Bug 1063550 (CVE-2014-0048)

Summary: CVE-2014-0048 Docker: multiple files downloaded over HTTP and executed or used unsafely
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: bsarathy, carnil, ccoleman, dwalsh, jkeck, jrieden, jrusnack, lwang, pfrields, sct, security-response-team, tjay
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-24 05:19:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1063553
Bug Blocks: 1063551

Description Kurt Seifried 2014-02-11 01:33:59 UTC
Kurt Seifried of the Red Hat Security Response Team reports:

There are a number of programs and scripts in Docker that download content via 
HTTP and then execute the content or use it in other unsafe ways (e.g. signing
keys used to further verify content that is downloaded and executed).
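
An added example, not part of the original report and not code from Docker or Red Hat: a small audit script that flags the pattern described above in shell scripts or Dockerfiles, distinguishing plain-HTTP content that is piped to an interpreter from plain-HTTP content imported as a signing key. The command patterns it matches and the `example.test` hosts in the sample are assumptions chosen for illustration.

```python
import re

HTTP_URL = re.compile(r"\bhttp://[^\s\"'|;)]+", re.IGNORECASE)  # https:// never matches
FETCH = re.compile(r"\b(curl|wget)\b|^\s*ADD\s", re.IGNORECASE)
# Fetched bytes piped straight into an interpreter.
PIPE_EXEC = re.compile(r"\|\s*(sudo\s+)?((ba|z|da)?sh|python[0-9.]*)\b")
# Fetched bytes installed as a signing key that later "verifies" other downloads.
KEY_IMPORT = re.compile(r"\bapt-key\s+add\b|\bgpg\b.*--import\b|\brpm\s+--import\b")

def logical_lines(text):
    """Yield (first_line_no, line) with backslash continuations folded in."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        start = n if start is None else start
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf

def scan(text):
    """Return [(line_no, kind, url)] for each plain-HTTP URL, by how it is used."""
    findings = []
    for n, line in logical_lines(text):
        if line.lstrip().startswith("#"):
            continue  # commented-out commands are not executed
        kind = ("http-key-import" if KEY_IMPORT.search(line) else
                "http-pipe-exec" if PIPE_EXEC.search(line) else
                "http-fetch" if FETCH.search(line) else None)
        if kind:
            findings += [(n, kind, url) for url in HTTP_URL.findall(line)]
    return findings

# Constructed sample input; hosts and paths are placeholders.
SAMPLE = """\
FROM example-base
RUN curl -s http://downloads.example.test/install.sh | sh
RUN wget -qO- http://keys.example.test/release.gpg \\
    | apt-key add -
RUN curl -fsSL https://downloads.example.test/tool.tgz -o /tmp/tool.tgz
# curl http://commented.example.test/x | sh
ADD http://downloads.example.test/app.tar /opt/
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding)
```

A clean result only means none of these patterns appear in the scanned text; HTTPS fetches still need their own integrity check (pinned digest or signature) before the content is executed.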

Comment 2 Trevor Jay 2015-03-24 05:19:04 UTC
I can't speak for the build process etc., but monitoring 1.5 on the network I no longer detect any http traffic when issuing a docker pull. Anything else (e.g. bad Dockerfile hygiene) is a separate issue.