[SECURITY] Fedora 20 Update: docker-io-1.4.1-6.fc20

updates at fedoraproject.org updates at fedoraproject.org
Mon Jan 26 02:35:37 UTC 2015 

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2015-1128
2015-01-25 23:41:54
--------------------------------------------------------------------------------

Name        : docker-io
Product     : Fedora 20
Version     : 1.4.1
Release     : 6.fc20
URL         : http://www.docker.com
Summary     : Automates deployment of containerized applications
Description :
Docker is an open-source engine that automates the deployment of any
application as a lightweight, portable, self-sufficient container that will
run virtually anywhere.

Docker containers can encapsulate any payload, and will run consistently on
and between virtually any server. The same container that a developer builds
and tests on a laptop will run at scale, in production*, on VMs, bare-metal
servers, OpenStack clusters, public instances, or combinations of the above.

--------------------------------------------------------------------------------
Update Information:

run tests inside a docker repo
allow unitfile to use /etc/sysconfig/docker-network
Security fix for CVE-2014-9357, CVE-2014-9358, CVE-2014-9356
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jan 22 2015 Lokesh Mandvekar <lsm5 at fedoraproject.org> - 1.4.1-6
- run tests inside a docker repo
- use vendored deps itself
* Tue Jan 13 2015 Lokesh Mandvekar <lsm5 at fedoraproject.org> - 1.4.1-5
- Resolves: rhbz#1169593 patch to set DOCKER_CERT_PATH regardless of config file
* Thu Jan  8 2015 Lokesh Mandvekar <lsm5 at fedoraproject.org> - 1.4.1-4
- allow unitfile to use /etc/sysconfig/docker-network
- MountFlags private
* Fri Dec 19 2014 Dan Walsh <dwalsh at redhat.com> - 1.4.1-3
- Add check to run unit tests
* Thu Dec 18 2014 Lokesh Mandvekar <lsm5 at fedoraproject.org> - 1.4.1-2
- update and rename logrotate cron script
- install /etc/sysconfig/docker-network
* Wed Dec 17 2014 Lokesh Mandvekar <lsm5 at fedoraproject.org> - 1.4.1-1
- Resolves: rhbz#1175144 - update to upstream v1.4.1
- Resolves: rhbz#1175097, rhbz#1127570 - subpackages
for fish and zsh completion and vim syntax highlighting
- Provide subpackage to run logrotate on running containers as a daily cron
job
* Thu Dec 11 2014 Lokesh Mandvekar <lsm5 at fedoraproject.org> - 1.4.0-2
- update metaprovides
* Thu Dec 11 2014 Lokesh Mandvekar <lsm5 at fedoraproject.org> - 1.4.0-1
- Resolves: rhbz#1173324
- Resolves: rhbz#1172761 - CVE-2014-9356
- Resolves: rhbz#1172782 - CVE-2014-9357
- Resolves: rhbz#1172787 - CVE-2014-9358
- update to upstream v1.4.0
- override DOCKER_CERT_PATH in sysconfig instead of patching the source
- create dockerroot user if doesn't exist prior
- update metaprovides
* Mon Dec  1 2014 Lokesh Mandvekar <lsm5 at fedoraproject.org> - 1.3.2-4
- Revert to using upstream v1.3.2 release
* Sun Nov 30 2014 Lokesh Mandvekar <lsm5 at fedoraproject.org> - 1.3.2-3.git353ff40
- Resolves: rhbz#1169035, rhbz#1169151
- bring back golang deps (except libcontainer)
* Tue Nov 25 2014 Lokesh Mandvekar <lsm5 at fedoraproject.org> - 1.3.2-2
- install sources skipped prior
* Tue Nov 25 2014 Lokesh Mandvekar <lsm5 at fedoraproject.org> - 1.3.2-1
- Resolves: rhbz#1167642 - Update to upstream v1.3.2
- Resolves: rhbz#1167505, rhbz#1167507 - CVE-2014-6407
- Resolves: rhbz#1167506 - CVE-2014-6408
- use vendor/ dir for golang deps for this NVR (fix deps soon after)
* Wed Nov 19 2014 Lokesh Mandvekar <lsm5 at fedoraproject.org> - 1.3.1-3
- Resolves: rhbz#1165615
* Fri Oct 31 2014 Lokesh Mandvekar <lsm5 at fedoraproject.org> - 1.3.1-2
- Remove pandoc from build reqs
* Fri Oct 31 2014 Lokesh Mandvekar <lsm5 at fedoraproject.org> - 1.3.1-1
- update to v1.3.1
* Mon Oct 20 2014 Lokesh Mandvekar <lsm5 at fedoraproject.org> - 1.3.0-1
- Resolves: rhbz#1153936 - update to v1.3.0
- don't install zsh files
- iptables=false => ip-masq=false
* Wed Oct  8 2014 Lokesh Mandvekar <lsm5 at fedoraproject.org> - 1.2.0-5
- Resolves: rhbz#1149882 - systemd unit and socket file updates
* Tue Sep 30 2014 Lokesh Mandvekar <lsm5 at fedoraproject.org> - 1.2.0-4
- Resolves: rhbz#1139415 - correct path for bash completion
    /usr/share/bash-completion/completions
- versioned provides for docker
- golang versioned requirements for devel and pkg-devel
- remove macros from changelog
- don't own dirs owned by vim, systemd, bash
* Thu Sep 25 2014 Lokesh Mandvekar <lsm5 at fedoraproject.org> - 1.2.0-3
- Resolves: rhbz#1145660 - support /etc/sysconfig/docker-storage 
  From: Colin Walters <walters at redhat.com>
- patch to ignore selinux if it's disabled
  https://github.com/docker/docker/commit/9e2eb0f1cc3c4ef000e139f1d85a20f0e00971e6
  From: Dan Walsh <dwalsh at redhat.com>
* Sun Aug 24 2014 Lokesh Mandvekar <lsm5 at fedoraproject.org> - 1.2.0-2
- Provides docker only for f21 and above
* Sat Aug 23 2014 Lokesh Mandvekar <lsm5 at fedoraproject.org> - 1.2.0-1
- Resolves: rhbz#1132824 - update to v1.2.0
* Sat Aug 16 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.1.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1172761 - CVE-2014-9356 docker: Path traversal during processing of absolute symlinks
        https://bugzilla.redhat.com/show_bug.cgi?id=1172761
  [ 2 ] Bug #1172782 - CVE-2014-9357 docker: Escalation of privileges during decompression of LZMA archives
        https://bugzilla.redhat.com/show_bug.cgi?id=1172782
  [ 3 ] Bug #1172787 - CVE-2014-9358 docker: Path traversal and spoofing opportunities presented through image identifiers
        https://bugzilla.redhat.com/show_bug.cgi?id=1172787
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update docker-io' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

More information about the package-announce mailing list