Bugzilla – Bug 904165
VUL-0: CVE-2014-5277: docker: HTTP downgrade attack against registry
Last modified: 2015-01-26 12:01:14 UTC
The Docker engine and the Python module, docker-py, first attempt to contact the registry using HTTPS. If that attempt fails, they will fall back to using in-the-clear HTTP connections. This facilitates the possibility of a downgrade attack by allowing attackers to force registry connections into using insecure communications to transmit authentication and image data.

To avoid this vulnerability, users should upgrade to Docker 1.3.1. Users of docker-py should upgrade to version 0.5.3 or higher.

Discovered by Solomon Hykes of Docker, Inc. We would also like to credit Florian Weimer of Red Hat Product Security with independent discovery.

Already covered in https://build.suse.de/request/show/45873 but there was no bug open. Feel free to assign to security-team if there's nothing left to do.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5277
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-5277.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5277
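The fallback described above, as an added example that is not Docker's or docker-py's code: the vulnerable HTTPS-then-HTTP selection next to a hardened variant that treats a failed HTTPS attempt as an error unless the operator has explicitly allowed cleartext for that host. The network probe is injected so the example runs offline; the `/v1/_ping` path, the host name and the `insecure_registries` allow-list parameter are this example's own assumptions (the allow list is modelled on the kind of per-registry opt-in the fixed Docker release requires, not a claim about its exact implementation).

```python
"""HTTPS-first, HTTP-fallback endpoint selection, and a hardened variant.

Added example for CVE-2014-5277, not Docker or docker-py code. The network
probe is injected so the example runs offline; the /v1/_ping path and the
host name are constructed for illustration.
"""
from typing import Callable, Collection, Optional
from urllib.parse import urlsplit

Probe = Callable[[str], bool]


class RegistryUnreachable(Exception):
    """No acceptable scheme reached the registry."""


def vulnerable_pick_scheme(host: str, probe: Probe) -> str:
    """Pre-fix behaviour: try HTTPS, silently fall back to cleartext HTTP.

    Anyone who can make the HTTPS attempt fail (drop port 443, break the
    TLS handshake) forces the client onto HTTP, where credentials and
    image data travel in the clear.
    """
    if probe(f"https://{host}/v1/_ping"):
        return "https"
    if probe(f"http://{host}/v1/_ping"):
        return "http"
    raise RegistryUnreachable(host)


def hardened_pick_scheme(host: str, probe: Probe,
                         insecure_registries: Collection[str] = ()) -> str:
    """Fixed behaviour: a failed HTTPS attempt is an error, not a downgrade.

    Cleartext HTTP is tried only when the operator explicitly listed the
    host as insecure. The allow-list parameter is this example's own
    (hypothetical) opt-in mechanism.
    """
    if probe(f"https://{host}/v1/_ping"):
        return "https"
    if host in insecure_registries and probe(f"http://{host}/v1/_ping"):
        return "http"
    raise RegistryUnreachable(
        f"{host}: HTTPS failed and host is not an allowed insecure registry")


def make_probe(https_reachable: bool, http_reachable: bool = True) -> Probe:
    """Constructed stand-in for a real connection attempt.

    An on-path attacker who blocks TLS but lets port 80 through is
    modelled by https_reachable=False, http_reachable=True.
    """
    def probe(url: str) -> bool:
        return https_reachable if urlsplit(url).scheme == "https" else http_reachable
    return probe


def attempt(pick: Callable[..., str], host: str, probe: Probe,
            **kwargs) -> Optional[str]:
    """Run a picker; return the chosen scheme, or None if it refused to connect."""
    try:
        return pick(host, probe, **kwargs)
    except RegistryUnreachable:
        return None


if __name__ == "__main__":
    host = "registry.example.test"  # constructed host name
    attacker = make_probe(https_reachable=False)
    print("vulnerable client under attack:", attempt(vulnerable_pick_scheme, host, attacker))
    print("hardened client under attack:  ", attempt(hardened_pick_scheme, host, attacker))
    print("hardened, host opted in:       ",
          attempt(hardened_pick_scheme, host, attacker, insecure_registries={host}))
```

Under the simulated attacker (HTTPS blocked, HTTP open) the vulnerable picker returns `http` and would send credentials in the clear; the hardened picker refuses unless the host was explicitly opted in. The practical check after upgrading is the same: point the client at a registry whose HTTPS port is unreachable and confirm the pull fails rather than quietly succeeding over HTTP.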
bugbot adjusting priority
Maintenance request submitted
accepted and merged, thanks
was released