
Security flaws in the docker software package

  • OS details: WN7
  • Severity: IMP
  • Operating systems: L
  • Categories: LFE

Fedora Update Notification
2014-12-13 08:32:22

Name : docker-io
Product : Fedora 21
Version : 1.4.0
Release : 1.fc21
Summary : Automates deployment of containerized applications
Description :
Docker is an open-source engine that automates the deployment of any
application as a lightweight, portable, self-sufficient container that will
run virtually anywhere.

Docker containers can encapsulate any payload, and will run consistently on
and between virtually any server. The same container that a developer builds
and tests on a laptop will run at scale, in production*, on VMs, bare-metal
servers, OpenStack clusters, public instances, or combinations of the above.

Update Information:

Security fix for CVE-2014-9357, CVE-2014-9358, CVE-2014-9356
Revert to using upstream v1.3.2 release
Resolves: rhbz#1169035, rhbz#1169151

* Thu Dec 11 2014 Lokesh Mandvekar <> – 1.4.0-1
– Resolves: rhbz#1173324
– Resolves: rhbz#1172761 – CVE-2014-9356
– Resolves: rhbz#1172782 – CVE-2014-9357
– Resolves: rhbz#1172787 – CVE-2014-9358
– update to upstream v1.4.0
– override DOCKER_CERT_PATH in sysconfig instead of patching the source
– create dockerroot user if doesn’t exist prior
– update metaprovides
* Mon Dec 1 2014 Lokesh Mandvekar <> – 1.3.2-4
– Revert to using upstream v1.3.2 release
* Sun Nov 30 2014 Lokesh Mandvekar <> – 1.3.2-3.git353ff40
– Resolves: rhbz#1169035, rhbz#1169151
– bring back golang deps (except libcontainer)

[ 1 ] Bug #1172761 – CVE-2014-9356 docker: Path traversal during processing of absolute symlinks
[ 2 ] Bug #1172782 – CVE-2014-9357 docker: Escalation of privileges during decompression of LZMA archives
[ 3 ] Bug #1172787 – CVE-2014-9358 docker: Path traversal and spoofing opportunities presented through image identifiers

This update can be installed with the "yum" update program. Use
su -c 'yum update docker-io' at the command line.
For more information, refer to "Managing Software with yum",
available at

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
package-announce mailing list

Author: Marko Stanec
Cert ID: NCERT-REF-2014-12-0047-ADV