In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container.
References:
https://docs.docker.com/engine/release-notes/
https://github.com/moby/moby/issues/39449
Created docker tracking bugs for this issue:
Affects: fedora-all [bug 1747223]
Affects: openstack-rdo [bug 1747224]
Upstream PR: https://github.com/moby/moby/pull/39612
Upstream patches: https://github.com/moby/moby/commit/11e48badcb67554b3d795241855028f28d244545
According to upstream this flaw affects only versions that use Go 1.11 (see https://github.com/moby/moby/pull/39612#issuecomment-517999360).
Statement: This issue did not affect the versions of docker as shipped with Red Hat Enterprise Linux 7 as they did not use Go 1.11.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14271