Posted to dev@couchdb.apache.org by Joan Touzet <wo...@apache.org> on 2019/04/30 21:47:35 UTC

Docker Hub security breach and CouchDB image update

Hello there,

You may have read about the recent breach of security at Docker Hub[1].

In light of this breach, and in the interest of security for all of our
users, today we have taken the following actions:

* Reset all passwords and tokens that were in use with Docker Hub.
  (Apache CouchDB never published anything to Docker Hub in an
  automated fashion, by policy.)

* Rebuilt and republished all currently supported CouchDB images in use:

  apache/couchdb:2.3.1 (aka "latest")
  apache/couchdb:2.3.0

* Rebuilt and republished these images, which are no longer supported:
  apache/couchdb:1.7.2
  apache/couchdb:1.7.2-couchperuser

* Removed all tags that are no longer supported or have known security
  issues. This includes versions 1.6.*, 1.7.1, 2.0.*, 2.1.*, and 2.2.*.

While there were no known issues with any of our published images, and
we were not notified that our password hash was potentially leaked, this
action was in the best interest of the project.

Note that the "official" Docker couchdb image (what you get if you run
`docker pull couchdb` instead of `docker pull apache/couchdb`) is
maintained by Docker staff, not us, and is auto-published using their
infrastructure based on the Dockerfile and scripts we provide. They are
already updating this image on a regular basis.

-Joan "Move over, Maersk" Touzet

[1]: https://success.docker.com/article/docker-hub-user-notification


Re: Docker Hub security breach and CouchDB image update

Posted by Jonathan Hall <fl...@flimzy.com>.
That's probably good enough.  It doesn't seem to have a CouchDB 2.0 
image, which I was testing against previously, but it does provide more 
tags than the apache/couchdb.

Thanks,

Jonathan


On 5/4/19 7:33 PM, Joan Touzet wrote:
> You can use the downstream "official" images for that:
>
>     https://hub.docker.com/_/couchdb?tab=tags
>
>
> On 2019-05-04 11:05 a.m., Jonathan Hall wrote:
>> I wonder if this step is strictly necessary? I was using many of 
>> these old images in my CI/CD pipeline for kivik. Perhaps I'm the only 
>> person doing such a thing, but I do find it valuable to test my 
>> library against old versions, to ensure the highest level of 
>> compatibility, even with unsupported images.
>>
>> Maybe a compromise, to discourage use of these images, would be to 
>> make these old images still available, but with a different tag name 
>> (unsupported-1.6.1, for example)?
>>
>> What do you think?
>>
>> Jonathan
>>
>>
>> On 4/30/19 11:47 PM, Joan Touzet wrote:
>>> * Removed all tags that are no longer supported or have known security
>>>    issues. This includes versions 1.6.*, 1.7.1, 2.0.*, 2.1.*, and 
>>> 2.2.*.

Re: Docker Hub security breach and CouchDB image update

Posted by Joan Touzet <wo...@apache.org>.
You can use the downstream "official" images for that:

     https://hub.docker.com/_/couchdb?tab=tags


On 2019-05-04 11:05 a.m., Jonathan Hall wrote:
> I wonder if this step is strictly necessary? I was using many of these 
> old images in my CI/CD pipeline for kivik. Perhaps I'm the only person 
> doing such a thing, but I do find it valuable to test my library against 
> old versions, to ensure the highest level of compatibility, even with 
> unsupported images.
> 
> Maybe a compromise, to discourage use of these images, would be to make 
> these old images still available, but with a different tag name 
> (unsupported-1.6.1, for example)?
> 
> What do you think?
> 
> Jonathan
> 
> 
> On 4/30/19 11:47 PM, Joan Touzet wrote:
>> * Removed all tags that are no longer supported or have known security
>>    issues. This includes versions 1.6.*, 1.7.1, 2.0.*, 2.1.*, and 2.2.*.

Re: Docker Hub security breach and CouchDB image update

Posted by Jonathan Hall <fl...@flimzy.com>.
I wonder if this step is strictly necessary? I was using many of these 
old images in my CI/CD pipeline for kivik. Perhaps I'm the only person 
doing such a thing, but I do find it valuable to test my library against 
old versions, to ensure the highest level of compatibility, even with 
unsupported images.

Maybe a compromise, to discourage use of these images, would be to make 
these old images still available, but with a different tag name 
(unsupported-1.6.1, for example)?

What do you think?

Jonathan


On 4/30/19 11:47 PM, Joan Touzet wrote:
> * Removed all tags that are no longer supported or have known security
>    issues. This includes versions 1.6.*, 1.7.1, 2.0.*, 2.1.*, and 2.2.*.
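The two concerns in this thread, Joan's announcement that supported tags were rebuilt and republished while the 1.6.*, 1.7.1, 2.0.*, 2.1.* and 2.2.* tags were removed, and Jonathan's point that a CI pipeline may still reference those old tags, can both be turned into a fail-closed check a pipeline runs before it pulls anything. The script below is an added example, not code from the CouchDB project or from anyone in the thread. The removed-tag patterns come from the announcement; the tag-to-digest inventory, the pinned digests and the pipeline matrix are constructed placeholders, not real apache/couchdb digests, and in a real pipeline the inventory would be filled from the registry's manifest digests.

```shell
#!/bin/sh
# Added example, not code from the CouchDB project or from the thread.
# Audits the image references a CI pipeline pulls against (a) the tag series
# the announcement removed and (b) a tag->digest inventory of what the
# registry currently serves, so a rebuilt image surfaces as "rebuilt" rather
# than being pulled silently. Inventory digests and the pipeline matrix are
# constructed placeholders, not real apache/couchdb digests.

# Constructed inventory: "REPO:TAG DIGEST", one per line. latest == 2.3.1,
# as the announcement states.
PUBLISHED='apache/couchdb:2.3.1 sha256:aaaa1111
apache/couchdb:latest sha256:aaaa1111
apache/couchdb:2.3.0 sha256:bbbb2222
apache/couchdb:1.7.2 sha256:cccc3333
apache/couchdb:1.7.2-couchperuser sha256:dddd4444'

# Constructed pipeline matrix: "REPO:TAG PINNED_DIGEST" ("-" = unpinned).
PIPELINE='apache/couchdb:2.3.1 sha256:9999old
apache/couchdb:2.3.0 sha256:bbbb2222
apache/couchdb:2.0.0 -
apache/couchdb:1.7.2 -
apache/couchdb:2.2.0 sha256:eeee5555'

# is_removed_tag TAG: succeeds when TAG falls in a series the announcement
# removed (1.6.*, 1.7.1, 2.0.*, 2.1.*, 2.2.*).
is_removed_tag() {
    case "$1" in
        1.6.*|1.7.1|2.0.*|2.1.*|2.2.*) return 0 ;;
        *) return 1 ;;
    esac
}

# published_digest REPO:TAG: prints the digest currently served, or nothing.
published_digest() {
    printf '%s\n' "$PUBLISHED" | awk -v img="$1" '$1 == img { print $2 }'
}

# check_ref REPO[:TAG] [PINNED_DIGEST]: prints exactly one status word.
#   removed  tag series was deleted from the registry (fail closed)
#   missing  tag is not in the inventory at all
#   rebuilt  tag exists but no longer matches the digest the pipeline pinned
#   ok       tag exists and matches the pin, or no pin was recorded
# Assumes Docker Hub style references without a registry host:port prefix.
check_ref() {
    ref=$1
    pinned=$2
    repo=${ref%%:*}
    tag=${ref#*:}
    [ "$tag" = "$ref" ] && tag=latest   # bare repo pulls the implicit latest
    if [ "$repo" = "apache/couchdb" ] && is_removed_tag "$tag"; then
        echo removed
        return 0
    fi
    digest=$(published_digest "$repo:$tag")
    if [ -z "$digest" ]; then
        echo missing
    elif [ -n "$pinned" ] && [ "$pinned" != "$digest" ]; then
        echo rebuilt
    else
        echo ok
    fi
}

# audit_pipeline: prints "REPO:TAG STATUS" for every matrix entry.
audit_pipeline() {
    printf '%s\n' "$PIPELINE" | while read -r ref pin; do
        [ "$pin" = "-" ] && pin=""
        printf '%s %s\n' "$ref" "$(check_ref "$ref" "$pin")"
    done
}

# pipeline_is_clean: succeeds only when every matrix entry audits as ok.
pipeline_is_clean() {
    ! audit_pipeline | grep -qv ' ok$'
}

audit_pipeline
```

Pinning by digest is what makes the rebuild visible: a tag such as 2.3.1 now resolves to a different image than the one the pipeline validated, and the pipeline has to re-pin deliberately instead of picking the new image up on the next pull. Removed series fail closed before any digest lookup, so a job that still names a 2.0.* or 2.2.* tag stops at the audit rather than at a failed pull.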

Re: Docker Hub security breach and CouchDB image update

Posted by Garren Smith <ga...@apache.org>.
Hi Joan,

Thanks for reacting so quickly and fixing it all. It’s really appreciated.

Cheers
Garren

On Tue, Apr 30, 2019 at 11:47 PM Joan Touzet <wo...@apache.org> wrote:

> Hello there,
>
> You may have read about the recent breach of security at Docker Hub[1].
>
> In light of this breach, and in the interest of security for all of our
> users, today we have taken the following actions:
>
> * Reset all passwords and tokens that were in use with Docker Hub.
>   (Apache CouchDB never published anything to Docker Hub in an
>   automated fashion, by policy.)
>
> * Rebuilt and republished all currently supported CouchDB images in use:
>
>   apache/couchdb:2.3.1 (aka "latest")
>   apache/couchdb:2.3.0
>
> * Rebuilt and republished these images, which are no longer supported:
>   apache/couchdb:1.7.2
>   apache/couchdb:1.7.2-couchperuser
>
> * Removed all tags that are no longer supported or have known security
>   issues. This includes versions 1.6.*, 1.7.1, 2.0.*, 2.1.*, and 2.2.*.
>
> While there were no known issues with any of our published images, and
> we were not notified that our password hash was potentially leaked, this
> action was in the best interest of the project.
>
> Note that the "official" Docker couchdb image (what you get if you run
> `docker pull couchdb` instead of `docker pull apache/couchdb`) is
> maintained by Docker staff, not us, and is auto-published using their
> infrastructure based on the Dockerfile and scripts we provide. They are
> already updating this image on a regular basis.
>
> -Joan "Move over, Maersk" Touzet
>
> [1]: https://success.docker.com/article/docker-hub-user-notification
>
>
