Docker CE is at an older version, a few months old, and contains security vulnerabilities.
What (where and how) is the proper way to request a package (Docker in this case) in the official repositories to be upgraded to the latest version by the maintainers?
This would be for Tumbleweed.
> and contains security vulnerabilities.
You get this from?
If there are vulnerabilities, the openSUSE team are backporting the patches to all openSUSE Versions.
From the release notes for the newer versions of docker engine. For example, the current version in the repository is 20.10.17, but here is a security vulnerability fix from 20.10.18:
> Fix a security vulnerability relating to supplementary group permissions, which could allow a container process to bypass primary group restrictions within the container CVE-2022-36109, GHSA-rc4r-wh2q-q6c4.
FYI, the latest version is 20.10.21. So there have been 5 months' worth of updates and bug fixes.
Hence why I was wondering how to ask the maintainers to release the latest version.
A bug report openSUSE:Submitting bug reports - openSUSE, or comment on the OBS page https://build.opensuse.org/package/show/Virtualization%3Acontainers/docker or branch, patch, submit…
I see on the CVE a workaround:
> For users unable to upgrade, this problem can be worked around by not using the `"USER $USERNAME"` Dockerfile instruction. Instead by calling `ENTRYPOINT ["su", "-", "user"]` the supplementary groups will be set up properly.
Patch is here: https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32
Enhancement report in bugzilla seems like the most appropriate action.
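For anyone who wants to confirm whether a container's process groups match what `/etc/group` defines (the condition the workaround quoted above is meant to restore), here is an added example that is not part of the original thread or of Docker's own code. The function names and the sample group file are constructed for illustration; it reports a mismatch in either direction without assuming which one the CVE produces.

```python
import os

def expected_gids(group_text, user, primary_gid):
    """GIDs `user` should hold per /etc/group content: primary GID plus listed memberships."""
    gids = {primary_gid}
    for line in group_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4 or not fields[2].isdigit():
            continue  # malformed entry, skip it
        members = [m for m in fields[3].split(",") if m]
        if user in members:
            gids.add(int(fields[2]))
    return gids

def compare_groups(group_text, user, primary_gid, actual_gids):
    """Compare the GIDs a process actually holds with those /etc/group grants."""
    expected = expected_gids(group_text, user, primary_gid)
    actual = set(actual_gids)
    return {
        "missing": sorted(expected - actual),      # granted in /etc/group, not held
        "unexpected": sorted(actual - expected),   # held, but not granted in /etc/group
    }

# Constructed sample /etc/group content (not from a real image).
SAMPLE_GROUP = """\
root:x:0:
app:x:1000:
video:x:44:app,other
docker:x:998:app
audit:x:500:other
"""

if __name__ == "__main__":
    # Live check: run this inside the container as the container's user.
    import pwd
    pw = pwd.getpwuid(os.getuid())
    with open("/etc/group") as fh:
        text = fh.read()
    held = set(os.getgroups()) | {os.getgid()}
    print(pw.pw_name, compare_groups(text, pw.pw_name, pw.pw_gid, held))
```

Run it in an image started via `USER` and again via the `su` entrypoint; both lists empty means the process groups agree with `/etc/group`.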