[ubuntu/hirsute-security] docker.io 20.10.7-0ubuntu5~21.04.2 (Accepted)

Ray Veldkamp ray.veldkamp at canonical.com
Mon Nov 8 04:46:22 UTC 2021

docker.io (20.10.7-0ubuntu5~21.04.2) hirsute-security; urgency=medium

  * SECURITY UPDATE: docker cli information disclosure on misconfiguration
    - d/p/CVE-2021-41092.patch: Ensure that default authentication config has
      an address, to prevent credentials being leaked on failure to
      execute an external credential store.
    - CVE-2021-41092

docker.io (20.10.7-0ubuntu5~21.04.1) hirsute; urgency=medium

  * Backport version 20.10.7-0ubuntu5 from Impish (LP: #1938908).

docker.io (20.10.7-0ubuntu5) impish; urgency=medium

  [ Sergio Durigan Junior ]
  * d/t/docker-in-lxd:
    Improve dep8 test.  Make it run a more complex test against an
    ubuntu:devel docker container, especially because glibc updates might
    break docker.io.  Improve test reliability when running autopkgtest

  [ Steve Beattie ]
  * SECURITY UPDATE: insufficiently restricted directory permissions
    - d/p/CVE-2021-41091.patch: Lock down docker root dir perms.
    - CVE-2021-41091
  * SECURITY UPDATE: permissions modifications outside of install directory
    - d/p/CVE-2021-41089.patch: chrootarchive: don't create parent dirs
      outside of chroot.
    - CVE-2021-41089

docker.io (20.10.7-0ubuntu4) impish; urgency=medium

  * d/p/seccomp-add-support-for-clone3-syscall-in-default-policy.patch: Fix
    failure with new glibc clone3 syscall adding it to the default seccomp
    policy (LP: #1943049).

docker.io (20.10.7-0ubuntu3) impish; urgency=medium

  * d/t/docker-in-lxd:
    Perform a full upgrade and restart of the container before attempting
    to install docker.io. (LP: #1942276)

docker.io (20.10.7-0ubuntu2) impish; urgency=medium

  * Ship libnetwork into the golang-github-docker-docker-dev package.
    - d/golang-github-docker-docker-dev.install: add libnetwork directories.
    - d/control: add runtime dependency on golang-github-ishidawataru-sctp-dev

docker.io (20.10.7-0ubuntu1) impish; urgency=medium

  * New upstream release.
    - Among new features and bug fixes, the CVE-2021-21284 and CVE-2021-21285
      were addressed.
  * d/watch: adjust regex to correctly match the tarball files.
  * d/rules: make some improvements.
    - Adjust regex in the build-manpages target due to some upstream changes.
    - Separately install the systemd service and socket.
    - Tell dh_installsystemd to not stop the service during the upgrade.
      The previous implementation worked fine until debhelper compat 10 where
      dh_systemd_start was still a thing. In compat 11, it was deprecated
      which means that piece of code was not called.

Date: 2021-11-01 00:08:09.575840+00:00
Changed-By: Ray Veldkamp <ray.veldkamp at canonical.com>