Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

               Security update for containerd, docker, runc
                              13 October 2021


        AusCERT Security Bulletin Summary

Product:           containerd
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Root Compromise          -- Existing Account
                   Access Confidential Data -- Existing Account
                   Reduced Security         -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-41103 CVE-2021-41092 CVE-2021-41091
                   CVE-2021-41089 CVE-2021-32760 CVE-2021-30465

Reference:         ESB-2021.2118

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for containerd, docker, runc


Announcement ID:   SUSE-SU-2021:3336-1
Rating:            important
References:        #1102408 #1185405 #1187704 #1188282 #1191015 #1191121
                   #1191334 #1191355 #1191434
Cross-References:  CVE-2021-30465 CVE-2021-32760 CVE-2021-41089 CVE-2021-41091
                   CVE-2021-41092 CVE-2021-41103
Affected Products:
                   SUSE Linux Enterprise Module for Containers 12

An update that solves 6 vulnerabilities and has three fixes is now available.


This update for containerd, docker, runc fixes the following issues:
Docker was updated to 20.10.9-ce. (bsc#1191355)
See upstream changelog in the packaged /usr/share/doc/packages/docker/
CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103
container was updated to v1.4.11, to fix CVE-2021-41103. bsc#1191355

  o CVE-2021-32760: Fixed that a archive package allows chmod of file outside
    of unpack target directory (bsc#1188282)

Update to runc v1.0.2. Upstream changelog is available from

  o Fixed a failure to set CPU quota period in some cases on cgroup v1.
  o Fixed the inability to start a container with the "adding seccomp filter
    rule for syscall ..." error, caused by redundant seccomp rules (i.e. those
    that has action equal to the default one). Such redundant rules are now
  o Made release builds reproducible from now on.
  o Fixed a rare debug log race in runc init, which can result in occasional
    harmful "failed to decode ..." errors from runc run or exec.
  o Fixed the check in cgroup v1 systemd manager if a container needs to be
    frozen before Set, and add a setting to skip such freeze unconditionally.
    The previous fix for that issue, done in runc 1.0.1, was not working.

Update to runc v1.0.1. Upstream changelog is available from

  o Fixed occasional runc exec/run failure ("interrupted system call") on an
    Azure volume.
  o Fixed "unable to find groups ... token too long" error with /etc/group
    containing lines longer than 64K characters.
  o cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup
    is frozen. This is a regression in 1.0.0, not affecting runc itself but
    some of libcontainer users (e.g Kubernetes).
  o cgroupv2: bpf: Ignore inaccessible existing programs in case of permission
    error when handling replacement of existing bpf cgroup programs. This fixes
    a regression in 1.0.0, where some SELinux policies would block runc from
    being able to run entirely.
  o cgroup/systemd/v2: don't freeze cgroup on Set.
  o cgroup/systemd/v1: avoid unnecessary freeze on Set.
  o fix issues with runc under openSUSE MicroOS's SELinux policy. bsc#1187704

Update to runc v1.0.0. Upstream changelog is available from
! The usage of relative paths for mountpoints will now produce a warning (such
configurations are outside of the spec, and in future runc will produce an
error when given such configurations).

  o cgroupv2: devices: rework the filter generation to produce consistent
    results with cgroupv1, and always clobber any existing eBPF program(s) to
    fix runc update and avoid leaking eBPF programs (resulting in errors when
    managing containers).
  o cgroupv2: correctly convert "number of IOs" statistics in a
    cgroupv1-compatible way.
  o cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
  o cgroupv2: wait for freeze to finish before returning from the freezing
    code, optimize the method for checking whether a cgroup is frozen.
  o cgroups/systemd: fixed "retry on dbus disconnect" logic introduced in rc94
  o cgroups/systemd: fixed returning "unit already exists" error from a systemd
    cgroup manager (regression in rc94)
  o cgroupv2: support SkipDevices with systemd driver
  o cgroup/systemd: return, not ignore, stop unit error from Destroy
  o Make "runc --version" output sane even when built with go get or otherwise
    outside of our build scripts.
  o cgroups: set SkipDevices during runc update (so we don't modify cgroups at
    all during runc update).
  o cgroup1: blkio: support BFQ weights.
  o cgroupv2: set per-device io weights if BFQ IO scheduler is available.

Update to runc v1.0.0~rc95. Upstream changelog is available from https://
This release of runc contains a fix for CVE-2021-30465, and users are strongly
recommended to update (especially if you are providing semi-limited access to
spawn containers to untrusted users). (bsc#1185405)
Update to runc v1.0.0~rc94. Upstream changelog is available from https://
Breaking Changes:

  o cgroupv1: kernel memory limits are now always ignored, as kmemcg has been
    effectively deprecated by the kernel. Users should make use of regular
    memory cgroup controls.

Regression Fixes:

  o seccomp: fix 32-bit compilation errors
  o runc init: fix a hang caused by deadlock in seccomp/ebpf loading code
  o runc start: fix "chdir to cwd: permission denied" for some setups

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise Module for Containers 12:
    zypper in -t patch SUSE-SLE-Module-Containers-12-2021-3336=1

Package List:

  o SUSE Linux Enterprise Module for Containers 12 (ppc64le s390x x86_64):


  o https://www.suse.com/security/cve/CVE-2021-30465.html
  o https://www.suse.com/security/cve/CVE-2021-32760.html
  o https://www.suse.com/security/cve/CVE-2021-41089.html
  o https://www.suse.com/security/cve/CVE-2021-41091.html
  o https://www.suse.com/security/cve/CVE-2021-41092.html
  o https://www.suse.com/security/cve/CVE-2021-41103.html
  o https://bugzilla.suse.com/1102408
  o https://bugzilla.suse.com/1185405
  o https://bugzilla.suse.com/1187704
  o https://bugzilla.suse.com/1188282
  o https://bugzilla.suse.com/1191015
  o https://bugzilla.suse.com/1191121
  o https://bugzilla.suse.com/1191334
  o https://bugzilla.suse.com/1191355
  o https://bugzilla.suse.com/1191434

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967