LWN.net's Journal
Monday, October 17th, 2016
Time | Event
3:40p | Security advisories for Monday
Arch Linux has updated guile (two vulnerabilities).
Debian has updated libgd2 (denial of service).
Debian-LTS has updated icedove (multiple vulnerabilities), libarchive (file overwrite), libdbd-mysql-perl (denial of service), and mpg123 (denial of service).
Fedora has updated chromium (F24: multiple vulnerabilities).
Gentoo has updated oracle-jdk-bin (multiple vulnerabilities).
openSUSE has updated thunderbird (13.1: multiple vulnerabilities) and tiff (13.1: denial of service).
Oracle has updated openssl (OL5: multiple vulnerabilities).
Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities).
5:55p | Secure Your Containers with this One Weird Trick (RHEL Blog)
Over on the Red Hat Enterprise Linux Blog, Dan Walsh writes about using Linux capabilities to help secure Docker containers. "Let’s look at the default list of capabilities available to privileged processes in a docker container:
chown, dac_override, fowner, fsetid, kill, setgid, setuid, setpcap, net_bind_service, net_raw, sys_chroot, mknod, audit_write, setfcap.
In the OCI/runc spec they are even more drastic, only retaining audit_write, kill, and net_bind_service, and users can use ocitools to add additional capabilities. As you can imagine, I like the approach of adding capabilities you need rather than having to remember to remove capabilities you don’t." He then goes through the capabilities listed, describing what they govern and when they might need to be turned on for a container application.
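As an added example (it is not from Dan Walsh's post, the RHEL blog, or LWN), the following Python decodes the CapEff bitmask that /proc/<pid>/status reports for a process inside a container, compares it with the fourteen Docker defaults quoted above and with the three-capability runc default, and builds the additive "drop everything, add back what is needed" flags for docker run that the post argues for. Capability bit numbers follow the kernel's include/uapi/linux/capability.h; the status text is a constructed sample, and the set of capabilities the sample nginx workload "needs" is an assumption for illustration.

```python
"""Decode Linux capability masks from /proc/<pid>/status and audit a
container's effective set against what the workload actually needs.

Added example, not code from the post being summarised. Bit numbers are
those of include/uapi/linux/capability.h (CAP_CHOWN is bit 0)."""

CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read",
]
CAP_BIT = {name: i for i, name in enumerate(CAP_NAMES)}

# The fourteen capabilities Docker leaves in a default container (from the post).
DOCKER_DEFAULT = frozenset("""chown dac_override fowner fsetid kill setgid setuid
    setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap""".split())
# The three the OCI/runc default configuration retains (from the post).
RUNC_DEFAULT = frozenset({"audit_write", "kill", "net_bind_service"})


def names_to_mask(names):
    """Capability names -> bitmask as the kernel reports it."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_BIT[name]
    return mask


def mask_to_names(mask):
    """Bitmask -> set of names; unknown high bits are kept as cap_<n>."""
    names = set()
    bit = 0
    while mask:
        if mask & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
        mask >>= 1
        bit += 1
    return names


def parse_capeff(status_text):
    """Extract the CapEff value (hex) from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def audit(capeff, needed):
    """Return (excess, missing): capabilities held but not needed, and
    needed but not held. Excess is what --cap-drop should remove."""
    have = mask_to_names(capeff)
    return sorted(have - set(needed)), sorted(set(needed) - have)


def docker_cap_args(needed):
    """Additive form the post recommends: drop all, add back only what is needed."""
    return ["--cap-drop=ALL"] + [f"--cap-add={n.upper()}" for n in sorted(needed)]


# Constructed sample of /proc/self/status inside a default Docker container.
SAMPLE_STATUS = (
    "Name:\tnginx\n"
    "CapInh:\t00000000a80425fb\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
)
# Assumed: a web server that binds port 80 and drops from root to a service user.
NGINX_NEEDS = {"net_bind_service", "setuid", "setgid"}

if __name__ == "__main__":
    eff = parse_capeff(SAMPLE_STATUS)
    print("effective:", sorted(mask_to_names(eff)))
    excess, missing = audit(eff, NGINX_NEEDS)
    print("excess:", excess)
    print("missing:", missing)
    print("docker run", " ".join(docker_cap_args(NGINX_NEEDS)), "...")
```

Running it against the sample prints the eleven capabilities a default container hands an nginx process that it never uses (chown, dac_override, mknod, net_raw, sys_chroot and so on) and the docker run flags that would start it with only the three it needs; the same audit against the runc default mask shows the reverse case, a needed capability that must be added back explicitly.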