mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

docs: Add release notes

Signed-off-by: Tibor Vass <teabee89@gmail.com>
Tibor Vass 2014-12-10 18:19:04 -05:00
parent 994e4a1c69
commit ee8504bc5a


@ -4,6 +4,40 @@ understanding, release
#Release Notes
##Version 1.3.3
(2014-12-11)
This release fixes several security issues. In order to encourage immediate
upgrading, this release also patches some critical bugs. All users are highly
encouraged to upgrade as soon as possible.
*Security fixes*
Patches and changes were made to address the following vulnerabilities:
* CVE-2014-9356: Path traversal during processing of absolute symlinks.
Absolute symlinks were not adequately checked for traversal which created a
vulnerability via image extraction and/or volume mounts.
* CVE-2014-9357: Escalation of privileges during decompression of LZMA (.xz)
archives. Docker 1.3.2 added `chroot` for archive extraction. This created a
vulnerability that could allow malicious images or builds to write files to the
host system and escape containerization, leading to privilege escalation.
* CVE-2014-9358: Path traversal and spoofing opportunities via image
identifiers. Image IDs passed either via `docker load` or registry communications
were not sufficiently validated. This created a vulnerability to path traversal
attacks wherein malicious images or repository spoofing could lead to graph
corruption and manipulation.
*Runtime fixes*
* Fixed an issue that cause image archives to be read slowly.
*Client fixes*
* Fixed a regression related to STDIN redirection.
* Fixed a regression involving `docker cp` when the current directory is the
destination.
##Version 1.3.2
(2014-11-24)
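
Review bot: The CVE-2014-9357 entry never connects its title to its body. The title names decompression of LZMA (.xz) archives, but the text only says "Docker 1.3.2 added `chroot` for archive extraction. This created a vulnerability", which reads as if the chroot itself were the flaw. Please add a sentence saying how .xz decompression interacts with the chroot, so the cause is clear. This is also the only entry that names an affected version. The CVE-2014-9356 and CVE-2014-9358 entries should state which releases are affected, so operators on older versions can judge their exposure. Minor, under *Runtime fixes*: "an issue that cause image archives" should be "caused".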