Re: [SECURITY] [DLA 3735-1] runc security update



Hi Daniel,

On Mon, Feb 19, 2024 at 11:00:14AM +0100, Daniel Leidert wrote:
> Am Montag, dem 19.02.2024 um 07:11 +0100 schrieb Salvatore Bonaccorso:
> 
> [..]
> 
> > > Debian LTS Advisory DLA-3735-1
> 
> [..]
> 
> > The DLA reservation for this update in data/DLA/list seems missing,
> > can you push the changes there? Otherwise there is potential that
> > there will be a duplicate DLA assignment, apart from the fact that the
> > tracker will also not show the fixing information correctly.
> 
> I'm sorry. I was sure I pushed it. I merged my commits now and pushed.

Thanks!

> > Out of interest: For CVE-2024-21626 upstream mentioned in their GHSA:
> > Affected versions: >=v1.0.0-rc93,<=1.1.11. If this is not correct then
> > it might be worth pointing it out to upstream so they can adjust the
> > affected version range. Do you know more by chance?
> 
> That is interesting and does not reflect my understanding. I planned
> on talking to upstream anyway. However, most of the patchset for CVE-2024-
> 21626 contains hardening measures to prevent similar attacks. Thus,
> I believe that these patches are valuable in any case.

Ack! I'm curious to hear what upstream's take is. So if you hear
something back, it would be welcome if you can share it.

Regards,
Salvatore
