安全公告详情

NS-SA-2021-0181

2021-09-24 11:25:36

简介

important: flatpak/docker-ce security update

严重级别

important

主题

An update for flatpak/docker-ce is now available for NewStart CGSL MAIN 5.05/CGSL CORE 5.05.
NewStart Security has rated this update as having a security impact of important. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.

详细描述

flatpak: flatpak is a system for building, distributing and running sandboxed desktop applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for more information.
docker-ce: Docker is an open source project to build, ship and run any application as a lightweight container. Docker containers are both hardware-agnostic and platform-agnostic. This means they can run anywhere, from your laptop to the largest EC2 compute instance and everything in between - and they don't require you to use a particular language, framework or packaging system. That makes them great building blocks for deploying and scaling web apps, databases, and backend services without depending on a particular stack or provider.


Security Fix(es):
flatpak: A flaw was found in Flatpak. The Flatpak portal D-Bus service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the `flatpak run` command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the `flatpak run` command, and use them to execute arbitrary code that is outside the sandbox. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2021-21261)
flatpak: bugfix
docker-ce: A flaw was found in Docker. Pulling an intentionally malformed Docker image manifest could lead to a crash of the `dockerd` daemon, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2021-21285)
docker-ce: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.05.F12B2.

影响组件

  • flatpak
  • docker-ce

影响产品

  • CGSL MAIN 5.05
  • CGSL CORE 5.05

更新包

{"fix":[{"product":"CGSL MAIN 5.05","pkgs":[{"binary":["flatpak-1.0.9-10.el7_9.x86_64.rpm","flatpak-libs-1.0.9-10.el7_9.x86_64.rpm","flatpak-debuginfo-1.0.9-10.el7_9.x86_64.rpm","flatpak-builder-1.0.0-10.el7_9.x86_64.rpm","flatpak-devel-1.0.9-10.el7_9.x86_64.rpm"],"source":"flatpak-1.0.9-10.el7_9.src.rpm"},{"binary":["docker-ce-17.03.3-1.el7.2103050614git20db173.x86_64.rpm","docker-ce-debuginfo-17.03.3-1.el7.2103050614git20db173.x86_64.rpm"],"source":"docker-ce-17.03.3-1.el7.2103050614git20db173.src.rpm"}]},{"product":"CGSL CORE 5.05","pkgs":[{"binary":["flatpak-1.0.9-10.el7_9.x86_64.rpm","flatpak-libs-1.0.9-10.el7_9.x86_64.rpm","flatpak-debuginfo-1.0.9-10.el7_9.x86_64.rpm","flatpak-builder-1.0.0-10.el7_9.x86_64.rpm","flatpak-devel-1.0.9-10.el7_9.x86_64.rpm"],"source":"flatpak-1.0.9-10.el7_9.src.rpm"},{"binary":["docker-ce-17.03.3-1.el7.2103050614git20db173.x86_64.rpm","docker-ce-debuginfo-17.03.3-1.el7.2103050614git20db173.x86_64.rpm"],"source":"docker-ce-17.03.3-1.el7.2103050614git20db173.src.rpm"}]}]}

CVE

参考