1.1. 19.03.15

2021-02-01

1.1.1. Security

  • CVE-2021-21285 Prevent an invalid image from crashing docker daemon
  • CVE-2021-21284 Lock down file permissions to prevent remapped root from accessing docker state
  • Ensure AppArmor and SELinux profiles are applied when building with BuildKit

1.1.2. Client

  • Check contexts before importing them to reduce risk of extracted files escaping context store

1.2. 19.03.14

2020-12-01

1.2.1. Security

  • CVE-2020-15257: Update bundled static binaries of containerd to v1.3.9 moby/moby#41731. Package managers should update the containerd.io package.

1.2.2. Builder

  • Beta versions of AppArmor are now parsed correctly, preventing build failures moby/moby#41542

1.2.3. Networking

1.2.4. Runtime

1.2.5. Rootless

  • Lock state dir to prevent automatic clean-up by systemd-tmpfiles moby/moby#41635
  • dockerd-rootless.sh: support new containerd shim socket path convention moby/moby#41557

1.2.6. Logging

1.3. 19.03.13

2020-09-16

1.3.1. Builder

  • buildkit: Fix nil dereference in cache logic moby/moby#41279
  • buildkit: Treat Unix sockets as regular files during COPY/ADD moby/moby#41269
  • buildkit: Ignore system and security xattrs in calculation to ensure consistent COPY caching regardless of SELinux environment moby/moby#41222
  • buildkit: Make --cache-from behavior more reliable moby/moby#41222
  • buildkit: Fix infinite loop burning CPU when exporting cache moby/moby#41185

1.3.2. Client

1.3.3. Networking

1.3.4. Rootless

1.3.5. Runtime

1.3.6. Windows

  • Fix slow Windows container start time when using servercore image moby/moby#41192

1.4. 19.03.12

2020-06-18

1.4.1. Client

  • Fix bug preventing logout from registry when using multiple config files (e.g. Windows vs WSL2 when using Docker Desktop) docker/cli#2592
  • Fix regression preventing context metadata to be read docker/cli#2586
  • Bump Golang 1.13.12 docker/cli#2575

1.4.2. Networking

1.4.3. Runtime

1.5. 19.03.11

2020-06-01

1.5.1. Network

Disable IPv6 Router Advertisements to prevent address spoofing. CVE-2020-13401

Description

In the Docker default configuration, the container network interface is a virtual ethernet link going to the host (veth interface). In this configuration, an attacker able to run a process as root in a container can send and receive arbitrary packets to the host using the CAP_NET_RAW capability (present in the default configuration).

If IPv6 is not totally disabled on the host (via ipv6.disable=1 on the kernel cmdline), it will be either unconfigured or configured on some interfaces, but it’s pretty likely that IPv6 forwarding is disabled, that is, /proc/sys/net/ipv6/conf/*/forwarding == 0. Also by default, /proc/sys/net/ipv6/conf/*/accept_ra == 1. The combination of these two sysctls means that the host accepts router advertisements and configures its IPv6 stack from them (accept_ra == 1 means "accept only while forwarding is off", which is exactly the default case).

By sending “rogue” router advertisements from a container, an attacker can reconfigure the host to redirect part or all of the IPv6 traffic of the host to the attacker-controlled container.

Even if there was no IPv6 traffic before, if the DNS returns A (IPv4) and AAAA (IPv6) records, many HTTP libraries will try to connect via IPv6 first and then fall back to IPv4, giving the attacker an opportunity to respond. If by chance the host has a vulnerability like the 2019 RCE in apt (CVE-2019-3462), the attacker can now escalate to the host.

As CAP_NET_ADMIN is not present by default for Docker containers, the attacker can’t configure the IPs they want to MitM, they can’t use iptables to NAT or REDIRECT the traffic, and they can’t use IP_TRANSPARENT. The attacker can however still use CAP_NET_RAW and implement a tcp/ip stack in user space.

See kubernetes/kubernetes#91507 for related issues.
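To check whether a host is still exposed, the following added example (not part of the Docker release notes or of Docker's own code) walks the /proc/sys/net/ipv6/conf tree and lists the interfaces that would honour a Router Advertisement under the kernel's accept_ra semantics (0 never, 1 only while forwarding is off, 2 always). Host-side container veths are called out separately, because those are the interfaces a root process with CAP_NET_RAW in a container can send a rogue RA to. The function names, the optional ROOT argument (which lets the logic run against a copied or constructed sysctl tree) and the RA_AUDIT_LIVE switch are this example's own conventions.

```shell
#!/bin/sh
# Added example, not Docker's own code: list the interfaces on a host that
# would still accept an IPv6 Router Advertisement, i.e. the surface a rogue
# RA sent from a container (CVE-2020-13401) can act on.
#
# Kernel semantics of net.ipv6.conf.<if>.accept_ra:
#   0 = never accept, 1 = accept only while forwarding is off, 2 = always accept.
# The optional ROOT argument (default /proc/sys) exists so the same logic can
# be run against a copied or constructed sysctl tree.

# ra_exposed_ifaces [ROOT] : print, one per line, each interface that honours RAs
ra_exposed_ifaces() {
    root="${1:-/proc/sys}"
    confdir="$root/net/ipv6/conf"
    # No tree at all means IPv6 is disabled (e.g. ipv6.disable=1): nothing to accept
    [ -d "$confdir" ] || return 0
    for d in "$confdir"/*/; do
        d="${d%/}"
        [ -d "$d" ] || continue
        iface="${d##*/}"
        # "all" and "default" are policy knobs, not interfaces
        case "$iface" in all|default) continue ;; esac
        accept_ra=$(cat "$d/accept_ra" 2>/dev/null || echo 0)
        forwarding=$(cat "$d/forwarding" 2>/dev/null || echo 0)
        if [ "$accept_ra" = "2" ] || { [ "$accept_ra" = "1" ] && [ "$forwarding" = "0" ]; }; then
            printf '%s\n' "$iface"
        fi
    done
}

# ra_audit [ROOT] : human-readable report; returns 1 if anything is exposed
ra_audit() {
    exposed=$(ra_exposed_ifaces "$1")
    if [ -z "$exposed" ]; then
        echo "OK: no interface accepts IPv6 Router Advertisements"
        return 0
    fi
    echo "Interfaces that would accept a rogue RA:"
    for iface in $exposed; do
        case "$iface" in
            # Host side of a container veth pair: reachable from that container's
            # CAP_NET_RAW, so a root process in the container can reconfigure the host
            veth*) echo "  $iface  (container veth: upgrade the daemon or set accept_ra=0)" ;;
            *)     echo "  $iface" ;;
        esac
    done
    return 1
}

# Set RA_AUDIT_LIVE=1 to audit the running host (off by default so the file
# can be sourced without side effects)
if [ "${RA_AUDIT_LIVE:-}" = "1" ]; then
    ra_audit
fi
```

Run with RA_AUDIT_LIVE=1 before and after upgrading to 19.03.11: on a patched daemon the veth interfaces it creates should no longer appear in the list, while eth0 and the like will still show up unless you set net.ipv6.conf.<if>.accept_ra=0 yourself. Note that an interface with accept_ra=2 is exposed even when forwarding is on, which the "forwarding disabled" reasoning above does not cover.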

1.6. 19.03.10

2020-05-29

1.6.1. Client

1.6.2. Networking

1.6.3. Runtime

  • Avoid potential panic on s390x by upgrading Go to 1.13.11. moby/moby#40978

1.6.4. Packaging

1.7. 19.03.9

2020-05-14

1.7.1. Builder

  • buildkit: Fix concurrent map write panic when building multiple images in parallel. moby/moby#40780
  • buildkit: Fix issue preventing chowning of non-root-owned files between stages with userns. moby/moby#40955
  • Avoid creation of irrelevant temporary files on Windows. moby/moby#40877

1.7.2. Client

1.7.3. Logging

  • Avoid situation preventing container logs to rotate due to closing a closed log file. moby/moby#40921

1.7.4. Networking

1.7.5. Runtime

1.7.6. Rootless

  • rootlesskit-docker-proxy now returns a detailed error message when exposing privileged ports. moby/moby#40863
  • Support numeric IDs in /etc/subuid and /etc/subgid. moby/moby#40951

1.7.7. Security

1.7.8. Swarm

  • Increase refill rate for logger to avoid hanging on service logs. moby/moby#40628
  • Fix issue where single swarm manager is stuck in Down state after reboot. moby/moby#40831
  • tasks.db no longer grows indefinitely. moby/moby#40831

1.8. 19.03.8

2020-03-10

1.8.1. Runtime

1.9. 19.03.7

2020-03-03

1.9.1. Builder

1.9.2. Runtime

1.9.3. Client

1.10. 19.03.6

2020-02-12

1.10.1. Builder

1.10.2. Networking

1.10.3. Runtime

1.11. 19.03.5

2019-11-14

1.11.1. Builder

  • builder-next: Added entitlements in builder config. docker/engine#412
  • Fix builder-next: permission errors when using build secrets or ssh forwarding with userns-remap. docker/engine#420
  • Fix builder-next: copying a symlink inside an already copied directory. docker/engine#420

1.11.2. Packaging

  • Support RHEL 8 packages

1.11.3. Runtime

1.12. 19.03.4

2019-10-17

1.12.1. Networking

  • Rollback libnetwork changes to fix DOCKER-USER iptables chain issue. docker/engine#404

1.12.2. Known Issues

Existing

  • In some circumstances with large clusters, Docker information might, as part of the Swarm section, include the error `code = ResourceExhausted desc = grpc: received message larger than max (5351376 vs. 4194304)`. This does not indicate any failure or misconfiguration by the user, and requires no response.
  • Orchestrator port conflict can occur when redeploying all services as new. Due to many Swarm manager requests in a short amount of time, some services cannot receive traffic and return a 404 error after being deployed.

    • Workaround: restart all tasks via docker service update --force.
  • CVE-2018-15664 symlink-exchange attack with directory traversal. Workaround until a proper fix is available in an upcoming patch release: docker pause the container before doing file operations. moby/moby#39252

  • docker cp regression due to CVE mitigation. An error is produced when the source of docker cp is set to /.

1.13. 19.03.3

2019-10-08

1.13.1. Security

1.13.2. Builder

  • Fix builder-next: resolve digest for third party registries. docker/engine#339

  • Fix builder-next: user namespace builds when daemon started with socket activation. docker/engine#373

  • Fix builder-next: session: release forwarded ssh socket connection per connection. docker/engine#373

  • Fix builder-next: llbsolver: error on multiple cache importers. docker/engine#373

1.13.3. Client

  • Added support for Docker Template 0.1.6.

  • Mitigate against YAML files that have excessive aliasing. docker/cli#2119

1.13.4. Runtime

1.13.5. Known Issues

New

  • DOCKER-USER iptables chain is missing: docker/for-linux#810. Users cannot perform additional container network traffic filtering on top of this iptables chain. You are not affected by this issue if you are not customizing iptables chains on top of DOCKER-USER.
    • Workaround: Create the chain after the docker daemon starts, inserting the jump at the head of FORWARD so DOCKER-USER is evaluated before Docker's own rules. For example:
      iptables -N DOCKER-USER
      iptables -I FORWARD -j DOCKER-USER
      iptables -A DOCKER-USER -j RETURN

Existing

  • In some circumstances with large clusters, docker information might, as part of the Swarm section, include the error `code = ResourceExhausted desc = grpc: received message larger than max (5351376 vs. 4194304)`. This does not indicate any failure or misconfiguration by the user, and requires no response.
  • Orchestrator port conflict can occur when redeploying all services as new. Due to many swarm manager requests in a short amount of time, some services cannot receive traffic and return a 404 error after being deployed.

    • Workaround: restart all tasks via docker service update --force.
  • CVE-2018-15664 symlink-exchange attack with directory traversal. Workaround until a proper fix is available in an upcoming patch release: docker pause the container before doing file operations. moby/moby#39252

  • docker cp regression due to CVE mitigation. An error is produced when the source of docker cp is set to /.

1.14. 19.03.2

2019-09-03

1.14.1. Builder

1.14.2. Client

  • Fix Windows absolute path detection on non-Windows docker/cli#1990

  • Fix to zsh completion script for docker login --username.

  • Fix context: produce consistent output on context create. docker/cli#1985

  • Fix support for HTTP proxy env variable. docker/cli#2059

1.14.3. Logging

1.14.4. Networking

  • Prevent panic on network attached to a container with disabled networking. moby/moby#39589

1.14.5. Runtime

  • Bump Golang to 1.12.8.

  • Fix a potential engine panic when using XFS disk quota for containers. moby/moby#39644

1.14.6. Swarm

1.14.7. Known issues

  • In some circumstances with large clusters, docker information might, as part of the Swarm section, include the error `code = ResourceExhausted desc = grpc: received message larger than max (5351376 vs. 4194304)`. This does not indicate any failure or misconfiguration by the user, and requires no response.
  • Orchestrator port conflict can occur when redeploying all services as new. Due to many swarm manager requests in a short amount of time, some services cannot receive traffic and return a 404 error after being deployed.

    • Workaround: restart all tasks via docker service update --force.
  • Traffic cannot egress the host because of missing iptables rules in the FORWARD chain. The missing rules are (shown as the -C checks that should succeed):

       /sbin/iptables --wait -C FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
       /sbin/iptables --wait -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    • Workaround: Add these rules back using a script and cron definitions. The script must contain '-C' commands to check for the presence of a rule and '-A' commands to add rules back. Run the script from cron at regular intervals, for example, every minute.
    • Affected versions: 18.09.1, 19.03.0
  • CVE-2018-15664 symlink-exchange attack with directory traversal. Workaround until a proper fix is available in an upcoming patch release: docker pause the container before doing file operations. moby/moby#39252

  • docker cp regression due to CVE mitigation. An error is produced when the source of docker cp is set to /.
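The two iptables known issues on this page (the missing DOCKER-USER chain in 19.03.3 and the missing FORWARD conntrack rules affecting 18.09.1 and 19.03.0) have the same shape of workaround: test for a rule with -C and add it only when absent, so the script can be run from cron every minute without duplicating rules. The script below is an added example, not Docker's own code, that does both repairs in one idempotent pass. The function names and the IPTABLES and DOCKER_IPTABLES_REPAIR variables are this example's own conventions; IPTABLES is overridable only so the logic can be exercised against a stand-in command.

```shell
#!/bin/sh
# Added example, not Docker's own code: re-create the iptables rules that the
# known issues above describe as missing. Every rule is checked with -C first
# and only added when absent, so repeated runs (e.g. from cron) are harmless.
IPTABLES="${IPTABLES:-/sbin/iptables}"

# ensure_rule CHAIN RULE... : append RULE to CHAIN unless -C reports it present
ensure_rule() {
    chain="$1"; shift
    if "$IPTABLES" --wait -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPTABLES" --wait -A "$chain" "$@"
}

# ensure_insert_rule CHAIN RULE... : same, but insert at the head of CHAIN,
# which the DOCKER-USER jump needs so it runs before Docker's own FORWARD rules
ensure_insert_rule() {
    chain="$1"; shift
    "$IPTABLES" --wait -C "$chain" "$@" 2>/dev/null || "$IPTABLES" --wait -I "$chain" "$@"
}

# 19.03.3 known issue: DOCKER-USER chain missing (docker/for-linux#810)
ensure_docker_user_chain() {
    # -N fails when the chain already exists; that is the idempotent case
    "$IPTABLES" --wait -N DOCKER-USER 2>/dev/null || true
    ensure_insert_rule FORWARD -j DOCKER-USER
    ensure_rule DOCKER-USER -j RETURN
}

# 18.09.1 / 19.03.0 known issue: FORWARD lacks the conntrack ACCEPT rules,
# so reply traffic to containers behind docker0 / docker_gwbridge is dropped
ensure_forward_established() {
    for bridge in docker_gwbridge docker0; do
        ensure_rule FORWARD -o "$bridge" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    done
}

docker_iptables_repair() {
    ensure_docker_user_chain
    ensure_forward_established
}

# Set DOCKER_IPTABLES_REPAIR=1 to act on the live host, for example from cron:
#   * * * * * DOCKER_IPTABLES_REPAIR=1 /usr/local/sbin/docker-iptables-repair.sh
if [ "${DOCKER_IPTABLES_REPAIR:-}" = "1" ]; then
    docker_iptables_repair
fi
```

The conntrack rules are appended with -A, as the known-issue text prescribes; on a host whose FORWARD chain already carries a DROP rule ahead of Docker's rules, appending would place them after that DROP, so check the chain order with iptables -S FORWARD after the first run and switch those two rules to ensure_insert_rule if needed.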

1.15. 19.03.1

2019-07-25

1.15.1. Security

  • Fixed loading of nsswitch-based config inside chroot under glibc. CVE-2019-14271

1.15.2. Known issues

  • In some circumstances, in large clusters, docker information might, as part of the Swarm section, include the error `code = ResourceExhausted desc = grpc: received message larger than max (5351376 vs. 4194304)`. This does not indicate any failure or misconfiguration by the user, and requires no response.
  • Orchestrator port conflict can occur when redeploying all services as new. Due to many swarm manager requests in a short amount of time, some services cannot receive traffic and return a 404 error after being deployed.

    • Workaround: restart all tasks via docker service update --force.
  • Traffic cannot egress the host because of missing iptables rules in the FORWARD chain. The missing rules are (shown as the -C checks that should succeed):

      /sbin/iptables --wait -C FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      /sbin/iptables --wait -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    • Workaround: Add these rules back using a script and cron definitions. The script must contain '-C' commands to check for the presence of a rule and '-A' commands to add rules back. Run the script from cron at regular intervals, for example, every minute.
    • Affected versions: 18.09.1, 19.03.0
  • CVE-2018-15664 symlink-exchange attack with directory traversal. Workaround until a proper fix is available in an upcoming patch release: docker pause the container before doing file operations. moby/moby#39252

  • docker cp regression due to CVE mitigation. An error is produced when the source of docker cp is set to /.

1.16. 19.03.0

2019-07-22

1.16.1. Builder

1.16.2. Client

1.16.3. API

1.16.4. Experimental

1.16.5. Security

1.16.6. Runtime

1.16.7. Networking

1.16.8. Swarm

1.16.9. Logging

1.16.10. Deprecation

  • Deprecate image manifest v2 schema1 in favor of v2 schema2. A future version of Docker will remove support for v2 schema1 altogether. moby/moby#39365
  • Removed v1.10 migrator. moby/moby#38265
  • Deprecated storage drivers are now skipped during auto-selection. moby/moby#38019
  • Deprecated the aufs storage driver and added a warning. moby/moby#38090
  • Removed support for 17.09.

For more information on deprecated flags and APIs, refer to https://docs.docker.com/engine/deprecated/ for target removal dates.

1.16.11. Known issues

  • In some circumstances with large clusters, docker information might, as part of the Swarm section, include the error `code = ResourceExhausted desc = grpc: received message larger than max (5351376 vs. 4194304)`. This does not indicate any failure or misconfiguration by the user, and requires no response.
  • Orchestrator port conflict can occur when redeploying all services as new. Due to many swarm manager requests in a short amount of time, some services cannot receive traffic and return a 404 error after being deployed.

    • Workaround: restart all tasks via docker service update --force.
  • Traffic cannot egress the host because of missing iptables rules in the FORWARD chain. The missing rules are (shown as the -C checks that should succeed):

      /sbin/iptables --wait -C FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      /sbin/iptables --wait -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    • Workaround: Add these rules back using a script and cron definitions. The script must contain '-C' commands to check for the presence of a rule and '-A' commands to add rules back. Run the script from cron at regular intervals, for example, every minute.
    • Affected versions: 18.09.1, 19.03.0
  • CVE-2018-15664 symlink-exchange attack with directory traversal. Workaround until a proper fix is available in an upcoming patch release: docker pause the container before doing file operations. moby/moby#39252

  • docker cp regression due to CVE mitigation. An error is produced when the source of docker cp is set to /.

Copyright © 温玉 2021 | 浙ICP备2020032454号, all rights reserved, powered by Gitbook. Page revised: 2023-05-22 14:19:45