File _patchinfo of Package patchinfo.261

<patchinfo incident="261">
  <issue id="909709" tracker="bnc">VUL-0: CVE-2014-9358: docker: Path traversal and spoofing opportunities presented through image identifiers</issue>
  <issue id="909712" tracker="bnc">VUL-0: CVE-2014-9356: docker: Path traversal during processing of absolute symlinks</issue>
  <issue id="909710" tracker="bnc">VUL-0: CVE-2014-9357: docker: Escalation of privileges during decompression of LZMA archives</issue>
  <issue id="913213" tracker="bnc">Fix issue with volumes-from and bind mounts not being honored after create</issue>
  <issue id="913211" tracker="bnc">Added e2fsprogs as runtime dependency, this is required when the devicemapper driver is used.</issue>
  <issue id="CVE-2014-9357" tracker="cve" />
  <issue id="CVE-2014-9356" tracker="cve" />
  <issue id="CVE-2014-9358" tracker="cve" />
  <category>security</category>
  <rating>moderate</rating>
  <packager>flavio_castelli</packager>
  <description>This docker version upgrade fixes the following security and
non-security issues, and also adds additional features:

- Updated to 1.4.1 (2014-12-15):
  * Runtime:
    - Fix issue with volumes-from and bind mounts not being honored after
      create (fixes bnc#913213)

- Added e2fsprogs as runtime dependency, this is required when the
  devicemapper driver is used. (bnc#913211).
- Fixed owner &amp; group for docker.socket (thanks to Andrei Dziahel and
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752555#5)

- Updated to 1.4.0 (2014-12-11):
  * Notable Features since 1.3.0:
    - Set key=value labels to the daemon (displayed in `docker info`), applied with
      new `-label` daemon flag
    - Add support for `ENV` in Dockerfile of the form: 
      `ENV name=value name2=value2...`
    - New Overlayfs Storage Driver
    - `docker info` now returns an `ID` and `Name` field
    - Filter events by event name, container, or image
    - `docker cp` now supports copying from container volumes
    - Fixed `docker tag`, so it honors `--force` when overriding a tag for existing
      image.
- Changes introduced by 1.3.3 (2014-12-11):
  * Security:
    - Fix path traversal vulnerability in processing of absolute symbolic links (CVE-2014-9356) - (bnc#909709)
    - Fix decompression of xz image archives, preventing privilege escalation (CVE-2014-9357) - (bnc#909710)
    - Validate image IDs (CVE-2014-9358) - (bnc#909712)
  * Runtime:
    - Fix an issue when image archives are being read slowly
  * Client:
    - Fix a regression related to stdin redirection
    - Fix a regression with `docker cp` when destination is the current directory
</description>
  <summary>Security update for docker</summary>
</patchinfo>