Closed yonkeltron closed 10 years ago
Nice writeup! :heart:
So, does this actually apply to our base images, or just the kernel? From what I understood when I saw the notification on the list, it was a kernel bug, but our images don't actually include the kernel and just inherit the host-kernel and of course thus all the vulnerabilities therein and this'd have to be a host update instead of an image update.
So, does this actually apply to our base images, or just the kernel?
Ok, so this question rocks and I don't have the answer entirely. From what I can tell, this does exist mostly in the kernel; however, since tools like debuggers and actual tracers (notably strace and ltrace) make use of the ptrace API, I think that some userland stuff has been affected. I reason this way since binaries would need to have been recompiled. Moreover, would this not affect linux-libc-dev and other linguistic equivalents which bind to libc or use something else to make system calls?
From the DSA, it looks like they only recommend updating your "linux" package:
For the stable distribution (wheezy), this problem has been fixed in version 3.2.60-1+deb7u1. In addition, this update contains several bugfixes originally targeted for the upcoming Wheezy point release.
For the unstable distribution (sid), this problem will be fixed soon.
We recommend that you upgrade your linux packages.
So now we just need to figure out whether anything else is affected. I can't imagine that users of the API could be expected to recompile, since then I just don't update my kernel API client and bam, I've got escalation, which is obviously bad, so I have to believe this fix is 100% in the kernel, especially since I can statically compile libc into my application. We just need something more substantial than my gut feeling and a single "recommend XYZ" sentence in a DSA to help confirm that. :smile:
Considering that there exists no package called just "linux" does this not refer to the general linux-* packages?
Side note: I've been learning a ton from checking this out.
This would be referring to the "linux" source package (https://packages.debian.org/source/sid/linux), so I think this still only applies to the kernel packages.
Oh wow, didn't know about that. You might have it right. How can we check for sure?
Hmm, we could cross-reference the list of installed packages in the base image with that list, but there might be a dpkg-query incantation that does something like that (i.e., check for installed packages from source package XYZ).
Ok, I have a fun one-liner:
$ docker run -it --rm debian:wheezy bash -xc 'apt-get update && apt-get install -y debsecan && debsecan --only-fixed --suite "$(lsb_release -cs)"'
+ apt-get update
++ lsb_release -cs
+ debsecan --only-fixed --suite wheezy
So I think we're good, but I'm going to write up a script to do this across many images with simpler output just to be sure.
It looks like oldstable/squeeze could use an update, actually.
$ cat security-audit.sh
#!/bin/bash
set -e
images=( debian:{oldstable,stable} )
for image in "${images[@]}"; do
    echo >&2 '+ docker run' "$image" 'debsecan'
    docker run -it --rm "$image" bash -c '{ { apt-get update && apt-get install -y debsecan; } &> /lolapt.log || { cat >&2 /lolapt.log && false; }; } && debsecan --only-fixed --suite "$(lsb_release -cs)"'
done
$ ./security-audit.sh
+ docker run debian:oldstable debsecan
CVE-2014-4617 gpgv (fixed)
CVE-2012-4929 libssl0.9.8 (fixed, low urgency)
CVE-2014-0076 libssl0.9.8 (fixed, low urgency)
CVE-2014-0195 libssl0.9.8 (fixed)
CVE-2014-0221 libssl0.9.8 (fixed)
CVE-2014-0224 libssl0.9.8 (fixed)
CVE-2014-3470 libssl0.9.8 (fixed)
CVE-2011-3634 apt (fixed, low urgency)
CVE-2014-0478 apt (fixed)
CVE-2014-4617 gnupg (fixed)
CVE-2014-3466 libgnutls26 (fixed)
CVE-2011-3634 apt-utils (fixed, low urgency)
CVE-2014-0478 apt-utils (fixed)
+ docker run debian:stable debsecan
After testing against "debian:squeeze" instead of "debian:oldstable", I got a shorter list, which is the catalyst for dotcloud/docker#6897, and some new squeeze/oldstable base images coming up. :)
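As an added example (not code from the thread or the docker-library project), here is a shell take on the "simpler output" idea: it parses debsecan's `CVE-ID package (fixed...)` lines into a per-package count and a pass/fail status per image. The sample report is constructed from the oldstable lines above, and the `audit_images` docker wrapper is an assumption modelled on security-audit.sh and is not invoked.

```shell
# Added example (not from the thread): turn `debsecan --only-fixed` output
# like the listing above into a compact per-package count and a pass/fail
# exit status, the "simpler output" an audit over many images needs.
# Assumes debsecan's line format "CVE-ID source-package (fixed[, urgency])".

# Constructed sample standing in for one image's debsecan output
# (a subset of the debian:oldstable lines above, not a fresh run).
SAMPLE_OLDSTABLE='CVE-2014-4617 gpgv (fixed)
CVE-2014-0224 libssl0.9.8 (fixed)
CVE-2014-0195 libssl0.9.8 (fixed)
CVE-2011-3634 apt (fixed, low urgency)
CVE-2014-0478 apt (fixed)'

# stdin: raw debsecan lines; stdout: "package count", one per package, sorted.
summarize_debsecan() {
    awk '
        # keep only "CVE-YYYY-NNNN pkg (fixed...)" records, ignore anything else
        $1 ~ /^CVE-[0-9]+-[0-9]+$/ && $3 ~ /^\(fixed/ { count[$2]++ }
        END { for (p in count) printf "%s %d\n", p, count[p] }
    ' | sort
}

# Total number of fixed-but-unapplied CVEs in one debsecan report ($1).
count_fixed_cves() {
    printf '%s\n' "$1" | summarize_debsecan | awk '{ s += $2 } END { print s + 0 }'
}

# Report one image; exit status 0 means clean, 1 means updates are pending.
check_image_clean() {
    image="$1"
    output="$2"
    total=$(count_fixed_cves "$output")
    if [ "$total" -eq 0 ]; then
        echo "$image: clean (debsecan --only-fixed reported nothing)" >&2
        return 0
    fi
    echo "$image: $total fixed CVEs not yet applied in the image" >&2
    printf '%s\n' "$output" | summarize_debsecan | sed 's/^/    /' >&2
    return 1
}

# Run the same docker/debsecan pipeline as security-audit.sh over several
# images (needs docker and network; not invoked here) and fail if any is dirty.
audit_images() {
    status=0
    for image in "$@"; do
        output=$(docker run --rm "$image" bash -c 'apt-get update >/dev/null && apt-get install -y debsecan >/dev/null && debsecan --only-fixed --suite "$(lsb_release -cs)"')
        check_image_clean "$image" "$output" || status=1
    done
    return "$status"
}

# Offline demonstration on the constructed sample (reports 5 pending CVEs).
check_image_clean "debian:oldstable (sample)" "$SAMPLE_OLDSTABLE" || :
```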
In response to CVE-2014-4699 (reserved but not yet filled out at time of this issue according to NVD) the Debian project has released DSA 2972-1.
http://seclists.org/bugtraq/2014/Jul/12
This (very cute) vulnerability allows an unprivileged user to execute a nasty ptrace trick on x86_64 chips and crash the kernel. I assume that this can happen from docker containers as well.
At the time of this writing, the DSA mentions fixes for wheezy but explicitly not for sid while leaving out jessie entirely.
Therefore, rebuilding all images right now might not fix things but a stable image rebuild would fix things there.
NINJA EDIT: @tianon