toolshed/docker-cli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update non-events

Browse Source 
Signed-off-by: Jess Frazelle <jessfraz@google.com>
Upstream-commit: 6837cfc13cba842186a7261aa9bbd3a8755fd11e
Component: engine
This commit is contained in:
Jess Frazelle
2016-07-25 10:45:45 -07:00
committed by Jess Frazelle
parent fb8417c213
commit c5246dacc1
1 changed files with 8 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
components/engine/docs/security/non-events.md
View File

@ -73,6 +73,14 @@ seccomp profile.
A bug in eBPF -- the special in-kernel DSL used to express things like seccomp
filters -- allowed arbitrary reads of kernel memory. The `bpf()` system call
is blocked inside Docker containers using (ironically) seccomp.
* [CVE-2016-3134](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3134),
[4997](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4997),
[4998](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4998):
A bug in setsockopt with `IPT_SO_SET_REPLACE`, `ARPT_SO_SET_REPLACE`, and
`ARPT_SO_SET_REPLACE` causing memory corruption / local privilege escalation.
These arguments are blocked by `CAP_NET_ADMIN`, which Docker does not allow by
default.
Bugs *not* mitigated: