1063550 – (CVE-2014-0048) CVE-2014-0048 Docker: multiple files downloaded over HTTP and executed or used unsafely

Bug 1063550 (CVE-2014-0048) - CVE-2014-0048 Docker: multiple files downloaded over HTTP and executed or used unsafely

Summary: CVE-2014-0048 Docker: multiple files downloaded over HTTP and executed or use...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	CVE-2014-0048
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1063553
Blocks:	1063551
TreeView+	depends on / blocked

Reported:	2014-02-11 01:33 UTC by Kurt Seifried
Modified:	2019-09-29 13:13 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-03-24 05:19:04 UTC
Embargoed:

Attachments	(Terms of Use)

Description Kurt Seifried 2014-02-11 01:33:59 UTC

Kurt Seifried of the Red Hat Security Response Team reports:

There are a number of programs and scripts in Docker that download content via 
HTTP and then execute the content or use it in other unsafe ways (e.g. signing
keys used to further verify content that is downloaded and executed).

Comment 2 Trevor Jay 2015-03-24 05:19:04 UTC

I can't speak for the build process etc. but monitoring 1.5 on the network I no longer detect any http traffic when issuing a docker pull. Anything else (e.g. bad Dockerfile hygeine) is a separate issue.

Note You need to log in before you can comment on or make changes to this bug.