_sle:15.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"D83DA865-E4A6-4FBF-AA1B-A969EBA6B2AD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F1E78106-58E6-4D59-990F-75DA575BFAD9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B620311B-34A3-48A6-82DF-6F078D7A4493\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5F65DAB0-3DAD-49FF-BC73-3581CC3D5BF3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:suse:linux_enterprise_server:12:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"15FC9014-BD85-4382-9D04-C0703E901D7A\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]}],\"references\":[{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/106226\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://groups.google.com/forum/?pli=1#%21topic/golang-announce/Kw31K8G7Fi0\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/201812-09\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/106226\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://groups.google.com/forum/?pli=1#%21topic/golang-announce/Kw31K8G7Fi0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/201812-09\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]}]}}"
}
}
BDU:2020-01887
Vulnerability from fstec - Published: 10.12.2018
VLAI Severity ?
Title
Уязвимость реализации команды «go get» языка программирования Go, позволяющая нарушителю выполнить произвольный код
Description
Уязвимость реализации команды «go get» языка программирования Go связана с недостаточной проверкой входных данных (недостаточная проверка пути импорта при использовании флага «-u»). Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, выполнить произвольный код с помощью специально созданного вредоносного пакета
Severity ?
Vendor
Novell Inc., The Go Project
Software Name
OpenSUSE Leap, Go
Software Version
42.3 (OpenSUSE Leap), 15.0 (OpenSUSE Leap), 15.1 (OpenSUSE Leap), до 1.10.6 (Go), от 1.11.0 до 1.11.3 (Go)
Possible Mitigations
Использование рекомендаций:
Для Go:
https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0
Для программных продуктов Novell Inc.:
http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html
Reference
http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html
http://www.securityfocus.com/bid/106226
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873
https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0
https://security.gentoo.org/glsa/201812-09
CWE
CWE-20
{
"CVSS 2.0": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"CVSS 3.0": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Novell Inc., The Go Project",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "42.3 (OpenSUSE Leap), 15.0 (OpenSUSE Leap), 15.1 (OpenSUSE Leap), \u0434\u043e 1.10.6 (Go), \u043e\u0442 1.11.0 \u0434\u043e 1.11.3 (Go)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f Go:\nhttps://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Novell Inc.:\nhttp://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html \nhttp://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html \nhttp://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html \nhttp://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html \nhttp://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "10.12.2018",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "29.04.2020",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "29.04.2020",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2020-01887",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2018-16873",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "OpenSUSE Leap, Go",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "Novell Inc. OpenSUSE Leap 42.3 , Novell Inc. OpenSUSE Leap 15.0 , Novell Inc. OpenSUSE Leap 15.1 ",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u043a\u043e\u043c\u0430\u043d\u0434\u044b \u00abgo get\u00bb \u044f\u0437\u044b\u043a\u0430 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f Go, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u0430\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 (CWE-20)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u043a\u043e\u043c\u0430\u043d\u0434\u044b \u00abgo get\u00bb \u044f\u0437\u044b\u043a\u0430 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f Go \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u043e\u0439 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u043e\u0439 \u0432\u0445\u043e\u0434\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 (\u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u0430\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u043f\u0443\u0442\u0438 \u0438\u043c\u043f\u043e\u0440\u0442\u0430 \u043f\u0440\u0438 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0438 \u0444\u043b\u0430\u0433\u0430 \u00ab-u\u00bb). \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u043e\u0437\u0434\u0430\u043d\u043d\u043e\u0433\u043e \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u043e\u0433\u043e \u043f\u0430\u043a\u0435\u0442\u0430",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u0430\u043c\u0438",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html \nhttp://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html \nhttp://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html \nhttp://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html \nhttp://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html \nhttp://www.securityfocus.com/bid/106226 \nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873 \nhttps://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0 \nhttps://security.gentoo.org/glsa/201812-09",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-20",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9,3)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 8,1)"
}
CNVD-2018-25737
Vulnerability from cnvd - Published: 2018-12-19
VLAI Severity ?
Title
Google Go远程代码执行漏洞
Description
Google Go是美国谷歌(Google)公司的一种针对多处理器系统应用程序的编程进行了优化的编程语言。
Google Go 1.10.6之前版本和1.11.3之前的1.11.x版本(GOPATH模式)中的‘go get’命令存在远程代码执行漏洞,远程攻击者可利用该漏洞执行恶意的命令。
Severity
高
Patch Name
Google Go远程代码执行漏洞的补丁
Patch Description
Google Go是美国谷歌(Google)公司的一种针对多处理器系统应用程序的编程进行了优化的编程语言。
Google Go 1.10.6之前版本和1.11.3之前的1.11.x版本(GOPATH模式)中的‘go get’命令存在远程代码执行漏洞,远程攻击者可利用该漏洞执行恶意的命令。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
厂商已发布了漏洞修复程序,请及时关注更新: https://github.com/golang/go/issues/29230
Reference
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873
https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0
Impacted products
| Name | ['Google GO <1.10.6', 'Google GO 1.11.*,<1.11.3'] |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2018-16873"
}
},
"description": "Google Go\u662f\u7f8e\u56fd\u8c37\u6b4c\uff08Google\uff09\u516c\u53f8\u7684\u4e00\u79cd\u9488\u5bf9\u591a\u5904\u7406\u5668\u7cfb\u7edf\u5e94\u7528\u7a0b\u5e8f\u7684\u7f16\u7a0b\u8fdb\u884c\u4e86\u4f18\u5316\u7684\u7f16\u7a0b\u8bed\u8a00\u3002\n\nGoogle Go 1.10.6\u4e4b\u524d\u7248\u672c\u548c1.11.3\u4e4b\u524d\u76841.11.x\u7248\u672c\uff08GOPATH\u6a21\u5f0f\uff09\u4e2d\u7684\u2018go get\u2019\u547d\u4ee4\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u6076\u610f\u7684\u547d\u4ee4\u3002",
"discovererName": "Sam Fowler",
"formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/golang/go/issues/29230",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2018-25737",
"openTime": "2018-12-19",
"patchDescription": "Google Go\u662f\u7f8e\u56fd\u8c37\u6b4c\uff08Google\uff09\u516c\u53f8\u7684\u4e00\u79cd\u9488\u5bf9\u591a\u5904\u7406\u5668\u7cfb\u7edf\u5e94\u7528\u7a0b\u5e8f\u7684\u7f16\u7a0b\u8fdb\u884c\u4e86\u4f18\u5316\u7684\u7f16\u7a0b\u8bed\u8a00\u3002\r\n\r\nGoogle Go 1.10.6\u4e4b\u524d\u7248\u672c\u548c1.11.3\u4e4b\u524d\u76841.11.x\u7248\u672c\uff08GOPATH\u6a21\u5f0f\uff09\u4e2d\u7684\u2018go get\u2019\u547d\u4ee4\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u6076\u610f\u7684\u547d\u4ee4\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Google Go\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": [
"Google GO \u003c1.10.6",
"Google GO 1.11.*\uff0c\u003c1.11.3"
]
},
"referenceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873\r\nhttps://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0",
"serverity": "\u9ad8",
"submitTime": "2018-12-17",
"title": "Google Go\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e"
}
FKIE_CVE-2018-16873
Vulnerability from fkie_nvd - Published: 2018-12-14 14:29 - Updated: 2024-11-21 03:53
Severity ?
Summary
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git" by using a vanity import path that ends with "/.git". If the Git repository root contains a "HEAD" file, a "config" file, an "objects" directory, a "refs" directory, with some work to ensure the proper ordering of operations, "go get -u" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running "go get -u".
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*",
"matchCriteriaId": "49A979C3-1002-477D-9874-FD5E0D1681D4",
"versionEndExcluding": "1.10.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7F67C474-BD21-4A3E-9F35-3D36BB6F09F4",
"versionEndExcluding": "1.11.3",
"versionStartIncluding": "1.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opensuse:backports_sle:15.0:-:*:*:*:*:*:*",
"matchCriteriaId": "D83DA865-E4A6-4FBF-AA1B-A969EBA6B2AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F1E78106-58E6-4D59-990F-75DA575BFAD9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*",
"matchCriteriaId": "5F65DAB0-3DAD-49FF-BC73-3581CC3D5BF3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:suse:linux_enterprise_server:12:-:*:*:*:*:*:*",
"matchCriteriaId": "15FC9014-BD85-4382-9D04-C0703E901D7A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it\u0027s possible to arrange things so that a Git repository is cloned to a folder named \".git\" by using a vanity import path that ends with \"/.git\". If the Git repository root contains a \"HEAD\" file, a \"config\" file, an \"objects\" directory, a \"refs\" directory, with some work to ensure the proper ordering of operations, \"go get -u\" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the \"config\" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running \"go get -u\"."
},
{
"lang": "es",
"value": "En Go en versiones anteriores a la 1.10.6 y versiones 1.11.x anteriores a la 1.11.3, el comando \"go get\" es vulnerable a la ejecuci\u00f3n remota de c\u00f3digo cuando se ejecuta con la marca -u y la ruta de importaci\u00f3n de un paquete Go malicioso, o un paquete que lo importa directa o indirectamente. Espec\u00edficamente, solo es vulnerable en modo GOPATH, pero no en modo m\u00f3dulo (la diferencia est\u00e1 documentada en https://golang.org/cmd/go/#hdr-Module_aware_go_get). Mediante el uso de dominios personalizados, es posible organizar todo para que un repositorio de Git se clone a una carpeta llamada \".git\" mediante una ruta de importaci\u00f3n vanity que termina en \"/.git\". Si el root del repositorio Git contiene un archivo \"HEAD\", un archivo \"config\", un directorio \"objects\" y un directorio \"refs\", con algo de trabajo para asegurar el orden correcto de las operaciones, se puede enga\u00f1ar a \"go get -u\" para que considere que el directorio padre es un root del repositorio y ejecute comandos Git en \u00e9l. Eso emplear\u00e1 el archivo \"config\" en el root del repositorio Git original, y si ese archivo de configuraci\u00f3n contiene comandos maliciosos, se ejecutar\u00e1n en el sistema con \"go get -u\"."
}
],
"id": "CVE-2018-16873",
"lastModified": "2024-11-21T03:53:29.973",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.6,
"impactScore": 5.9,
"source": "secalert@redhat.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-12-14T14:29:00.227",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/106226"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/?pli=1#%21topic/golang-announce/Kw31K8G7Fi0"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/201812-09"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/106226"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/?pli=1#%21topic/golang-announce/Kw31K8G7Fi0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/201812-09"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
GHSA-Q6PP-3Q54-QW37
Vulnerability from github – Published: 2022-05-13 01:11 – Updated: 2022-05-13 01:11
VLAI?
Details
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git" by using a vanity import path that ends with "/.git". If the Git repository root contains a "HEAD" file, a "config" file, an "objects" directory, a "refs" directory, with some work to ensure the proper ordering of operations, "go get -u" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running "go get -u".
Severity ?
8.1 (High)
{
"affected": [],
"aliases": [
"CVE-2018-16873"
],
"database_specific": {
"cwe_ids": [
"CWE-20"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-14T14:29:00Z",
"severity": "HIGH"
},
"details": "In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it\u0027s possible to arrange things so that a Git repository is cloned to a folder named \".git\" by using a vanity import path that ends with \"/.git\". If the Git repository root contains a \"HEAD\" file, a \"config\" file, an \"objects\" directory, a \"refs\" directory, with some work to ensure the proper ordering of operations, \"go get -u\" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the \"config\" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running \"go get -u\".",
"id": "GHSA-q6pp-3q54-qw37",
"modified": "2022-05-13T01:11:23Z",
"published": "2022-05-13T01:11:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16873"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201812-09"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106226"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GSD-2018-16873
Vulnerability from gsd - Updated: 2023-12-13 01:22Details
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git" by using a vanity import path that ends with "/.git". If the Git repository root contains a "HEAD" file, a "config" file, an "objects" directory, a "refs" directory, with some work to ensure the proper ordering of operations, "go get -u" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running "go get -u".
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2018-16873",
"description": "In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it\u0027s possible to arrange things so that a Git repository is cloned to a folder named \".git\" by using a vanity import path that ends with \"/.git\". If the Git repository root contains a \"HEAD\" file, a \"config\" file, an \"objects\" directory, a \"refs\" directory, with some work to ensure the proper ordering of operations, \"go get -u\" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the \"config\" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running \"go get -u\".",
"id": "GSD-2018-16873",
"references": [
"https://www.suse.com/security/cve/CVE-2018-16873.html",
"https://advisories.mageia.org/CVE-2018-16873.html",
"https://security.archlinux.org/CVE-2018-16873",
"https://alas.aws.amazon.com/cve/html/CVE-2018-16873.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2018-16873"
],
"details": "In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it\u0027s possible to arrange things so that a Git repository is cloned to a folder named \".git\" by using a vanity import path that ends with \"/.git\". If the Git repository root contains a \"HEAD\" file, a \"config\" file, an \"objects\" directory, a \"refs\" directory, with some work to ensure the proper ordering of operations, \"go get -u\" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the \"config\" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running \"go get -u\".",
"id": "GSD-2018-16873",
"modified": "2023-12-13T01:22:25.994626Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2018-16873",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "golang",
"version": {
"version_data": [
{
"version_value": "1.10.6"
},
{
"version_value": "1.11.3"
}
]
}
}
]
},
"vendor_name": "[UNKNOWN]"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it\u0027s possible to arrange things so that a Git repository is cloned to a folder named \".git\" by using a vanity import path that ends with \"/.git\". If the Git repository root contains a \"HEAD\" file, a \"config\" file, an \"objects\" directory, a \"refs\" directory, with some work to ensure the proper ordering of operations, \"go get -u\" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the \"config\" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running \"go get -u\"."
}
]
},
"impact": {
"cvss": [
[
{
"vectorString": "7.5/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
]
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "106226",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106226"
},
{
"name": "GLSA-201812-09",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201812-09"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873"
},
{
"name": "https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0",
"refsource": "MISC",
"url": "https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0"
},
{
"name": "openSUSE-SU-2019:1079",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html"
},
{
"name": "openSUSE-SU-2019:1444",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html"
},
{
"name": "openSUSE-SU-2019:1499",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html"
},
{
"name": "openSUSE-SU-2019:1506",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html"
},
{
"name": "openSUSE-SU-2019:1703",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html"
},
{
"name": "openSUSE-SU-2020:0554",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html"
},
{
"name": "[debian-lts-announce] 20210313 [SECURITY] [DLA 2591-1] golang-1.7 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html"
},
{
"name": "[debian-lts-announce] 20210313 [SECURITY] [DLA 2592-1] golang-1.8 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.11.3",
"versionStartIncluding": "1.11.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.10.6",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:opensuse:backports_sle:15.0:-:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:suse:linux_enterprise_server:12:-:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2018-16873"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it\u0027s possible to arrange things so that a Git repository is cloned to a folder named \".git\" by using a vanity import path that ends with \"/.git\". If the Git repository root contains a \"HEAD\" file, a \"config\" file, an \"objects\" directory, a \"refs\" directory, with some work to ensure the proper ordering of operations, \"go get -u\" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the \"config\" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running \"go get -u\"."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873",
"refsource": "CONFIRM",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873"
},
{
"name": "106226",
"refsource": "BID",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/106226"
},
{
"name": "GLSA-201812-09",
"refsource": "GENTOO",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/201812-09"
},
{
"name": "openSUSE-SU-2019:1079",
"refsource": "SUSE",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html"
},
{
"name": "openSUSE-SU-2019:1444",
"refsource": "SUSE",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html"
},
{
"name": "openSUSE-SU-2019:1499",
"refsource": "SUSE",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html"
},
{
"name": "openSUSE-SU-2019:1506",
"refsource": "SUSE",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html"
},
{
"name": "openSUSE-SU-2019:1703",
"refsource": "SUSE",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html"
},
{
"name": "openSUSE-SU-2020:0554",
"refsource": "SUSE",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html"
},
{
"name": "[debian-lts-announce] 20210313 [SECURITY] [DLA 2592-1] golang-1.8 security update",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html"
},
{
"name": "[debian-lts-announce] 20210313 [SECURITY] [DLA 2591-1] golang-1.7 security update",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9
}
},
"lastModifiedDate": "2021-03-25T16:43Z",
"publishedDate": "2018-12-14T14:29Z"
}
}
}
OPENSUSE-SU-2019:0170-1
Vulnerability from csaf_opensuse - Published: 2019-02-13 16:51 - Updated: 2019-02-13 16:51Summary
Security update for runc
Severity
Important
Notes
Title of the patch: Security update for runc
Description of the patch: This update for runc fixes the following issues:
Security vulnerabilities addressed:
- CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to avoid
write attacks to the host runc binary, which could lead to a container
breakout (bsc#1121967)
- CVE-2018-16873: Fix a remote command execution during 'go get -u'
(boo#1118897)
- CVE-2018-16874: Fix a directory traversal in 'go get' via curly braces in
import paths (boo#1118898)
- CVE-2018-16875: Fix a CPU denial of service issue (boo#1118899)
Other changes and bug fixes:
- Update go requirements to >= go1.10
- Create a symlink in /usr/bin/runc to enable rootless Podman and Buildah.
- Make use of %license macro
- Remove 'go test' from %check section, as it has only ever caused us problems
and hasn't (as far as I remember) ever caught a release-blocking issue. Smoke
testing has been far more useful. (boo#1095817)
- Upgrade to runc v1.0.0~rc6. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc6
Patchnames: openSUSE-2019-170
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15:runc-test-1.0.0~rc6-bp150.2.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
6.8 (Medium)
Affected products
Recommended
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15:runc-test-1.0.0~rc6-bp150.2.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
5.9 (Medium)
Affected products
Recommended
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15:runc-test-1.0.0~rc6-bp150.2.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15:runc-test-1.0.0~rc6-bp150.2.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
References
30 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for runc",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for runc fixes the following issues:\n\nSecurity vulnerabilities addressed:\n\n- CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to avoid\n write attacks to the host runc binary, which could lead to a container\n breakout (bsc#1121967)\n- CVE-2018-16873: Fix a remote command execution during \u0027go get -u\u0027\n (boo#1118897)\n- CVE-2018-16874: Fix a directory traversal in \u0027go get\u0027 via curly braces in\n import paths (boo#1118898)\n- CVE-2018-16875: Fix a CPU denial of service issue (boo#1118899)\n\nOther changes and bug fixes:\n\n- Update go requirements to \u003e= go1.10\n- Create a symlink in /usr/bin/runc to enable rootless Podman and Buildah.\n- Make use of %license macro\n- Remove \u0027go test\u0027 from %check section, as it has only ever caused us problems\n and hasn\u0027t (as far as I remember) ever caught a release-blocking issue. Smoke\n testing has been far more useful. (boo#1095817)\n- Upgrade to runc v1.0.0~rc6. Upstream changelog is available from\n https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc6\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2019-170",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2019_0170-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2019:0170-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/K5SY7VBRVPPL5WRVFFIC7CSECFNB3NGY/#K5SY7VBRVPPL5WRVFFIC7CSECFNB3NGY"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2019:0170-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/K5SY7VBRVPPL5WRVFFIC7CSECFNB3NGY/#K5SY7VBRVPPL5WRVFFIC7CSECFNB3NGY"
},
{
"category": "self",
"summary": "SUSE Bug 1095817",
"url": "https://bugzilla.suse.com/1095817"
},
{
"category": "self",
"summary": "SUSE Bug 1118897",
"url": "https://bugzilla.suse.com/1118897"
},
{
"category": "self",
"summary": "SUSE Bug 1118898",
"url": "https://bugzilla.suse.com/1118898"
},
{
"category": "self",
"summary": "SUSE Bug 1118899",
"url": "https://bugzilla.suse.com/1118899"
},
{
"category": "self",
"summary": "SUSE Bug 1121967",
"url": "https://bugzilla.suse.com/1121967"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16873 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16873/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16874 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16874/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16875 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16875/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-5736 page",
"url": "https://www.suse.com/security/cve/CVE-2019-5736/"
}
],
"title": "Security update for runc",
"tracking": {
"current_release_date": "2019-02-13T16:51:49Z",
"generator": {
"date": "2019-02-13T16:51:49Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2019:0170-1",
"initial_release_date": "2019-02-13T16:51:49Z",
"revision_history": [
{
"date": "2019-02-13T16:51:49Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "runc-1.0.0~rc6-bp150.2.3.1.aarch64",
"product": {
"name": "runc-1.0.0~rc6-bp150.2.3.1.aarch64",
"product_id": "runc-1.0.0~rc6-bp150.2.3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "runc-test-1.0.0~rc6-bp150.2.3.1.noarch",
"product": {
"name": "runc-test-1.0.0~rc6-bp150.2.3.1.noarch",
"product_id": "runc-test-1.0.0~rc6-bp150.2.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "runc-1.0.0~rc6-bp150.2.3.1.ppc64le",
"product": {
"name": "runc-1.0.0~rc6-bp150.2.3.1.ppc64le",
"product_id": "runc-1.0.0~rc6-bp150.2.3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "runc-1.0.0~rc6-bp150.2.3.1.s390x",
"product": {
"name": "runc-1.0.0~rc6-bp150.2.3.1.s390x",
"product_id": "runc-1.0.0~rc6-bp150.2.3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "runc-1.0.0~rc6-bp150.2.3.1.x86_64",
"product": {
"name": "runc-1.0.0~rc6-bp150.2.3.1.x86_64",
"product_id": "runc-1.0.0~rc6-bp150.2.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 15",
"product": {
"name": "SUSE Package Hub 15",
"product_id": "SUSE Package Hub 15"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "runc-1.0.0~rc6-bp150.2.3.1.aarch64 as component of SUSE Package Hub 15",
"product_id": "SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.aarch64"
},
"product_reference": "runc-1.0.0~rc6-bp150.2.3.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "runc-1.0.0~rc6-bp150.2.3.1.ppc64le as component of SUSE Package Hub 15",
"product_id": "SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.ppc64le"
},
"product_reference": "runc-1.0.0~rc6-bp150.2.3.1.ppc64le",
"relates_to_product_reference": "SUSE Package Hub 15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "runc-1.0.0~rc6-bp150.2.3.1.s390x as component of SUSE Package Hub 15",
"product_id": "SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.s390x"
},
"product_reference": "runc-1.0.0~rc6-bp150.2.3.1.s390x",
"relates_to_product_reference": "SUSE Package Hub 15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "runc-1.0.0~rc6-bp150.2.3.1.x86_64 as component of SUSE Package Hub 15",
"product_id": "SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.x86_64"
},
"product_reference": "runc-1.0.0~rc6-bp150.2.3.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "runc-test-1.0.0~rc6-bp150.2.3.1.noarch as component of SUSE Package Hub 15",
"product_id": "SUSE Package Hub 15:runc-test-1.0.0~rc6-bp150.2.3.1.noarch"
},
"product_reference": "runc-test-1.0.0~rc6-bp150.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-16873",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16873"
}
],
"notes": [
{
"category": "general",
"text": "In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it\u0027s possible to arrange things so that a Git repository is cloned to a folder named \".git\" by using a vanity import path that ends with \"/.git\". If the Git repository root contains a \"HEAD\" file, a \"config\" file, an \"objects\" directory, a \"refs\" directory, with some work to ensure the proper ordering of operations, \"go get -u\" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the \"config\" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running \"go get -u\".",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.aarch64",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.ppc64le",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.s390x",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.x86_64",
"SUSE Package Hub 15:runc-test-1.0.0~rc6-bp150.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16873",
"url": "https://www.suse.com/security/cve/CVE-2018-16873"
},
{
"category": "external",
"summary": "SUSE Bug 1118897 for CVE-2018-16873",
"url": "https://bugzilla.suse.com/1118897"
},
{
"category": "external",
"summary": "SUSE Bug 1118898 for CVE-2018-16873",
"url": "https://bugzilla.suse.com/1118898"
},
{
"category": "external",
"summary": "SUSE Bug 1118899 for CVE-2018-16873",
"url": "https://bugzilla.suse.com/1118899"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.aarch64",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.ppc64le",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.s390x",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.x86_64",
"SUSE Package Hub 15:runc-test-1.0.0~rc6-bp150.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.aarch64",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.ppc64le",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.s390x",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.x86_64",
"SUSE Package Hub 15:runc-test-1.0.0~rc6-bp150.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-02-13T16:51:49Z",
"details": "important"
}
],
"title": "CVE-2018-16873"
},
{
"cve": "CVE-2018-16874",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16874"
}
],
"notes": [
{
"category": "general",
"text": "In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both \u0027{\u0027 and \u0027}\u0027 characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.aarch64",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.ppc64le",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.s390x",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.x86_64",
"SUSE Package Hub 15:runc-test-1.0.0~rc6-bp150.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16874",
"url": "https://www.suse.com/security/cve/CVE-2018-16874"
},
{
"category": "external",
"summary": "SUSE Bug 1118897 for CVE-2018-16874",
"url": "https://bugzilla.suse.com/1118897"
},
{
"category": "external",
"summary": "SUSE Bug 1118898 for CVE-2018-16874",
"url": "https://bugzilla.suse.com/1118898"
},
{
"category": "external",
"summary": "SUSE Bug 1118899 for CVE-2018-16874",
"url": "https://bugzilla.suse.com/1118899"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.aarch64",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.ppc64le",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.s390x",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.x86_64",
"SUSE Package Hub 15:runc-test-1.0.0~rc6-bp150.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.aarch64",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.ppc64le",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.s390x",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.x86_64",
"SUSE Package Hub 15:runc-test-1.0.0~rc6-bp150.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-02-13T16:51:49Z",
"details": "moderate"
}
],
"title": "CVE-2018-16874"
},
{
"cve": "CVE-2018-16875",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16875"
}
],
"notes": [
{
"category": "general",
"text": "The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.aarch64",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.ppc64le",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.s390x",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.x86_64",
"SUSE Package Hub 15:runc-test-1.0.0~rc6-bp150.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16875",
"url": "https://www.suse.com/security/cve/CVE-2018-16875"
},
{
"category": "external",
"summary": "SUSE Bug 1118897 for CVE-2018-16875",
"url": "https://bugzilla.suse.com/1118897"
},
{
"category": "external",
"summary": "SUSE Bug 1118898 for CVE-2018-16875",
"url": "https://bugzilla.suse.com/1118898"
},
{
"category": "external",
"summary": "SUSE Bug 1118899 for CVE-2018-16875",
"url": "https://bugzilla.suse.com/1118899"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.aarch64",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.ppc64le",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.s390x",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.x86_64",
"SUSE Package Hub 15:runc-test-1.0.0~rc6-bp150.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.aarch64",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.ppc64le",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.s390x",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.x86_64",
"SUSE Package Hub 15:runc-test-1.0.0~rc6-bp150.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-02-13T16:51:49Z",
"details": "moderate"
}
],
"title": "CVE-2018-16875"
},
{
"cve": "CVE-2019-5736",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-5736"
}
],
"notes": [
{
"category": "general",
"text": "runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.aarch64",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.ppc64le",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.s390x",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.x86_64",
"SUSE Package Hub 15:runc-test-1.0.0~rc6-bp150.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-5736",
"url": "https://www.suse.com/security/cve/CVE-2019-5736"
},
{
"category": "external",
"summary": "SUSE Bug 1121967 for CVE-2019-5736",
"url": "https://bugzilla.suse.com/1121967"
},
{
"category": "external",
"summary": "SUSE Bug 1122185 for CVE-2019-5736",
"url": "https://bugzilla.suse.com/1122185"
},
{
"category": "external",
"summary": "SUSE Bug 1173421 for CVE-2019-5736",
"url": "https://bugzilla.suse.com/1173421"
},
{
"category": "external",
"summary": "SUSE Bug 1218894 for CVE-2019-5736",
"url": "https://bugzilla.suse.com/1218894"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.aarch64",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.ppc64le",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.s390x",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.x86_64",
"SUSE Package Hub 15:runc-test-1.0.0~rc6-bp150.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.aarch64",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.ppc64le",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.s390x",
"SUSE Package Hub 15:runc-1.0.0~rc6-bp150.2.3.1.x86_64",
"SUSE Package Hub 15:runc-test-1.0.0~rc6-bp150.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-02-13T16:51:49Z",
"details": "important"
}
],
"title": "CVE-2019-5736"
}
]
}
OPENSUSE-SU-2019:0189-1
Vulnerability from csaf_opensuse - Published: 2019-03-23 11:00 - Updated: 2019-03-23 11:00Summary
Security update for docker
Severity
Moderate
Notes
Title of the patch: Security update for docker
Description of the patch: This update for containerd, docker, docker-runc and golang-github-docker-libnetwork fixes the following issues:
Security issues fixed for containerd, docker, docker-runc and golang-github-docker-libnetwork:
- CVE-2018-16873: cmd/go: remote command execution during 'go get -u' (bsc#1118897)
- CVE-2018-16874: cmd/go: directory traversal in 'go get' via curly braces in import paths (bsc#1118898)
- CVE-2018-16875: crypto/x509: CPU denial of service (bsc#1118899)
Non-security issues fixed for docker:
- Disable leap based builds for kubic flavor (bsc#1121412)
- Allow users to explicitly specify the NIS domainname of a container (bsc#1001161)
- Update docker.service to match upstream and avoid rlimit problems (bsc#1112980)
- Allow docker images larger then 23GB (bsc#1118990)
- Docker version update to version 18.09.0-ce (bsc#1115464)
This update was imported from the SUSE:SLE-15:Update update project.
