CVE-2019-5736 (runc vulnerability with docker)


Thanks @repomanz, I was just coming here to post on this. 

 

More info in case the vendor specific info may be of assistance to anyone...
I know my brain works off of keyword recognition much of the time ;-) :
Amazon/AWS - https://aws.amazon.com/security/security-bulletins/AWS-2019-002/
Kubernetes - https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/

Red Hat - https://access.redhat.com/security/vulnerabilities/runcescape

Ubuntu - https://www.ubuntuupdates.org/package/core/bionic/universe/updates/runc

US-CERT release - https://www.us-cert.gov/ncas/current-activity/2019/02/11/runc-Open-Source-Container-Vulnerability

Thanks for the reports. We did see a new docker release, 18.09.02, that addresses this. We are trying to determine if it warrants an Unraid 6.6.7 patch release.

37 minutes ago, limetech said:

Thanks for the reports. We did see a new docker release, 18.09.02, that addresses this. We are trying to determine if it warrants an Unraid 6.6.7 patch release.

 

Security comes first. I'd say it does.

  • 2 weeks later...
12 minutes ago, Koden said:

Is there any update with the possibility of updating docker? I only run a few, and I'm generally careful about what images I run, but as evidenced by PEAR's issues last month, even a reputable source can have malware slid in:
https://blog.cpanel.com/when-php-went-pear-shaped-the-php-pear-compromise/

That didn't have anything to do with docker though, right?

 

That said, I think we will publish 6.6.7 with an update to docker used in that release.

19 minutes ago, limetech said:

That didn't have anything to do with docker though, right?

No, not directly; unless unRAID uses the PEAR PHP package and implemented a compromised copy... 
I mentioned that only as an example of how easily compromise *could* happen, even using only reputable sources (which is the #1 response when talking about vm or docker vulnerabilities usually). 

As a more direct example, I run a Plex docker. So if Plex's software has, or developed, a bug that allowed exploitation of the runc vulnerability, I could end up riding the proverbial smelly creek without a poop-stick!
 

19 minutes ago, limetech said:

That said, I think we will publish 6.6.7 with an update to docker used in that release.

Thank you 🙂 I for one will sleep easier with that decision. 
Thank you for the support, and once again I am thankful for the responsiveness of this community!

On 2/20/2019 at 1:29 PM, limetech said:

That didn't have anything to do with docker though, right?

 

That said, I think we will publish 6.6.7 with an update to docker used in that release.

Thank you.

 

6.6.7 has been released. Upgraded with no issues. Much appreciated.

I concur - upgrade successful and most appreciated 👍

Archived

This topic is now archived and is closed to further replies.
