Description Murray McAllister
2014-11-25 00:17:07 UTC
The following flaw has been fixed in Docker 1.3.2:
""
Docker versions 1.3.0 through 1.3.1 allowed security options to be applied
to images, allowing images to modify the default run profile of containers
executing these images. This vulnerability could allow a malicious image
creator to loosen the restrictions applied to a container’s processes,
potentially facilitating a break-out.
Docker 1.3.2 remedies this vulnerability. Security options applied to
images are no longer consumed by the Docker engine and will be ignored.
Users are advised to upgrade.
""
Acknowledgements:
Red Hat would like to thank the Docker project for reporting this issue.
Reference:
http://seclists.org/oss-sec/2014/q4/781
Comment 1 Murray McAllister
2014-11-25 00:20:51 UTC
Created docker-io tracking bugs for this issue:
Affects: fedora-all [bug 1167507]
Affects: epel-6 [bug 1167508]
Statement:
This issue did not affect the version of Docker as shipped with Red Hat Enterprise Linux 7.
The next current release of Docker is < 1.30 and the next release will be based off of 1.3.2 or greater.
Comment 3 Fedora Update System
2014-12-03 17:16:25 UTC
docker-io-1.3.2-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.