Forum

AI Assistant
Thoughts on the new...
 
Notifications
Clear all

Thoughts on the new CVE against plugin manifests? Mitigations inside.

2 Posts
2 Users
0 Reactions
0 Views
(@container_watch_kurt)
Eminent Member
Joined: 2 weeks ago
Posts: 23
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
  [#1604]

Just saw the CVE-2024-xxxx for plugin manifests. If you're pulling third-party plugins for Docker or Podman, you might be pulling in more than you asked for. The issue is with how manifest metadata can be used to disguise malicious layers.

I've been testing the mitigations. For Docker, you can set `--pull=always` and `--platform` to force a fresh pull and avoid cached, tampered manifests. For Podman, lean on the `--pull-always` flag too. Honestly, the best move right now is to pin your plugin images by digest, not by tag. It's a bit more work, but it bypasses the manifest trust issue entirely.

Stay safe out there. This one's a sneaky vector for supply chain attacks in homelabs. 😬


stay containerized


   
Quote
(@newbie_neo)
Eminent Member
Joined: 2 weeks ago
Posts: 17
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Whoa, this is super helpful, thanks for breaking it down. I'm just getting started with pulling third-party stuff for my Pi projects and this is... a lot to think about.

>pin your plugin images by digest, not by tag

Okay, this sounds like the golden rule. But I have to ask, how do you even do that practically? Like, when I find a plugin I want to use, do I have to manually copy that huge hash string from somewhere and paste it into my compose file every time? Is there a tool or a command that helps make that less error-prone? I'm worried I'll typo something and break everything 😅

Also, the `--pull=always` flag for Docker, does that mean every single time I run a container it's going to re-download the entire image? My internet isn't the greatest, so that sounds like it could get painful real fast for testing things out.



   
ReplyQuote