Docker official site security update (2019-01-09)

Source: Docker official site    Published: 2019-01-09

Basic information

Release date: 2019-01-09 (vendor local time)

Update type: security update

Version: 18.09.1

Detected at: 2019-12-05 19:41:37

Risk level: unknown

Intelligence contributed by: TSRC

Update title

Docker official site security update: version 18.09.1 released

Update details

Important notes about this release

In Docker versions prior to 18.09, containerd was managed by the Docker engine daemon. In Docker Engine 18.09, containerd is managed by systemd. Since containerd is managed by systemd, any custom configuration to the docker.service systemd configuration which changes mount settings (for example, MountFlags=slave) breaks interactions between the Docker Engine daemon and containerd, and you will not be able to start containers.

Run the following command to get the current value of the MountFlags property for the docker.service:

sudo systemctl show --property=MountFlags docker.service
MountFlags=

Update your configuration if this command prints a non-empty value for MountFlags, and restart the docker service.
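As an added example (not part of the Docker release notes), the check described above can be scripted: parse the `MountFlags=` line printed by `systemctl show`, flag a non-empty value, and locate the drop-in file that sets it. The drop-in directory `/etc/systemd/system/docker.service.d` is the usual systemd override location and is an assumption here; the sample conf contents used in testing are constructed.

```shell
#!/bin/sh
# Added example: detect a custom MountFlags value on docker.service, which
# Docker Engine 18.09 no longer tolerates because containerd is managed by
# systemd, and point at the drop-in file that introduced it.

# Extract the value portion of a "MountFlags=..." line as printed by
# `systemctl show --property=MountFlags docker.service`.
mountflags_value() {
    printf '%s' "${1#MountFlags=}"
}

# Return 0 when MountFlags is empty (the state the 18.09 notes require),
# 1 when a propagation flag such as "slave" or "shared" is set.
check_mountflags() {
    value=$(mountflags_value "$1")
    if [ -z "$value" ]; then
        echo "OK: docker.service has no custom MountFlags"
        return 0
    fi
    echo "WARNING: docker.service sets MountFlags=$value; with containerd under systemd in 18.09, containers will fail to start"
    return 1
}

# Print file:line for every MountFlags= directive in a systemd drop-in directory.
# The default path is the conventional override directory for docker.service
# (an assumption; adjust if your unit or overrides live elsewhere).
find_mountflags_sources() {
    dir=${1:-/etc/systemd/system/docker.service.d}
    [ -d "$dir" ] || return 0
    grep -Hn '^[[:space:]]*MountFlags=' "$dir"/*.conf 2>/dev/null || true
}

# Live check against the running system; skipped when systemctl is unavailable.
live_check() {
    command -v systemctl >/dev/null 2>&1 || { echo "systemctl not found; skipping live check"; return 0; }
    line=$(systemctl show --property=MountFlags docker.service 2>/dev/null)
    check_mountflags "$line" || find_mountflags_sources
}

live_check || :
```

If the warning fires, remove (or empty) the `MountFlags=` directive in the file reported, then run `systemctl daemon-reload` before restarting the docker service so that systemd picks up the changed unit configuration.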

Security fixes for Docker Engine EE and CE

Upgraded Go language to 1.10.6 to resolve CVE-2018-16873, CVE-2018-16874, and CVE-2018-16875.
Fixed authz plugin for 0-length content and path validation.
Added /proc/asound to masked paths docker/engine#126


Improvements for Docker Engine EE and CE

Updated to BuildKit 0.3.3 docker/engine#122
Updated to containerd 1.2.2 docker/engine#144
Provided additional warnings for use of deprecated legacy overlay and devicemapper storage drivers docker/engine#85
prune: perform image pruning before build cache pruning docker/cli#1532
Added bash completion for experimental CLI commands (manifest) docker/cli#1542
Windows: allow process isolation on Windows 10 docker/engine#81


Fixes for Docker Engine EE and CE

Disable kmem accounting in runc on RHEL/CentOS (docker/escalation#614, docker/escalation#692) docker/engine#121
Fixed inefficient networking configuration docker/engine#123
Fixed: docker system prune did not accept the until filter docker/engine#122
Avoid unset credentials in containerd docker/engine#122
Fixed iptables compatibility on Debian docker/engine#107
Fixed setting default schema to tcp for docker host docker/cli#1454
Fixed bash completion for service update --force docker/cli#1526
Windows: DetachVhd attempt in cleanup docker/engine#113
API: properly handle invalid JSON to return a 400 status docker/engine#110
API: ignore default address-pools on API < 1.39 docker/engine#118
API: add missing default address pool fields to swagger docker/engine#119
awslogs: account for UTF-8 normalization in limits docker/engine#112
Prohibit reading more than 1MB in HTTP error responses docker/engine#114
apparmor: allow receiving of signals from docker kill docker/engine#116
overlay2: use index=off if possible (fix EBUSY on mount) docker/engine#84


Packaging

Add docker.socket requirement for docker.service. docker/docker-ce-packaging#276
Add socket activation for RHEL-based distributions. docker/docker-ce-packaging#274
Add libseccomp requirement for RPM packages. docker/docker-ce-packaging#266


Known Issues

When upgrading from 18.09.0 to 18.09.1, containerd is not upgraded to the correct version on Ubuntu.
There are important changes to the upgrade process that, if not correctly followed, can have impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or greater.


Software description

Docker is an open-source application container engine that lets developers package their applications and dependencies into a portable image and then deploy it to any popular Linux or Windows machine; it can also be used for virtualization. Containers are fully sandboxed and have no interfaces to one another. [1]

TSRC analysis

None yet

Industry news

None yet
