Debian Bug report logs -
#998292
docker.io: CVE-2021-41092: Docker CLI leaks private registry credentials to registry-1.docker.io
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
:
Bug#998292
; Package src:docker.io
.
(Mon, 01 Nov 2021 20:42:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
.
(Mon, 01 Nov 2021 20:42:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: docker.io
Version: 20.10.8+dfsg1-2
Severity: normal
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for docker.io.
CVE-2021-41092[0]:
| Docker CLI is the command line interface for the docker container
| runtime. A bug was found in the Docker CLI where running `docker login
| my-private-registry.example.com` with a misconfigured configuration
| file (typically `~/.docker/config.json`) listing a `credsStore` or
| `credHelpers` that could not be executed would result in any provided
| credentials being sent to `registry-1.docker.io` rather than the
| intended private registry. This bug has been fixed in Docker CLI
| 20.10.9. Users should update to this version as soon as possible. For
| users unable to update ensure that any configured credsStore or
| credHelpers entries in the configuration file reference an installed
| credential helper that is executable and on the PATH.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-41092
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41092
[1] https://github.com/docker/cli/security/advisories/GHSA-99pg-grm5-qq3v
[2] https://github.com/docker/cli/commit/893e52cf4ba4b048d72e99748e0f86b2767c6c6b
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Tue Nov 2 14:36:55 2021;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.