Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update: docker #1337

Closed
t-lo opened this issue Feb 1, 2024 · 2 comments
Closed

update: docker #1337

t-lo opened this issue Feb 1, 2024 · 2 comments
Labels
advisory security advisory cvss/MEDIUM >= 4 && < 7 assessed CVSS security security concerns

Comments

@t-lo
Copy link
Member

t-lo commented Feb 1, 2024

Name: app-containers/docker
CVEs: CVE-2024-24557, GHSA-xw73-rw38-6vjc
CVSSs: 6.9 (Medium)
Action Needed: Update to 24.0.9 or higher. 20.x will not be patched by upstream.

Summary: In Moby <= v25.0.1 and <= v24.0.8, the classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not cause a cache miss. An attacker with knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered a valid cache candidate for some build steps.

refmap.gentoo: TBD
@t-lo t-lo added security security concerns advisory security advisory labels Feb 1, 2024
@t-lo t-lo moved this from 📝 Needs Triage to 🌱 Upcoming / Focus in Flatcar tactical, release planning, and roadmap Feb 1, 2024
@t-lo t-lo added the cvss/MEDIUM >= 4 && < 7 assessed CVSS label Feb 1, 2024
@t-lo
Copy link
Member Author

t-lo commented Feb 1, 2024

The latest sysext bakery release ships a Docker sysext that includes a fix (docker 24.0.9): https://github.com/flatcar/sysext-bakery/releases/tag/latest. Using the sysext can mitigate the issue until we publish new OS releases later in February.
Check out the readme in the sysext bakery https://github.com/flatcar/sysext-bakery as well as our documentation on sysexts https://www.flatcar.org/docs/latest/provisioning/sysext/ for more information

@krnowak
Copy link
Member

krnowak commented Feb 7, 2024

Next alpha, beta and stable will have docker 24.0.9.

@krnowak krnowak closed this as completed Feb 7, 2024
@github-project-automation github-project-automation bot moved this from 🌱 Upcoming / Focus to Implemented in Flatcar tactical, release planning, and roadmap Feb 7, 2024
@github-actions github-actions bot mentioned this issue Feb 22, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
advisory security advisory cvss/MEDIUM >= 4 && < 7 assessed CVSS security security concerns
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@t-lo @krnowak