Upstream has issued an advisory on June 6: https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j The issue is fixed upstream in 1.24.1, 1.23.3, and 1.22.5. Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.22.5, 1.23.3, and 1.24.1
Joseph is the registered and last maintainer of this, which has been quiet since "update to 1.17.3" over 2y ago.
Assignee: bugsquad => joequant
SUSE has issued an advisory for this on October 18: https://lists.suse.com/pipermail/sle-security-updates/2022-October/012564.html Apparently 1.19.7 fixes the issue as well.
Red Hat has issued an advisory for this today (November 8): https://access.redhat.com/errata/RHSA-2022:7469
cri-o was updated to 1.25.1 in cauldron!
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
CC: (none) => geiger.david68210
working on it
CC: (none) => joequant
QA Please test cri-o-1.25.1-1.mga8
CC: (none) => qa-bugs
CC: qa-bugs => (none)
Status comment: Fixed upstream in 1.22.5, 1.23.3, and 1.24.1 => (none)
Assignee: joequant => qa-bugs
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
No wiki, no previous updates and containers are an untrodden area for me, so playing with some commands

$ crio-status -h
NAME:
   crio-status - A tool for CRI-O status retrieval

USAGE:
   crio-status [global options] command [command options] [arguments...]

VERSION:
   1.25.1

DESCRIPTION:
   A tool for CRI-O status retrieval

AUTHOR:
   The CRI-O Maintainers

COMMANDS:
   complete, completion          Generate bash, fish or zsh completions.
   man                           Generate the man page documentation.
   markdown, md                  Generate the markdown documentation.
   config, c                     Show the configuration of CRI-O as TOML string.
   containers, container, cs, s  Display detailed information about the provided container ID.
   info, i                       Retrieve generic information about CRI-O, like the cgroup and storage driver.
   help, h                       Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --help, -h                    show help (default: false)
   --socket value, -s value      absolute path to the unix socket (default: "/var/run/crio/crio.sock")
   --version, -v                 print the version (default: false)

$ crio -h
NAME:
   crio - OCI-based implementation of Kubernetes Container Runtime Interface

USAGE:
   OCI-based implementation of Kubernetes Container Runtime Interface Daemon

   crio is meant to provide an integration path between OCI conformant runtimes and the kubelet. Specifically, it implements the Kubelet Container Runtime Interface (CRI) using OCI conformant runtimes. The scope of crio is tied to the scope of the CRI.

   1. Support multiple image formats including the existing Docker and OCI image formats.
   2. Support for multiple means to download images including trust & image verification.
   3. Container image management (managing image layers, overlay filesystems, etc).
   4. Container process lifecycle management.
   5. Monitoring and logging required to satisfy the CRI.
   6. Resource isolation as required by the CRI.

VERSION:
   1.25.1

   Version: 1.25.1
   GitCommit: unknown
   GitCommitDate: unknown
   GitTreeState: clean
   GoVersion: go1.19.10
   Compiler: gc
   Platform: linux/amd64
   Linkmode: dynamic
   BuildTags: rpm_crashtraceback

and a lot more ....

Found https://github.com/cri-o/cri-o/blob/main/tutorials/crictl.md requires crictl, but

# urpmf crictl
cri-o:/etc/crictl.yaml
$MIRRORLIST: media/core/release/media_info/20210224-165404-files.xml.lzma
cri-o:/etc/crictl.yaml
$MIRRORLIST: media/core/updates/media_info/20230707-051628-files.xml.lzma
$MIRRORLIST: media/nonfree/release/media_info/20210224-171907-files.xml.lzma
$MIRRORLIST: media/nonfree/updates/media_info/20230608-193145-files.xml.lzma
$MIRRORLIST: media/tainted/release/media_info/20210224-172114-files.xml.lzma
$MIRRORLIST: media/tainted/updates/media_info/20230521-083722-files.xml.lzma

Leaving for others with more knowledge on the subject, but the installation does not seem to do any harm to the system.
CC: (none) => herman.viaene
From https://access.redhat.com/documentation/en-us/openshift_container_platform/3.11/html/cri-o_runtime/use-crio-engine

"There is little need for direct command-line contact with CRI-O. However, to provide full access to CRI-O for testing and monitoring, and to provide features you expect with Docker that CRI-O does not offer, a set of container-related command-line tools are available. These tools replace and extend what is available with the docker command and service. Tools include:

crictl - For troubleshooting and working directly with CRI-O container engines
runc - For running container images
podman - For managing pods and container images (run, stop, start, ps, attach, exec, etc.) outside of the container engine
buildah - For building, pushing and signing container images
skopeo - For copying, inspecting, deleting, and signing images"

We do not seem to provide crictl, but at least some version of each of the others is available.

Unfortunately, I am at a complete loss when it comes to setting cri-o up, and using the tools with it. If someone else with more skills than I have doesn't look to test this in a couple of days, I will OK and validate on the basis of Herman's clean install.
CC: (none) => andrewsfarm
Validating.
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0240.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED