Merge pull request #9627 from jfrazelle/release-notes

Include Fred's release notes for 1.4.0.

docs/sources/release-notes.md

@@ -4,6 +4,76 @@ page_keywords: docker, documentation, about, technology, understanding, release
 
 #Release Notes
 
+You can view release notes for earlier version of Docker by selecting the
+desired version from the drop-down list at the top right of this page.
+
+##Version 1.4.0
+(2014-12-11)
+ 
+This release provides a number of new features, but is mainly focused on bug
+fixes and improvements to platform stability and security.
+
+For a complete list of patches, fixes, and other improvements, see <todo: link>
+ 
+*New Features*
+
+* You can now add labels to the Docker daemon using key=value pairs defined with
+the new `--label` flag. The labels are displayed by running `docker info`. In
+addition, `docker info` also now returns an ID and hostname field. For more
+information, see  the 
+[command line reference](http://docs.docker.com/reference/commandline/cli/#daemon).
+* The `ENV` instruction in the `Dockerfile` now supports arguments in the form 
+of `ENV name=value name2=value2..`. For more information, see the 
+[command line reference](http://docs.docker.com/reference/builder/#env)
+* Introducing a new, still 
+[experimental, overlayfs storage driver](https://github.com/docker/docker/pull/7619/).
+* You can now add filters to `docker events` to filter events by event name, 
+container, or image. For more information, see  the 
+[command line reference](http://docs.docker.com/reference/commandline/cli/#events).
+* The `docker cp` command now supports copying files from the filesystem of a
+container's volumes. For more information, see  the 
+[remote API reference](http://docs.docker.com/reference/api/docker_remote_api/).
+* The `docker tag` command has been fixed so that it correctly honors `--force`
+when overriding a tag for existing image. For more information, see 
+the [command line reference](http://docs.docker.com/reference/commandline/cli/#tag).
+
+* Container volumes are now initialized during `docker create`. For more information, see 
+the [command line reference](http://docs.docker.com/reference/commandline/cli/#create). 
+
+*Security Fixes*
+
+Patches and changes were made to address the following vulnerabilities:
+
+* CVE-2014-9356: Path traversal during processing of absolute symlinks. 
+Absolute symlinks were not adequately checked for  traversal which created a
+vulnerability via image extraction and/or volume mounts.
+* CVE-2014-9357: Escalation of privileges during decompression of LZMA (.xz)
+archives. Docker 1.3.2 added `chroot` for archive extraction. This created a
+vulnerability that could allow malicious images or builds to write files to the
+host system and escape containerization, leading to privilege escalation.
+* CVE-2014-9358: Path traversal and spoofing opportunities via image
+identifiers. Image IDs passed either via `docker load` or registry communications
+were not sufficiently validated. This created a vulnerability to path traversal
+attacks wherein malicious images or repository spoofing could lead to graph
+corruption and manipulation.
+
+Note that the above CVE's are also in Docker 1.3.3, which was released
+concurrently with 1.4.0.
+ 
+*Runtime fixes*
+ 
+* Fixed an issue that caused image archives to be read slowly.
+ 
+*Client fixes*
+ 
+* Fixed a regression related to STDIN redirection.
+* Fixed a regression involving `docker cp` when the current directory is the
+destination.
+
+> **Note**
+> Development history prior to version 1.0 can be found by
+> searching in [GitHub](https://github.com/docker/docker).
+
 ##Version 1.3.3
 (2014-12-11)