See https://bugzilla.redhat.com/show_bug.cgi?id=1175997
Specifically we need https://git.fedorahosted.org/cgit/spin-kickstarts.git/commit/?h=f21
(Also, make sure the equivalent commit ends up in F22 Final)
The request should come from the security response team
According to the bug, SRT agrees this issue needs to be fixed (q.v. https://bugzilla.redhat.com/show_bug.cgi?id=1175997#c5). I don't understand why the reporter of the ticket matters, if the change is necessary to fix an ack'd security issue. That just costs time.
Replying to [ticket:6170 walters]:
See https://bugzilla.redhat.com/show_bug.cgi?id=1175997 Specifically we need https://git.fedorahosted.org/cgit/spin-kickstarts.git/commit/?h=f21 (Also, make sure the equivalent commit ends up in F22 Final)
Yes, this problem exists and should be remedied.
--Eric "Sparks" Red Hat SRT
Just that it seems like Security Response would be the ones coming and saying hey, we need this bug fixed, which means we need a new compose of foo, rather than getting requests for such things from all over the place.
http://dl.fedoraproject.org/pub/alt/stage/21-20150506/
There are new cloud images and an F21 Docker base image there. F22 will be fixed with the nightly compose and next compose, and the rawhide images will get fixed with the next nightly compose. Once they are verified I can move them to a live location.
Was any action taken on this for F21 to upload it to the Docker Hub?
We don't at the moment have a changelog on https://registry.hub.docker.com/_/fedora/
How this sausage gets made is pretty opaque to me at the moment. Is https://github.com/fedora-cloud/docker-brew-fedora still involved?
The kickstart there is clearly vulnerable...but on the other hand, from what I can tell "docker pull fedora:21" on the Hub isn't vulnerable. Did it get fixed some other way?
Did the content from here get uploaded? Who did that if so?
The tarball from Fedora-Docker-Base-21-20150506.x86_64 looks good to me.
{{{
root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/sbin/nologin
}}}
releng has no ability to upload anything to the Docker Hub; you will need to ask those responsible. I have no idea what https://github.com/fedora-cloud/docker-brew-fedora is. I also have no idea if the update was pushed there; I have cc'd lsm5, who has been uploading to the Docker registry. Sadly, Docker does not provide a way to automatically upload the base images: no client or API.
I found out some more information on this.
https://github.com/docker-library/official-images/issues/527 https://github.com/docker-library/official-images/pull/497
are some useful threads. The latter in particular starts to describe how we can improve the Fedora -> Hub flow.
So...there may not be an emergency here, although I want to understand why that is.
{{{
https://dl.fedoraproject.org/pub/fedora/linux/releases/21/Docker/x86_64/Fedora-Docker-Base-20141203-21.x86_64.tar.gz
curl https://dl.fedoraproject.org/pub/fedora/linux/releases/21/Docker/x86_64/Fedora-Docker-Base-20141203-21.x86_64.tar.gz | docker load
docker run --rm -ti Fedora-Docker-Base-20141203-21.x86_64 grep root /etc/passwd
root:x:0:0:root:/root:/bin/bash
}}}
So that image is not vulnerable. Yet if you go to the f21 spin-kickstarts branch: https://git.fedorahosted.org/cgit/spin-kickstarts.git/log/?h=f21 then click on the parent of my security fix, then tree, and look at the kickstart, I see: https://git.fedorahosted.org/cgit/spin-kickstarts.git/tree/fedora-docker-base.ks?h=f21&id=843b6a344e30c2cc4b4c5261849c161c725f5965#n9
And there's nothing locking it.
Dennis, is there a way to know which Koji task (that would have a link to the kickstart) was used to generate that image? I'm not seeing a way to query this in the web UI at least.
So I'm a moron and have been looking at /etc/passwd when obviously I meant /etc/shadow. Let's try this again!
Current F21 respun Docker image: FIXED!
{{{
root:locked::0:99999:7:::
}}}
{{{
root:$6$DoHwMNPipK/gAVGn$qseLnsvYNGkBBQQDoKfuYWdHR/b6jLMjDwbT32ad97.EvspmbtfqhyQezyYFrqN0Bk/iNTey1upR5i816bGMR1::0:99999:7:::
}}}
So we do need to get this new base image published.
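As an added check (example code, not Fedora releng's or the ticket's own), here is the /etc/shadow audit the thread arrives at, in Python: it classifies each account's password field, following the `x` indirection from /etc/passwd, and flags accounts that still have a usable password. The sample passwd/shadow text is constructed; the locked root line is the one quoted above.

```python
"""Audit an image's account database for usable (root) passwords.

Input is the text of /etc/passwd and /etc/shadow as extracted from an image
tarball. Sample entries are constructed; the "root:locked" line is from the
ticket above.
"""
import re

# A crypt(3) hash the login stack can actually verify: $id$[rounds$]salt$hash
# (md5/sha256/sha512/yescrypt/bcrypt ids) or a legacy 13-character DES hash.
_CRYPT_RE = re.compile(r"^\$(1|5|6|y|7|2[abxy])\$.+|^[./0-9A-Za-z]{13}$")

# Constructed sample: passwd defers to shadow ('x'); one shadow file has the
# locked root from the respun F21 image, the other a hashed root password.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "operator:x:11:0:operator:/root:/sbin/nologin\n")
SAMPLE_SHADOW_FIXED = "root:locked::0:99999:7:::\noperator:*:16000::::::\n"
SAMPLE_SHADOW_BAD = "root:$6$saltsalt$CONSTRUCTEDHASHVALUE::0:99999:7:::\n"


def classify_secret(field: str) -> str:
    """Classify the password field of a passwd or shadow entry."""
    if field == "":
        return "empty"       # no password at all: login needs no credentials
    if field.startswith(("!", "*")):
        return "locked"      # explicitly disabled (passwd -l / usermod -L)
    if _CRYPT_RE.match(field):
        return "hashed"      # a real hash: a secret shared by every image copy
    return "locked"          # e.g. "locked": never a valid crypt output


def audit_accounts(passwd_text: str, shadow_text: str) -> dict:
    """Return {user: status}; passwd alone hides the hash behind 'x', shadow
    alone misses a hash left directly in passwd, so read both."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            user, secret = line.split(":", 2)[:2]
            shadow[user] = secret
    result = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, secret = line.split(":", 2)[:2]
        if secret == "x":
            secret = shadow.get(user, "!")   # missing shadow entry acts as locked
        result[user] = classify_secret(secret)
    return result


def accounts_with_usable_password(passwd_text: str, shadow_text: str) -> list:
    """Accounts that accept a password login: empty or hashed fields."""
    return sorted(u for u, s in audit_accounts(passwd_text, shadow_text).items()
                  if s in ("empty", "hashed"))
```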
https://github.com/docker-library/official-images/pull/736
The Docker hub now has secure images for fedora:20, fedora:21, and fedora:rawhide.
(However, this ticket should be used as a record of current operating procedure for Hub uploads)
Metadata Update from @walters: - Issue set to the milestone: Fedora 22 Final