Bug 1510348 (CVE-2017-14992)

Summary: CVE-2017-14992 docker: Lack of content verification
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: adimania, admiller, amurdaca, dwalsh, fkluknav, ichavero, jcajka, jchaloup, lsm5, marianne, nalin, santiago, vbatts
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2018-04-18 01:27:19 UTC
Bug Depends On: 1510351, 1510352
Bug Blocks: 1510354

Description Andrej Nemec 2017-11-07 09:30:45 UTC
Lack of content verification in Docker allows a remote attacker to cause a Denial of Service via a crafted image layer payload, aka gzip bombing.

References:

https://blog.cloudpassage.com/2017/10/13/discovering-docker-cve-2017-14992/

Upstream issue:

https://github.com/moby/moby/issues/35075
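
The mitigation for this class of bug is to stop trusting the compressed layer and cap the number of bytes the decompressor is allowed to produce. The Go snippet below is an added example to illustrate that check; it is not Docker's code and not the upstream fix referenced above. The names DecompressBounded, ErrDecompressedTooLarge and makeGzip, the size limits, and the highly compressible sample payload standing in for a "bomb" are all constructed here for the demonstration.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressedTooLarge is returned when the inflated stream would exceed the cap.
var ErrDecompressedTooLarge = errors.New("decompressed payload exceeds limit")

// DecompressBounded inflates a gzip stream but refuses to produce more than
// maxOut bytes. The cap is enforced on bytes actually produced, not on any
// size the stream claims about itself (the gzip trailer is attacker-controlled).
func DecompressBounded(r io.Reader, maxOut int64) ([]byte, error) {
	zr, err := gzip.NewReader(r)
	if err != nil {
		return nil, err
	}
	defer zr.Close()

	// Read at most maxOut+1 bytes: the extra byte reveals that the stream
	// would have gone over the cap, without inflating the rest of it.
	limited := io.LimitReader(zr, maxOut+1)
	var out bytes.Buffer
	if _, err := io.Copy(&out, limited); err != nil {
		return nil, err
	}
	if int64(out.Len()) > maxOut {
		return nil, ErrDecompressedTooLarge
	}
	return out.Bytes(), nil
}

// makeGzip compresses data in memory; used only to construct sample inputs.
func makeGzip(data []byte) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(data); err != nil {
		panic(err)
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	const limit = 1 << 20 // 1 MiB cap on decompressed output (constructed value)

	// A small, well-behaved payload stays within the cap.
	small := makeGzip([]byte("hello layer"))
	got, err := DecompressBounded(bytes.NewReader(small), limit)
	fmt.Printf("small: %q err=%v\n", got, err)

	// A constructed stand-in for a gzip bomb: 8 MiB of zeros compresses to a
	// few KiB, but inflates far past the cap and is rejected.
	bomb := makeGzip(make([]byte, 8<<20))
	_, err = DecompressBounded(bytes.NewReader(bomb), limit)
	fmt.Printf("bomb: compressed=%d bytes err=%v\n", len(bomb), err)
}
```

Because the limit is applied to the inflated byte count rather than to the compressed size, the check holds regardless of how aggressive the compression ratio is; a scanner that only looks at the compressed layer size cannot make that guarantee.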

Comment 1 Andrej Nemec 2017-11-07 09:31:26 UTC
Created docker tracking bugs for this issue:

Affects: fedora-all [bug 1510351]


Created docker-latest tracking bugs for this issue:

Affects: fedora-all [bug 1510352]

Comment 2 Antonio Murdaca 2017-11-08 08:30:18 UTC
CVE fix backported to all docker branches, moving to POST for rebuild