
Re: CVE-2023-2884[0-2]: impact for debian user



On Friday 23 June 2023, 12:44:59 UTC Bastien Roucariès wrote:
> On Thursday 22 June 2023, 13:51:54 UTC Ben Hutchings wrote:
> > On Thu, 2023-06-22 at 10:37 +0000, Bastien Roucariès wrote:
> > > Hi,
> > > 
> > > I want to discuss CVE-2023-2884[0-2].
> > > 
> > > In order to be vulnerable, the host kernel needs to disable the xt_u32 module.
> > > 
> > > Moreover, upstream dropped support for xt_u32 in newer versions, see
> > > https://github.com/moby/moby/commit/4d04068184cf34af7be43272db1687143327cdf7
> > > Do we support only xt_bpf in buster?
> > > 
> > > I believe it is not a problem for Debian systems (at least for buster), for the default kernel.
> > > 
> > > What is your advice on these bugs?
> > 
> > I think you are right for -28840 and -28841, but the description of
> > -28842 at <https://security-tracker.debian.org/tracker/CVE-2023-28842>
> > does not say having xt_u32 available everywhere is a mitigation.
> 
Indeed you are right, I have pushed a fix: https://salsa.debian.org/lts-team/packages/docker.io

Can somebody test? I do not have the hardware and the debug tools for debugging this problem, and I will appreciate a review and test.

Bastien
