CVE-2019-5736 affecting docker-ce 18.03
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
StarlingX | Fix Released | Medium | Brent Rowsell |
Bug Description
Erich (<email address hidden>) reported the following:
> - The CVE-2019-5736[0] affects runc, which is used by docker and other systems.
> - Currently StarlingX ships an affected version of docker-ce[1].
> - There's a new release of docker-ce with a patch[2] and there's an rpm available[3].
> - It's not clear yet what other systems might be affected by this vulnerability and if we ship it in StarlingX.
>
> Erich
>
> [0] https:/
> [1]
> https:/
> /rpms_centos3rd
> https:/
> [3]
> https:/
> er-ce-18.
On Feb 11, 2019, at 8:18 PM, Rowsell, Brent <email address hidden> wrote:
>
> We are running the affected version. There is no NIST score, so until
> that is available, we have to see if this meets our CVE criteria. Note our k8s version has not been validated upstream with docker-ce 18.09, so we can't blindly update to it.
Ken Young replied:
> A couple of other points based on RHEL:
> 1/ This requires local access and has high complexity. This is unlikely to match big criteria.
> 2/ there is no upstream fix at the moment
Cindy Xie replied:
> I agree on the assessment, but I think it will be necessary that we create a security bug to track this issue. Once the CVE NIST score and upstream fix are available, we can make sure we upgrade the package in StarlingX.
CVE References
tags: added: stx.security
information type: Private Security → Public
tags: added: stx.2.0
https://nvd.nist.gov/vuln/detail/CVE-2019-5736
Base Score: 9.3 HIGH
Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C) (V2 legend)
Note that this does not match patch-back criteria...
/KenY