Updated docker packages that fix one security issue are now available forRed Hat Enterprise Linux 7 Extras.Red Hat Product Security has rated this update as having Moderate securityimpact. Common Vulnerability Scoring System (CVSS) base scores, which givedetailed severity ratings, are available for each vulnerability from theCVE links in the References section.
Docker is a service providing container management on Linux.It was found that the fix for the CVE-2014-5277 issue was incomplete: thedocker client could under certain circumstances erroneously fall back toHTTP when an HTTPS connection to a registry failed. This could allow aman-in-the-middle attacker to obtain authentication and image data fromtraffic sent from a client to the registry. (CVE-2015-1843)Red Hat would like to thank Eric Windisch of Docker Inc. for reportingthis issue.All docker users are advised to upgrade to these updated packages, whichcorrect this issue.
Before applying this update, make sure all previously released erratarelevant to your system have been applied.For details on how to apply this update, refer to:https://access.redhat.com/articles/11258Red Hat Enterprise Linux Extras (v. 7)
MD5: 90699821501b8319674896fb44ab94bfSHA-256: 9798d6148d68811fcc3479cb11a533693d5f1d7b177853ac60ed595e097a931f
MD5: 0dd329bc97c891088551a259824a3dbcSHA-256: 80997c9015f869a4bb9fb05db60f54b03fff60c79cf7e00eb84bfa226364f0e2
MD5: fd53c94c526379705a9575abcef0955bSHA-256: 11013b79ef3c072cff8532de1fe4dcf464b0d58dede2c791273277349c572b2f
MD5: 779fdfb12fe9c8d4b651e711c3f1239bSHA-256: 9f497d51b49636c40549b45be9937e40849536825841f79009840c93857bfcb9
MD5: c1aae59a2c361a8ea50d07493e7a4385SHA-256: 6c3cf79c1e45c2b9e3d0d927253201f36dce74690b37674b3ec33b0e6ee8c437
MD5: f96620189b146514e691e2b3a2294e07SHA-256: d5180946613de94901a60957c0a28aca149f73ba533e6f979fe6de9f9d4dbd40
(The unlinked packages above are only available from the Red Hat Network)
1206443 – CVE-2015-1843 docker: regression of CVE-2014-5277
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from: