Security Advisory Details

NS-SA-2022-0010

2022-05-08 17:55:03

Summary

important: flatpak/docker-ce security update

Severity

important

Topic

An update for flatpak/docker-ce is now available for NewStart CGSL MAIN 5.04/CGSL CORE 5.04.
NewStart Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

flatpak: flatpak is a system for building, distributing and running sandboxed desktop applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for more information.
docker-ce: Docker is an open source project to build, ship and run any application as a lightweight container. Docker containers are both hardware-agnostic and platform-agnostic. This means they can run anywhere, from your laptop to the largest EC2 compute instance and everything in between - and they don't require you to use a particular language, framework or packaging system. That makes them great building blocks for deploying and scaling web apps, databases, and backend services without depending on a particular stack or provider.


Security Fix(es):
flatpak: A sandbox escape flaw was found in the way flatpak handled special tokens in ".desktop" files. This flaw allows an attacker to gain access to files that are not ordinarily allowed by the app's permissions. The highest threat from this vulnerability is to confidentiality and integrity. (CVE-2021-21381)
flatpak: bugfix
docker-ce: net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com. (CVE-2019-14809)
docker-ce: It was discovered that net/http (through net/textproto) in golang does not correctly interpret HTTP requests where an HTTP header contains spaces before the colon. This could be abused by an attacker to smuggle HTTP requests when a proxy or a firewall is placed behind a server implemented in Go, or to bypass filters, depending on the specific network configuration. (CVE-2019-16276)
docker-ce: A flaw was found in the math/big package of Go's standard library that causes a denial of service. Applications written in Go that use math/big via cryptographic packages, including crypto/rsa and crypto/x509, are vulnerable and can potentially cause panic via a crafted certificate chain. The highest threat from this vulnerability is to system availability. (CVE-2020-28362)
docker-ce: bugfix
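The two net/url and net/http issues above both come down to input that Go's parsers accepted but that later authorization or proxy logic interpreted differently. The following Go program is an added example written for this advisory, not code from Go, Docker or NewStart; it shows the defensive checks an application can apply on top of the standard library regardless of which Go version it was built with: rebuilding u.Host from Hostname() and Port() and rejecting any URL where the two disagree (the CVE-2019-14809 shape), and checking raw header names against the RFC 7230 token rule so a name with whitespace before the colon (the CVE-2019-16276 shape) is refused rather than silently normalized. The function names, the scheme allow-list and the sample inputs are the example's own assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// HostIsConsistent reports whether u.Host can be rebuilt exactly from
// u.Hostname() and u.Port(). Bytes present in Host but in neither accessor
// are the condition described for CVE-2019-14809, so code that makes
// authorization decisions on Hostname() should treat such URLs as invalid.
func HostIsConsistent(u *url.URL) bool {
	host := u.Hostname()
	if strings.Contains(host, ":") { // IPv6 literal: put the brackets back
		host = "[" + host + "]"
	}
	if p := u.Port(); p != "" {
		host += ":" + p
	}
	return host == u.Host
}

// ParseStrictURL parses raw, enforces an explicit scheme allow-list and
// applies the host consistency check. (Hypothetical helper for this example.)
func ParseStrictURL(raw string, allowedSchemes ...string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	allowed := false
	for _, s := range allowedSchemes {
		if u.Scheme == s {
			allowed = true
			break
		}
	}
	if !allowed {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if !HostIsConsistent(u) {
		return nil, fmt.Errorf("host %q does not match hostname %q and port %q",
			u.Host, u.Hostname(), u.Port())
	}
	return u, nil
}

// ValidHeaderName implements the RFC 7230 "token" rule for a header field
// name: one or more tchar, with no whitespace of any kind. A name such as
// "Content-Length " (trailing space before the colon) fails this rule.
func ValidHeaderName(name string) bool {
	if name == "" {
		return false
	}
	for i := 0; i < len(name); i++ {
		c := name[i]
		switch {
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9':
		case strings.IndexByte("!#$%&'*+-.^_`|~", c) >= 0:
		default:
			return false
		}
	}
	return true
}

// CheckRawHeaders scans raw "Name: value" lines, as a front proxy or filter
// would see them before Go's parser normalizes them, and returns the names
// that violate the token rule so the request can be rejected up front.
func CheckRawHeaders(lines []string) []string {
	var bad []string
	for _, l := range lines {
		i := strings.IndexByte(l, ':')
		if i < 0 {
			bad = append(bad, l)
			continue
		}
		if name := l[:i]; !ValidHeaderName(name) {
			bad = append(bad, name)
		}
	}
	return bad
}

func main() {
	// Constructed sample inputs for demonstration.
	for _, raw := range []string{"https://example.com:8443/path", "javascript://example.com"} {
		u, err := ParseStrictURL(raw, "https")
		fmt.Printf("%-32s -> ok=%v err=%v\n", raw, u != nil, err)
	}
	rawHeaders := []string{"Host: example.com", "Content-Length : 5", "X-Trace: 1"}
	fmt.Println("rejected header names:", CheckRawHeaders(rawHeaders))
}
```

The scheme allow-list is the cheapest part of the check and the one most applications skip; the host consistency check costs nothing at runtime and turns a parser quirk into a hard parse error at the trust boundary instead of an authorization decision made on the wrong hostname.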


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.04.F36B4.

Affected Components

  • flatpak
  • docker-ce

Affected Products

  • CGSL MAIN 5.04
  • CGSL CORE 5.04

Update Packages

CGSL MAIN 5.04

  • flatpak (source: flatpak-1.0.9-11.el7_9.src.rpm)
      • flatpak-builder-1.0.0-11.el7_9.x86_64.rpm
      • flatpak-libs-1.0.9-11.el7_9.x86_64.rpm
      • flatpak-devel-1.0.9-11.el7_9.x86_64.rpm
      • flatpak-debuginfo-1.0.9-11.el7_9.x86_64.rpm
      • flatpak-1.0.9-11.el7_9.x86_64.rpm
  • docker-ce (source: docker-ce-17.03.3-1.el7.2108201013git6da3bf6.src.rpm)
      • docker-ce-debuginfo-17.03.3-1.el7.2108201013git6da3bf6.x86_64.rpm
      • docker-ce-17.03.3-1.el7.2108201013git6da3bf6.x86_64.rpm

CGSL CORE 5.04

  • flatpak (source: flatpak-1.0.9-11.el7_9.src.rpm)
      • flatpak-builder-1.0.0-11.el7_9.x86_64.rpm
      • flatpak-libs-1.0.9-11.el7_9.x86_64.rpm
      • flatpak-devel-1.0.9-11.el7_9.x86_64.rpm
      • flatpak-debuginfo-1.0.9-11.el7_9.x86_64.rpm
      • flatpak-1.0.9-11.el7_9.x86_64.rpm
  • docker-ce (source: docker-ce-17.03.3-1.el7.2108201013git6da3bf6.src.rpm)
      • docker-ce-debuginfo-17.03.3-1.el7.2108201013git6da3bf6.x86_64.rpm
      • docker-ce-17.03.3-1.el7.2108201013git6da3bf6.x86_64.rpm

CVE

References