Bug 923958 (CVE-2014-0048)

Summary: VUL-0: CVE-2014-0048: Docker: multiple files downloaded over HTTP and executed or used unsafely
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Flavio Castelli <fcastelli>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/115008/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2015-03-24 11:04:04 UTC
via rh bugzilla

Kurt Seifried of the Red Hat Security Response Team reports:

There are a number of programs and scripts in Docker that download content via 
HTTP and then execute the content or use it in other unsafe ways (e.g. signing
keys used to further verify content that is downloaded and executed).

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1063550
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0048

This probably was already cleaned up (1.3.1?) and released by us.
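The report above concerns content fetched over plain HTTP and then executed or trusted (including keys used to verify other downloads). As an added example, not code from Docker, Red Hat or this bug report, the following POSIX shell snippet shows the defensive pattern a maintainer would substitute for a bare "download and run": refuse any non-HTTPS source, download to a temporary file, and compare a pinned SHA-256 digest before the file is moved into place. It assumes curl and GNU coreutils sha256sum are installed; the URL, digest and destination passed to fetch_verified are caller-supplied placeholders.

```shell
#!/bin/sh
# Added example: fetch-and-verify pattern for content that will be executed
# or otherwise trusted. Not part of the bug report or of Docker's code.

# Accept only https:// sources; anything else is rejected before any network I/O.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-HTTPS source: $1" >&2; return 1 ;;
    esac
}

# Compare a file's SHA-256 digest with a pinned value obtained out of band
# (e.g. shipped with the package, not downloaded from the same HTTP location).
verify_sha256() {
    file="$1"; expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Download to a temp file, verify the digest, and only then place the file.
# curl flags: --proto '=https' pins the scheme even across redirects,
# --tlsv1.2 sets a TLS floor, --fail turns HTTP error pages into failures.
fetch_verified() {
    url="$1"; expected="$2"; dest="$3"
    require_https "$url" || return 1
    tmp=$(mktemp) || return 1
    if ! curl --proto '=https' --tlsv1.2 --fail --silent --show-error \
              --location -o "$tmp" "$url"; then
        rm -f "$tmp"; return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        echo "checksum mismatch for $url; discarding download" >&2
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$dest"
}

# Usage (placeholders, not real values):
#   fetch_verified https://example.invalid/tool.sh <pinned-sha256> ./tool.sh && sh ./tool.sh
```

The important property is ordering: the file is never executed or consumed until both the transport check and the digest check have passed, and a failed check removes the download instead of leaving it where a later step might pick it up.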
Comment 1 Swamp Workflow Management 2015-03-24 23:00:46 UTC
bugbot adjusting priority
Comment 2 Flavio Castelli 2015-03-25 08:33:53 UTC
As stated also on the Red Hat bug entry, this does not apply to docker 1.5.0, which is the version we have currently released.

Closing.