Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

glibc: CVE-2015-7547 #1448

Closed
9 of 12 tasks
tianon opened this issue Feb 16, 2016 · 44 comments
Closed
9 of 12 tasks

glibc: CVE-2015-7547 #1448

tianon opened this issue Feb 16, 2016 · 44 comments

Comments

@tianon
Copy link
Member Author

@tianon tianon commented Feb 16, 2016

RHEL 6 and RHEL 7 have fixes (cc @jperrin)

Fedora has an update submitted (cc @maxamillion)

openSUSE update is in-progress (cc @flavio)

@tianon
Copy link
Member Author

@tianon tianon commented Feb 16, 2016

Debian tarballs are in-progress (almost complete -- just waiting on the sid/unstable packages to propagate)

Ubuntu doesn't have updated packages yet

@jperrin
Copy link
Contributor

@jperrin jperrin commented Feb 16, 2016

our packages are syncing to the mirrors now. I'll have an updated build shortly.

@Djelibeybi
Copy link
Contributor

@Djelibeybi Djelibeybi commented Feb 16, 2016

OL6 and OL7 have fixes and a new build has been requested from our build team.

@ThiefMaster
Copy link

@ThiefMaster ThiefMaster commented Feb 16, 2016

will all the official docker-library images be rebuilt automatically?

@tianon
Copy link
Member Author

@tianon tianon commented Feb 16, 2016

@ThiefMaster yes, they're in-progress right now

@jperrin @Djelibeybi thanks for the updates! 👍

@diogomonica
Copy link

@diogomonica diogomonica commented Feb 16, 2016

@tianon this has the patched packages http://www.ubuntu.com/usn/usn-2900-1/

@tianon
Copy link
Member Author

@tianon tianon commented Feb 16, 2016

@diogomonica nice -- wonder why they didn't update http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7547.html yet

I'll give our Canonical contacts a poke and see what the ETA for updated tarballs is.

(At their request, we consume their tarballs from https://partner-images.canonical.com/core/, built by Canonical on their official infra, so as soon as those are updated I can update the image.)

@diogomonica
Copy link

@diogomonica diogomonica commented Feb 16, 2016

@tianon yeah, I didn't understand that either. I was checking the CVE page too.

@tianon
Copy link
Member Author

@tianon tianon commented Feb 16, 2016

Heard back and Ubuntu rebuilds are in progress downstream! 👍

@diogomonica
Copy link

@diogomonica diogomonica commented Feb 16, 2016

Great!

patch all the things

@tianon
Copy link
Member Author

@tianon tianon commented Feb 17, 2016

As a minor update, there was a snag in Canonical's update process that's delayed the artifact generation on their side -- I'll keep an eye on things, but it looks like we likely won't get those artifacts until early tomorrow (relative to PST).

@Djelibeybi
Copy link
Contributor

@Djelibeybi Djelibeybi commented Feb 17, 2016

Oracle images updated in #1453

@ThiefMaster
Copy link

@ThiefMaster ThiefMaster commented Feb 17, 2016

What's the best way to see whether an official image has already been updated or not? For example the mongo image on docker hub still shows "last pushed 14d ago" so i guess it's still vulnerable?

@macropin
Copy link

@macropin macropin commented Feb 17, 2016

@tianon when can we expect all the major images to be rebuilt eg centos and secondary eg mariadb, nginx etc? It looks like you guys have gone to bed. We are sitting around waiting for this to happen so we can patch production systems. Thanks.

@tianon
Copy link
Member Author

@tianon tianon commented Feb 17, 2016

@macropin for CentOS, we're waiting for the image maintainer to provide an updated rootfs; for the Debian-based portion of the library, we're waiting for the images themselves to finish rebuilding (there are a ton of them, and it takes quite a while to rebuild them all)

Ubuntu is going to have a PR shortly.

@tianon
Copy link
Member Author

@tianon tianon commented Feb 17, 2016

Both ubuntu and buildpack-deps are now fully updated. Rebuilds of dependent images are still in-progress.

@flavio
Copy link
Contributor

@flavio flavio commented Feb 17, 2016

Just a quick update, openSUSE 42.1, 13.2 and tumbleweed packages are being rolled out at different paces. I'll update all the images as soon as the packages are there.

@ThiefMaster
Copy link

@ThiefMaster ThiefMaster commented Feb 17, 2016

Out of curiosity, why do the rebuilds take so long for the debian-based images?

@tianon
Copy link
Member Author

@tianon tianon commented Feb 17, 2016

That'd mostly be because we have over 300 officially supported tags based directly on debian, and over 200 based indirectly on it via buildpack-deps (not to mention further chains going through language images).

@tianon
Copy link
Member Author

@tianon tianon commented Feb 17, 2016

Thanks @flavio! ❤️

@jperrin
Copy link
Contributor

@jperrin jperrin commented Feb 17, 2016

Sorry for the delay on getting this one in. #1455

@tianon
Copy link
Member Author

@tianon tianon commented Feb 18, 2016

https://bugzilla.redhat.com/show_bug.cgi?id=1308943#c7 claims the update is available 😄

@macropin
Copy link

@macropin macropin commented Feb 18, 2016

And the latest fedora:23 image still contains the vulnerable glibc.

[root@docker docker-cve]# docker pull fedora:23 
Trying to pull repository docker.io/library/fedora ... 23: Pulling from library/fedora
b0082ba983ef: Already exists 
a7a02e6029ae: Already exists 
Digest: sha256:f538e5517cb2160e869647f0bff049e4ee38d5dde4ba75b50ff213831426ba05
Status: Image is up to date for docker.io/fedora:23
[root@docker docker-cve]# docker images |grep fedora
docker.io/fedora                     23                  a7a02e6029ae        8 hours ago         204.4 MB
docker.io/fedora                     latest              a7a02e6029ae        8 hours ago         204.4 MB
[root@docker docker-cve]# docker run --rm -ti fedora:23 bash
[root@db80f371f2e1 /]# rpm -qva |grep glibc
glibc-common-2.22-7.fc23.x86_64
glibc-2.22-7.fc23.x86_64

@tianon
Copy link
Member Author

@tianon tianon commented Feb 18, 2016

@macropin thanks for the additional info and testing -- @maxamillion thoughts on what might've happened? 😕

@tianon
Copy link
Member Author

@tianon tianon commented Feb 18, 2016

@frapposelli just realized I need to add photon to my template 😄 Is there an official "security tracker" for the OS yet, or is the best place to look for updates just going to be the SPECS directory in https://github.com/vmware/photon ? It doesn't look like glibc there is updated yet (https://github.com/vmware/photon/tree/master/SPECS/glibc).

flavio added a commit to flavio/official-images that referenced this issue Feb 18, 2016
Fixes glibc and libssl issues (see issue docker-library#1448)

Signed-off-by: Flavio Castelli <fcastelli@suse.com>
@maxamillion
Copy link
Contributor

@maxamillion maxamillion commented Feb 18, 2016

@macropin @tianon - yup, totally my fault. I'm getting that fixed up and the Fedora 22 image built, will have a pull request asap. Apologies.

@frapposelli
Copy link
Contributor

@frapposelli frapposelli commented Feb 18, 2016

@tianon no security tracker at the moment (working on that), best way is to look at the SPEC dir (either master or dev branch).

Seems like the guys already pushed a patch: vmware/photon@fdf30fa

@maxamillion
Copy link
Contributor

@maxamillion maxamillion commented Feb 18, 2016

@tianon Apologies for the mistake on the Fedora 23 image and the delay on the Fedora 22 image. #1461

@tianon
Copy link
Member Author

@tianon tianon commented Feb 18, 2016

Ok, Fedora fix is pushed. 😄 👍

@tianon
Copy link
Member Author

@tianon tianon commented Feb 18, 2016

@frapposelli nice! 😄 Does that mean it's ready for an image rootfs rebuild, or is there further process it has to go through first?

@frapposelli
Copy link
Contributor

@frapposelli frapposelli commented Feb 18, 2016

@tianon they have an automated process that uploads the new artifacts, I'm checking with them for a timeline, once they're up I will send a PR with the update 👍

@tianon
Copy link
Member Author

@tianon tianon commented Feb 18, 2016

@frapposelli rock on, sounds great ❤️

@tianon
Copy link
Member Author

@tianon tianon commented Feb 20, 2016

@juanluisbaptiste
Copy link
Contributor

@juanluisbaptiste juanluisbaptiste commented Feb 20, 2016

@tianon yes I already did the image update locally, but it seems I got distracted by something and totally forgot to finish it, probably I saw a squirrel through the window or something hehe. I'll finish the update later today when I'm back home.

@juanluisbaptiste
Copy link
Contributor

@juanluisbaptiste juanluisbaptiste commented Feb 21, 2016

@tianon Ready, please check.

@tianon
Copy link
Member Author

@tianon tianon commented Aug 29, 2016

I think this is likely as good as it's going to get at this point. 👍

@tianon tianon closed this Aug 29, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet