Le jeudi 22 juin 2023, 13:51:54 UTC Ben Hutchings a écrit : > On Thu, 2023-06-22 at 10:37 +0000, Bastien Roucariès wrote: > > Hi, > > > > I want to discuss about CVE-2023-2884[0-2]. > > > > In order to be vulnerable host kernel need to disable the xt_u32 module. > > > > Moreover upstream drop for newer version support of xt_u32 see > > https://github.com/moby/moby/commit/4d04068184cf34af7be43272db1687143327cdf7 > > Do we support only xt_bpf in buster ? > > > > I believe it is not a problem for debian system (at least for buster), for default kernel. > > > > What is your advice on these bugs ? > > I think you are right for -28840 and -28841, but the description of - > 28842 at <https://security-tracker.debian.org/tracker/CVE-2023-28842> > does not say having xt_u32 available everywhere is a mitigation. Indeed you are right. Bastien > > Ben. > > > > > BTW the upstream fix is: > > https://github.com/moby/moby/commit/878ee341d6fad3c0a28f9bd5471eb56736579010 > > and seems inclomplete without: > > https://github.com/moby/moby/commit/1e195acee45ac69a2f7d8d4f2c9ea05ff6b0af2c > > And for completeness again auser config: > > https://github.com/moby/moby/commit/9a692a38028f4914a3a914c9a229e61bb3fbaf66 > > > > Bastien > >
Attachment:
signature.asc
Description: This is a digitally signed message part.