Confusing release notes for addressing the CVE-2019-5736

[singhjagmohan1000]

Problem description

Update runc for addressing the cve-2019-5736.

Problem location

https://docs.docker.com/engine/release-notes/#18062

• I couldn't find the information I wanted. I expected to find it near the following URL:

The latest release documents says "Update runc to address a critical vulnerability that allows specially-crafted containers to gain administrative privileges on the host. CVE-2019-5736".
I think runc is part of the docker engine, as I have not installed runc on my systems explicitly. So How do we update this.
Maybe it meant to say the runc has been updated with current release. So it is really confusing. Can I get more explanation.

[ryujisnote]

please see this docker blog
https://blog.docker.com/2019/02/docker-security-update-cve-2018-5736-and-container-security-best-practices/

[sujaypillai]

If you are Docker EE customer you should have received separate communication about it and here is the list of various engine version -

Versions	Recommendations
Engine 17.06	Upgrade recommended to version 17.06.2-ee-19
Engine 18.03	Upgrade recommended to version 18.03.1-ee-6
Engine 18.09	Upgrade recommended to version 18.09.2

*18.09.2 has a upgrade dependency on containerd.io to latest version (1.2.2-3)

If you are using Docker Desktop update to 2.0.0.3

[paigehargrave]

@singhjagmohan1000 - Thank you for your feedback! I'm adding the blog link to the release notes: #8293.

[docker-robott]

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

/lifecycle locked