docker-1.13.1-161.git64e9980.0.1.el7.AXS7
Errata ID: AXSA:2020-4546:03
Docker is an open-source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that runs virtually anywhere.
Security Fix(es):
* runc: AppArmor/SELinux bypass with malicious image that specifies a volume at /proc (CVE-2019-16884)
* proglottis/gpgme: Use-after-free in GPGME bindings during container image pull (CVE-2020-8945)
* containers/image: Container images read entire image manifest into memory (CVE-2020-1702)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* Whitelist statx(2) in docker
* Upgrading docker results in increased systemd logs
* docker should be linked against gpgme-pthread
* docker cannot be updated to 108 on rhos13 as a container fails to start with "pivot_root invalid argument" error.
* OVS pods are unable to stop when running under docker version 1.13.1-108
CVE-2019-16884
runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.
CVE-2020-1702
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2020-8945
The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification.
Update packages.
SRPMS
- docker-1.13.1-161.git64e9980.0.1.el7.AXS7.src.rpm
MD5: ee4f59c5a6f895d7c23a2fe36a79f29b
SHA-256: 6e11ae124abe5a44c8658d935fa79cefef9f67201933aad737af14b4ceeb84a9
Size: 15.05 MB
Asianux Server 7 for x86_64
- docker-1.13.1-161.git64e9980.0.1.el7.AXS7.x86_64.rpm
MD5: 5495f24ea1f070ddee0ff168afd8358c
SHA-256: 441c63d6fcdb77795fc91405f5171bcd8dec4fb2711035db0121ae162cdcaded
Size: 17.67 MB
- docker-client-1.13.1-161.git64e9980.0.1.el7.AXS7.x86_64.rpm
MD5: 02371349bffefb3c745dac971e740fbb
SHA-256: 073e0f12153aad4ad381e5916387b976121c712ed80aa4050075121d647e065f
Size: 3.90 MB
- docker-common-1.13.1-161.git64e9980.0.1.el7.AXS7.x86_64.rpm
MD5: 3167baf139b751df8f90c0ba3633394e
SHA-256: 5ead7772c13b61db9e31fbc7f468d31264018ef8a7a4e3ecfce94b8d32ad068e
Size: 98.42 kB
- docker-logrotate-1.13.1-161.git64e9980.0.1.el7.AXS7.x86_64.rpm
MD5: eb5115872e41f31ecef4770a35d99fc9
SHA-256: 702908df0d57a00046ad5f0fbf63700fbef72a1868f46498096e96e31ed076de
Size: 96.39 kB
- docker-lvm-plugin-1.13.1-161.git64e9980.0.1.el7.AXS7.x86_64.rpm
MD5: f3e730ffd148d0760a740e43f4265168
SHA-256: 23377b546f81096b69d6fb78f482edbc652af0a6975ca8303700334097e62d65
Size: 1.87 MB
- docker-novolume-plugin-1.13.1-161.git64e9980.0.1.el7.AXS7.x86_64.rpm
MD5: 2083c2127a15de401e7d2e99ad9692a2
SHA-256: e7e48f3dcfefdb3846c35c2d81d438ef31a9ab867c9984229aefde713814014c
Size: 1.89 MB
- docker-v1.10-migrator-1.13.1-161.git64e9980.0.1.el7.AXS7.x86_64.rpm
MD5: a7f811b35ad2a3e6dfedfba2d9cf01f9
SHA-256: 2319717df36d9f85099bcea14d6d50426d81dd9df959b56d12980c5f68bac2ef
Size: 2.68 MB