| Summary: | <app-emulation/docker-1.3.1: fallback to HTTP when HTTPS connections to the registry fail (CVE-2014-5277) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | trivial | CC: | admwiggin, alunduil, proxy-maint |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1164849 | | |
| Whiteboard: | ~3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-11-18 09:16:48 UTC

CVE-2014-5277 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5277): Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic.

Comment #1

alunduil has agreed to purge the old app-emulation/docker versions for me this weekend, time permitting. :) Shouldn't someone from the python herd handle removing the affected docker-py versions? I haven't been involved in docker-py at all, so I just want to make sure. :P

Comment #2
Yixun Lan

+ 19 Nov 2014; Yixun Lan <dlan@gentoo.org> -docker-1.0.0.ebuild,
+ -docker-1.0.1.ebuild, -docker-1.1.0.ebuild, -docker-1.2.0.ebuild:
+ clean vulnerable versions due to security bug 529670, proxy for maintainer
+

I think @alunduil wouldn't mind I do this, since it would cost same .. also clean docker-py, btw, not all ebuilds under dev-python category are maintained by python team ;-) thanks for your work

Comment #3

(In reply to Yixun Lan from comment #2)
> + 19 Nov 2014; Yixun Lan <dlan@gentoo.org> -docker-1.0.0.ebuild,
> + -docker-1.0.1.ebuild, -docker-1.1.0.ebuild, -docker-1.2.0.ebuild:
> + clean vulnerable versions due to security bug 529670, proxy for maintainer
> +

Thank you for cleanup. No stable versions, closing noglsa
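The downgrade described in the CVE text on this bug comes down to one decision in the registry client: what to do when the HTTPS attempt fails. The Go sketch below is an added illustration, not code from Docker, docker-py or this bug; it models the pre-1.3.1 "try HTTPS, then silently try HTTP" endpoint selection next to a fail-closed variant that only uses HTTP for hosts an operator has explicitly allow-listed (the opt-in model Docker later adopted with its --insecure-registry option). The `probe` callback and the `blockedTLS` function are constructed stand-ins for the network so the example runs offline.

```go
package main

import (
	"errors"
	"fmt"
)

// probe models one attempt to reach a registry URL (injected so the example runs offline).
type probe func(url string) error

// pickEndpointVulnerable mirrors the pre-1.3.1 behaviour from CVE-2014-5277:
// any HTTPS failure silently falls back to cleartext HTTP.
func pickEndpointVulnerable(host string, try probe) (string, error) {
	for _, scheme := range []string{"https", "http"} {
		u := scheme + "://" + host + "/v1/"
		if try(u) == nil {
			return u, nil
		}
	}
	return "", errors.New("registry: no usable endpoint")
}

// pickEndpointSecure fails closed: HTTP is tried only for hosts the operator
// explicitly put on an insecure allow-list (illustrative, not Docker's code).
func pickEndpointSecure(host string, insecure map[string]bool, try probe) (string, error) {
	u := "https://" + host + "/v1/"
	if err := try(u); err == nil {
		return u, nil
	} else if !insecure[host] {
		return "", fmt.Errorf("registry %s: HTTPS failed, refusing HTTP fallback: %w", host, err)
	}
	u = "http://" + host + "/v1/"
	if try(u) != nil {
		return "", errors.New("registry: no usable endpoint")
	}
	return u, nil
}

// blockedTLS is a constructed probe: HTTPS is dropped, plain HTTP goes through.
func blockedTLS(url string) error {
	if len(url) >= 8 && url[:8] == "https://" {
		return errors.New("connection reset by peer")
	}
	return nil
}

func main() {
	fmt.Println(pickEndpointVulnerable("registry.example", blockedTLS))
	fmt.Println(pickEndpointSecure("registry.example", nil, blockedTLS))
}
```

With HTTPS blocked, the vulnerable selector happily returns the http:// endpoint and would send credentials over it, while the fail-closed selector returns an error unless the host was deliberately marked insecure.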