github.com/jogo/docker@v1.7.0-rc1/docs/sources/docker-hub-enterprise/release-notes.md

page_title: Docker Hub Enterprise: Release notes
page_description: Release notes for Docker Hub Enterprise
page_keywords: docker, documentation, about, technology, understanding, enterprise, hub, registry, release

# Release Notes

## Docker Hub Enterprise

### DHE 1.0.1
(11 May 2015)

- Addresses a compatibility issue with the 1.6.1 CS Docker Engine

### DHE 1.0.0
(23 Apr 2015)

- First release

## Commercially Supported Docker Engine

### CS Docker Engine 1.6.2-cs5
(21 May 2015)

For customers running Docker Engine on [supported versions of Red Hat Enterprise
Linux](https://www.docker.com/enterprise/support/) with [SELinux
enabled](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html),
the `docker build` and `docker run` commands have no DNS host-name resolution,
and bind-mounted volumes may not be accessible. Both symptoms are SELinux
denials: the confined container process is refused access to files (the
container's `/etc/resolv.conf`, or a bind-mounted host path) that do not carry
a label it is allowed to read.

As a result, customers with SELinux enabled are unable to use hostname-based
network access in either `docker build` or `docker run`, and cannot `docker run`
containers that use `--volume` or `-v` bind-mounts carrying an incorrect SELinux
label. By installing Docker Engine 1.6.2-cs5, customers can use Docker as
intended on RHEL with SELinux enabled.

For example, you will see failures like:

```
[root@dhe ~]# docker -v
Docker version 1.6.0-cs2, build b8dd430
[root@dhe ~]# ping dhe.home.org.au
PING dhe.home.org.au (10.10.10.104) 56(84) bytes of data.
64 bytes from dhe.home.gateway (10.10.10.104): icmp_seq=1 ttl=64 time=0.663 ms
^C
--- dhe.home.org.au ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.078/0.370/0.663/0.293 ms
[root@dhe ~]# docker run --rm -it debian ping dhe.home.org.au
ping: unknown host
[root@dhe ~]# docker run --rm -it debian cat /etc/resolv.conf
cat: /etc/resolv.conf: Permission denied
[root@dhe ~]# docker run --rm -it debian apt-get update
Err http://httpredir.debian.org jessie InRelease

Err http://security.debian.org jessie/updates InRelease

Err http://httpredir.debian.org jessie-updates InRelease

Err http://security.debian.org jessie/updates Release.gpg
  Could not resolve 'security.debian.org'
Err http://httpredir.debian.org jessie Release.gpg
  Could not resolve 'httpredir.debian.org'
Err http://httpredir.debian.org jessie-updates Release.gpg
  Could not resolve 'httpredir.debian.org'
[output truncated]
```

Note the `Permission denied` on `/etc/resolv.conf`: the resolver file is present
in the container, but SELinux refuses the read, which is why every hostname
lookup that follows fails.

or when running a `docker build`:

```
[root@dhe ~]# docker build .
Sending build context to Docker daemon 11.26 kB
Sending build context to Docker daemon
Step 0 : FROM fedora
 ---> e26efd418c48
Step 1 : RUN yum install httpd
 ---> Running in cf274900ea35

One of the configured repositories failed (Fedora 21 - x86_64),
and yum doesn't have enough cached data to continue. At this point the only
safe thing yum can do is fail. There are a few ways to work "fix" this:

[output truncated]
```

**Affected Versions**: All previous versions of Docker Engine when SELinux
is enabled.

Docker **highly recommends** that all customers running previous versions of
Docker Engine update to this release.

#### **How to work around this issue**

Customers who choose not to install this update have two options. The
first option is to disable SELinux.
This is *not recommended* for production
systems, where SELinux is typically required.

The second option is to pass the following parameter to `docker run`:

    --security-opt=label:type:docker_t

This parameter cannot be passed to the `docker build` command. Note what it
does: `docker_t` is the SELinux domain of the Docker daemon itself, so a
container started this way runs with the daemon's SELinux permissions instead
of the confined `svirt_lxc_net_t` container domain, and SELinux no longer
separates that container from the host. It is the same type that the
CVE-2015-3631 advisory below names as a profile-escalation target. Use it only
for images you trust, and only until the Engine is upgraded.

#### **Upgrade notes**

When upgrading, stop DHE first, upgrade the Engine, and then restart DHE.

If you are running with SELinux enabled, previous Docker Engine releases allowed
you to bind-mount additional volumes or files inside the container as follows:

    $ docker run -it -v /home/user/foo.txt:/foobar.txt:ro <imagename>

In the 1.6.2-cs5 release, you must ensure that additional bind-mounts have the
correct SELinux context. The `z` volume option tells Docker to relabel the host
path with a shared label that confined containers may access (`Z` instead gives
it a label private to this one container). For example, if you want to mount
the host file `foo.txt` read-only into the container as `/foobar.txt`, do the
following to create and test your bind-mount:

1. Add the `z` option to the bind mount when you specify `docker run`.

        $ docker run -it -v /home/user/foo.txt:/foobar.txt:ro,z <imagename>

2. Exec into your new container.

    For example, if your container is `bashful_curie`, open a shell on the
    container:

        $ docker exec -it bashful_curie bash

3. Use `cat` to check the permissions on the mounted file.

        $ cat /foobar.txt
        the contents of foobar appear

    If you see the file's contents, your mount succeeded. If you receive a
    `Permission denied` message and/or the `/var/log/audit/audit.log` file on
    your Docker host contains an AVC denial message, the mount did not succeed.

        type=AVC msg=audit(1432145409.197:7570): avc: denied { read } for pid=21167 comm="cat" name="foobar.txt" dev="xvda2" ino=17704136 scontext=system_u:system_r:svirt_lxc_net_t:s0:c909,c965 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

    In this record the `scontext` is the container's confined domain
    (`svirt_lxc_net_t`) and the `tcontext` shows that the host file still
    carries its original label (`user_home_t`) rather than a container-accessible
    one. Recheck your command line to make sure you passed in the `z` option.
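The following script is added here as a worked example and is not code from Docker's release notes or code base. It automates the check in the steps above: it parses AVC records of the kind shown (the audit log below is a constructed sample built around the record quoted above), keeps only denials where the confined container domain `svirt_lxc_net_t` was refused a host file that does not yet carry the container-accessible type `svirt_sandbox_file_t` (the type that `z`/`Z` relabelling assigns), and rewrites a `-v` spec so that it carries `z`. The same triage applies to the `/etc/resolv.conf` denial shown in the 1.6.2-cs5 notes, which appears in the audit log the same way.

```python
"""Triage SELinux AVC denials on a Docker host and fix the bind-mount spec.

Added example, not code from the Docker release notes. Records are read from
audit.log text; the constructed sample below contains the record quoted in
the notes, a container refused another container's private (Z) volume, and
an unrelated httpd denial.
"""
import re

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):\d+\): avc:\s+denied\s+\{ (?P<perms>[^}]+)\} '
    r'for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)"(?: name="(?P<name>[^"]*)")?.*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
CONTAINER_DOMAIN = "svirt_lxc_net_t"        # confined domain of container processes
SHARED_VOLUME_TYPE = "svirt_sandbox_file_t"  # type that z/Z relabelling assigns

# Constructed sample audit log (three records, see module docstring).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1432145409.197:7570): avc:  denied  { read } for  pid=21167 comm="cat" name="foobar.txt" dev="xvda2" ino=17704136 scontext=system_u:system_r:svirt_lxc_net_t:s0:c909,c965 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1432145410.001:7571): avc:  denied  { write } for  pid=21190 comm="sh" name="out.log" dev="xvda2" ino=17704200 scontext=system_u:system_r:svirt_lxc_net_t:s0:c909,c965 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c12,c34 tclass=file
type=AVC msg=audit(1432145411.500:7572): avc:  denied  { write } for  pid=1301 comm="httpd" name="index.html" dev="xvda2" ino=400 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""


def se_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit record; return a dict, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["stype"] = se_type(rec["scontext"])
    rec["ttype"] = se_type(rec["tcontext"])
    return rec


def container_volume_denials(log_text):
    """Denials caused by host content that was never relabelled for containers.

    A container refused a path that already carries svirt_sandbox_file_t is an
    MCS category mismatch with another container's private (Z) volume, not a
    missing `z`, so those records are left out.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec["stype"] == CONTAINER_DOMAIN
                and rec["tclass"] in ("file", "dir", "lnk_file")
                and rec["ttype"] != SHARED_VOLUME_TYPE):
            hits.append(rec)
    return hits


def add_relabel(volume_spec, private=False):
    """Return host:container[:opts] with z (or Z when private) added, idempotently."""
    parts = volume_spec.split(":")
    if len(parts) < 2:
        raise ValueError("bind-mount spec must be host_path:container_path[:opts]")
    opts = parts[2].split(",") if len(parts) > 2 and parts[2] else []
    if "z" in opts or "Z" in opts:
        return volume_spec
    opts.append("Z" if private else "z")
    return ":".join(parts[:2] + [",".join(opts)])


if __name__ == "__main__":
    for rec in container_volume_denials(SAMPLE_AUDIT_LOG):
        print(f'pid {rec["pid"]} ({rec["comm"]}) denied {" ".join(rec["perms"])} '
              f'on "{rec["name"]}": host label {rec["ttype"]} is not {SHARED_VOLUME_TYPE}')
    # The spec from the upgrade notes, corrected: /home/user/foo.txt:/foobar.txt:ro,z
    print("use:", add_relabel("/home/user/foo.txt:/foobar.txt:ro"))
```

On a real host, feed it `/var/log/audit/audit.log` (or the output of `ausearch -m AVC`) instead of the sample; only the first sample record is reported, because the second already carries `svirt_sandbox_file_t` and the third is not a container process.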
### CS Docker Engine 1.6.2-cs4
(13 May 2015)

Fixes a mount regression for `/sys`.

### CS Docker Engine 1.6.1-cs3
(11 May 2015)

Docker Engine version 1.6.1 has been released to address several vulnerabilities
and is immediately available for all supported platforms. Users are advised to
upgrade existing installations of the Docker Engine and to use 1.6.1 for new installations.

It should be noted that each of the vulnerabilities allowing privilege escalation
can only be exploited by a malicious Dockerfile or image. Users are advised to
run their own images and/or images built by trusted parties, such as those in
the official images library.

Please send any questions to security@docker.com.


#### **[CVE-2015-3629](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3629) Symlink traversal on container respawn allows local privilege escalation**

Libcontainer version 1.6.0 introduced changes which facilitated a mount namespace
breakout upon respawn of a container. This allowed malicious images to write
files to the host system and escape containerization.

Libcontainer and Docker Engine 1.6.1 have been released to address this
vulnerability. Users running untrusted images are encouraged to upgrade Docker Engine.

Discovered by Tõnis Tiigi.


#### **[CVE-2015-3627](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3627) Insecure opening of file-descriptor 1 leading to privilege escalation**

The file descriptor passed by libcontainer to the pid-1 process of a container
was found to be opened prior to performing the chroot, allowing an insecure
open and symlink traversal. This allows malicious container images to trigger
a local privilege escalation.

Libcontainer and Docker Engine 1.6.1 have been released to address this
vulnerability.
Users running untrusted images are encouraged to upgrade
Docker Engine.

Discovered by Tõnis Tiigi.

#### **[CVE-2015-3630](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3630) Read/write proc paths allow host modification & information disclosure**

Several paths underneath `/proc` were writable from containers, allowing global
system manipulation and configuration. These paths included `/proc/asound`,
`/proc/timer_stats`, `/proc/latency_stats`, and `/proc/fs`.

By allowing writes to `/proc/fs`, it has been noted that CIFS volumes could be
forced into a protocol downgrade attack by a root user operating inside of a
container. Machines that had loaded the `timer_stats` module were vulnerable to
having this mechanism enabled and consumed by a container.

We are releasing Docker Engine 1.6.1 to address this vulnerability. All
versions prior to 1.6.1 are believed to be vulnerable. Users running untrusted
images are encouraged to upgrade.

Discovered by Eric Windisch of the Docker Security Team.

#### **[CVE-2015-3631](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3631) Volume mounts allow LSM profile escalation**

By allowing volumes to override files of `/proc` within a mount namespace, a user
could specify arbitrary policies for Linux Security Modules, including setting
an unconfined policy underneath AppArmor, or a `docker_t` policy for processes
managed by SELinux. In all versions of Docker prior to 1.6.1, it is possible for
malicious images to configure volume mounts such that files of `/proc` may be overridden.

We are releasing Docker Engine 1.6.1 to address this vulnerability. All versions
prior to 1.6.1 are believed to be vulnerable. Users running untrusted images are
encouraged to upgrade.

Discovered by Eric Windisch of the Docker Security Team.
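The following script is added here as a worked example and is not code from Docker's release notes or code base. Upgrading is the fix for CVE-2015-3630 and CVE-2015-3631; this shows the pre-flight check an operator can still add to a build or deploy pipeline for images from outside parties: it extracts every volume destination declared by a Dockerfile's `VOLUME` instructions and by the `-v`/`--volume` flags of a `docker run` command line, and refuses any destination that lies inside `/proc`, the mount-over target the CVE-2015-3631 advisory describes. `/sys` is included as well, a conservative extension beyond the advisory's `/proc`. The Dockerfile and command line below are constructed samples; the `/proc/timer_stats` path comes from the CVE-2015-3630 list above.

```python
"""Refuse images and run commands whose volumes land inside /proc or /sys.

Added example, not code from the Docker release notes. Inputs are a
Dockerfile's text and a docker run command line; both samples below are
constructed for the example.
"""
import json
import posixpath
import re
import shlex

SENSITIVE_ROOTS = ("/proc", "/sys")

SAMPLE_DOCKERFILE = """\
FROM debian:jessie
# constructed sample: a normal data volume ...
VOLUME /var/lib/app
# ... and a JSON-form VOLUME, split over a continuation line, whose first
# entry would mount over the LSM attribute files under /proc
VOLUME ["/proc/self/attr", \\
        "/srv/data"]
CMD ["sleep", "infinity"]
"""

SAMPLE_RUN = ("docker run --rm -it -v /home/user/foo.txt:/foobar.txt:ro,z "
              "--volume=/tmp/x:/proc/timer_stats debian cat /foobar.txt")


def under_sensitive_root(dest):
    """True if the normalised destination is /proc, /sys or anything below them."""
    norm = posixpath.normpath(dest)
    return any(norm == root or norm.startswith(root + "/") for root in SENSITIVE_ROOTS)


def logical_lines(dockerfile):
    """Join backslash continuations and drop blank and comment lines."""
    out, buf = [], ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf.rstrip())
    return out


def dockerfile_volumes(dockerfile):
    """Destinations declared by VOLUME, in both `VOLUME /a /b` and JSON array form."""
    dests = []
    for line in logical_lines(dockerfile):
        m = re.match(r"volume\s+(.+)$", line, re.IGNORECASE)
        if not m:
            continue
        arg = m.group(1).strip()
        dests.extend(json.loads(arg) if arg.startswith("[") else arg.split())
    return dests


def run_volume_destinations(cmdline):
    """Container-side paths from -v/--volume flags of a docker run command line."""
    argv = shlex.split(cmdline)
    dests, i = [], 0
    while i < len(argv):
        tok, spec = argv[i], None
        if tok in ("-v", "--volume") and i + 1 < len(argv):
            i += 1
            spec = argv[i]
        elif tok.startswith("-v=") or tok.startswith("--volume="):
            spec = tok.split("=", 1)[1]
        if spec is not None:
            parts = spec.split(":")
            # `-v /path` is an anonymous volume at /path; otherwise host:container[:opts]
            dests.append(parts[0] if len(parts) == 1 else parts[1])
        i += 1
    return dests


def sensitive_mounts(dockerfile="", run_cmdline=""):
    """(source, destination) pairs that would mount over /proc or /sys."""
    found = [("VOLUME", d) for d in dockerfile_volumes(dockerfile) if under_sensitive_root(d)]
    found += [("-v", d) for d in run_volume_destinations(run_cmdline) if under_sensitive_root(d)]
    return found


if __name__ == "__main__":
    bad = sensitive_mounts(SAMPLE_DOCKERFILE, SAMPLE_RUN)
    for source, dest in bad:
        print(f"refuse: {source} mounts over {dest}")
    raise SystemExit(1 if bad else 0)
```

Destinations are normalised before comparison, so `/tmp/../proc/sys` is caught while `/procfs` is not. The check is deliberately coarse: nothing a container needs belongs under `/proc` or `/sys` as a volume, so any hit is reason to reject the image rather than to inspect it further.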
#### **AppArmor policy improvements**

The 1.6.1 release also marks preventative additions to the AppArmor policy.
Recently, several CVEs against the kernel have been reported whereby mount
namespaces could be circumvented through the use of the `sys_mount` syscall from
inside of an unprivileged Docker container. In all reported cases, the
AppArmor policy included in libcontainer and shipped with Docker has been
sufficient to deflect these attacks. However, we have deemed it prudent to
proactively tighten the policy further by outright denying the use of the
`sys_mount` syscall.

Because this addition is preventative, no CVE-ID is requested.

### CS Docker Engine 1.6.0-cs2
(23 Apr 2015)

- First release; please see the [Docker Engine 1.6.0 Release notes](/release-notes/)
  for more details.