Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2015-1843

Published: 6 April 2015

The Red Hat docker package before 1.5.0-28, when using the --add-registry option, falls back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic. NOTE: this vulnerability exists because of a CVE-2014-5277 regression.

Notes

AuthorNote
tyhicks 
This is a Red Hat specific issue

Priority

Medium

Status

Package Release Status
docker.io
Launchpad, Ubuntu, Debian 		lucid Does not exist

precise Does not exist

trusty Does not exist
(trusty was not-affected [Red Hat specific])
upstream Not vulnerable
(Red Hat specific)
utopic Not vulnerable
(Red Hat specific)

References

Bugs

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading