Bug#1031109: bullseye-pu: package crun/0.17+dfsg-1+deb11u1
Control: tags -1 + confirmed
On Sun, 2023-02-12 at 00:06 +0200, Faidon Liambotis wrote:
> A no-dsa security vulnerability, CVE-2022-27650:
> https://security-tracker.debian.org/tracker/CVE-2022-27650
>
> [ Impact ]
> Copying from the CVE:
>
> "A flaw was found in crun where containers were incorrectly started
> with
> non-empty default permissions. A vulnerability was found in Moby
> (Docker
> Engine) where containers were started incorrectly with non-empty
> inheritable Linux process capabilities. This flaw allows an attacker
> with access to programs with inheritable file capabilities to elevate
> those capabilities to the permitted set when execve(2) runs."
>
Please go ahead; sorry for the delay.
Regards,
Adam
Reply to: