Summary: | app-emulation/docker: two vulnerabilities (CVE-2014-{9357,9358}) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | trivial | CC: | admwiggin, proxy-maint, xarthisius |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | ~1 [noglsa] | | |
Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-12-12 08:23:31 UTC

CVE-2014-9358 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9358):
Docker before 1.3.3 does not properly validate image IDs, which allows remote attackers to conduct path traversal attacks and spoof repositories via a crafted image in a (1) "docker load" operation or (2) "registry communications."

CVE-2014-9357 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9357):
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.

Comment #1
Kacper Kowalik (Xarthisius)

+*docker-1.4.0 (12 Dec 2014)
+
+  12 Dec 2014; Kacper Kowalik <xarthisius@gentoo.org> +docker-1.4.0.ebuild,
+  -docker-1.3.2.ebuild:
+  Version bump, drop vulnerable versions wrt #532344

Comment #2
Agostino Sarubbo

(In reply to Kacper Kowalik (Xarthisius) from comment #1)
> +*docker-1.4.0 (12 Dec 2014)
> +
> +  12 Dec 2014; Kacper Kowalik <xarthisius@gentoo.org> +docker-1.4.0.ebuild,
> +  -docker-1.3.2.ebuild:
> +  Version bump, drop vulnerable versions wrt #532344

Thanks! There are no stable versions affected, closed.
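What "properly validate image IDs" means for CVE-2014-9358, as an added Go illustration that is not Docker's code and not part of this bug: an untrusted ID joined into a filesystem path unchecked, beside a strict 64-hex-character check. The graph root path, the ID shapes and the sample inputs are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Assumed layout for the illustration (not Docker's own code): each image's
// files live under <graphRoot>/<imageID>/.
const graphRoot = "/var/lib/docker/graph"

// A well-formed Docker image ID is exactly 64 lowercase hex characters, so a
// matching ID can never contain "/" or "..".
var validImageID = regexp.MustCompile(`^[a-f0-9]{64}$`)

// ValidateID rejects anything that is not a well-formed image ID.
func ValidateID(id string) error {
	if !validImageID.MatchString(id) {
		return errors.New("invalid image ID: " + id)
	}
	return nil
}

// UnsafeImageDir mirrors CVE-2014-9358: an untrusted ID is joined into a path unchecked.
func UnsafeImageDir(id string) string {
	return filepath.Join(graphRoot, id)
}

// SafeImageDir validates the ID and, as defence in depth, confirms the cleaned
// path is still inside graphRoot.
func SafeImageDir(id string) (string, error) {
	if err := ValidateID(id); err != nil {
		return "", err
	}
	dir := filepath.Join(graphRoot, id)
	if !strings.HasPrefix(dir, graphRoot+"/") {
		return "", errors.New("image ID escapes graph root: " + dir)
	}
	return dir, nil
}

func main() {
	fmt.Println(UnsafeImageDir("../../escaped")) // /var/lib/escaped
	_, err := SafeImageDir("../../escaped")
	fmt.Println(err) // invalid image ID: ../../escaped
	fmt.Println(SafeImageDir(strings.Repeat("ab", 32)))
}
```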