[Security] Any action required for CVE-2015-7547? #286

Closed
PikachuEXE opened this issue Feb 23, 2016 · 7 comments

@PikachuEXE
Contributor

Recently a security-related CVE was published:
https://www.kb.cert.org/vuls/id/457759

There is already an issue for docker official images
docker-library/official-images#1448

Anything required for this repo? Rebuild? Change of Dockerfiles/scripts?

@FooBarWidget
Member

We'll update it eventually. In the meantime, you can run apt-get update && apt-get upgrade in your Dockerfile, which does the same thing: https://github.com/phusion/baseimage-docker#upgrading_os

@PikachuEXE
Contributor Author

Thanks
Should I keep this issue open?
Also the link should be https://github.com/phusion/baseimage-docker#upgrading-the-operating-system-inside-the-container (Yup I know it will be outdated again soon enough)

@FooBarWidget
Member

Yes please do.

#upgrading_os works too. We have different anchor names in the readme.

brejoc added a commit to brejoc/docker-nextcloud that referenced this issue Feb 28, 2016
Until the phusion baseimage will ship a fix, we'll just upgrade the packages:
phusion/baseimage-docker#286
@asokani

asokani commented Mar 17, 2016

Is the apt-get upgrade really bulletproof? Official Docker documentation discourages this practice. See https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/#apt-get

.. avoid apt-get upgrade ..., as many of the “essential” packages from the base images won’t upgrade inside an unprivileged container

Just asking. Is that an issue? Does anyone know which packages "won't upgrade"?

@FooBarWidget
Member

I don't think it's a big issue.

Things like kernel packages or bootloader packages (grub) won't upgrade because they try to do things that require more privileges. But I think the document is exaggerating when they say that "many packages won't upgrade" -- I have yet to encounter even one case of a package not upgrading well due to lack of privileges. I think the kernel and bootloader packages are already disabled in the Docker base images.

And what that article says about upgrading applies equally to installing. If a package won't upgrade inside an unprivileged container, then it won't install either, so you would have noticed the issue long before you needed to upgrade.
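
Added example (not part of the thread and not the baseimage-docker project's code): a shell check for the question raised above, whether apt-get upgrade leaves anything un-upgraded in a container. It parses the output of apt-get -s upgrade (simulation mode); the function names and the sample output are constructed, and libc6 is checked because CVE-2015-7547 is a glibc bug.

```shell
#!/bin/sh
# Parse `apt-get -s upgrade` (simulate only, nothing is changed) and report
# packages that still have a pending upgrade or were kept back.
# Intended use in an image build, after `apt-get update && apt-get upgrade -y`:
#   apt-get -s upgrade | package_is_current libc6 || exit 1

# Reads simulation output on stdin.
# Prints one line per package: "kept <name>" or "pending <name>".
pending_upgrades() {
    awk '
        /^The following packages have been kept back:/ { kept = 1; next }
        kept && /^[ \t]/ { for (i = 1; i <= NF; i++) print "kept", $i; next }
        { kept = 0 }
        $1 == "Inst" { print "pending", $2 }
    '
}

# Reads simulation output on stdin. Succeeds only if the named package
# is neither waiting for an upgrade nor kept back.
package_is_current() {
    pkg=$1
    ! pending_upgrades | grep -Fxq -e "pending $pkg" -e "kept $pkg"
}

# Constructed sample of simulation output (package versions are placeholders).
SAMPLE='Reading package lists...
Building dependency tree...
The following packages have been kept back:
  linux-image-generic
The following packages will be upgraded:
  libc-bin libc6
2 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
Inst libc6 [1.0-1] (1.0-2 Example:1.0/stable [amd64])
Conf libc6 (1.0-2 Example:1.0/stable [amd64])
Inst libc-bin [1.0-1] (1.0-2 Example:1.0/stable [amd64])
Conf libc-bin (1.0-2 Example:1.0/stable [amd64])'

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | pending_upgrades
```

Run against a freshly built image, an empty result from pending_upgrades means the upgrade step left nothing behind; any "kept" line names a package that apt declined to upgrade.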

@asokani

asokani commented Mar 18, 2016

Thanks. Sounds reasonable. Another idea: I searched github for filename:Dockerfile "apt-get" with 113 000 results and then for filename:Dockerfile "apt-get upgrade" with 8000 results. It works for many others.

@FooBarWidget
Member

We've recently updated Baseimage-docker to Ubuntu 16.04. So the security update will also be released real soon now.
