File _patchinfo of Package patchinfo
<patchinfo incident="3326">
<issue id="909709" tracker="bnc">VUL-0: CVE-2014-9358: docker: Path traversal and spoofing opportunities presented through image identifiers</issue>
<issue id="909712" tracker="bnc">VUL-0: CVE-2014-9356: docker: Path traversal during processing of absolute symlinks</issue>
<issue id="909710" tracker="bnc">VUL-0: CVE-2014-9357: docker: Escalation of privileges during decompression of LZMA archives</issue>
<issue id="CVE-2014-9357" tracker="cve" />
<issue id="CVE-2014-9356" tracker="cve" />
<issue id="CVE-2014-9358" tracker="cve" />
<category>security</category>
<rating>moderate</rating>
<packager>flavio_castelli</packager>
<description>This docker version update fixes the following security and non security
issues and adds additional features.
- Updated to 1.4.0 (2014-12-11):
* Notable Features since 1.3.0:
- Set key=value labels to the daemon (displayed in `docker info`), applied with
new `-label` daemon flag
- Add support for `ENV` in Dockerfile of the form:
`ENV name=value name2=value2...`
- New Overlayfs Storage Driver
- `docker info` now returns an `ID` and `Name` field
- Filter events by event name, container, or image
- `docker cp` now supports copying from container volumes
- Fixed `docker tag`, so it honors `--force` when overriding a tag for existing
image.
- Changes introduced by 1.3.3 (2014-12-11):
* Security:
- Fix path traversal vulnerability in processing of absolute symbolic links (CVE-2014-9356) - (bnc#909709)
- Fix decompression of xz image archives, preventing privilege escalation (CVE-2014-9357) - (bnc#909710)
- Validate image IDs (CVE-2014-9358) - (bnc#909712)
* Runtime:
- Fix an issue when image archives are being read slowly
* Client:
- Fix a regression related to stdin redirection
- Fix a regression with `docker cp` when destination is the current directory
</description>
<summary>Security update for docker</summary>
</patchinfo>
