Fedora has issued an advisory on February 26:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O2K6F4S5TE5ZEI2ZEJGC4XEC5QW7JORX/

buildah, containers-common, podman, and skopeo were also updated:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RAX6QM2U6UNK37KXRHYC53FAM2FIBDJK/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DJKISXPHWVVWEZKL4ZYF465YTGC45B4Q/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7AHSFWFJ6BTK4DJKJLXDZU762YRPSAT3/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7WIB77IOGIKRTRPQ7WKXNZ4FAJEI34QK/

Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 0.9.1
Hi, thanks for reporting this. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
Assignee: bugsquad => joequant
CC: (none) => ouaurelien
CVE: (none) => CVE-2021-20206
In the bug report it is said that the fixed version is 0.8.1: https://bugzilla.redhat.com/show_bug.cgi?id=1919391 "Fixed In Version: containernetworking/cni 0.8.1". Closing as fixed.
Status: NEW => RESOLVED
Resolution: (none) => FIXED
CC: (none) => mageia
containernetworking/cni is apparently some embedded golang module, but it has different versioning than the package itself. The package needed to be updated to 0.9.1 to include it. I think all of the packages actually need to be updated.
Resolution: FIXED => (none)
Status: RESOLVED => REOPENED
New version pushed in cauldron. Fixed version pushed in mga8:
src:
- containernetworking-plugins-0.9.1-1.mga8
Assignee: joequant => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Fails to build, I think a missing BR, as it built locally. I'll take a look.
Are you certain that the other packages don't also contain the containernetworking/cni library?
Assignee: qa-bugs => mageia
I think I looked everywhere and found nothing. Let's give this to QA :-)
Assignee: mageia => qa-bugs
Source RPM: containernetworking-plugins-0.8.5-1.mga8.src.rpm => -0.8.5-1.mga8.src.rpm
Advisory:
========================

Updated containernetworking-plugins package fixes security vulnerability:

An improper limitation of path name flaw was found in containernetworking/cni. When specifying the plugin to load in the `type` field in the network configuration, it is possible to use special elements such as "../" separators to reference binaries elsewhere on the system. This flaw allows an attacker to execute existing binaries other than the cni plugins/types, such as reboot. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability (CVE-2021-20206).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20206
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O2K6F4S5TE5ZEI2ZEJGC4XEC5QW7JORX/
Source RPM: -0.8.5-1.mga8.src.rpm => containernetworking-plugins-0.8.5-1.mga8.src.rpm
Status comment: Fixed upstream in 0.9.1 => (none)
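The advisory above describes the `type` field of a CNI network configuration being used as a path. As an added illustration (not code from the containernetworking project or from this bug), the following Go snippet shows the defensive property the fix needs: the plugin type must be a bare file name, and the resolved path must stay inside the plugin directory. The sample configurations, the plugin directory `/opt/cni/bin` and the function names are assumptions for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// netConf carries the one CNI network configuration field this check needs.
type netConf struct {
	Type string `json:"type"`
}

// validatePluginType accepts only a bare file name in the "type" field: empty
// names, "." and "..", and anything containing a separator are rejected.
func validatePluginType(t string) error {
	if t == "" || t == "." || t == ".." || strings.ContainsAny(t, `/\`) {
		return fmt.Errorf("cni: invalid plugin type %q", t)
	}
	return nil
}

// resolvePlugin parses a network config and returns the plugin binary path a
// runtime would execute, refusing anything that escapes pluginDir.
func resolvePlugin(pluginDir string, rawConf []byte) (string, error) {
	var conf netConf
	if err := json.Unmarshal(rawConf, &conf); err != nil {
		return "", err
	}
	if err := validatePluginType(conf.Type); err != nil {
		return "", err
	}
	full := filepath.Join(pluginDir, conf.Type)
	// Defence in depth: after cleaning, the file must sit directly in pluginDir.
	if filepath.Dir(full) != filepath.Clean(pluginDir) {
		return "", fmt.Errorf("cni: plugin path %q escapes %q", full, pluginDir)
	}
	return full, nil
}

func main() {
	// Constructed sample configs: a benign one and one using "../" in "type".
	good := []byte(`{"cniVersion":"0.4.0","name":"mynet","type":"bridge"}`)
	bad := []byte(`{"cniVersion":"0.4.0","name":"mynet","type":"../../../sbin/reboot"}`)
	for _, c := range [][]byte{good, bad} {
		p, err := resolvePlugin("/opt/cni/bin", c)
		fmt.Printf("path=%q err=%v\n", p, err)
	}
}
```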
Something is wrong here, but I'm not sure what. This package is about 16 levels above my pay grade, so I was going to settle for a clean install over the older packages.

Lacking a specific package list, I used the one from http://madb.mageia.org/tools/listRpmsForQaBug/bugnum/28478/application/0

That was this:
containernetworking-plugins-0.9.1-1.mga8.x86_64.rpm
containernetworking-plugins-devel-0.9.1-1.mga8.noarch.rpm
containernetworking-plugins-unit-test-devel-0.9.1-1.mga8.x86_64.rpm

Using MCC, installed the plugins, but I couldn't find either of the devel packages listed. OK, they're new, or something. It's happened before.

So, I used the above list in qarepo, and it downloaded those three rpms. The plugins rpm updated OK, but when I went to use drakrpm to install the two devel packages (now listed), after OKing a long list of dependencies for the tests rpm, I got this:

Sorry, the following package cannot be selected:
- containernetworking-plugins-unit-test-devel-0.9.1-1.mga8.x86_64 (due to unsatisfied golang(github.com/d2g/dhcp4))

And when I tried to select the other devel rpm, I got this:

Sorry, the following package cannot be selected:
- containernetworking-plugins-devel-0.9.1-1.mga8.noarch (due to unsatisfied golang(github.com/vishvananda/netlink))

So, I haven't a clue about where to go from here.
CC: (none) => andrewsfarm
Keywords: (none) => feedback
Assigning to Joseph, who imported this package.
Keywords: feedback => (none)
Assignee: qa-bugs => joequant
CC: (none) => joequant, qa-bugs
Fedora has issued an advisory today (August 11):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3XBQUFVI5TMV4KMKI7GKA223LHGPQISE/

The issue is caused by a bundled golang module.
Version: 8 => Cauldron
Summary: containernetworking-plugins new security issue CVE-2021-20206 => containernetworking-plugins new security issues CVE-2021-20206 and CVE-2021-34558
Whiteboard: (none) => MGA8TOO
According to Fedora, this also needs to be rebuilt for CVE-2022-41717: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TVRQOIKQAASY2DLU74TK3BWPT5J2C7QC/
RedHat has issued an advisory on April 30: https://lwn.net/Articles/971673/
CC: (none) => nicolas.salguero
Summary: containernetworking-plugins new security issues CVE-2021-20206 and CVE-2021-34558 => containernetworking-plugins new security issues CVE-2021-20206, CVE-2021-34558, CVE-2023-39326 and CVE-2023-45287
Source RPM: containernetworking-plugins-0.8.5-1.mga8.src.rpm => containernetworking-plugins-1.1.1-1.mga9.src.rpm
CVE: CVE-2021-20206 => CVE-2021-20206, CVE-2021-34558, CVE-2023-39326, CVE-2023-45287
Whiteboard: MGA8TOO => MGA9TOO
I've got the bug rebuilt for cauldron. Will get it rebuilt for Mageia 9 and 8 as soon as I get a dev environment set up on a new machine.
Mageia 8 is EOL. No need to build it for that one.