Patchnames: openSUSE-2019-189
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.0:containerd-1.1.2-lp150.4.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:containerd-ctr-1.1.2-lp150.4.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:containerd-test-1.1.2-lp150.4.6.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-18.09.0_ce-lp150.5.9.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-bash-completion-18.09.0_ce-lp150.5.9.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-runc-test-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-test-18.09.0_ce-lp150.5.9.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-zsh-completion-18.09.0_ce-lp150.5.9.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
6.8 (Medium)
Affected products
Recommended
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.0:containerd-1.1.2-lp150.4.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:containerd-ctr-1.1.2-lp150.4.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:containerd-test-1.1.2-lp150.4.6.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-18.09.0_ce-lp150.5.9.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-bash-completion-18.09.0_ce-lp150.5.9.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-runc-test-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-test-18.09.0_ce-lp150.5.9.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-zsh-completion-18.09.0_ce-lp150.5.9.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.9 (Medium)
Affected products
Recommended
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.0:containerd-1.1.2-lp150.4.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:containerd-ctr-1.1.2-lp150.4.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:containerd-test-1.1.2-lp150.4.6.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-18.09.0_ce-lp150.5.9.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-bash-completion-18.09.0_ce-lp150.5.9.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-runc-test-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-test-18.09.0_ce-lp150.5.9.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-zsh-completion-18.09.0_ce-lp150.5.9.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
27 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for docker",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for containerd, docker, docker-runc and golang-github-docker-libnetwork fixes the following issues:\n\nSecurity issues fixed for containerd, docker, docker-runc and golang-github-docker-libnetwork:\n\n- CVE-2018-16873: cmd/go: remote command execution during \u0027go get -u\u0027 (bsc#1118897)\n- CVE-2018-16874: cmd/go: directory traversal in \u0027go get\u0027 via curly braces in import paths (bsc#1118898)\n- CVE-2018-16875: crypto/x509: CPU denial of service (bsc#1118899)\n\nNon-security issues fixed for docker:\n\n- Disable leap based builds for kubic flavor (bsc#1121412)\n- Allow users to explicitly specify the NIS domainname of a container (bsc#1001161)\n- Update docker.service to match upstream and avoid rlimit problems (bsc#1112980)\n- Allow docker images larger then 23GB (bsc#1118990)\n- Docker version update to version 18.09.0-ce (bsc#1115464)\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2019-189",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2019_0189-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2019:0189-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XWOQPNXXBRMZ3GUIAPIJWBLSX4C6UKIN/#XWOQPNXXBRMZ3GUIAPIJWBLSX4C6UKIN"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2019:0189-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XWOQPNXXBRMZ3GUIAPIJWBLSX4C6UKIN/#XWOQPNXXBRMZ3GUIAPIJWBLSX4C6UKIN"
},
{
"category": "self",
"summary": "SUSE Bug 1001161",
"url": "https://bugzilla.suse.com/1001161"
},
{
"category": "self",
"summary": "SUSE Bug 1112980",
"url": "https://bugzilla.suse.com/1112980"
},
{
"category": "self",
"summary": "SUSE Bug 1115464",
"url": "https://bugzilla.suse.com/1115464"
},
{
"category": "self",
"summary": "SUSE Bug 1118897",
"url": "https://bugzilla.suse.com/1118897"
},
{
"category": "self",
"summary": "SUSE Bug 1118898",
"url": "https://bugzilla.suse.com/1118898"
},
{
"category": "self",
"summary": "SUSE Bug 1118899",
"url": "https://bugzilla.suse.com/1118899"
},
{
"category": "self",
"summary": "SUSE Bug 1118990",
"url": "https://bugzilla.suse.com/1118990"
},
{
"category": "self",
"summary": "SUSE Bug 1121412",
"url": "https://bugzilla.suse.com/1121412"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16873 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16873/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16874 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16874/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16875 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16875/"
}
],
"title": "Security update for docker",
"tracking": {
"current_release_date": "2019-03-23T11:00:22Z",
"generator": {
"date": "2019-03-23T11:00:22Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2019:0189-1",
"initial_release_date": "2019-03-23T11:00:22Z",
"revision_history": [
{
"date": "2019-03-23T11:00:22Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "containerd-test-1.1.2-lp150.4.6.1.noarch",
"product": {
"name": "containerd-test-1.1.2-lp150.4.6.1.noarch",
"product_id": "containerd-test-1.1.2-lp150.4.6.1.noarch"
}
},
{
"category": "product_version",
"name": "docker-bash-completion-18.09.0_ce-lp150.5.9.1.noarch",
"product": {
"name": "docker-bash-completion-18.09.0_ce-lp150.5.9.1.noarch",
"product_id": "docker-bash-completion-18.09.0_ce-lp150.5.9.1.noarch"
}
},
{
"category": "product_version",
"name": "docker-runc-test-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.noarch",
"product": {
"name": "docker-runc-test-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.noarch",
"product_id": "docker-runc-test-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.noarch"
}
},
{
"category": "product_version",
"name": "docker-zsh-completion-18.09.0_ce-lp150.5.9.1.noarch",
"product": {
"name": "docker-zsh-completion-18.09.0_ce-lp150.5.9.1.noarch",
"product_id": "docker-zsh-completion-18.09.0_ce-lp150.5.9.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "containerd-1.1.2-lp150.4.6.1.x86_64",
"product": {
"name": "containerd-1.1.2-lp150.4.6.1.x86_64",
"product_id": "containerd-1.1.2-lp150.4.6.1.x86_64"
}
},
{
"category": "product_version",
"name": "containerd-ctr-1.1.2-lp150.4.6.1.x86_64",
"product": {
"name": "containerd-ctr-1.1.2-lp150.4.6.1.x86_64",
"product_id": "containerd-ctr-1.1.2-lp150.4.6.1.x86_64"
}
},
{
"category": "product_version",
"name": "docker-18.09.0_ce-lp150.5.9.1.x86_64",
"product": {
"name": "docker-18.09.0_ce-lp150.5.9.1.x86_64",
"product_id": "docker-18.09.0_ce-lp150.5.9.1.x86_64"
}
},
{
"category": "product_version",
"name": "docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64",
"product": {
"name": "docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64",
"product_id": "docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64"
}
},
{
"category": "product_version",
"name": "docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.x86_64",
"product": {
"name": "docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.x86_64",
"product_id": "docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.x86_64"
}
},
{
"category": "product_version",
"name": "docker-test-18.09.0_ce-lp150.5.9.1.x86_64",
"product": {
"name": "docker-test-18.09.0_ce-lp150.5.9.1.x86_64",
"product_id": "docker-test-18.09.0_ce-lp150.5.9.1.x86_64"
}
},
{
"category": "product_version",
"name": "golang-github-docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64",
"product": {
"name": "golang-github-docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64",
"product_id": "golang-github-docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.0",
"product": {
"name": "openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.0"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-1.1.2-lp150.4.6.1.x86_64 as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:containerd-1.1.2-lp150.4.6.1.x86_64"
},
"product_reference": "containerd-1.1.2-lp150.4.6.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-ctr-1.1.2-lp150.4.6.1.x86_64 as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:containerd-ctr-1.1.2-lp150.4.6.1.x86_64"
},
"product_reference": "containerd-ctr-1.1.2-lp150.4.6.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-test-1.1.2-lp150.4.6.1.noarch as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:containerd-test-1.1.2-lp150.4.6.1.noarch"
},
"product_reference": "containerd-test-1.1.2-lp150.4.6.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-18.09.0_ce-lp150.5.9.1.x86_64 as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:docker-18.09.0_ce-lp150.5.9.1.x86_64"
},
"product_reference": "docker-18.09.0_ce-lp150.5.9.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-bash-completion-18.09.0_ce-lp150.5.9.1.noarch as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:docker-bash-completion-18.09.0_ce-lp150.5.9.1.noarch"
},
"product_reference": "docker-bash-completion-18.09.0_ce-lp150.5.9.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64 as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64"
},
"product_reference": "docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.x86_64 as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.x86_64"
},
"product_reference": "docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-runc-test-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.noarch as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:docker-runc-test-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.noarch"
},
"product_reference": "docker-runc-test-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-test-18.09.0_ce-lp150.5.9.1.x86_64 as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:docker-test-18.09.0_ce-lp150.5.9.1.x86_64"
},
"product_reference": "docker-test-18.09.0_ce-lp150.5.9.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-zsh-completion-18.09.0_ce-lp150.5.9.1.noarch as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:docker-zsh-completion-18.09.0_ce-lp150.5.9.1.noarch"
},
"product_reference": "docker-zsh-completion-18.09.0_ce-lp150.5.9.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64 as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64"
},
"product_reference": "golang-github-docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-16873",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16873"
}
],
"notes": [
{
"category": "general",
"text": "In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it\u0027s possible to arrange things so that a Git repository is cloned to a folder named \".git\" by using a vanity import path that ends with \"/.git\". If the Git repository root contains a \"HEAD\" file, a \"config\" file, an \"objects\" directory, a \"refs\" directory, with some work to ensure the proper ordering of operations, \"go get -u\" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the \"config\" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running \"go get -u\".",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.0:containerd-1.1.2-lp150.4.6.1.x86_64",
"openSUSE Leap 15.0:containerd-ctr-1.1.2-lp150.4.6.1.x86_64",
"openSUSE Leap 15.0:containerd-test-1.1.2-lp150.4.6.1.noarch",
"openSUSE Leap 15.0:docker-18.09.0_ce-lp150.5.9.1.x86_64",
"openSUSE Leap 15.0:docker-bash-completion-18.09.0_ce-lp150.5.9.1.noarch",
"openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64",
"openSUSE Leap 15.0:docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.x86_64",
"openSUSE Leap 15.0:docker-runc-test-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.noarch",
"openSUSE Leap 15.0:docker-test-18.09.0_ce-lp150.5.9.1.x86_64",
"openSUSE Leap 15.0:docker-zsh-completion-18.09.0_ce-lp150.5.9.1.noarch",
"openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16873",
"url": "https://www.suse.com/security/cve/CVE-2018-16873"
},
{
"category": "external",
"summary": "SUSE Bug 1118897 for CVE-2018-16873",
"url": "https://bugzilla.suse.com/1118897"
},
{
"category": "external",
"summary": "SUSE Bug 1118898 for CVE-2018-16873",
"url": "https://bugzilla.suse.com/1118898"
},
{
"category": "external",
"summary": "SUSE Bug 1118899 for CVE-2018-16873",
"url": "https://bugzilla.suse.com/1118899"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.0:containerd-1.1.2-lp150.4.6.1.x86_64",
"openSUSE Leap 15.0:containerd-ctr-1.1.2-lp150.4.6.1.x86_64",
"openSUSE Leap 15.0:containerd-test-1.1.2-lp150.4.6.1.noarch",
"openSUSE Leap 15.0:docker-18.09.0_ce-lp150.5.9.1.x86_64",
"openSUSE Leap 15.0:docker-bash-completion-18.09.0_ce-lp150.5.9.1.noarch",
"openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64",
"openSUSE Leap 15.0:docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.x86_64",
"openSUSE Leap 15.0:docker-runc-test-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.noarch",
"openSUSE Leap 15.0:docker-test-18.09.0_ce-lp150.5.9.1.x86_64",
"openSUSE Leap 15.0:docker-zsh-completion-18.09.0_ce-lp150.5.9.1.noarch",
"openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.0:containerd-1.1.2-lp150.4.6.1.x86_64",
"openSUSE Leap 15.0:containerd-ctr-1.1.2-lp150.4.6.1.x86_64",
"openSUSE Leap 15.0:containerd-test-1.1.2-lp150.4.6.1.noarch",
"openSUSE Leap 15.0:docker-18.09.0_ce-lp150.5.9.1.x86_64",
"openSUSE Leap 15.0:docker-bash-completion-18.09.0_ce-lp150.5.9.1.noarch",
"openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64",
"openSUSE Leap 15.0:docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.x86_64",
"openSUSE Leap 15.0:docker-runc-test-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.noarch",
"openSUSE Leap 15.0:docker-test-18.09.0_ce-lp150.5.9.1.x86_64",
"openSUSE Leap 15.0:docker-zsh-completion-18.09.0_ce-lp150.5.9.1.noarch",
"openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-03-23T11:00:22Z",
"details": "important"
}
],
"title": "CVE-2018-16873"
},
{
"cve": "CVE-2018-16874",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16874"
}
],
"notes": [
{
"category": "general",
"text": "In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both \u0027{\u0027 and \u0027}\u0027 characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.0:containerd-1.1.2-lp150.4.6.1.x86_64",
"openSUSE Leap 15.0:containerd-ctr-1.1.2-lp150.4.6.1.x86_64",
"openSUSE Leap 15.0:containerd-test-1.1.2-lp150.4.6.1.noarch",
"openSUSE Leap 15.0:docker-18.09.0_ce-lp150.5.9.1.x86_64",
"openSUSE Leap 15.0:docker-bash-completion-18.09.0_ce-lp150.5.9.1.noarch",
"openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64",
"openSUSE Leap 15.0:docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.x86_64",
"openSUSE Leap 15.0:docker-runc-test-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.noarch",
"openSUSE Leap 15.0:docker-test-18.09.0_ce-lp150.5.9.1.x86_64",
"openSUSE Leap 15.0:docker-zsh-completion-18.09.0_ce-lp150.5.9.1.noarch",
"openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16874",
"url": "https://www.suse.com/security/cve/CVE-2018-16874"
},
{
"category": "external",
"summary": "SUSE Bug 1118897 for CVE-2018-16874",
"url": "https://bugzilla.suse.com/1118897"
},
{
"category": "external",
"summary": "SUSE Bug 1118898 for CVE-2018-16874",
"url": "https://bugzilla.suse.com/1118898"
},
{
"category": "external",
"summary": "SUSE Bug 1118899 for CVE-2018-16874",
"url": "https://bugzilla.suse.com/1118899"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.0:containerd-1.1.2-lp150.4.6.1.x86_64",
"openSUSE Leap 15.0:containerd-ctr-1.1.2-lp150.4.6.1.x86_64",
"openSUSE Leap 15.0:containerd-test-1.1.2-lp150.4.6.1.noarch",
"openSUSE Leap 15.0:docker-18.09.0_ce-lp150.5.9.1.x86_64",
"openSUSE Leap 15.0:docker-bash-completion-18.09.0_ce-lp150.5.9.1.noarch",
"openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64",
"openSUSE Leap 15.0:docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.x86_64",
"openSUSE Leap 15.0:docker-runc-test-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.noarch",
"openSUSE Leap 15.0:docker-test-18.09.0_ce-lp150.5.9.1.x86_64",
"openSUSE Leap 15.0:docker-zsh-completion-18.09.0_ce-lp150.5.9.1.noarch",
"openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.0:containerd-1.1.2-lp150.4.6.1.x86_64",
"openSUSE Leap 15.0:containerd-ctr-1.1.2-lp150.4.6.1.x86_64",
"openSUSE Leap 15.0:containerd-test-1.1.2-lp150.4.6.1.noarch",
"openSUSE Leap 15.0:docker-18.09.0_ce-lp150.5.9.1.x86_64",
"openSUSE Leap 15.0:docker-bash-completion-18.09.0_ce-lp150.5.9.1.noarch",
"openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64",
"openSUSE Leap 15.0:docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.x86_64",
"openSUSE Leap 15.0:docker-runc-test-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.noarch",
"openSUSE Leap 15.0:docker-test-18.09.0_ce-lp150.5.9.1.x86_64",
"openSUSE Leap 15.0:docker-zsh-completion-18.09.0_ce-lp150.5.9.1.noarch",
"openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-03-23T11:00:22Z",
"details": "moderate"
}
],
"title": "CVE-2018-16874"
},
{
"cve": "CVE-2018-16875",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16875"
}
],
"notes": [
{
"category": "general",
"text": "The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.0:containerd-1.1.2-lp150.4.6.1.x86_64",
"openSUSE Leap 15.0:containerd-ctr-1.1.2-lp150.4.6.1.x86_64",
"openSUSE Leap 15.0:containerd-test-1.1.2-lp150.4.6.1.noarch",
"openSUSE Leap 15.0:docker-18.09.0_ce-lp150.5.9.1.x86_64",
"openSUSE Leap 15.0:docker-bash-completion-18.09.0_ce-lp150.5.9.1.noarch",
"openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64",
"openSUSE Leap 15.0:docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.x86_64",
"openSUSE Leap 15.0:docker-runc-test-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.noarch",
"openSUSE Leap 15.0:docker-test-18.09.0_ce-lp150.5.9.1.x86_64",
"openSUSE Leap 15.0:docker-zsh-completion-18.09.0_ce-lp150.5.9.1.noarch",
"openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16875",
"url": "https://www.suse.com/security/cve/CVE-2018-16875"
},
{
"category": "external",
"summary": "SUSE Bug 1118897 for CVE-2018-16875",
"url": "https://bugzilla.suse.com/1118897"
},
{
"category": "external",
"summary": "SUSE Bug 1118898 for CVE-2018-16875",
"url": "https://bugzilla.suse.com/1118898"
},
{
"category": "external",
"summary": "SUSE Bug 1118899 for CVE-2018-16875",
"url": "https://bugzilla.suse.com/1118899"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.0:containerd-1.1.2-lp150.4.6.1.x86_64",
"openSUSE Leap 15.0:containerd-ctr-1.1.2-lp150.4.6.1.x86_64",
"openSUSE Leap 15.0:containerd-test-1.1.2-lp150.4.6.1.noarch",
"openSUSE Leap 15.0:docker-18.09.0_ce-lp150.5.9.1.x86_64",
"openSUSE Leap 15.0:docker-bash-completion-18.09.0_ce-lp150.5.9.1.noarch",
"openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64",
"openSUSE Leap 15.0:docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.x86_64",
"openSUSE Leap 15.0:docker-runc-test-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.noarch",
"openSUSE Leap 15.0:docker-test-18.09.0_ce-lp150.5.9.1.x86_64",
"openSUSE Leap 15.0:docker-zsh-completion-18.09.0_ce-lp150.5.9.1.noarch",
"openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"openSUSE Leap 15.0:containerd-1.1.2-lp150.4.6.1.x86_64",
"openSUSE Leap 15.0:containerd-ctr-1.1.2-lp150.4.6.1.x86_64",
"openSUSE Leap 15.0:containerd-test-1.1.2-lp150.4.6.1.noarch",
"openSUSE Leap 15.0:docker-18.09.0_ce-lp150.5.9.1.x86_64",
"openSUSE Leap 15.0:docker-bash-completion-18.09.0_ce-lp150.5.9.1.noarch",
"openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64",
"openSUSE Leap 15.0:docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.x86_64",
"openSUSE Leap 15.0:docker-runc-test-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.6.1.noarch",
"openSUSE Leap 15.0:docker-test-18.09.0_ce-lp150.5.9.1.x86_64",
"openSUSE Leap 15.0:docker-zsh-completion-18.09.0_ce-lp150.5.9.1.noarch",
"openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2704_6da50d197830-lp150.3.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-03-23T11:00:22Z",
"details": "moderate"
}
],
"title": "CVE-2018-16875"
}
]
}
OPENSUSE-SU-2019:0208-1
Vulnerability from csaf_opensuse - Published: 2019-03-23 11:03 - Updated: 2019-03-23 11:03Summary
Security update for runc
Severity
Important
Notes
Title of the patch: Security update for runc
Description of the patch: This update for runc fixes the following issues:
Security vulnerablities addressed:
- CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to avoid
write attacks to the host runc binary, which could lead to a container
breakout (bsc#1121967)
- CVE-2018-16873: Fix a remote command execution during 'go get -u'
(boo#1118897)
- CVE-2018-16874: Fix a directory traversal in 'go get' via curly braces in
import paths (boo#1118898)
- CVE-2018-16875: Fix a CPU denial of service issue (boo#1118899)
Other changes and bug fixes:
- Update go requirements to >= go1.10
- Create a symlink in /usr/bin/runc to enable rootless Podman and Buildah.
- Make use of %license macro
- Remove 'go test' from %check section, as it has only ever caused us problems
and hasn't (as far as I remember) ever caught a release-blocking issue. Smoke
testing has been far more useful. (boo#1095817)
- Upgrade to runc v1.0.0~rc6. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc6
Patchnames: openSUSE-2019-208
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
6.8 (Medium)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
5.9 (Medium)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
References
30 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for runc",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for runc fixes the following issues:\n\nSecurity vulnerablities addressed:\n\n- CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to avoid\n write attacks to the host runc binary, which could lead to a container\n breakout (bsc#1121967)\n- CVE-2018-16873: Fix a remote command execution during \u0027go get -u\u0027\n (boo#1118897)\n- CVE-2018-16874: Fix a directory traversal in \u0027go get\u0027 via curly braces in\n import paths (boo#1118898)\n- CVE-2018-16875: Fix a CPU denial of service issue (boo#1118899)\n\nOther changes and bug fixes:\n\n- Update go requirements to \u003e= go1.10\n- Create a symlink in /usr/bin/runc to enable rootless Podman and Buildah.\n- Make use of %license macro\n- Remove \u0027go test\u0027 from %check section, as it has only ever caused us problems\n and hasn\u0027t (as far as I remember) ever caught a release-blocking issue. Smoke\n testing has been far more useful. (boo#1095817)\n- Upgrade to runc v1.0.0~rc6. Upstream changelog is available from\n https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc6\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2019-208",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2019_0208-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2019:0208-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VC6NILQ66VPYH6KMNXONQWSWQWZS3YDD/#VC6NILQ66VPYH6KMNXONQWSWQWZS3YDD"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2019:0208-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VC6NILQ66VPYH6KMNXONQWSWQWZS3YDD/#VC6NILQ66VPYH6KMNXONQWSWQWZS3YDD"
},
{
"category": "self",
"summary": "SUSE Bug 1095817",
"url": "https://bugzilla.suse.com/1095817"
},
{
"category": "self",
"summary": "SUSE Bug 1118897",
"url": "https://bugzilla.suse.com/1118897"
},
{
"category": "self",
"summary": "SUSE Bug 1118898",
"url": "https://bugzilla.suse.com/1118898"
},
{
"category": "self",
"summary": "SUSE Bug 1118899",
"url": "https://bugzilla.suse.com/1118899"
},
{
"category": "self",
"summary": "SUSE Bug 1121967",
"url": "https://bugzilla.suse.com/1121967"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16873 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16873/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16874 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16874/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16875 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16875/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-5736 page",
"url": "https://www.suse.com/security/cve/CVE-2019-5736/"
}
],
"title": "Security update for runc",
"tracking": {
"current_release_date": "2019-03-23T11:03:28Z",
"generator": {
"date": "2019-03-23T11:03:28Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2019:0208-1",
"initial_release_date": "2019-03-23T11:03:28Z",
"revision_history": [
{
"date": "2019-03-23T11:03:28Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "runc-test-1.0.0~rc6-lp150.2.3.1.noarch",
"product": {
"name": "runc-test-1.0.0~rc6-lp150.2.3.1.noarch",
"product_id": "runc-test-1.0.0~rc6-lp150.2.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "runc-1.0.0~rc6-lp150.2.3.1.x86_64",
"product": {
"name": "runc-1.0.0~rc6-lp150.2.3.1.x86_64",
"product_id": "runc-1.0.0~rc6-lp150.2.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.0",
"product": {
"name": "openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.0"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "runc-1.0.0~rc6-lp150.2.3.1.x86_64 as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.3.1.x86_64"
},
"product_reference": "runc-1.0.0~rc6-lp150.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "runc-test-1.0.0~rc6-lp150.2.3.1.noarch as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.3.1.noarch"
},
"product_reference": "runc-test-1.0.0~rc6-lp150.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-16873",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16873"
}
],
"notes": [
{
"category": "general",
"text": "In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it\u0027s possible to arrange things so that a Git repository is cloned to a folder named \".git\" by using a vanity import path that ends with \"/.git\". If the Git repository root contains a \"HEAD\" file, a \"config\" file, an \"objects\" directory, a \"refs\" directory, with some work to ensure the proper ordering of operations, \"go get -u\" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the \"config\" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running \"go get -u\".",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.3.1.x86_64",
"openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16873",
"url": "https://www.suse.com/security/cve/CVE-2018-16873"
},
{
"category": "external",
"summary": "SUSE Bug 1118897 for CVE-2018-16873",
"url": "https://bugzilla.suse.com/1118897"
},
{
"category": "external",
"summary": "SUSE Bug 1118898 for CVE-2018-16873",
"url": "https://bugzilla.suse.com/1118898"
},
{
"category": "external",
"summary": "SUSE Bug 1118899 for CVE-2018-16873",
"url": "https://bugzilla.suse.com/1118899"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.3.1.x86_64",
"openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.3.1.x86_64",
"openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-03-23T11:03:28Z",
"details": "important"
}
],
"title": "CVE-2018-16873"
},
{
"cve": "CVE-2018-16874",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16874"
}
],
"notes": [
{
"category": "general",
"text": "In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both \u0027{\u0027 and \u0027}\u0027 characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.3.1.x86_64",
"openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16874",
"url": "https://www.suse.com/security/cve/CVE-2018-16874"
},
{
"category": "external",
"summary": "SUSE Bug 1118897 for CVE-2018-16874",
"url": "https://bugzilla.suse.com/1118897"
},
{
"category": "external",
"summary": "SUSE Bug 1118898 for CVE-2018-16874",
"url": "https://bugzilla.suse.com/1118898"
},
{
"category": "external",
"summary": "SUSE Bug 1118899 for CVE-2018-16874",
"url": "https://bugzilla.suse.com/1118899"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.3.1.x86_64",
"openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.3.1.x86_64",
"openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-03-23T11:03:28Z",
"details": "moderate"
}
],
"title": "CVE-2018-16874"
},
{
"cve": "CVE-2018-16875",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16875"
}
],
"notes": [
{
"category": "general",
"text": "The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.3.1.x86_64",
"openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16875",
"url": "https://www.suse.com/security/cve/CVE-2018-16875"
},
{
"category": "external",
"summary": "SUSE Bug 1118897 for CVE-2018-16875",
"url": "https://bugzilla.suse.com/1118897"
},
{
"category": "external",
"summary": "SUSE Bug 1118898 for CVE-2018-16875",
"url": "https://bugzilla.suse.com/1118898"
},
{
"category": "external",
"summary": "SUSE Bug 1118899 for CVE-2018-16875",
"url": "https://bugzilla.suse.com/1118899"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.3.1.x86_64",
"openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.3.1.x86_64",
"openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-03-23T11:03:28Z",
"details": "moderate"
}
],
"title": "CVE-2018-16875"
},
{
"cve": "CVE-2019-5736",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-5736"
}
],
"notes": [
{
"category": "general",
"text": "runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.3.1.x86_64",
"openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-5736",
"url": "https://www.suse.com/security/cve/CVE-2019-5736"
},
{
"category": "external",
"summary": "SUSE Bug 1121967 for CVE-2019-5736",
"url": "https://bugzilla.suse.com/1121967"
},
{
"category": "external",
"summary": "SUSE Bug 1122185 for CVE-2019-5736",
"url": "https://bugzilla.suse.com/1122185"
},
{
"category": "external",
"summary": "SUSE Bug 1173421 for CVE-2019-5736",
"url": "https://bugzilla.suse.com/1173421"
},
{
"category": "external",
"summary": "SUSE Bug 1218894 for CVE-2019-5736",
"url": "https://bugzilla.suse.com/1218894"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.3.1.x86_64",
"openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.3.1.x86_64",
"openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-03-23T11:03:28Z",
"details": "important"
}
],
"title": "CVE-2019-5736"
}
]
}
OPENSUSE-SU-2019:0295-1
Vulnerability from csaf_opensuse - Published: 2019-03-23 11:11 - Updated: 2019-03-23 11:11Summary
Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc
Severity
Important
Notes
Title of the patch: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc
Description of the patch: This update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc fixes the following issues:
Security issues fixed:
- CVE-2018-16875: Fixed a CPU Denial of Service (bsc#1118899).
- CVE-2018-16874: Fixed a vulnerabity in go get command which could allow directory traversal in GOPATH mode (bsc#1118898).
- CVE-2018-16873: Fixed a vulnerability in go get command which could allow remote code execution when executed with -u in GOPATH mode (bsc#1118897).
- CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to avoid write attacks to the host runc binary, which could lead to a container
breakout (bsc#1121967).
Other changes and fixes:
- Update shell completion to use Group: System/Shells.
- Add daemon.json file with rotation logs configuration (bsc#1114832)
- Update to Docker 18.09.1-ce (bsc#1124308) and to to runc 96ec2177ae84.
See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
- Update go requirements to >= go1.10
- Use -buildmode=pie for tests and binary build (bsc#1048046 and bsc#1051429).
- Remove the usage of 'cp -r' to reduce noise in the build logs.
This update was imported from the SUSE:SLE-15:Update update project.
Patchnames: openSUSE-2019-295
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.0:containerd-1.2.2-lp150.4.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:containerd-ctr-1.2.2-lp150.4.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:containerd-test-1.2.2-lp150.4.10.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-18.09.1_ce-lp150.5.13.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-bash-completion-18.09.1_ce-lp150.5.13.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-runc-test-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-test-18.09.1_ce-lp150.5.13.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-zsh-completion-18.09.1_ce-lp150.5.13.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.7.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.7.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
6.8 (Medium)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.0:containerd-1.2.2-lp150.4.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:containerd-ctr-1.2.2-lp150.4.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:containerd-test-1.2.2-lp150.4.10.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-18.09.1_ce-lp150.5.13.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-bash-completion-18.09.1_ce-lp150.5.13.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-runc-test-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-test-18.09.1_ce-lp150.5.13.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-zsh-completion-18.09.1_ce-lp150.5.13.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.7.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.7.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
5.9 (Medium)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.0:containerd-1.2.2-lp150.4.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:containerd-ctr-1.2.2-lp150.4.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:containerd-test-1.2.2-lp150.4.10.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-18.09.1_ce-lp150.5.13.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-bash-completion-18.09.1_ce-lp150.5.13.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-runc-test-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-test-18.09.1_ce-lp150.5.13.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-zsh-completion-18.09.1_ce-lp150.5.13.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.7.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.7.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.0:containerd-1.2.2-lp150.4.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:containerd-ctr-1.2.2-lp150.4.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:containerd-test-1.2.2-lp150.4.10.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-18.09.1_ce-lp150.5.13.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-bash-completion-18.09.1_ce-lp150.5.13.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-runc-test-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-test-18.09.1_ce-lp150.5.13.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:docker-zsh-completion-18.09.1_ce-lp150.5.13.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.7.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.7.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
References
33 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc fixes the following issues:\n\nSecurity issues fixed: \n\n- CVE-2018-16875: Fixed a CPU Denial of Service (bsc#1118899).\n- CVE-2018-16874: Fixed a vulnerabity in go get command which could allow directory traversal in GOPATH mode (bsc#1118898).\n- CVE-2018-16873: Fixed a vulnerability in go get command which could allow remote code execution when executed with -u in GOPATH mode (bsc#1118897).\n- CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to avoid write attacks to the host runc binary, which could lead to a container\n breakout (bsc#1121967).\n\nOther changes and fixes: \n\n- Update shell completion to use Group: System/Shells.\n- Add daemon.json file with rotation logs configuration (bsc#1114832)\n- Update to Docker 18.09.1-ce (bsc#1124308) and to to runc 96ec2177ae84.\n See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.\n- Update go requirements to \u003e= go1.10 \n- Use -buildmode=pie for tests and binary build (bsc#1048046 and bsc#1051429).\n- Remove the usage of \u0027cp -r\u0027 to reduce noise in the build logs.\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2019-295",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2019_0295-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2019:0295-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UBFTSNKGB464HWO65FTEXANGAGVXV4XW/#UBFTSNKGB464HWO65FTEXANGAGVXV4XW"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2019:0295-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UBFTSNKGB464HWO65FTEXANGAGVXV4XW/#UBFTSNKGB464HWO65FTEXANGAGVXV4XW"
},
{
"category": "self",
"summary": "SUSE Bug 1048046",
"url": "https://bugzilla.suse.com/1048046"
},
{
"category": "self",
"summary": "SUSE Bug 1051429",
"url": "https://bugzilla.suse.com/1051429"
},
{
"category": "self",
"summary": "SUSE Bug 1114832",
"url": "https://bugzilla.suse.com/1114832"
},
{
"category": "self",
"summary": "SUSE Bug 1118897",
"url": "https://bugzilla.suse.com/1118897"
},
{
"category": "self",
"summary": "SUSE Bug 1118898",
"url": "https://bugzilla.suse.com/1118898"
},
{
"category": "self",
"summary": "SUSE Bug 1118899",
"url": "https://bugzilla.suse.com/1118899"
},
{
"category": "self",
"summary": "SUSE Bug 1121967",
"url": "https://bugzilla.suse.com/1121967"
},
{
"category": "self",
"summary": "SUSE Bug 1124308",
"url": "https://bugzilla.suse.com/1124308"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16873 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16873/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16874 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16874/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16875 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16875/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-5736 page",
"url": "https://www.suse.com/security/cve/CVE-2019-5736/"
}
],
"title": "Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc",
"tracking": {
"current_release_date": "2019-03-23T11:11:59Z",
"generator": {
"date": "2019-03-23T11:11:59Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2019:0295-1",
"initial_release_date": "2019-03-23T11:11:59Z",
"revision_history": [
{
"date": "2019-03-23T11:11:59Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "containerd-test-1.2.2-lp150.4.10.1.noarch",
"product": {
"name": "containerd-test-1.2.2-lp150.4.10.1.noarch",
"product_id": "containerd-test-1.2.2-lp150.4.10.1.noarch"
}
},
{
"category": "product_version",
"name": "docker-bash-completion-18.09.1_ce-lp150.5.13.1.noarch",
"product": {
"name": "docker-bash-completion-18.09.1_ce-lp150.5.13.1.noarch",
"product_id": "docker-bash-completion-18.09.1_ce-lp150.5.13.1.noarch"
}
},
{
"category": "product_version",
"name": "docker-runc-test-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.noarch",
"product": {
"name": "docker-runc-test-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.noarch",
"product_id": "docker-runc-test-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.noarch"
}
},
{
"category": "product_version",
"name": "docker-zsh-completion-18.09.1_ce-lp150.5.13.1.noarch",
"product": {
"name": "docker-zsh-completion-18.09.1_ce-lp150.5.13.1.noarch",
"product_id": "docker-zsh-completion-18.09.1_ce-lp150.5.13.1.noarch"
}
},
{
"category": "product_version",
"name": "runc-test-1.0.0~rc6-lp150.2.7.1.noarch",
"product": {
"name": "runc-test-1.0.0~rc6-lp150.2.7.1.noarch",
"product_id": "runc-test-1.0.0~rc6-lp150.2.7.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "containerd-1.2.2-lp150.4.10.1.x86_64",
"product": {
"name": "containerd-1.2.2-lp150.4.10.1.x86_64",
"product_id": "containerd-1.2.2-lp150.4.10.1.x86_64"
}
},
{
"category": "product_version",
"name": "containerd-ctr-1.2.2-lp150.4.10.1.x86_64",
"product": {
"name": "containerd-ctr-1.2.2-lp150.4.10.1.x86_64",
"product_id": "containerd-ctr-1.2.2-lp150.4.10.1.x86_64"
}
},
{
"category": "product_version",
"name": "docker-18.09.1_ce-lp150.5.13.1.x86_64",
"product": {
"name": "docker-18.09.1_ce-lp150.5.13.1.x86_64",
"product_id": "docker-18.09.1_ce-lp150.5.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"product": {
"name": "docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"product_id": "docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64"
}
},
{
"category": "product_version",
"name": "docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.x86_64",
"product": {
"name": "docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.x86_64",
"product_id": "docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.x86_64"
}
},
{
"category": "product_version",
"name": "docker-test-18.09.1_ce-lp150.5.13.1.x86_64",
"product": {
"name": "docker-test-18.09.1_ce-lp150.5.13.1.x86_64",
"product_id": "docker-test-18.09.1_ce-lp150.5.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"product": {
"name": "golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"product_id": "golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64"
}
},
{
"category": "product_version",
"name": "runc-1.0.0~rc6-lp150.2.7.1.x86_64",
"product": {
"name": "runc-1.0.0~rc6-lp150.2.7.1.x86_64",
"product_id": "runc-1.0.0~rc6-lp150.2.7.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.0",
"product": {
"name": "openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.0"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-1.2.2-lp150.4.10.1.x86_64 as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:containerd-1.2.2-lp150.4.10.1.x86_64"
},
"product_reference": "containerd-1.2.2-lp150.4.10.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-ctr-1.2.2-lp150.4.10.1.x86_64 as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:containerd-ctr-1.2.2-lp150.4.10.1.x86_64"
},
"product_reference": "containerd-ctr-1.2.2-lp150.4.10.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-test-1.2.2-lp150.4.10.1.noarch as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:containerd-test-1.2.2-lp150.4.10.1.noarch"
},
"product_reference": "containerd-test-1.2.2-lp150.4.10.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-18.09.1_ce-lp150.5.13.1.x86_64 as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:docker-18.09.1_ce-lp150.5.13.1.x86_64"
},
"product_reference": "docker-18.09.1_ce-lp150.5.13.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-bash-completion-18.09.1_ce-lp150.5.13.1.noarch as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:docker-bash-completion-18.09.1_ce-lp150.5.13.1.noarch"
},
"product_reference": "docker-bash-completion-18.09.1_ce-lp150.5.13.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64 as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64"
},
"product_reference": "docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.x86_64 as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.x86_64"
},
"product_reference": "docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-runc-test-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.noarch as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:docker-runc-test-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.noarch"
},
"product_reference": "docker-runc-test-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-test-18.09.1_ce-lp150.5.13.1.x86_64 as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:docker-test-18.09.1_ce-lp150.5.13.1.x86_64"
},
"product_reference": "docker-test-18.09.1_ce-lp150.5.13.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-zsh-completion-18.09.1_ce-lp150.5.13.1.noarch as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:docker-zsh-completion-18.09.1_ce-lp150.5.13.1.noarch"
},
"product_reference": "docker-zsh-completion-18.09.1_ce-lp150.5.13.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64 as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64"
},
"product_reference": "golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "runc-1.0.0~rc6-lp150.2.7.1.x86_64 as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.7.1.x86_64"
},
"product_reference": "runc-1.0.0~rc6-lp150.2.7.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "runc-test-1.0.0~rc6-lp150.2.7.1.noarch as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.7.1.noarch"
},
"product_reference": "runc-test-1.0.0~rc6-lp150.2.7.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-16873",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16873"
}
],
"notes": [
{
"category": "general",
"text": "In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it\u0027s possible to arrange things so that a Git repository is cloned to a folder named \".git\" by using a vanity import path that ends with \"/.git\". If the Git repository root contains a \"HEAD\" file, a \"config\" file, an \"objects\" directory, a \"refs\" directory, with some work to ensure the proper ordering of operations, \"go get -u\" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the \"config\" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running \"go get -u\".",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.0:containerd-1.2.2-lp150.4.10.1.x86_64",
"openSUSE Leap 15.0:containerd-ctr-1.2.2-lp150.4.10.1.x86_64",
"openSUSE Leap 15.0:containerd-test-1.2.2-lp150.4.10.1.noarch",
"openSUSE Leap 15.0:docker-18.09.1_ce-lp150.5.13.1.x86_64",
"openSUSE Leap 15.0:docker-bash-completion-18.09.1_ce-lp150.5.13.1.noarch",
"openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"openSUSE Leap 15.0:docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.x86_64",
"openSUSE Leap 15.0:docker-runc-test-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.noarch",
"openSUSE Leap 15.0:docker-test-18.09.1_ce-lp150.5.13.1.x86_64",
"openSUSE Leap 15.0:docker-zsh-completion-18.09.1_ce-lp150.5.13.1.noarch",
"openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.7.1.x86_64",
"openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.7.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16873",
"url": "https://www.suse.com/security/cve/CVE-2018-16873"
},
{
"category": "external",
"summary": "SUSE Bug 1118897 for CVE-2018-16873",
"url": "https://bugzilla.suse.com/1118897"
},
{
"category": "external",
"summary": "SUSE Bug 1118898 for CVE-2018-16873",
"url": "https://bugzilla.suse.com/1118898"
},
{
"category": "external",
"summary": "SUSE Bug 1118899 for CVE-2018-16873",
"url": "https://bugzilla.suse.com/1118899"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.0:containerd-1.2.2-lp150.4.10.1.x86_64",
"openSUSE Leap 15.0:containerd-ctr-1.2.2-lp150.4.10.1.x86_64",
"openSUSE Leap 15.0:containerd-test-1.2.2-lp150.4.10.1.noarch",
"openSUSE Leap 15.0:docker-18.09.1_ce-lp150.5.13.1.x86_64",
"openSUSE Leap 15.0:docker-bash-completion-18.09.1_ce-lp150.5.13.1.noarch",
"openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"openSUSE Leap 15.0:docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.x86_64",
"openSUSE Leap 15.0:docker-runc-test-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.noarch",
"openSUSE Leap 15.0:docker-test-18.09.1_ce-lp150.5.13.1.x86_64",
"openSUSE Leap 15.0:docker-zsh-completion-18.09.1_ce-lp150.5.13.1.noarch",
"openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.7.1.x86_64",
"openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.7.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.0:containerd-1.2.2-lp150.4.10.1.x86_64",
"openSUSE Leap 15.0:containerd-ctr-1.2.2-lp150.4.10.1.x86_64",
"openSUSE Leap 15.0:containerd-test-1.2.2-lp150.4.10.1.noarch",
"openSUSE Leap 15.0:docker-18.09.1_ce-lp150.5.13.1.x86_64",
"openSUSE Leap 15.0:docker-bash-completion-18.09.1_ce-lp150.5.13.1.noarch",
"openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"openSUSE Leap 15.0:docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.x86_64",
"openSUSE Leap 15.0:docker-runc-test-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.noarch",
"openSUSE Leap 15.0:docker-test-18.09.1_ce-lp150.5.13.1.x86_64",
"openSUSE Leap 15.0:docker-zsh-completion-18.09.1_ce-lp150.5.13.1.noarch",
"openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.7.1.x86_64",
"openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.7.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-03-23T11:11:59Z",
"details": "important"
}
],
"title": "CVE-2018-16873"
},
{
"cve": "CVE-2018-16874",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16874"
}
],
"notes": [
{
"category": "general",
"text": "In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both \u0027{\u0027 and \u0027}\u0027 characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.0:containerd-1.2.2-lp150.4.10.1.x86_64",
"openSUSE Leap 15.0:containerd-ctr-1.2.2-lp150.4.10.1.x86_64",
"openSUSE Leap 15.0:containerd-test-1.2.2-lp150.4.10.1.noarch",
"openSUSE Leap 15.0:docker-18.09.1_ce-lp150.5.13.1.x86_64",
"openSUSE Leap 15.0:docker-bash-completion-18.09.1_ce-lp150.5.13.1.noarch",
"openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"openSUSE Leap 15.0:docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.x86_64",
"openSUSE Leap 15.0:docker-runc-test-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.noarch",
"openSUSE Leap 15.0:docker-test-18.09.1_ce-lp150.5.13.1.x86_64",
"openSUSE Leap 15.0:docker-zsh-completion-18.09.1_ce-lp150.5.13.1.noarch",
"openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.7.1.x86_64",
"openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.7.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16874",
"url": "https://www.suse.com/security/cve/CVE-2018-16874"
},
{
"category": "external",
"summary": "SUSE Bug 1118897 for CVE-2018-16874",
"url": "https://bugzilla.suse.com/1118897"
},
{
"category": "external",
"summary": "SUSE Bug 1118898 for CVE-2018-16874",
"url": "https://bugzilla.suse.com/1118898"
},
{
"category": "external",
"summary": "SUSE Bug 1118899 for CVE-2018-16874",
"url": "https://bugzilla.suse.com/1118899"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.0:containerd-1.2.2-lp150.4.10.1.x86_64",
"openSUSE Leap 15.0:containerd-ctr-1.2.2-lp150.4.10.1.x86_64",
"openSUSE Leap 15.0:containerd-test-1.2.2-lp150.4.10.1.noarch",
"openSUSE Leap 15.0:docker-18.09.1_ce-lp150.5.13.1.x86_64",
"openSUSE Leap 15.0:docker-bash-completion-18.09.1_ce-lp150.5.13.1.noarch",
"openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"openSUSE Leap 15.0:docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.x86_64",
"openSUSE Leap 15.0:docker-runc-test-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.noarch",
"openSUSE Leap 15.0:docker-test-18.09.1_ce-lp150.5.13.1.x86_64",
"openSUSE Leap 15.0:docker-zsh-completion-18.09.1_ce-lp150.5.13.1.noarch",
"openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.7.1.x86_64",
"openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.7.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.0:containerd-1.2.2-lp150.4.10.1.x86_64",
"openSUSE Leap 15.0:containerd-ctr-1.2.2-lp150.4.10.1.x86_64",
"openSUSE Leap 15.0:containerd-test-1.2.2-lp150.4.10.1.noarch",
"openSUSE Leap 15.0:docker-18.09.1_ce-lp150.5.13.1.x86_64",
"openSUSE Leap 15.0:docker-bash-completion-18.09.1_ce-lp150.5.13.1.noarch",
"openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"openSUSE Leap 15.0:docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.x86_64",
"openSUSE Leap 15.0:docker-runc-test-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.noarch",
"openSUSE Leap 15.0:docker-test-18.09.1_ce-lp150.5.13.1.x86_64",
"openSUSE Leap 15.0:docker-zsh-completion-18.09.1_ce-lp150.5.13.1.noarch",
"openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.7.1.x86_64",
"openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.7.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-03-23T11:11:59Z",
"details": "moderate"
}
],
"title": "CVE-2018-16874"
},
{
"cve": "CVE-2018-16875",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16875"
}
],
"notes": [
{
"category": "general",
"text": "The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.0:containerd-1.2.2-lp150.4.10.1.x86_64",
"openSUSE Leap 15.0:containerd-ctr-1.2.2-lp150.4.10.1.x86_64",
"openSUSE Leap 15.0:containerd-test-1.2.2-lp150.4.10.1.noarch",
"openSUSE Leap 15.0:docker-18.09.1_ce-lp150.5.13.1.x86_64",
"openSUSE Leap 15.0:docker-bash-completion-18.09.1_ce-lp150.5.13.1.noarch",
"openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"openSUSE Leap 15.0:docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.x86_64",
"openSUSE Leap 15.0:docker-runc-test-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.noarch",
"openSUSE Leap 15.0:docker-test-18.09.1_ce-lp150.5.13.1.x86_64",
"openSUSE Leap 15.0:docker-zsh-completion-18.09.1_ce-lp150.5.13.1.noarch",
"openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.7.1.x86_64",
"openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.7.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16875",
"url": "https://www.suse.com/security/cve/CVE-2018-16875"
},
{
"category": "external",
"summary": "SUSE Bug 1118897 for CVE-2018-16875",
"url": "https://bugzilla.suse.com/1118897"
},
{
"category": "external",
"summary": "SUSE Bug 1118898 for CVE-2018-16875",
"url": "https://bugzilla.suse.com/1118898"
},
{
"category": "external",
"summary": "SUSE Bug 1118899 for CVE-2018-16875",
"url": "https://bugzilla.suse.com/1118899"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.0:containerd-1.2.2-lp150.4.10.1.x86_64",
"openSUSE Leap 15.0:containerd-ctr-1.2.2-lp150.4.10.1.x86_64",
"openSUSE Leap 15.0:containerd-test-1.2.2-lp150.4.10.1.noarch",
"openSUSE Leap 15.0:docker-18.09.1_ce-lp150.5.13.1.x86_64",
"openSUSE Leap 15.0:docker-bash-completion-18.09.1_ce-lp150.5.13.1.noarch",
"openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"openSUSE Leap 15.0:docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.x86_64",
"openSUSE Leap 15.0:docker-runc-test-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.noarch",
"openSUSE Leap 15.0:docker-test-18.09.1_ce-lp150.5.13.1.x86_64",
"openSUSE Leap 15.0:docker-zsh-completion-18.09.1_ce-lp150.5.13.1.noarch",
"openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.7.1.x86_64",
"openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.7.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"openSUSE Leap 15.0:containerd-1.2.2-lp150.4.10.1.x86_64",
"openSUSE Leap 15.0:containerd-ctr-1.2.2-lp150.4.10.1.x86_64",
"openSUSE Leap 15.0:containerd-test-1.2.2-lp150.4.10.1.noarch",
"openSUSE Leap 15.0:docker-18.09.1_ce-lp150.5.13.1.x86_64",
"openSUSE Leap 15.0:docker-bash-completion-18.09.1_ce-lp150.5.13.1.noarch",
"openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"openSUSE Leap 15.0:docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.x86_64",
"openSUSE Leap 15.0:docker-runc-test-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.noarch",
"openSUSE Leap 15.0:docker-test-18.09.1_ce-lp150.5.13.1.x86_64",
"openSUSE Leap 15.0:docker-zsh-completion-18.09.1_ce-lp150.5.13.1.noarch",
"openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.7.1.x86_64",
"openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.7.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-03-23T11:11:59Z",
"details": "moderate"
}
],
"title": "CVE-2018-16875"
},
{
"cve": "CVE-2019-5736",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-5736"
}
],
"notes": [
{
"category": "general",
"text": "runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.0:containerd-1.2.2-lp150.4.10.1.x86_64",
"openSUSE Leap 15.0:containerd-ctr-1.2.2-lp150.4.10.1.x86_64",
"openSUSE Leap 15.0:containerd-test-1.2.2-lp150.4.10.1.noarch",
"openSUSE Leap 15.0:docker-18.09.1_ce-lp150.5.13.1.x86_64",
"openSUSE Leap 15.0:docker-bash-completion-18.09.1_ce-lp150.5.13.1.noarch",
"openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"openSUSE Leap 15.0:docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.x86_64",
"openSUSE Leap 15.0:docker-runc-test-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.noarch",
"openSUSE Leap 15.0:docker-test-18.09.1_ce-lp150.5.13.1.x86_64",
"openSUSE Leap 15.0:docker-zsh-completion-18.09.1_ce-lp150.5.13.1.noarch",
"openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.7.1.x86_64",
"openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.7.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-5736",
"url": "https://www.suse.com/security/cve/CVE-2019-5736"
},
{
"category": "external",
"summary": "SUSE Bug 1121967 for CVE-2019-5736",
"url": "https://bugzilla.suse.com/1121967"
},
{
"category": "external",
"summary": "SUSE Bug 1122185 for CVE-2019-5736",
"url": "https://bugzilla.suse.com/1122185"
},
{
"category": "external",
"summary": "SUSE Bug 1173421 for CVE-2019-5736",
"url": "https://bugzilla.suse.com/1173421"
},
{
"category": "external",
"summary": "SUSE Bug 1218894 for CVE-2019-5736",
"url": "https://bugzilla.suse.com/1218894"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.0:containerd-1.2.2-lp150.4.10.1.x86_64",
"openSUSE Leap 15.0:containerd-ctr-1.2.2-lp150.4.10.1.x86_64",
"openSUSE Leap 15.0:containerd-test-1.2.2-lp150.4.10.1.noarch",
"openSUSE Leap 15.0:docker-18.09.1_ce-lp150.5.13.1.x86_64",
"openSUSE Leap 15.0:docker-bash-completion-18.09.1_ce-lp150.5.13.1.noarch",
"openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"openSUSE Leap 15.0:docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.x86_64",
"openSUSE Leap 15.0:docker-runc-test-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.noarch",
"openSUSE Leap 15.0:docker-test-18.09.1_ce-lp150.5.13.1.x86_64",
"openSUSE Leap 15.0:docker-zsh-completion-18.09.1_ce-lp150.5.13.1.noarch",
"openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.7.1.x86_64",
"openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.7.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"openSUSE Leap 15.0:containerd-1.2.2-lp150.4.10.1.x86_64",
"openSUSE Leap 15.0:containerd-ctr-1.2.2-lp150.4.10.1.x86_64",
"openSUSE Leap 15.0:containerd-test-1.2.2-lp150.4.10.1.noarch",
"openSUSE Leap 15.0:docker-18.09.1_ce-lp150.5.13.1.x86_64",
"openSUSE Leap 15.0:docker-bash-completion-18.09.1_ce-lp150.5.13.1.noarch",
"openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"openSUSE Leap 15.0:docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.x86_64",
"openSUSE Leap 15.0:docker-runc-test-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1.noarch",
"openSUSE Leap 15.0:docker-test-18.09.1_ce-lp150.5.13.1.x86_64",
"openSUSE Leap 15.0:docker-zsh-completion-18.09.1_ce-lp150.5.13.1.noarch",
"openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1.x86_64",
"openSUSE Leap 15.0:runc-1.0.0~rc6-lp150.2.7.1.x86_64",
"openSUSE Leap 15.0:runc-test-1.0.0~rc6-lp150.2.7.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-03-23T11:11:59Z",
"details": "important"
}
],
"title": "CVE-2019-5736"
}
]
}
OPENSUSE-SU-2019:1444-1
Vulnerability from csaf_opensuse - Published: 2019-05-27 05:09 - Updated: 2019-05-27 05:09Summary
Security update for containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork
Severity
Important
Notes
Title of the patch: Security update for containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork
Description of the patch: This update for containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork fixes the following issues:
Security issues fixed:
- CVE-2019-5736: containerd: Fixing container breakout vulnerability (bsc#1121967).
- CVE-2019-6486: go security release, fixing crypto/elliptic CPU DoS vulnerability affecting P-521 and P-384 (bsc#1123013).
- CVE-2018-16873: go secuirty release, fixing cmd/go remote command execution (bsc#1118897).
- CVE-2018-16874: go security release, fixing cmd/go directory traversal (bsc#1118898).
- CVE-2018-16875: go security release, fixing crypto/x509 CPU denial of service (bsc#1118899).
Other changes and bug fixes:
- Update to containerd v1.2.5, which is required for v18.09.5-ce (bsc#1128376, bsc#1134068).
- Update to runc 2b18fe1d885e, which is required for Docker v18.09.5-ce (bsc#1128376, bsc#1134068).
- Update to Docker 18.09.5-ce see upstream changelog in the packaged (bsc#1128376, bsc#1134068).
- docker-test: Improvements to test packaging (bsc#1128746).
- Move daemon.json file to /etc/docker directory (bsc#1114832).
- Revert golang(API) removal since it turns out this breaks >= requires in certain cases (bsc#1114209).
- Fix go build failures (bsc#1121397).
This update was imported from the SUSE:SLE-15:Update update project.
Patchnames: openSUSE-2019-1444
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
22 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.1:containerd-1.2.5-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:containerd-ctr-1.2.5-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:containerd-test-1.2.5-lp151.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-18.09.6_ce-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-bash-completion-18.09.6_ce-lp151.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-runc-test-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-test-18.09.6_ce-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-zsh-completion-18.09.6_ce-lp151.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go-1.12-lp151.2.3.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go-1.12-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go-race-1.12-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.11-1.11.9-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.11-doc-1.11.9-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.11-race-1.11.9-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.12-1.12.4-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.12-doc-1.12.4-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.12-race-1.12.4-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
6.8 (Medium)
Affected products
Recommended
22 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.1:containerd-1.2.5-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:containerd-ctr-1.2.5-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:containerd-test-1.2.5-lp151.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-18.09.6_ce-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-bash-completion-18.09.6_ce-lp151.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-runc-test-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-test-18.09.6_ce-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-zsh-completion-18.09.6_ce-lp151.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go-1.12-lp151.2.3.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go-1.12-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go-race-1.12-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.11-1.11.9-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.11-doc-1.11.9-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.11-race-1.11.9-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.12-1.12.4-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.12-doc-1.12.4-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.12-race-1.12.4-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.9 (Medium)
Affected products
Recommended
22 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.1:containerd-1.2.5-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:containerd-ctr-1.2.5-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:containerd-test-1.2.5-lp151.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-18.09.6_ce-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-bash-completion-18.09.6_ce-lp151.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-runc-test-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-test-18.09.6_ce-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-zsh-completion-18.09.6_ce-lp151.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go-1.12-lp151.2.3.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go-1.12-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go-race-1.12-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.11-1.11.9-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.11-doc-1.11.9-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.11-race-1.11.9-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.12-1.12.4-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.12-doc-1.12.4-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.12-race-1.12.4-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
22 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.1:containerd-1.2.5-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:containerd-ctr-1.2.5-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:containerd-test-1.2.5-lp151.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-18.09.6_ce-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-bash-completion-18.09.6_ce-lp151.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-runc-test-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-test-18.09.6_ce-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-zsh-completion-18.09.6_ce-lp151.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go-1.12-lp151.2.3.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go-1.12-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go-race-1.12-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.11-1.11.9-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.11-doc-1.11.9-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.11-race-1.11.9-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.12-1.12.4-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.12-doc-1.12.4-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.12-race-1.12.4-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
22 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.1:containerd-1.2.5-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:containerd-ctr-1.2.5-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:containerd-test-1.2.5-lp151.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-18.09.6_ce-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-bash-completion-18.09.6_ce-lp151.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-runc-test-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-test-18.09.6_ce-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:docker-zsh-completion-18.09.6_ce-lp151.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go-1.12-lp151.2.3.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go-1.12-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go-race-1.12-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.11-1.11.9-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.11-doc-1.11.9-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.11-race-1.11.9-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.12-1.12.4-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.12-doc-1.12.4-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:go1.12-race-1.12.4-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
39 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2019-5736: containerd: Fixing container breakout vulnerability (bsc#1121967).\n- CVE-2019-6486: go security release, fixing crypto/elliptic CPU DoS vulnerability affecting P-521 and P-384 (bsc#1123013).\n- CVE-2018-16873: go secuirty release, fixing cmd/go remote command execution (bsc#1118897).\n- CVE-2018-16874: go security release, fixing cmd/go directory traversal (bsc#1118898).\n- CVE-2018-16875: go security release, fixing crypto/x509 CPU denial of service (bsc#1118899).\n\nOther changes and bug fixes:\n\n- Update to containerd v1.2.5, which is required for v18.09.5-ce (bsc#1128376, bsc#1134068).\n- Update to runc 2b18fe1d885e, which is required for Docker v18.09.5-ce (bsc#1128376, bsc#1134068).\n- Update to Docker 18.09.5-ce see upstream changelog in the packaged (bsc#1128376, bsc#1134068).\n- docker-test: Improvements to test packaging (bsc#1128746).\n- Move daemon.json file to /etc/docker directory (bsc#1114832).\n- Revert golang(API) removal since it turns out this breaks \u003e= requires in certain cases (bsc#1114209).\n- Fix go build failures (bsc#1121397).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2019-1444",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2019_1444-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2019:1444-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CER2ESZ3IMKBBAWOVTY65MHSHQAI2UVB/#CER2ESZ3IMKBBAWOVTY65MHSHQAI2UVB"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2019:1444-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CER2ESZ3IMKBBAWOVTY65MHSHQAI2UVB/#CER2ESZ3IMKBBAWOVTY65MHSHQAI2UVB"
},
{
"category": "self",
"summary": "SUSE Bug 1114209",
"url": "https://bugzilla.suse.com/1114209"
},
{
"category": "self",
"summary": "SUSE Bug 1114832",
"url": "https://bugzilla.suse.com/1114832"
},
{
"category": "self",
"summary": "SUSE Bug 1118897",
"url": "https://bugzilla.suse.com/1118897"
},
{
"category": "self",
"summary": "SUSE Bug 1118898",
"url": "https://bugzilla.suse.com/1118898"
},
{
"category": "self",
"summary": "SUSE Bug 1118899",
"url": "https://bugzilla.suse.com/1118899"
},
{
"category": "self",
"summary": "SUSE Bug 1121397",
"url": "https://bugzilla.suse.com/1121397"
},
{
"category": "self",
"summary": "SUSE Bug 1121967",
"url": "https://bugzilla.suse.com/1121967"
},
{
"category": "self",
"summary": "SUSE Bug 1123013",
"url": "https://bugzilla.suse.com/1123013"
},
{
"category": "self",
"summary": "SUSE Bug 1128376",
"url": "https://bugzilla.suse.com/1128376"
},
{
"category": "self",
"summary": "SUSE Bug 1128746",
"url": "https://bugzilla.suse.com/1128746"
},
{
"category": "self",
"summary": "SUSE Bug 1134068",
"url": "https://bugzilla.suse.com/1134068"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16873 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16873/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16874 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16874/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16875 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16875/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-5736 page",
"url": "https://www.suse.com/security/cve/CVE-2019-5736/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-6486 page",
"url": "https://www.suse.com/security/cve/CVE-2019-6486/"
}
],
"title": "Security update for containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork",
"tracking": {
"current_release_date": "2019-05-27T05:09:20Z",
"generator": {
"date": "2019-05-27T05:09:20Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2019:1444-1",
"initial_release_date": "2019-05-27T05:09:20Z",
"revision_history": [
{
"date": "2019-05-27T05:09:20Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "go-1.12-lp151.2.3.1.i586",
"product": {
"name": "go-1.12-lp151.2.3.1.i586",
"product_id": "go-1.12-lp151.2.3.1.i586"
}
},
{
"category": "product_version",
"name": "go-doc-1.12-lp151.2.3.1.i586",
"product": {
"name": "go-doc-1.12-lp151.2.3.1.i586",
"product_id": "go-doc-1.12-lp151.2.3.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "containerd-test-1.2.5-lp151.2.3.1.noarch",
"product": {
"name": "containerd-test-1.2.5-lp151.2.3.1.noarch",
"product_id": "containerd-test-1.2.5-lp151.2.3.1.noarch"
}
},
{
"category": "product_version",
"name": "docker-bash-completion-18.09.6_ce-lp151.2.3.1.noarch",
"product": {
"name": "docker-bash-completion-18.09.6_ce-lp151.2.3.1.noarch",
"product_id": "docker-bash-completion-18.09.6_ce-lp151.2.3.1.noarch"
}
},
{
"category": "product_version",
"name": "docker-runc-test-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.noarch",
"product": {
"name": "docker-runc-test-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.noarch",
"product_id": "docker-runc-test-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.noarch"
}
},
{
"category": "product_version",
"name": "docker-zsh-completion-18.09.6_ce-lp151.2.3.1.noarch",
"product": {
"name": "docker-zsh-completion-18.09.6_ce-lp151.2.3.1.noarch",
"product_id": "docker-zsh-completion-18.09.6_ce-lp151.2.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "containerd-1.2.5-lp151.2.3.1.x86_64",
"product": {
"name": "containerd-1.2.5-lp151.2.3.1.x86_64",
"product_id": "containerd-1.2.5-lp151.2.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "containerd-ctr-1.2.5-lp151.2.3.1.x86_64",
"product": {
"name": "containerd-ctr-1.2.5-lp151.2.3.1.x86_64",
"product_id": "containerd-ctr-1.2.5-lp151.2.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "docker-18.09.6_ce-lp151.2.3.1.x86_64",
"product": {
"name": "docker-18.09.6_ce-lp151.2.3.1.x86_64",
"product_id": "docker-18.09.6_ce-lp151.2.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64",
"product": {
"name": "docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64",
"product_id": "docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.x86_64",
"product": {
"name": "docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.x86_64",
"product_id": "docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "docker-test-18.09.6_ce-lp151.2.3.1.x86_64",
"product": {
"name": "docker-test-18.09.6_ce-lp151.2.3.1.x86_64",
"product_id": "docker-test-18.09.6_ce-lp151.2.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "go-1.12-lp151.2.3.1.x86_64",
"product": {
"name": "go-1.12-lp151.2.3.1.x86_64",
"product_id": "go-1.12-lp151.2.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "go-doc-1.12-lp151.2.3.1.x86_64",
"product": {
"name": "go-doc-1.12-lp151.2.3.1.x86_64",
"product_id": "go-doc-1.12-lp151.2.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "go-race-1.12-lp151.2.3.1.x86_64",
"product": {
"name": "go-race-1.12-lp151.2.3.1.x86_64",
"product_id": "go-race-1.12-lp151.2.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "go1.11-1.11.9-lp151.2.3.1.x86_64",
"product": {
"name": "go1.11-1.11.9-lp151.2.3.1.x86_64",
"product_id": "go1.11-1.11.9-lp151.2.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "go1.11-doc-1.11.9-lp151.2.3.1.x86_64",
"product": {
"name": "go1.11-doc-1.11.9-lp151.2.3.1.x86_64",
"product_id": "go1.11-doc-1.11.9-lp151.2.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "go1.11-race-1.11.9-lp151.2.3.1.x86_64",
"product": {
"name": "go1.11-race-1.11.9-lp151.2.3.1.x86_64",
"product_id": "go1.11-race-1.11.9-lp151.2.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "go1.12-1.12.4-lp151.2.3.1.x86_64",
"product": {
"name": "go1.12-1.12.4-lp151.2.3.1.x86_64",
"product_id": "go1.12-1.12.4-lp151.2.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "go1.12-doc-1.12.4-lp151.2.3.1.x86_64",
"product": {
"name": "go1.12-doc-1.12.4-lp151.2.3.1.x86_64",
"product_id": "go1.12-doc-1.12.4-lp151.2.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "go1.12-race-1.12.4-lp151.2.3.1.x86_64",
"product": {
"name": "go1.12-race-1.12.4-lp151.2.3.1.x86_64",
"product_id": "go1.12-race-1.12.4-lp151.2.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64",
"product": {
"name": "golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64",
"product_id": "golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.1",
"product": {
"name": "openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.1"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-1.2.5-lp151.2.3.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:containerd-1.2.5-lp151.2.3.1.x86_64"
},
"product_reference": "containerd-1.2.5-lp151.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-ctr-1.2.5-lp151.2.3.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:containerd-ctr-1.2.5-lp151.2.3.1.x86_64"
},
"product_reference": "containerd-ctr-1.2.5-lp151.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-test-1.2.5-lp151.2.3.1.noarch as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:containerd-test-1.2.5-lp151.2.3.1.noarch"
},
"product_reference": "containerd-test-1.2.5-lp151.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-18.09.6_ce-lp151.2.3.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:docker-18.09.6_ce-lp151.2.3.1.x86_64"
},
"product_reference": "docker-18.09.6_ce-lp151.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-bash-completion-18.09.6_ce-lp151.2.3.1.noarch as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:docker-bash-completion-18.09.6_ce-lp151.2.3.1.noarch"
},
"product_reference": "docker-bash-completion-18.09.6_ce-lp151.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64"
},
"product_reference": "docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.x86_64"
},
"product_reference": "docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-runc-test-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.noarch as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:docker-runc-test-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.noarch"
},
"product_reference": "docker-runc-test-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-test-18.09.6_ce-lp151.2.3.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:docker-test-18.09.6_ce-lp151.2.3.1.x86_64"
},
"product_reference": "docker-test-18.09.6_ce-lp151.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-zsh-completion-18.09.6_ce-lp151.2.3.1.noarch as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:docker-zsh-completion-18.09.6_ce-lp151.2.3.1.noarch"
},
"product_reference": "docker-zsh-completion-18.09.6_ce-lp151.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-1.12-lp151.2.3.1.i586 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:go-1.12-lp151.2.3.1.i586"
},
"product_reference": "go-1.12-lp151.2.3.1.i586",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-1.12-lp151.2.3.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:go-1.12-lp151.2.3.1.x86_64"
},
"product_reference": "go-1.12-lp151.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-doc-1.12-lp151.2.3.1.i586 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.i586"
},
"product_reference": "go-doc-1.12-lp151.2.3.1.i586",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-doc-1.12-lp151.2.3.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.x86_64"
},
"product_reference": "go-doc-1.12-lp151.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-race-1.12-lp151.2.3.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:go-race-1.12-lp151.2.3.1.x86_64"
},
"product_reference": "go-race-1.12-lp151.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.11-1.11.9-lp151.2.3.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:go1.11-1.11.9-lp151.2.3.1.x86_64"
},
"product_reference": "go1.11-1.11.9-lp151.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.11-doc-1.11.9-lp151.2.3.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:go1.11-doc-1.11.9-lp151.2.3.1.x86_64"
},
"product_reference": "go1.11-doc-1.11.9-lp151.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.11-race-1.11.9-lp151.2.3.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:go1.11-race-1.11.9-lp151.2.3.1.x86_64"
},
"product_reference": "go1.11-race-1.11.9-lp151.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.12-1.12.4-lp151.2.3.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:go1.12-1.12.4-lp151.2.3.1.x86_64"
},
"product_reference": "go1.12-1.12.4-lp151.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.12-doc-1.12.4-lp151.2.3.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:go1.12-doc-1.12.4-lp151.2.3.1.x86_64"
},
"product_reference": "go1.12-doc-1.12.4-lp151.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.12-race-1.12.4-lp151.2.3.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:go1.12-race-1.12.4-lp151.2.3.1.x86_64"
},
"product_reference": "go1.12-race-1.12.4-lp151.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64"
},
"product_reference": "golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-16873",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16873"
}
],
"notes": [
{
"category": "general",
"text": "In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it\u0027s possible to arrange things so that a Git repository is cloned to a folder named \".git\" by using a vanity import path that ends with \"/.git\". If the Git repository root contains a \"HEAD\" file, a \"config\" file, an \"objects\" directory, a \"refs\" directory, with some work to ensure the proper ordering of operations, \"go get -u\" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the \"config\" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running \"go get -u\".",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:containerd-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-ctr-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-test-1.2.5-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-bash-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-test-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:docker-test-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-zsh-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-race-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-doc-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-race-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-doc-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-race-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16873",
"url": "https://www.suse.com/security/cve/CVE-2018-16873"
},
{
"category": "external",
"summary": "SUSE Bug 1118897 for CVE-2018-16873",
"url": "https://bugzilla.suse.com/1118897"
},
{
"category": "external",
"summary": "SUSE Bug 1118898 for CVE-2018-16873",
"url": "https://bugzilla.suse.com/1118898"
},
{
"category": "external",
"summary": "SUSE Bug 1118899 for CVE-2018-16873",
"url": "https://bugzilla.suse.com/1118899"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:containerd-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-ctr-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-test-1.2.5-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-bash-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-test-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:docker-test-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-zsh-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-race-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-doc-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-race-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-doc-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-race-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.1:containerd-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-ctr-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-test-1.2.5-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-bash-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-test-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:docker-test-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-zsh-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-race-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-doc-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-race-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-doc-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-race-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-05-27T05:09:20Z",
"details": "important"
}
],
"title": "CVE-2018-16873"
},
{
"cve": "CVE-2018-16874",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16874"
}
],
"notes": [
{
"category": "general",
"text": "In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both \u0027{\u0027 and \u0027}\u0027 characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:containerd-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-ctr-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-test-1.2.5-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-bash-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-test-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:docker-test-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-zsh-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-race-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-doc-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-race-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-doc-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-race-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16874",
"url": "https://www.suse.com/security/cve/CVE-2018-16874"
},
{
"category": "external",
"summary": "SUSE Bug 1118897 for CVE-2018-16874",
"url": "https://bugzilla.suse.com/1118897"
},
{
"category": "external",
"summary": "SUSE Bug 1118898 for CVE-2018-16874",
"url": "https://bugzilla.suse.com/1118898"
},
{
"category": "external",
"summary": "SUSE Bug 1118899 for CVE-2018-16874",
"url": "https://bugzilla.suse.com/1118899"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:containerd-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-ctr-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-test-1.2.5-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-bash-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-test-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:docker-test-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-zsh-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-race-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-doc-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-race-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-doc-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-race-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.1:containerd-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-ctr-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-test-1.2.5-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-bash-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-test-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:docker-test-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-zsh-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-race-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-doc-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-race-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-doc-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-race-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-05-27T05:09:20Z",
"details": "moderate"
}
],
"title": "CVE-2018-16874"
},
{
"cve": "CVE-2018-16875",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16875"
}
],
"notes": [
{
"category": "general",
"text": "The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:containerd-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-ctr-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-test-1.2.5-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-bash-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-test-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:docker-test-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-zsh-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-race-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-doc-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-race-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-doc-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-race-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16875",
"url": "https://www.suse.com/security/cve/CVE-2018-16875"
},
{
"category": "external",
"summary": "SUSE Bug 1118897 for CVE-2018-16875",
"url": "https://bugzilla.suse.com/1118897"
},
{
"category": "external",
"summary": "SUSE Bug 1118898 for CVE-2018-16875",
"url": "https://bugzilla.suse.com/1118898"
},
{
"category": "external",
"summary": "SUSE Bug 1118899 for CVE-2018-16875",
"url": "https://bugzilla.suse.com/1118899"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:containerd-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-ctr-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-test-1.2.5-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-bash-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-test-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:docker-test-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-zsh-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-race-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-doc-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-race-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-doc-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-race-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"openSUSE Leap 15.1:containerd-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-ctr-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-test-1.2.5-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-bash-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-test-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:docker-test-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-zsh-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-race-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-doc-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-race-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-doc-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-race-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-05-27T05:09:20Z",
"details": "moderate"
}
],
"title": "CVE-2018-16875"
},
{
"cve": "CVE-2019-5736",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-5736"
}
],
"notes": [
{
"category": "general",
"text": "runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:containerd-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-ctr-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-test-1.2.5-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-bash-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-test-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:docker-test-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-zsh-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-race-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-doc-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-race-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-doc-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-race-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-5736",
"url": "https://www.suse.com/security/cve/CVE-2019-5736"
},
{
"category": "external",
"summary": "SUSE Bug 1121967 for CVE-2019-5736",
"url": "https://bugzilla.suse.com/1121967"
},
{
"category": "external",
"summary": "SUSE Bug 1122185 for CVE-2019-5736",
"url": "https://bugzilla.suse.com/1122185"
},
{
"category": "external",
"summary": "SUSE Bug 1173421 for CVE-2019-5736",
"url": "https://bugzilla.suse.com/1173421"
},
{
"category": "external",
"summary": "SUSE Bug 1218894 for CVE-2019-5736",
"url": "https://bugzilla.suse.com/1218894"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:containerd-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-ctr-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-test-1.2.5-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-bash-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-test-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:docker-test-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-zsh-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-race-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-doc-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-race-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-doc-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-race-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"openSUSE Leap 15.1:containerd-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-ctr-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-test-1.2.5-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-bash-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-test-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:docker-test-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-zsh-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-race-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-doc-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-race-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-doc-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-race-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-05-27T05:09:20Z",
"details": "important"
}
],
"title": "CVE-2019-5736"
},
{
"cve": "CVE-2019-6486",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-6486"
}
],
"notes": [
{
"category": "general",
"text": "Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:containerd-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-ctr-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-test-1.2.5-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-bash-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-test-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:docker-test-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-zsh-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-race-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-doc-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-race-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-doc-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-race-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-6486",
"url": "https://www.suse.com/security/cve/CVE-2019-6486"
},
{
"category": "external",
"summary": "SUSE Bug 1123013 for CVE-2019-6486",
"url": "https://bugzilla.suse.com/1123013"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:containerd-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-ctr-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-test-1.2.5-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-bash-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-test-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:docker-test-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-zsh-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-race-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-doc-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-race-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-doc-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-race-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"openSUSE Leap 15.1:containerd-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-ctr-1.2.5-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:containerd-test-1.2.5-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-bash-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.x86_64",
"openSUSE Leap 15.1:docker-runc-test-1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:docker-test-18.09.6_ce-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:docker-zsh-completion-18.09.6_ce-lp151.2.3.1.noarch",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.i586",
"openSUSE Leap 15.1:go-doc-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go-race-1.12-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-doc-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.11-race-1.11.9-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-doc-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:go1.12-race-1.12.4-lp151.2.3.1.x86_64",
"openSUSE Leap 15.1:golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-05-27T05:09:20Z",
"details": "important"
}
],
"title": "CVE-2019-6486"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…