Bug 1063550 (CVE-2014-0048) - CVE-2014-0048 Docker: multiple files downloaded over HTTP and executed or used unsafely
Summary: CVE-2014-0048 Docker: multiple files downloaded over HTTP and executed or use...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2014-0048
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1063553
Blocks: 1063551
TreeView+ depends on / blocked
 
Reported: 2014-02-11 01:33 UTC by Kurt Seifried
Modified: 2019-09-29 13:13 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-24 05:19:04 UTC


Attachments (Terms of Use)

Description Kurt Seifried 2014-02-11 01:33:59 UTC
Kurt Seifried of the Red Hat Security Response Team reports:

There are a number of programs and scripts in Docker that download content via 
HTTP and then execute the content or use it in other unsafe ways (e.g. signing
keys used to further verify content that is downloaded and executed).

Comment 2 Trevor Jay 2015-03-24 05:19:04 UTC
I can't speak for the build process etc. but monitoring 1.5 on the network I no longer detect any http traffic when issuing a docker pull. Anything else (e.g. bad Dockerfile hygeine) is a separate issue.


Note You need to log in before you can comment on or make changes to this bug.