From ${URL} :

Common Vulnerabilities and Exposures assigned an identifier CVE-2014-5277 to the following vulnerability:

Name: CVE-2014-5277
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5277
Assigned: 20140816
Reference: https://groups.google.com/forum/#!topic/docker-user/oYm0i3xShJU
Reference: http://lists.opensuse.org/opensuse-updates/2014-11/msg00048.html

Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic.

@maintainer(s): since the fixed version is already in the tree, please remove the affected versions.
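As an added illustration (not code from Docker, docker-py, or the ebuilds discussed here), the silent HTTPS-to-HTTP fallback the CVE text describes, beside a variant that treats HTTPS failure as an error unless the operator explicitly opted the host in. The function names, the `tls_reachable` probe callback and the `insecure_registries` allowlist parameter are assumptions for the example; the probe is a constructed stand-in for a real TLS handshake.

```python
"""CVE-2014-5277 class of bug: a registry client that quietly downgrades to HTTP.
Added example code; not docker-py's or Docker's own source."""
from typing import Callable, FrozenSet


class InsecureRegistryError(Exception):
    """Raised when the registry cannot be reached over TLS and no opt-in exists."""


def pick_endpoint_vulnerable(host: str, tls_reachable: Callable[[str], bool]) -> str:
    """Pre-fix behaviour: try HTTPS, and on any failure fall back to plain HTTP.
    Whoever can block or reset the TLS connection decides which scheme is used,
    and credentials plus image data then travel unencrypted."""
    if tls_reachable(host):
        return f"https://{host}"
    return f"http://{host}"


def pick_endpoint_fixed(host: str, tls_reachable: Callable[[str], bool],
                        insecure_registries: FrozenSet[str] = frozenset()) -> str:
    """Fixed behaviour: HTTPS failure is an error. Plain HTTP is used only for
    hosts the operator listed explicitly (assumed allowlist parameter), so a
    network fault or an on-path blocker can no longer choose the scheme."""
    if tls_reachable(host):
        return f"https://{host}"
    if host in insecure_registries:
        return f"http://{host}"
    raise InsecureRegistryError(
        f"HTTPS to {host} failed; refusing to downgrade to HTTP")


def _tls_blocked(host: str) -> bool:
    """Constructed probe: simulates port 443 to the registry being unreachable."""
    return False


def demo(host: str = "registry.example") -> dict:
    """Run both variants against the blocked-TLS scenario and report the outcome."""
    results = {"vulnerable": pick_endpoint_vulnerable(host, _tls_blocked)}
    try:
        results["fixed"] = pick_endpoint_fixed(host, _tls_blocked)
    except InsecureRegistryError as exc:
        results["fixed"] = f"refused: {exc}"
    return results


if __name__ == "__main__":
    for variant, outcome in demo().items():
        print(f"{variant}: {outcome}")
```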
alunduil has agreed to purge the old app-emulation/docker versions for me this weekend, time permitting. :) Shouldn't someone from the python herd handle removing the affected docker-py versions? I haven't been involved in docker-py at all, so I just want to make sure. :P
+ 19 Nov 2014; Yixun Lan <dlan@gentoo.org> -docker-1.0.0.ebuild,
+ -docker-1.0.1.ebuild, -docker-1.1.0.ebuild, -docker-1.2.0.ebuild:
+ clean vulnerable versions due to security bug 529670, proxy for maintainer
+

I think @alunduil wouldn't mind I do this, since it would cost same .. also clean docker-py, btw, not all ebuilds under dev-python category are maintained by python team ;-) thanks for your work
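Review bot: the pasted ChangeLog entry records only the removal of the four app-emulation/docker ebuilds (1.0.0, 1.0.1, 1.1.0, 1.2.0); the docker-py cleanup mentioned in the same comment has no corresponding entry shown, so the dev-python/docker-py ChangeLog line with the removed versions should be pasted here as well so the bug records both removals against security bug 529670.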
(In reply to Yixun Lan from comment #2)
> + 19 Nov 2014; Yixun Lan <dlan@gentoo.org> -docker-1.0.0.ebuild,
> + -docker-1.0.1.ebuild, -docker-1.1.0.ebuild, -docker-1.2.0.ebuild:
> + clean vulnerable versions due to security bug 529670, proxy for maintainer
> +
>

Thank you for cleanup. No stable versions, closing noglsa
CVE-2014-5277 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5277): Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic.