Two security issues in lxc have been announced:
http://openwall.com/lists/oss-security/2015/07/22/4

CVE-2015-1331 also affects Mageia 5. CVE-2015-1334 also affects Mageia 4 and Mageia 5.

The message above has links to commits to fix these issues.

CC: (none) => thierry.vignaud
Whiteboard: (none) => MGA5TOO, MGA4TOO
Ubuntu has issued an advisory for this today (July 22): http://www.ubuntu.com/usn/usn-2675-1
URL: (none) => http://lwn.net/Vulnerabilities/652012/
Debian and Ubuntu have both only patched LXC 1.0.x or newer versions. I guess we can skip Mageia 4.
Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated lxc packages fix security vulnerabilities:

Roman Fiedler discovered that LXC had a directory traversal flaw when creating lock files. A local attacker could exploit this flaw to create an arbitrary file as the root user (CVE-2015-1331).

Roman Fiedler discovered that LXC incorrectly trusted the container's proc filesystem to set up AppArmor profile changes and SELinux domain transitions. A local attacker could exploit this flaw to run programs inside the container that are not confined by AppArmor or SELinux (CVE-2015-1334).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1331
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1334
http://www.ubuntu.com/usn/usn-2675-1
========================

Updated packages in core/updates_testing:
========================
lxc-1.0.5-3.1.mga5
liblxc1-1.0.5-3.1.mga5
liblxc-devel-1.0.5-3.1.mga5

from lxc-1.0.5-3.1.mga5.src.rpm

CC: (none) => mageia
Version: Cauldron => 5
Assignee: mageia => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)
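As an added illustration of the bug class named in the advisory for CVE-2015-1331 (a caller-controlled name flowing unchecked into a lock-file path), not lxc's own code: the constructed naive path builder below lets a name containing ".." leave the lock directory, and the hardened variant rejects it. The lock directory /var/lib/lxc and the name charset are assumptions for the example.

```python
import os
import re

# Constructed illustration, not lxc's code: models the directory-traversal
# class described for CVE-2015-1331 and a hardened replacement.

LXCPATH = "/var/lib/lxc"  # assumed lock directory for this example

# Assumed conservative charset for container names: no '/', cannot be "..".
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")


def naive_lock_path(name: str, lxcpath: str = LXCPATH) -> str:
    """Vulnerable pattern: the name is joined into the path unchecked."""
    return os.path.normpath(os.path.join(lxcpath, name, "lock"))


def escapes_base(path: str, lxcpath: str = LXCPATH) -> bool:
    """True when `path` does not stay under `lxcpath` (the traversal outcome)."""
    base = os.path.normpath(lxcpath)
    return os.path.commonpath([base, os.path.normpath(path)]) != base


def safe_lock_path(name: str, lxcpath: str = LXCPATH) -> str:
    """Hardened: validate the name, then prove the result stays under lxcpath."""
    if not _NAME_RE.match(name):
        raise ValueError(f"invalid container name: {name!r}")
    base = os.path.realpath(lxcpath)
    candidate = os.path.realpath(os.path.join(base, name, "lock"))
    # Containment check (defence in depth): resolved path must be inside base,
    # which also covers a symlinked component resolving elsewhere.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"lock path escapes {base}: {candidate}")
    return candidate
```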
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
In VirtualBox, M5, KDE, 32-bit

Package(s) under test: lxc liblxc1 liblxc-devel

default install of lxc liblxc1 & liblxc-devel

[root@localhost wilcal]# urpmi lxc
Package lxc-1.0.5-3.mga5.i586 is already installed
[root@localhost wilcal]# urpmi liblxc1
Package liblxc1-1.0.5-3.mga5.i586 is already installed
[root@localhost wilcal]# urpmi liblxc-devel
Package liblxc-devel-1.0.5-3.mga5.i586 is already installed

using Lewis Smith's Comment 2 in: https://bugs.mageia.org/show_bug.cgi?id=12760

[root@localhost wilcal]# lxc-create -n lxcsshd -t /usr/share/lxc/templates/lxc-sshd
Generating public/private rsa key pair.
Your identification has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
c8:ff:83:c7:a7:1b:fc:ec:ce:1d:66:84:ab:2c:17:50 root@localhost
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|        E        |
...........

lxc seems to respond as expected.

In a root terminal run: lxc-destroy -n lxcsshd

install lxc liblxc1 & liblxc-devel from updates_testing

[root@localhost wilcal]# urpmi lxc
Package lxc-1.0.5-3.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi liblxc1
Package liblxc1-1.0.5-3.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi liblxc-devel
Package liblxc-devel-1.0.5-3.1.mga5.i586 is already installed

[root@localhost wilcal]# lxc-create -n lxcsshd -t /usr/share/lxc/templates/lxc-sshd
Generating public/private rsa key pair.
Your identification has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
2b:d2:d8:5d:97:56:2d:a7:b4:08:e0:b1:86:39:90:c8 root@localhost
The key's randomart image is:
+--[ RSA 2048]----+
|  . ... o        |
|   E .. + + .    |
........

lxc continues to respond as expected.
Note: you can go back and forth between:

lxc-create -n lxcsshd -t /usr/share/lxc/templates/lxc-sshd

and

lxc-destroy -n lxcsshd

as many times as you want to test.
CC: (none) => wilcal.int
In VirtualBox, M5, KDE, 64-bit

Package(s) under test: lxc lib64lxc1 lib64lxc-devel

default install of lxc lib64lxc1 & lib64lxc-devel

[root@localhost wilcal]# urpmi lxc
Package lxc-1.0.5-3.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64lxc1
Package lib64lxc1-1.0.5-3.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64lxc-devel
Package lib64lxc-devel-1.0.5-3.mga5.x86_64 is already installed

using Lewis Smith's Comment 2 in: https://bugs.mageia.org/show_bug.cgi?id=12760

[root@localhost wilcal]# lxc-create -n lxcsshd -t /usr/share/lxc/templates/lxc-sshd
Generating public/private rsa key pair.
Your identification has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
03:aa:13:98:75:99:9f:00:eb:7f:1c:e1:5b:6d:27:4a root@localhost
The key's randomart image is:
+--[ RSA 2048]----+
|       .         |
|      o o        |
...........

lxc seems to respond as expected.

In a root terminal run: lxc-destroy -n lxcsshd

install lxc lib64lxc1 & lib64lxc-devel from updates_testing

[root@localhost wilcal]# urpmi lxc
Package lxc-1.0.5-3.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64lxc1
Package lib64lxc1-1.0.5-3.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64lxc-devel
Package lib64lxc-devel-1.0.5-3.1.mga5.x86_64 is already installed

[root@localhost wilcal]# lxc-create -n lxcsshd -t /usr/share/lxc/templates/lxc-sshd
Generating public/private rsa key pair.
Your identification has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
b9:bc:54:f2:df:43:67:95:bd:14:2a:b4:20:d9:c4:a8 root@localhost
The key's randomart image is:
+--[ RSA 2048]----+
|    *.           |
|   + + . .       |
........

lxc continues to respond as expected.
Whiteboard: advisory => advisory MGA5-32-OK MGA5-64-OK
I'd say unless someone wants to become an lxc expert on testing this thing this looks good to go. Agree David?
Yep, let's go.
This update works fine. Testing complete for MGA5, 32-bit & 64-bit.

Validating the update.

Could someone from the sysadmin team push to updates. Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0304.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED