CVE-2015-1843

Publication date 6 April 2015

Last updated 24 July 2024

Ubuntu priority

Description

The Red Hat docker package before 1.5.0-28, when using the --add-registry option, falls back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic. NOTE: this vulnerability exists because of a CVE-2014-5277 regression.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
docker.io	14.10 utopic	Not affected
	14.04 LTS trusty	Not in release
	12.04 LTS precise	Not in release
	10.04 LTS lucid	Not in release

How can I get the fixes?
What do statuses mean?

Notes

tyhicks

This is a Red Hat specific issue

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2015-1843