Upstream has issued an advisory on May 19: https://github.com/opencontainers/runc/security/advisories/GHSA-c3xm-pvg7-gh7r The issue is fixed upstream in 1.0.0-rc95. Mageia 7 and Mageia 8 are also affected.
Status comment: (none) => Fixed upstream in 1.0.0-rc95
Whiteboard: (none) => MGA8TOO, MGA7TOO
Ubuntu has issued an advisory for this on May 19: https://ubuntu.com/security/notices/USN-4960-1
rc95 pushed to both cauldron, mga8 & 7.
Status: NEW => ASSIGNED
Seems ok for cauldron and mga8. ARM-based packages are not building for mga7, but is it really an issue?
Assignee: bruno => qa-bugs
Yes, our build system rejects it if fails on ARM.
Assignee: qa-bugs => bruno
Arm support for Mageia is still considered experimental. Packages only need to work on x86_64, and except for some things like virtual machines, i586 too.
CC: (none) => davidwhodgins
No, unfortunately aarch64 was made mandatory a long time ago for some odd reason. I don't think we even have an installable image for it still. I know QA doesn't deal with it, but it has to build to even get to QA.
My mistake. I was thinking about what arches the packages have to work on to be validated by QA, not about what the build system considers required.

As to aarch64 ...
$ uname -a
Linux rp4.hodgins.homeip.net 5.10.37-server-2.mga8 #1 SMP PREEMPT Mon May 17 16:59:03 UTC 2021 aarch64 aarch64 aarch64 GNU/Linux

That's on my Raspberry Pi 4.

I don't have any devices that run armv7hl.
(In reply to Dave Hodgins from comment #7)
> My mistake. I was thinking about what arches the packages have to work on to
> be validated by qa, not about what the build system considers required.
>
> As to aarch64 ...
> $ uname -a
> Linux rp4.hodgins.homeip.net 5.10.37-server-2.mga8 #1 SMP PREEMPT Mon May 17
> 16:59:03 UTC 2021 aarch64 aarch64 aarch64 GNU/Linux
>
> That's on my Raspberry Pi 4.
>
> I don't have any devices that run armv7hl.

armv7hl is needed for the Banana Pro SBC. Jybz runs it, and Mageia ARM development is done on it; pterjan also runs that kind of ARM build.

Agreed meanwhile that we should have some policies on this.
CC: (none) => ouaurelien
(In reply to David Walser from comment #6)
> No, unfortunately aarch64 was made mandatory a long time ago for some odd
> reason.

Because aarch64 is considered more of a futureproof platform than old 32-bit ARM is, and it also is used in our infra as build hosts... all our EC2 hosts run on clean Mageia base systems... kernels and all...

And since people blindly kept dropping ARM fixes, causing us (pterjan mostly) to have to keep "re-fixing" the same issues, we decided to ensure it won't happen on aarch64.

armv7hl is not mandatory (since we used to have such slow armv7 builders), but for stable trees you should still try to keep them building... as it's after all a *stable* release tree... and if they don't, just ask on dev@

And as for build speed nowadays... our aarch64 builders chew through armv7hl builds faster than both i586 and x86_64 builders finish theirs most of the time :)

> I don't think we even have an installable image for it still.

Beginning with Mageia 8 we actually have "official images" both for armv7hl:
https://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/8/armv7hl/install/images/
and aarch64:
https://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/8/aarch64/install/images/
We just don't "promote them much yet..."

> I know QA doesn't deal with it, but it has to build to even get to QA.

We have several aarch64 users with rpi4 and others (not all part of QA)
Oh, and I see it only failed on mga7 (and also on i586, so not even "arm* only"), making me think... mga7 is going EOL in a few days... people should already move to mga8... what about simply accepting the fact it won't be fixed on mga7 anymore...
Fedora has issued an advisory for this today (May 29):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/35ZW6NBZSBH5PWIT7JU4HXOXGFVDCOHH/

Also see these advisories for another issue possibly affecting runc referenced in Bug 28885:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GWKDCFQ4EVHMJJ6V2EAABHSRZK34HUUT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZNMB7O2UIXE34PGSCSOULGHPX5LIJBMM/
Per Thomas's comment above, I'm assigning it to the QA team so recent distribution versions can get the update. Change it back if you prefer another workflow.
The Council agreed to extend the Mageia 7 EOL, so you can fix the build. Also, the other issue referenced in Comment 11 needs to be investigated.
Red Hat has issued advisories for this on May 31:
https://access.redhat.com/errata/RHSA-2021:2144
https://access.redhat.com/errata/RHSA-2021:2145
openSUSE has issued an advisory for this on June 17: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/G76UZ7FY6VFG73EC6UUCBE46L3TAKR6G/
Removing Mageia 7 from whiteboard due to EOL: https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/ Ping Bruno.
Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO
opencontainers-runc is also vulnerable to CVE-2021-34558 due to a bundled golang module:
https://bugzilla.redhat.com/show_bug.cgi?id=1987832
https://bugzilla.redhat.com/show_bug.cgi?id=1983596
Summary: opencontainers-runc new security issue CVE-2021-30465 => opencontainers-runc new security issues CVE-2021-30465 and CVE-2021-34558
cauldron updated with 1.0.2.
mga8 updated in core/updates_testing with 1.0.2 as well
Version: Cauldron => 8
Assignee: bruno => qa-bugs
Whiteboard: MGA8TOO => (none)
(In reply to David Walser from comment #17)
> opencontainers-runc is also vulnerable to CVE-2021-34558 due to a bundled
> golang module:
> https://bugzilla.redhat.com/show_bug.cgi?id=1987832
> https://bugzilla.redhat.com/show_bug.cgi?id=1983596

or not: https://bugzilla.redhat.com/show_bug.cgi?id=1987832#c2

I couldn't find any evidence that CVE-2021-20291 directly affects runc either.
Status comment: Fixed upstream in 1.0.0-rc95 => (none)
Summary: opencontainers-runc new security issues CVE-2021-30465 and CVE-2021-34558 => opencontainers-runc new security issue CVE-2021-30465
SRPM and RPM is:
opencontainers-runc-1.0.2-1.mga8

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30465
https://github.com/opencontainers/runc/security/advisories/GHSA-c3xm-pvg7-gh7r
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/35ZW6NBZSBH5PWIT7JU4HXOXGFVDCOHH/
CC: (none) => bruno
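As an added example (not part of this bug report, the Mageia QA procedure, or the runc project), here is a POSIX shell helper that decides whether the runc reported by `runc --version` is at or past 1.0.0-rc95, the version the upstream advisory names as carrying the fix for CVE-2021-30465. The function names and all sample version lines are constructed for the example; the only ordering rule it relies on is that a release candidate sorts before the final release of the same number.

```shell
#!/bin/sh
# Added example, not code from the bug report or from runc: check whether a
# runc binary carries the upstream fix for CVE-2021-30465
# (GHSA-c3xm-pvg7-gh7r), which shipped in 1.0.0-rc95. It parses the first
# line of `runc --version` ("runc version X.Y.Z[-rcN]") and orders release
# candidates correctly (rc93 < rc95 < 1.0.0 < 1.0.2). Sample strings below
# are constructed; nothing here touches the system.

FIXED_IN="1.0.0-rc95"   # from the upstream advisory referenced in this bug

# Turn "X.Y.Z[-rcN][+meta]" into four space-separated integers "X Y Z R",
# where R is the rc number, or 999999 for a final release so that a final
# release sorts after every rc of the same X.Y.Z.
runc_version_key() {
    ver=$1
    base=${ver%%[-+]*}                 # "1.0.0-rc95+dev" -> "1.0.0"
    case $ver in
        *-rc*) rc=${ver##*-rc}         # "95+dev" (or ".1" for "-rc.1")
               rc=${rc#.}
               rc=${rc%%[!0-9]*} ;;    # keep the leading digits only
        *)     rc=999999 ;;            # final release outranks any rc
    esac
    [ -n "$rc" ] || rc=0
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}
    printf '%s %s %s %s\n' "${major:-0}" "${minor:-0}" "${patch:-0}" "$rc"
}

# True (exit 0) when version $1 is at least version $2 in runc's ordering.
runc_version_ge() {
    set -- $(runc_version_key "$1") $(runc_version_key "$2")
    for pair in "$1:$5" "$2:$6" "$3:$7" "$4:$8"; do
        a=${pair%%:*}
        b=${pair#*:}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
    done
    return 0
}

# Takes the first line of `runc --version` output.
# Exit status: 0 = fixed, 1 = version predates the fix, 2 = unparsable line.
runc_fixed_for_cve_2021_30465() {
    line=$1
    case $line in
        "runc version "*) ;;
        *) echo "unrecognised runc --version output: $line" >&2; return 2 ;;
    esac
    set -- $line
    runc_version_ge "$3" "$FIXED_IN"
}

# Constructed sample lines standing in for real `runc --version` output.
for sample in "runc version 1.0.0-rc93" \
              "runc version 1.0.0-rc95" \
              "runc version 1.0.2" \
              "runc version 1.0.0-rc93+dev"; do
    status=0
    runc_fixed_for_cve_2021_30465 "$sample" || status=$?
    case $status in
        0) echo "fixed      : $sample" ;;
        1) echo "VULNERABLE : $sample" ;;
        *) echo "unparsable : $sample" ;;
    esac
done

# On a real host, feed the installed binary's own output to the same check:
#   runc_fixed_for_cve_2021_30465 "$(runc --version | head -n 1)"
```

The rc handling is the part worth keeping: a plain string or `sort -V` comparison will rank `1.0.0-rc95` below `1.0.0-rc93+dev` or above a final `1.0.0`, and a package audit built on that would misreport exactly the versions this update is about.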
mga8, x64

Installed docker which pulled in opencontainers-runc. As in previous tests of the update candidate, running docker should be a sufficient test. docker was working fine here the last time it was installed so straight on with the update. Added user to docker group and restarted docker.

$ docker version
Gives some information but
$ docker --version
Docker version unknown-version, build unknown-commit

$ rpm -q docker
docker-20.10.5-1.mga8

$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
b8dfde127a29: Pull complete
Digest: sha256:7d91b69e04a9029b99f3585aaaccae2baa80bcf318f4a5d2165a9898cd2dc0a1
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

$ docker run -ti ubuntu /bin/bash
Unable to find image 'ubuntu:latest' locally
latest: Pulling from library/ubuntu
16ec32c2132b: Pull complete
Digest: sha256:82becede498899ec668628e7cb0ad87b6e1c371cb8a1e597d83a47fac21d6af3
Status: Downloaded newer image for ubuntu:latest
root@7c0d05d8ec03:/# dmesg
<hung>

In another terminal:
$ killall docker
$ docker images
REPOSITORY    TAG       IMAGE ID       CREATED        SIZE
ubuntu        latest    1318b700e415   4 weeks ago    72.8MB
hello-world   latest    d1165f221234   5 months ago   13.3kB

$ docker run -ti fedora:latest /bin/bash
........
exit
That went well.

$ docker run -ti fedora:latest /bin/bash
[root@1ec3a2a1adad /]# ls /bin
.....
[root@1ec3a2a1adad /]# dmesg
.....

$ docker images
REPOSITORY    TAG       IMAGE ID       CREATED        SIZE
ubuntu        latest    1318b700e415   4 weeks ago    72.8MB
fedora        latest    dce66322d647   4 weeks ago    178MB
hello-world   latest    d1165f221234   5 months ago   13.3kB

$ docker stop 1ec3a2a1adad
1ec3a2a1adad

$ docker ps -a
CONTAINER ID   IMAGE           COMMAND       CREATED          STATUS                      PORTS   NAMES
1ec3a2a1adad   fedora:latest   "/bin/bash"   2 minutes ago    Exited (0) 44 seconds ago           crazy_matsumoto
967c69acb1d2   fedora:latest   "/bin/bash"   5 minutes ago    Exited (0) 3 minutes ago            great_galois
7c0d05d8ec03   ubuntu          "/bin/bash"   12 minutes ago   Exited (0) 9 minutes ago            stupefied_dhawan
b9fbe95cd3a6   hello-world     "/hello"      14 minutes ago   Exited (0) 14 minutes ago           strange_borg

Looks like things are working.
CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0412.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED