| Summary: | containernetworking-plugins new security issues CVE-2021-20206, CVE-2021-34558, CVE-2023-39326 and CVE-2023-45287 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Joseph Wang <joequant> |
| Status: | REOPENED --- | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, joequant, mageia, nicolas.salguero, ouaurelien, qa-bugs |
| Version: | Cauldron | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA9TOO | | |
| Source RPM: | containernetworking-plugins-1.1.1-1.mga9.src.rpm | CVE: | CVE-2021-20206, CVE-2021-34558, CVE-2023-39326, CVE-2023-45287 |
| Status comment: | | | |
Description
David Walser 2021-02-27 20:28:49 CET

David Walser 2021-02-27 20:29:51 CET
    Whiteboard: (none) => MGA8TOO

Hi, thanks for reporting this. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it.)
    Assignee: bugsquad => joequant

In the bug report it is stated that the fixed version is 0.8.1: https://bugzilla.redhat.com/show_bug.cgi?id=1919391
"Fixed In Version: containernetworking/cni 0.8.1"
Closing as fixed.
    Status: NEW => RESOLVED

containernetworking/cni is apparently some embedded golang module, but it has different versioning than the package itself. The package needed to be updated to 0.9.1 to include it. I think all of the packages actually need to be updated.
    Resolution: FIXED => (none)

New version pushed in cauldron.
Fixed version pushed in mga8:
src:
- containernetworking-plugins-0.9.1-1.mga8
    Assignee: joequant => qa-bugs

Fails to build; I think a missing BR, as it built locally. I'll take a look.

David Walser 2021-03-09 16:28:06 CET
Are you certain that the other packages don't also contain the containernetworking/cni library?
    Assignee: qa-bugs => mageia

I think I looked everywhere and found nothing. Let's give this to QA :-)
    Assignee: mageia => qa-bugs

Advisory:
========================

Updated containernetworking-plugins package fixes security vulnerability:

An improper limitation of path name flaw was found in containernetworking/cni. When specifying the plugin to load in the `type` field in the network configuration, it is possible to use special elements such as "../" separators to reference binaries elsewhere on the system. This flaw allows an attacker to execute existing binaries other than the cni plugins/types, such as reboot. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability (CVE-2021-20206).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20206
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O2K6F4S5TE5ZEI2ZEJGC4XEC5QW7JORX/
    Source RPM: -0.8.5-1.mga8.src.rpm => containernetworking-plugins-0.8.5-1.mga8.src.rpm

Something is wrong here, but I'm not sure what. This package is about 16 levels above my pay grade, so I was going to settle for a clean install over the older packages.

Lacking a specific package list, I used the one from http://madb.mageia.org/tools/listRpmsForQaBug/bugnum/28478/application/0
That was this:
containernetworking-plugins-0.9.1-1.mga8.x86_64.rpm
containernetworking-plugins-devel-0.9.1-1.mga8.noarch.rpm
containernetworking-plugins-unit-test-devel-0.9.1-1.mga8.x86_64.rpm

Using MCC, I installed the plugins, but I couldn't find either of the devel packages listed. OK, they're new, or something. It's happened before. So, I used the above list in qarepo, and it downloaded those three rpms. The plugins rpm updated OK, but when I went to use drakrpm to install the two devel packages (now listed), after OKing a long list of dependencies for the tests rpm, I got this:

Sorry, the following package cannot be selected:
- containernetworking-plugins-unit-test-devel-0.9.1-1.mga8.x86_64 (due to unsatisfied golang(github.com/d2g/dhcp4))

And when I tried to select the other devel rpm, I got this:

Sorry, the following package cannot be selected:
- containernetworking-plugins-devel-0.9.1-1.mga8.noarch (due to unsatisfied golang(github.com/vishvananda/netlink))

So, I haven't a clue about where to go from here.
    CC: (none) => andrewsfarm

Assigning to Joseph, who imported this package.
    Keywords: feedback => (none)

Fedora has issued an advisory today (August 11):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3XBQUFVI5TMV4KMKI7GKA223LHGPQISE/
The issue is caused by a bundled golang module.
    Version: 8 => Cauldron

According to Fedora, this also needs to be rebuilt for CVE-2022-41717:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TVRQOIKQAASY2DLU74TK3BWPT5J2C7QC/

Red Hat has issued an advisory on April 30:
https://lwn.net/Articles/971673/
    CC: (none) => nicolas.salguero

I've got the bug rebuilt for cauldron. Will get it rebuilt for Mageia 9 and 8 as soon as I get a dev environment set up on a new machine.

Mageia 8 is EOL. No need to build it for that one.
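The path-traversal described in the CVE-2021-20206 advisory above, as an added Go example; this is not code from containernetworking/cni, from the Mageia package, or from anyone in this bug report. resolvePluginUnchecked shows the pre-fix pattern (the configured `type` value is joined straight onto the plugin search directory, so "../" components walk out of it), and resolvePluginChecked the hardened form (reject anything that is not a single bare file name, then confirm the joined path is still directly inside the search directory). The function names, the ErrInvalidPluginType value and the fake filesystem table are assumptions made for this example; the upstream 0.8.1 fix may differ in detail.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrInvalidPluginType is returned when the configured "type" is not a bare
// file name. Hypothetical name, chosen for this example.
var ErrInvalidPluginType = errors.New("invalid plugin type: must be a bare file name")

// fileExists is the existence check the resolvers use. It is a package
// variable so the example can swap in a constructed fake filesystem and run
// without a real /opt/cni/bin.
var fileExists = func(p string) bool {
	st, err := os.Stat(p)
	return err == nil && !st.IsDir()
}

// resolvePluginUnchecked illustrates the pre-fix behaviour: the "type" value
// is joined onto each search directory exactly as given, so a value such as
// "../../../sbin/reboot" resolves to a binary outside the plugin directory.
func resolvePluginUnchecked(pluginType string, searchDirs []string) (string, error) {
	for _, dir := range searchDirs {
		candidate := filepath.Join(dir, pluginType)
		if fileExists(candidate) {
			return candidate, nil
		}
	}
	return "", fmt.Errorf("plugin %q not found in %v", pluginType, searchDirs)
}

// validatePluginType rejects anything that is not a single path component:
// empty, "." or "..", or containing a path separator (both "/" and "\" are
// rejected so the check does not depend on the host OS).
func validatePluginType(pluginType string) error {
	if pluginType == "" || pluginType == "." || pluginType == ".." {
		return ErrInvalidPluginType
	}
	if strings.ContainsAny(pluginType, `/\`) {
		return ErrInvalidPluginType
	}
	return nil
}

// resolvePluginChecked is the hardened resolver: validate the name first and,
// as defence in depth, verify that the joined path is still directly inside
// the search directory before the file is accepted.
func resolvePluginChecked(pluginType string, searchDirs []string) (string, error) {
	if err := validatePluginType(pluginType); err != nil {
		return "", err
	}
	for _, dir := range searchDirs {
		candidate := filepath.Join(dir, pluginType)
		if filepath.Dir(candidate) != filepath.Clean(dir) {
			// Unreachable after validatePluginType, but keeps the resolver
			// safe if the validation is weakened later.
			return "", ErrInvalidPluginType
		}
		if fileExists(candidate) {
			return candidate, nil
		}
	}
	return "", fmt.Errorf("plugin %q not found in %v", pluginType, searchDirs)
}

func main() {
	// Constructed fake filesystem: one legitimate plugin plus an unrelated
	// system binary that a malicious "type" value could point at.
	fake := map[string]bool{
		"/opt/cni/bin/bridge": true,
		"/sbin/reboot":        true,
	}
	fileExists = func(p string) bool { return fake[p] }
	dirs := []string{"/opt/cni/bin"}

	for _, typ := range []string{"bridge", "../../../sbin/reboot"} {
		p, err := resolvePluginUnchecked(typ, dirs)
		fmt.Printf("unchecked type=%-22q -> path=%q err=%v\n", typ, p, err)
		p, err = resolvePluginChecked(typ, dirs)
		fmt.Printf("checked   type=%-22q -> path=%q err=%v\n", typ, p, err)
	}
}
```

The point of the second check in resolvePluginChecked is that the name validation and the path computation are two separate places a later refactor can break; comparing filepath.Dir of the joined path with the cleaned search directory catches any escape regardless of how the name was vetted. The same pattern applies anywhere a value taken from a configuration file selects an executable or a file under a fixed directory.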