docker.io: CVE-2014-9356 CVE-2014-9357 CVE-2014-9358


Debian Bug report logs - #772909


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 12 Dec 2014 05:45:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version docker.io/1.3.2~dfsg1-1

Fixed in version docker.io/1.3.3~dfsg1-1

Done: Tianon Gravi <admwiggin@gmail.com>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Paul Tagliamonte <paultag@debian.org>:
Bug#772909; Package src:docker.io. (Fri, 12 Dec 2014 05:45:07 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Paul Tagliamonte <paultag@debian.org>. (Fri, 12 Dec 2014 05:45:07 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: docker.io: CVE-2014-9356 CVE-2014-9357 CVE-2014-9358
Date: Fri, 12 Dec 2014 06:43:17 +0100
Source: docker.io
Version: 1.3.2~dfsg1-1
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerabilities were published for docker.io.

CVE-2014-9356[0]:
Path traversal during processing of absolute symlinks

CVE-2014-9357[1]:
Escalation of privileges during decompression of LZMA (.xz) archives

CVE-2014-9358[2]:
Path traversal and spoofing opportunities presented through image identifiers

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-9356
[1] https://security-tracker.debian.org/tracker/CVE-2014-9357
[2] https://security-tracker.debian.org/tracker/CVE-2014-9358
[3] http://www.openwall.com/lists/oss-security/2014/12/12/1

Regards,
Salvatore



Reply sent to Tianon Gravi <admwiggin@gmail.com>:
You have taken responsibility. (Fri, 19 Dec 2014 05:21:14 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 19 Dec 2014 05:21:14 GMT) (full text, mbox, link).


Message #10 received at 772909-close@bugs.debian.org (full text, mbox, reply):

From: Tianon Gravi <admwiggin@gmail.com>
To: 772909-close@bugs.debian.org
Subject: Bug#772909: fixed in docker.io 1.3.3~dfsg1-1
Date: Fri, 19 Dec 2014 05:18:55 +0000
Source: docker.io
Source-Version: 1.3.3~dfsg1-1

We believe that the bug you reported is fixed in the latest version of
docker.io, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 772909@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tianon Gravi <admwiggin@gmail.com> (supplier of updated docker.io package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 18 Dec 2014 21:54:12 -0700
Source: docker.io
Binary: docker.io vim-syntax-docker golang-docker-dev
Architecture: source amd64 all
Version: 1.3.3~dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Paul Tagliamonte <paultag@debian.org>
Changed-By: Tianon Gravi <admwiggin@gmail.com>
Description:
 docker.io  - Linux container runtime
 golang-docker-dev - Externally reusable Go packages included with Docker
 vim-syntax-docker - Docker container engine - Vim highlighting syntax files
Closes: 770293 772261 772909
Changes:
 docker.io (1.3.3~dfsg1-1) unstable; urgency=medium
 .
   [ Tianon Gravi ]
   * Update to 1.3.3 upstream release (Closes: #772909)
     - Fix for CVE-2014-9356 (Path traversal during processing of absolute
       symlinks)
     - Fix for CVE-2014-9357 (Escalation of privileges during decompression of
       LZMA (.xz) archives)
     - Fix for CVE-2014-9358 (Path traversal and spoofing opportunities presented
       through image identifiers)
   * Fix bashism in nuke-graph-directory.sh (Closes: #772261)
 .
   [ Didier Roche ]
   * Support starting systemd service without /etc/default/docker
     (Closes: #770293)
Checksums-Sha1:
 8fc0e44ba5eb8963e2a389a3a001e5d74eb3349e 3345 docker.io_1.3.3~dfsg1-1.dsc
 62e31848f8dbad694bb9ee1fdaea246a5263f635 80510 docker.io_1.3.3~dfsg1.orig-libcontainer.tar.gz
 6056e4913a936bc4605e853efc77d180ffda5c27 33904 docker.io_1.3.3~dfsg1.orig-libtrust.tar.gz
 a6130b6d9a8fd238c6175e467cb723cc1390c8e7 617118 docker.io_1.3.3~dfsg1.orig.tar.gz
 6aef2beefbeda13aaff55fafb04932f9f04055a6 13016 docker.io_1.3.3~dfsg1-1.debian.tar.xz
 8827e5ba629f768e8b29537e7dde236e378f1bda 3736960 docker.io_1.3.3~dfsg1-1_amd64.deb
 4053f874c6de74e4fd4c2ad95a9df4968420aae2 27706 vim-syntax-docker_1.3.3~dfsg1-1_all.deb
 b3fb54f50147052736a9073e7960c30e3304e656 193440 golang-docker-dev_1.3.3~dfsg1-1_all.deb
Checksums-Sha256:
 e69c96988160fb309738ee6e866b1e91216b580cf528c03af2d5a44410e0e3cd 3345 docker.io_1.3.3~dfsg1-1.dsc
 e76588144c366c5c808ec7cac29cd1bf0e381f19f3ad26b0e9d5fde2da600db3 80510 docker.io_1.3.3~dfsg1.orig-libcontainer.tar.gz
 954d13db1ba25caa99d843180ab76019052f478a9724eaa12e753b045d769aa9 33904 docker.io_1.3.3~dfsg1.orig-libtrust.tar.gz
 b7e39087623a10fe10008ddc2c162aae6809e5eeb23a4f8ab9c9e64d0491dfc1 617118 docker.io_1.3.3~dfsg1.orig.tar.gz
 ce84f90c4e698cd34d1368486b543a86c2ecb2f2ef07c98c0b4628fa5afdc73c 13016 docker.io_1.3.3~dfsg1-1.debian.tar.xz
 d161b436be61580b308ee5edc09c2278b93fc085ad1a9d9d4f8548c667107725 3736960 docker.io_1.3.3~dfsg1-1_amd64.deb
 c1c7748c5aad61114b21963a1ac359f6fd10a928a10df0b1108099ca467be607 27706 vim-syntax-docker_1.3.3~dfsg1-1_all.deb
 529bf6830988770e5271121d72e34d8357c730f17cb5d6118b3df329f5f71147 193440 golang-docker-dev_1.3.3~dfsg1-1_all.deb
Files:
 e228e2176fa95c0bea3840871aff7e34 3345 admin optional docker.io_1.3.3~dfsg1-1.dsc
 677204567bbb6612cc257313c3c7426e 80510 admin optional docker.io_1.3.3~dfsg1.orig-libcontainer.tar.gz
 dbf245903ba75f455f1473da6e49b3a9 33904 admin optional docker.io_1.3.3~dfsg1.orig-libtrust.tar.gz
 0b3f4febb624dc4d510dda0715c429c5 617118 admin optional docker.io_1.3.3~dfsg1.orig.tar.gz
 641ba9dacdaffd556c460001e16d3356 13016 admin optional docker.io_1.3.3~dfsg1-1.debian.tar.xz
 9ac30bfb6b153d7ffb66fca87782be6a 3736960 admin optional docker.io_1.3.3~dfsg1-1_amd64.deb
 9c85cafdbd85b32b4594ee14998e6a27 27706 admin optional vim-syntax-docker_1.3.3~dfsg1-1_all.deb
 0e430a37547a699f631b95194a8becf8 193440 admin optional golang-docker-dev_1.3.3~dfsg1-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 05 Feb 2015 07:25:29 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 12:58:28 2019; Machine Name: buxtehude
