Debian-LTS has issued an advisory on March 27: https://www.debian.org/lts/security/2023/dla-3369 Mageia 8 is also affected.
Status comment: (none) => Patches available from upstream and Debian
Whiteboard: (none) => MGA8TOO
I suggest that we wait for official 1.1.5 due to other CVE to be fixed with it: https://github.com/opencontainers/runc/issues/3789
Status: NEW => ASSIGNED
1.1.5 submitted for cauldron and mga8 updates_testing.
Version: Cauldron => 8
CC: (none) => bruno
Whiteboard: MGA8TOO => (none)
Assignee: bruno => qa-bugs
Status comment: Patches available from upstream and Debian => (none)
opencontainers-runc-1.1.5-1.mga8
from opencontainers-runc-1.1.5-1.mga8.src.rpm

Note that this is still awaiting a freeze move for Cauldron. In fact, I don't see a request submitted to the dev ml. Bruno?
I made the request to the sysadmin ml.
Mageia8, x86_64

CLI tool for open containers. Clean update from the previously tested version.
Referencing bug 30421.
Restarted docker and ran hello-world to check installation.

$ docker run hello-world
Hello from Docker!
This message shows that your installation appears to be working correctly.
$ docker ps -a
CONTAINER ID   IMAGE         COMMAND    CREATED          STATUS                      PORTS     NAMES
737663dbf81f   hello-world   "/hello"   24 seconds ago   Exited (0) 23 seconds ago             zealous_ride
$ docker run -it ubuntu bash
Unable to find image 'ubuntu:latest' locally
latest: Pulling from library/ubuntu
2ab09b027e7f: Pull complete
Digest: sha256:67211c14fa74f070d27cc59d69a7fa9aeff8e28ea118ef3babc295a0428a6d21
Status: Downloaded newer image for ubuntu:latest
root@c65071eda6c0:/# exit
exit
$ docker run -it -h cowsay debian bash
Unable to find image 'debian:latest' locally
latest: Pulling from library/debian
3e440a704568: Pull complete
Digest: sha256:7b991788987ad860810df60927e1adbaf8e156520177bd4db82409f81dd3b721
Status: Downloaded newer image for debian:latest
root@cowsay:/# apt-get update
[...]
Fetched 8642 kB in 2s (4631 kB/s)
Reading package lists... Done
root@cowsay:/# /usr/games/fortune | /usr/games/cowsay
bash: /usr/games/cowsay: No such file or directory
bash: /usr/games/fortune: No such file or directory
root@cowsay:/# apt-get install ruby
<installed ruby 2.7>
Running hooks in /etc/ca-certificates/update.d...
done.
root@cowsay:/# irb
irb(main):001:0> a = (1..21).to_a
=> [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21]
irb(main):002:0> sum = a.inject(&:+)
=> 231
irb(main):003:0> exit
root@cowsay:/# exit
exit

Shame about cowsay. Must have found greener grass over the hill.
Anyway, the container is functioning with docker.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25
Absolutely OT. Fortunately we have it.

$ fortune | cowsay -t
 _______________________________________
/ The average individual's position in  \
| any hierarchy is a lot like pulling a |
| dogsled -- there's no real change of  |
\ scenery except for the lead dog.      /
 ---------------------------------------
        \   ^__^
         \  (--)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
(OT) According to https://markets.businessinsider.com/commodities/live-cattle-price?op=1 live cattle prices to the farmer are up 80% over the last three years. If you couple that with the rising costs of feeding them it's not surprising that some cattle, even talking ones, might not be as easy to find as they once were. But I digress from the business at hand. Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Nice one TJ!
SUSE has issued an advisory for this on April 3: https://lists.suse.com/pipermail/sle-security-updates/2023-April/014342.html The update to 1.1.5 also fixed two other CVEs. Good moove Bruno! :D
Summary: opencontainers-runc new security issue CVE-2023-27561 => opencontainers-runc new security issues CVE-2023-25809, CVE-2023-27561, and CVE-2023-28642
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0125.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED