Updated docker packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7 Extras.

Red Hat Product Security has rated this update as having Low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
Docker is a service providing container management on Linux.

A flaw was found in the way the Docker service unpacked images or builds after a “docker pull”. An attacker could use this flaw to provide a malicious image or build that, when unpacked, would escalate their privileges on the system. (CVE-2014-9357) (CVE-2014-9356)

Red Hat would like to thank Docker Inc. for reporting these issues.

The docker-python subpackage provides the new Atomic tool. The goal of Atomic is to provide a high level, coherent entry point for Red Hat Enterprise Linux Atomic Host. Atomic makes it easier to interact with special kinds of containers, such as super-privileged debugging tools. Comprehensive information and documentation is available in the atomic manual pages.

The docker packages have been upgraded to upstream version 1.4.1, which provides a number of bug fixes and enhancements over the previous version, most notably an experimental overlayfs storage driver. (BZ#1174351)

Additionally, this update fixes the following bugs:

* The JSON configuration files for containers and images were inconsistent. As a consequence, when these files were parsed by the “docker inspect” command, the output was unnecessarily complex. This update improves the key naming schema in the configuration files and the output from “docker inspect” is now uniform. (BZ#1092773)

* Previously, the /run directory had an incorrect SELinux label. As a consequence, containers could not access /run. This update corrects the SELinux label and containers now have access to /run. (BZ#1100009)

* The Docker service contained an incorrect path for the secrets directory. As a consequence, executing “docker run” failed to create containers. This update fixes the default path to the secrets directory and “docker run” now executes successfully. (BZ#1102568)

* Previously, it was not possible to specify a default repository in the configuration file in cases where all docker.io files are inaccessible. As a consequence, running docker commands failed because they could not contact the default repositories. After this update, it is possible to specify a local Docker repository, and commands no longer fail because they are able to connect to a local private repository. (BZ#1106430)

* When executing the “docker attach” command on a container which was in the process of shutting down, the process did not fail, but became unresponsive. This bug has been fixed, and running “docker attach” on a container which is shutting down causes the attach process to fail with an informative error message that it is not possible to attach to a stopped container. (BZ#1113608)

* Previously, the “docker run” sub-command incorrectly returned non-zero exit codes, when they all should have been zero. As a consequence, it was not possible to differentiate between the exit codes of the docker command line and exit codes of contained processes, which in turn made automated control of “docker run” impossible. This update fixes the inconsistencies within the exit codes of “docker run”. Additionally, this update also fixes inconsistencies of other docker sub-commands and improves the language in the error and warning messages. (BZ#1162807)

* Previously, adding a new registry with the “--registry-prepend” option did not follow the correct order to query and download an image. As a consequence, it did not query the prepended new registry first, but rather started with querying docker.io. The “--registry-prepend” option has been renamed to “--registry-add” and its behavior has been changed to query the registries added in the given order, with docker.io queried last. (BZ#1186153)

All docker users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.
Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
1092773 – Image and container JSON keys have no consistency
1100009 – /run is broken with SELinux
1102568 – Wrong path of default secrets docker tries to open
1113608 – `docker attach` hangs when attaching container, which is exiting
1162807 – Docker CLI exit codes for errors?
1172782 – CVE-2014-9357 docker: Escalation of privileges during decompression of LZMA archives
1174351 – docker 1.4.1 is available
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from: