
glibc: CVE-2015-7547 #1448

Closed
tianon opened this Issue Feb 16, 2016 · 44 comments


@tianon tianon added the cve-tracker label Feb 16, 2016

tianon (Member Author) commented Feb 16, 2016

RHEL 6 and RHEL 7 have fixes (cc @jperrin)

Fedora has an update submitted (cc @maxamillion)

openSUSE update is in-progress (cc @flavio)

tianon (Member Author) commented Feb 16, 2016

Debian tarballs are in-progress (almost complete -- just waiting on the sid/unstable packages to propagate)

Ubuntu doesn't have updated packages yet

jperrin (Contributor) commented Feb 16, 2016

Our packages are syncing to the mirrors now. I'll have an updated build shortly.

Djelibeybi (Contributor) commented Feb 16, 2016

OL6 and OL7 have fixes and a new build has been requested from our build team.

ThiefMaster commented Feb 16, 2016

Will all the official docker-library images be rebuilt automatically?

tianon (Member Author) commented Feb 16, 2016

@ThiefMaster yes, they're in-progress right now

@jperrin @Djelibeybi thanks for the updates! 👍

diogomonica commented Feb 16, 2016

@tianon this has the patched packages http://www.ubuntu.com/usn/usn-2900-1/

tianon (Member Author) commented Feb 16, 2016

@diogomonica nice -- wonder why they didn't update http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7547.html yet

I'll give our Canonical contacts a poke and see what the ETA for updated tarballs is.

(At their request, we consume their tarballs from https://partner-images.canonical.com/core/, built by Canonical on their official infra, so as soon as those are updated I can update the image.)

diogomonica commented Feb 16, 2016

@tianon yeah, I didn't understand that either. I was checking the CVE page too.

tianon (Member Author) commented Feb 16, 2016

Heard back and Ubuntu rebuilds are in progress downstream! 👍

diogomonica commented Feb 16, 2016

Great!

patch all the things

tianon (Member Author) commented Feb 17, 2016

As a minor update, there was a snag in Canonical's update process that's delayed the artifact generation on their side -- I'll keep an eye on things, but it looks like we likely won't get those artifacts until early tomorrow (relative to PST).

Djelibeybi (Contributor) commented Feb 17, 2016

Oracle images updated in #1453

ThiefMaster commented Feb 17, 2016

What's the best way to see whether an official image has already been updated or not? For example, the mongo image on Docker Hub still shows "last pushed 14d ago", so I guess it's still vulnerable?
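The question above is the check a practitioner wants to make before trusting an image. As an added example, not code from this thread or from docker-library, the script below takes the output of `dpkg-query -W -f '${Package} ${Version}\n' libc6` run inside a Debian- or Ubuntu-based container (for instance via `docker run --rm <image> dpkg-query ...`) and compares the installed `libc6` package version against the fixed version from the distribution's advisory (the USN linked later in this thread, or the Debian security tracker), using the dpkg version ordering. Comparing the package version rather than `ldd --version` matters because distribution security updates keep the upstream glibc version and bump only the package revision. The sample output and `FIXED_VERSION_PLACEHOLDER` are constructed; substitute the real fixed version for your base image.

```python
"""Check whether an image's glibc package is at or past a fixed version.

Added example (not from the issue thread). Feed it the output of
    docker run --rm <image> dpkg-query -W -f '${Package} ${Version}\n' libc6
and the minimum fixed version taken from the distribution's advisory.
"""
from typing import Tuple


def _char_order(c: str) -> int:
    # dpkg ordering for non-digit characters: '~' sorts before everything
    # (even end of string), letters sort before non-letters.
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a: str, b: str) -> int:
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i] if i < len(a) else "")
        ob = _char_order(b[i] if i < len(b) else "")
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_fragment(a: str, b: str) -> int:
    # Alternate between non-digit runs (compared by _cmp_nondigit) and
    # digit runs (compared numerically), as dpkg does.
    while a or b:
        ia = next((i for i, ch in enumerate(a) if ch.isdigit()), len(a))
        ib = next((i for i, ch in enumerate(b) if ch.isdigit()), len(b))
        r = _cmp_nondigit(a[:ia], b[:ib])
        if r:
            return r
        a, b = a[ia:], b[ib:]
        ia = next((i for i, ch in enumerate(a) if not ch.isdigit()), len(a))
        ib = next((i for i, ch in enumerate(b) if not ch.isdigit()), len(b))
        na, nb = int(a[:ia] or "0"), int(b[:ib] or "0")
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[ia:], b[ib:]
    return 0


def _split(version: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, _, revision = version.rpartition("-")
    if not upstream:  # no '-' at all: the whole string is the upstream part
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, ordering like dpkg --compare-versions."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def installed_version(dpkg_output: str, package: str) -> str:
    """Pick one package's version out of 'Package Version' lines."""
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == package:
            return parts[1]
    raise KeyError(package)


def has_fix(dpkg_output: str, package: str, fixed_version: str) -> bool:
    """True when the installed package is at or past the fixed version."""
    return compare_versions(installed_version(dpkg_output, package), fixed_version) >= 0


# Constructed sample output (not captured from a real image).
SAMPLE_OUTPUT = """libc6 2.19-18+deb8u3
libc-bin 2.19-18+deb8u3
"""
# Placeholder: substitute the fixed version from the distribution's advisory.
FIXED_VERSION_PLACEHOLDER = "2.19-18+deb8u3"

if __name__ == "__main__":
    status = has_fix(SAMPLE_OUTPUT, "libc6", FIXED_VERSION_PLACEHOLDER)
    print("libc6 is patched" if status else "libc6 is below the fixed version")
```

Run it against each base image you depend on rather than trusting the "last pushed" timestamp on Docker Hub, which says only that a push happened, not what it contained; for RPM-based images the same approach applies with `rpm -q glibc` and RPM's version ordering instead.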

macropin commented Feb 17, 2016

@tianon when can we expect all the major images to be rebuilt, e.g. centos, and secondary ones, e.g. mariadb, nginx etc.? It looks like you guys have gone to bed. We are sitting around waiting for this to happen so we can patch production systems. Thanks.

tianon (Member Author) commented Feb 17, 2016

@macropin for CentOS, we're waiting for the image maintainer to provide an updated rootfs; for the Debian-based portion of the library, we're waiting for the images themselves to finish rebuilding (there are a ton of them, and it takes quite a while to rebuild them all)

Ubuntu is going to have a PR shortly.

tianon (Member Author) commented Feb 17, 2016

Both ubuntu and buildpack-deps are now fully updated. Rebuilds of dependent images are still in-progress.

flavio (Contributor) commented Feb 17, 2016

Just a quick update, openSUSE 42.1, 13.2 and tumbleweed packages are being rolled out at different paces. I'll update all the images as soon as the packages are there.

ThiefMaster commented Feb 17, 2016

Out of curiosity, why do the rebuilds take so long for the debian-based images?

tianon (Member Author) commented Feb 17, 2016

That'd mostly be because we have over 300 officially supported tags based directly on debian, and over 200 based indirectly on it via buildpack-deps (not to mention further chains going through language images).

tianon (Member Author) commented Feb 17, 2016

Thanks @flavio! ❤️

jperrin (Contributor) commented Feb 17, 2016

Sorry for the delay on getting this one in. #1455

tianon (Member Author) commented Feb 18, 2016

@macropin thanks for the additional info and testing -- @maxamillion thoughts on what might've happened? 😕

tianon (Member Author) commented Feb 18, 2016

@frapposelli just realized I need to add photon to my template 😄 Is there an official "security tracker" for the OS yet, or is the best place to look for updates just going to be the SPECS directory in https://github.com/vmware/photon ? It doesn't look like glibc there is updated yet (https://github.com/vmware/photon/tree/master/SPECS/glibc).

flavio added a commit to flavio/official-images that referenced this issue Feb 18, 2016

Update openSUSE 42.1 and tumbleweed
Fixes glibc and libssl issues (see issue docker-library#1448)

Signed-off-by: Flavio Castelli <fcastelli@suse.com>

maxamillion (Contributor) commented Feb 18, 2016

@macropin @tianon - yup, totally my fault. I'm getting that fixed up and the Fedora 22 image built, will have a pull request asap. Apologies.

frapposelli (Contributor) commented Feb 18, 2016

@tianon no security tracker at the moment (working on that), best way is to look at the SPEC dir (either master or dev branch).

Seems like the guys already pushed a patch: vmware/photon@fdf30fa

maxamillion (Contributor) commented Feb 18, 2016

@tianon Apologies for the mistake on the Fedora 23 image and the delay on the Fedora 22 image. #1461

tianon (Member Author) commented Feb 18, 2016

Ok, Fedora fix is pushed. 😄 👍

tianon (Member Author) commented Feb 18, 2016

@frapposelli nice! 😄 Does that mean it's ready for an image rootfs rebuild, or is there further process it has to go through first?

frapposelli (Contributor) commented Feb 18, 2016

@tianon they have an automated process that uploads the new artifacts, I'm checking with them for a timeline, once they're up I will send a PR with the update 👍

tianon (Member Author) commented Feb 18, 2016

@frapposelli rock on, sounds great ❤️

tianon (Member Author) commented Feb 20, 2016

juanluisbaptiste (Contributor) commented Feb 20, 2016

@tianon yes, I already did the image update locally, but it seems I got distracted by something and totally forgot to finish it; probably I saw a squirrel through the window or something, hehe. I'll finish the update later today when I'm back home.

juanluisbaptiste (Contributor) commented Feb 21, 2016

@tianon Ready, please check.

juanluisbaptiste added a commit to juanluisbaptiste/official-images that referenced this issue Feb 22, 2016

Updated images glibc: CVE-2015-7547 docker-library#1448 and removed mageia 4 as it is EOL since September 2015.

tianon added a commit that referenced this issue Feb 22, 2016

Merge pull request #1469 from juanluisbaptiste/master
Updated images glibc: CVE-2015-7547 #1448

RichardScothern added a commit to RichardScothern/official-images that referenced this issue Jun 14, 2016

Update openSUSE 42.1 and tumbleweed
Fixes glibc and libssl issues (see issue docker-library#1448)

Signed-off-by: Flavio Castelli <fcastelli@suse.com>

tianon (Member Author) commented Aug 29, 2016

I think this is likely as good as it's going to get at this point. 👍

@tianon tianon closed this Aug 29, 2016
