Bugzilla – Bug 949660
VUL-0: CVE-2014-8178 CVE-2014-8179: docker: 1.8.3 fixes security issues
Last modified: 2018-12-14 15:11:17 UTC
I'm on it.
Have received full patch set now.
public at https://blog.docker.com/2015/10/security-release-docker-1-8-3-1-6-2-cs7/ [...]a vulnerability was discovered that affects the way content is stored and retrieved within the Docker Engine.[...] https://www.docker.com/docker-cve-database CVE-2014-8178 Attacker controlled layer IDs lead to local graph content poisoning Oct 12, 2015 Engine 1.8.3, 1.6.2-CS7 CVE-2014-8179 Manifest validation and parsing logic errors allow pull-by-digest validation bypass Oct 12, 2015 Engine 1.8.3, 1.6.2-CS7 https://github.com/docker/docker/releases/tag/v1.8.3
Commits: https://github.com/docker/docker/compare/v1.8.2...v1.8.3 We'll do a straight version update. https://groups.google.com/d/msg/docker-dev/bWVVtLNbFy8/UaefOqMOCAAJ Docker Engine version 1.8.3 has been released to address several vulnerabilities and is immediately available for all supported platforms. Users are advised to upgrade existing installations of the Docker Engine and use 1.8.3 for new installations. Please send any questions to secu...@docker.com. ============================================================== [CVE-2014-8178] Attacker controlled layer IDs lead to local graph content poisoning ============================================================== Docker image layers are stored with a non-globally unique identifier vulnerable to a collision attack. These identifiers are shared during docker pull and push, allowing poisoning of a host’s image cache. This allows maliciously crafted images to poison subsequently pulled images. Independently discovered by Florian Weimer of Red Hat and Tõnis Tiigi of the Docker Engine Team ============================================================== [CVE-2014-8179] - Manifest validation and parsing logic errors allow pull-by-digest validation bypass ============================================================== During Docker pulls validation and extraction of the manifest object from its JSON representation are done in separate steps. The digest that represents the manifest corresponds to a hash of the payload portion of the JSON blob returned by the remote registry. Even though the validity of the payload portion is being verified, an injection of new attributes in the surrounding JSON object is possible. This allows an override of the verified content at JSON deserialization time leading to pulling unverified layers. Users are advised to upgrade to Docker 1.8.3.
Assigned to Jordi. The package is already building inside of IBS and OBS, we have to finish a quick round of tests before submitting it to maintenance.
SUSE-SU-2015:1757-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 949660 CVE References: CVE-2014-8178,CVE-2014-8179 Sources used: SUSE Linux Enterprise Module for Containers 12 (src): docker-1.8.3-49.1
Releasing openSUSE update, all done
openSUSE-SU-2015:1773-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 949660 CVE References: CVE-2014-8178,CVE-2014-8179 Sources used: openSUSE 13.2 (src): docker-1.8.3-43.1
openSUSE-SU-2015:2073-1: An update that solves two vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 949660,954737,954812 CVE References: CVE-2014-8178,CVE-2014-8179 Sources used: openSUSE Leap 42.1 (src): docker-1.9.0-4.1