On Nov. 24, the Docker open-source project released version 1.3.2, fixing a pair of critical security vulnerabilities. One of the issues, identified as CVE-2014-6407, is a host privilege escalation flaw.
“The Docker engine, up to and including version 1.3.1, was vulnerable to extracting files to arbitrary paths on the host during ‘docker pull’ and ‘docker load’ operations,” Docker warned in its security advisory. “This vulnerability could be leveraged to perform remote code execution and privilege escalation.”
The second issue patched in Docker 1.3.2, identified as CVE-2014-6408, is a vulnerability related to how security options were connected to images.