A security issue fixed upstream in lxc has been announced today (March 9):
http://openwall.com/lists/oss-security/2017/03/09/4
The upstream commit that fixed the issue is linked in the message above.
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing Thierry, who touched the package most often.
CC: (none) => marja11, thierry.vignaud
Assignee: bugsquad => pkg-bugs
Ubuntu has issued an advisory for this on March 9: https://www.ubuntu.com/usn/usn-3224-1/
Freeze push requested for 2.0.8 to fix this.
Whiteboard: MGA5TOO => (none)
Blocks: (none) => 19835
Fixed upstream in 1.0.10, committed to Mageia 5 SVN.
It also fixes CVE-2016-10124:
https://linuxcontainers.org/lxc/news/
Advisory:
========================

Updated lxc packages fix security vulnerabilities:

Roman Fiedler discovered a directory traversal flaw in lxc-attach. An attacker with access to an LXC container could exploit this flaw to access files outside of the container (CVE-2016-8649).

Jann Horn discovered that LXC incorrectly verified permissions when creating virtual network interfaces. A local attacker could possibly use this issue to create virtual network interfaces in network namespaces that they do not own (CVE-2017-5985).

The lxc package has been updated to version 1.0.10 to fix these issues and other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8649
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5985
https://linuxcontainers.org/lxc/news/
https://www.ubuntu.com/usn/usn-3136-1/
https://www.ubuntu.com/usn/usn-3224-1/
https://bugs.mageia.org/show_bug.cgi?id=19835
https://bugs.mageia.org/show_bug.cgi?id=20439
========================

Updated packages in core/updates_testing:
========================
lxc-1.0.10-1.mga5
liblxc1-1.0.10-1.mga5
liblxc-devel-1.0.10-1.mga5

from lxc-1.0.10-1.mga5.src.rpm
Assignee: pkg-bugs => qa-bugs
MGA5-32 on Asus A6000VM Xfce
No installation issues
Used bug 12760 to find testing procedure. Although Claire thought this could be run as a non-root user in bug 17260 Comment 3, I got at the CLI:
    $ lxc-create -n lxcsshd -t sshd
    lxc_container: conf.c: chown_mapped_root: 3860 No mapping for container root
    lxc_container: lxccontainer.c: do_bdev_create: 838 Error chowning /home/tester5/.local/share/lxc/lxcsshd/rootfs to container root
    lxc_container: conf.c: suggest_default_idmap: 4912 Your system is not configured with subuids
    lxc_container: lxccontainer.c: lxcapi_create: 1307 Error creating backing store type (none) for lxcsshd
    lxc_container: lxc_create.c: main: 274 Error creating container lxcsshd
but as root
    # lxc-create -n lxcsshd -t sshd
    Generating public/private rsa key pair.
    Your identification has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_rsa_key.
    Your public key has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_rsa_key.pub.
    The key fingerprint is:
followed by key info, and further
    Generating public/private dsa key pair.
    Your identification has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_dsa_key.
    Your public key has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_dsa_key.pub.
    The key fingerprint is:
etc....
Seems OK.
Whiteboard: (none) => MGA5-32-OK
CC: (none) => herman.viaene
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => lewyssmith
Testing M5 64-bit using https://bugs.mageia.org/show_bug.cgi?id=12760#c2
Before the update:
    lxc-1.0.8-1.mga5
    lib64lxc1-1.0.8-1.mga5
After the update:
    lxc-1.0.10-1.mga5
    lib64lxc1-1.0.10-1.mga5

    # lxc-create -n lxcsshd -t /usr/share/lxc/templates/lxc-sshd
    Container already exists
[left over from previous update test]
    # lxc-info -n lxcsshd
    Name: lxcsshd
    State: STOPPED
    # lxc-destroy -n lxcsshd
    # lxc-info -n lxcsshd
    lxcsshd doesn't exist
---------------------
    # lxc-create -n lxcsshd -t /usr/share/lxc/templates/lxc-sshd
    Generating public/private rsa key pair.
    Your identification has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_rsa_key.
    Your public key has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_rsa_key.pub.
    The key fingerprint is:
    3d:42:5a:0e:00:07:a0:4b:ab:61:4b:35:3c:89:75:89 root@localhost.localdomain
    The key's randomart image is:
    ...
    Generating public/private dsa key pair.
    Your identification has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_dsa_key.
    Your public key has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_dsa_key.pub.
    The key fingerprint is:
    b8:27:22:2a:72:08:b7:d4:b4:3d:03:21:ac:f0:eb:8a root@localhost.localdomain
    The key's randomart image is:
    ...
    # lxc-info -n lxcsshd
    Name: lxcsshd
    State: STOPPED
    # lxc-destroy -n lxcsshd
    # lxc-info -n lxcsshd
    lxcsshd doesn't exist

It looks OK. Validating, already advisoried.
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0167.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
(In reply to David Walser from comment #4)
> Fixed upstream in 1.0.10, committed to Mageia 5 SVN.
>
> It also fixes CVE-2016-10124:
> https://linuxcontainers.org/lxc/news/

which Ubuntu issued an advisory for on August 2:
https://usn.ubuntu.com/usn/usn-3375-1/