Opening new issue rather than muddying the separate issue of updating apache for new features.
CVE-2019-0211, as the vulnerability is indexed, is a local privilege escalation, meaning it allows a person or software that already has limited access to the Web server to elevate privileges to root.
arstechnica (emphasis added)
As such, I don't think it requires us to immediately rework the PHP apache images to pull in the new version (via apt version pinning). This will automatically be fixed on the next Debian base image rebuild, which should be about 30 days after the last build (docker-library/official-images#5609) and is currently scheduled for about April 27th (the release of Debian 9.9).
For those that want to secure their containers, they can use --user as mentioned in the docs and there will be no process running as root to escalate to.
TLDR:
$ docker run -d --name apache --user 33:33 --sysctl net.ipv4.ip_unprivileged_port_start=0 php:apache
...
$ docker top apache
UID PID PPID C STIME TTY TIME CMD
33 25097 25079 4 14:28 pts/0 00:00:00 apache2 -DFOREGROUND
33 25150 25097 0 14:28 pts/0 00:00:00 apache2 -DFOREGROUND
33 25151 25097 0 14:28 pts/0 00:00:00 apache2 -DFOREGROUND
33 25152 25097 0 14:28 pts/0 00:00:00 apache2 -DFOREGROUND
33 25153 25097 0 14:28 pts/0 00:00:00 apache2 -DFOREGROUND
33 25154 25097 0 14:28 pts/0 00:00:00 apache2 -DFOREGROUND
It might also be that --security-opt no-new-privileges would work but I am unfamiliar with how the bug works to know if that would be enough.
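As an added example (not part of the original issue and not the image's own tooling), the check below turns the `docker top` inspection above into something scriptable: it reads `docker top` output and fails if any process in the container belongs to root, which is the condition the `--user 33:33` run is meant to guarantee. The `--sysctl net.ipv4.ip_unprivileged_port_start=0` flag is repeated in the helper because the non-root apache2 process still needs to bind port 80. The two sample `docker top` outputs are constructed for the test; one mirrors the post's output, the other has a root-owned apache2 parent added to show what a failing result looks like. Depending on the host's `/etc/passwd`, `docker top` may print `www-data`/`root` instead of numeric UIDs, so both spellings of root are handled.

```shell
#!/bin/sh
# Added example: verify that a php:apache container started with --user has no
# root-owned process. Not code from the original issue; docker CLI calls are
# only used in the live helpers at the bottom.

# Constructed sample 1: the non-root layout from the post (UID 33 = www-data).
SAMPLE_TOP_OK='UID PID PPID C STIME TTY TIME CMD
33 25097 25079 4 14:28 pts/0 00:00:00 apache2 -DFOREGROUND
33 25150 25097 0 14:28 pts/0 00:00:00 apache2 -DFOREGROUND
33 25151 25097 0 14:28 pts/0 00:00:00 apache2 -DFOREGROUND'

# Constructed sample 2: the default layout, where the apache2 parent runs as
# root and the workers as www-data. This is the case --user removes.
SAMPLE_TOP_BAD='UID PID PPID C STIME TTY TIME CMD
root 25097 25079 4 14:28 pts/0 00:00:00 apache2 -DFOREGROUND
33 25150 25097 0 14:28 pts/0 00:00:00 apache2 -DFOREGROUND'

# root_processes_in_top: reads `docker top` text on stdin, skips the header,
# and prints every line whose UID column is root (numeric 0 or the name root).
# Exit status 0 means no root process was seen, 1 means at least one was.
root_processes_in_top() {
    awk 'NR > 1 && ($1 == "0" || $1 == "root") { found = 1; print }
         END { exit found ? 1 : 0 }'
}

# hardened_run_cmd <name>: prints the docker run command from the post, with
# --sysctl so the unprivileged apache2 can still bind port 80. Assumed name
# and image tag; adjust to taste.
hardened_run_cmd() {
    printf 'docker run -d --name %s --user 33:33 --sysctl net.ipv4.ip_unprivileged_port_start=0 php:apache\n' "$1"
}

# check_no_root_processes <container>: live check against a running container
# (requires the docker CLI). Prints offending lines and returns 1 if any
# process in the container runs as root.
check_no_root_processes() {
    docker top "$1" | root_processes_in_top
}
```

Run `check_no_root_processes apache` after starting the container; an empty result with exit status 0 means every apache2 process is unprivileged and there is no root parent left to escalate to.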