Bugzilla – Bug 909709
VUL-0: CVE-2014-9358: docker: Path traversal and spoofing opportunities presented through image identifiers
Last modified: 2018-12-14 15:10:16 UTC
rh#1172787

Docker Inc. has reported that it is possible to spoof images on the central registry. From the report:

"It has been discovered that Docker does not sufficiently validate Image IDs as provided either via 'docker load' or through registry communications. This allows for path traversal attacks, causing graph corruption and manipulation by malicious images, as well as repository spoofing attacks."

References:
https://groups.google.com/forum/#!topic/docker-user/nFAz-B-n4Bw
https://bugzilla.redhat.com/show_bug.cgi?id=1172787
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9358
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9358
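The class of check the report says was missing, as an added example that is not part of the original report and is not Docker's own code: an untrusted image ID is validated before it is joined to a storage path. The 64-character lowercase hex ID format, the graph root `/var/lib/docker/graph`, and the function names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Assumption: an image ID is exactly 64 lowercase hex characters.
var validID = regexp.MustCompile(`^[a-f0-9]{64}$`)

// ErrInvalidID is returned for any ID that fails validation.
var ErrInvalidID = errors.New("invalid image ID")

// naiveImageDir is the unsafe pattern: the untrusted ID goes straight into a path.
func naiveImageDir(graphRoot, id string) string {
	return filepath.Join(graphRoot, id)
}

// imageDir validates the ID first, then confirms the result stays under graphRoot.
func imageDir(graphRoot, id string) (string, error) {
	if !validID.MatchString(id) {
		return "", fmt.Errorf("%w: %q", ErrInvalidID, id)
	}
	dir := filepath.Join(graphRoot, id)
	// Defense in depth: the path relative to the root must be the ID itself.
	if rel, err := filepath.Rel(graphRoot, dir); err != nil || rel != id {
		return "", fmt.Errorf("%w: %q escapes graph root", ErrInvalidID, id)
	}
	return dir, nil
}

func main() {
	root := "/var/lib/docker/graph" // hypothetical graph root
	// Constructed sample IDs: one well-formed, the rest malformed.
	ids := []string{strings.Repeat("ab", 32), "../../etc/x", strings.Repeat("AB", 32), ""}
	for _, id := range ids {
		dir, err := imageDir(root, id)
		fmt.Printf("naive=%q checked=%q err=%v\n", naiveImageDir(root, id), dir, err)
	}
}
```

The same validation belongs on every path by which an ID enters the system, which per the report means both 'docker load' and registry communications.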
CVE-2014-9358 was assigned to this issue.
This is an autogenerated message for OBS integration: This bug (909709) was mentioned in https://build.opensuse.org/request/show/265019 13.2 / docker
Accepted to sle12 and 13.2. Do not forget Factory.
Thanks. The package is already inside of the Virtualization project, which is automatically pulled by Factory for updates. However, given all the security implications, I'll file a SR. In the meantime, closing as resolved.
This is an autogenerated message for OBS integration: This bug (909709) was mentioned in https://build.opensuse.org/request/show/265920 Factory / docker
openSUSE-SU-2014:1722-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 909709,909710,909712
CVE References: CVE-2014-9356,CVE-2014-9357,CVE-2014-9358
Sources used:
openSUSE 13.2 (src): docker-1.4.0-13.1

SUSE-SU-2015:0082-1: An update that solves three vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 909709,909710,909712,913211,913213
CVE References: CVE-2014-9356,CVE-2014-9357,CVE-2014-9358
Sources used:
SUSE Linux Enterprise Server 12 (src): docker-1.4.1-16.1