Bug#1031109: bullseye-pu: package crun/0.17+dfsg-1+deb11u1

To: Faidon Liambotis <paravoid@debian.org>, 1031109@bugs.debian.org
Subject: Bug#1031109: bullseye-pu: package crun/0.17+dfsg-1+deb11u1
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Sat, 01 Apr 2023 20:24:57 +0100
Message-id: <[🔎] f08749a4e2bf0eb3df1cf40d1740fd1645929348.camel@adam-barratt.org.uk>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 1031109@bugs.debian.org
In-reply-to: <Y+gRXtfAU30oTyIe@tty.gr>
References: <Y+gRXtfAU30oTyIe@tty.gr> <Y+gRXtfAU30oTyIe@tty.gr>

Control: tags -1 + confirmed

On Sun, 2023-02-12 at 00:06 +0200, Faidon Liambotis wrote:
> A no-dsa security vulnerability, CVE-2022-27650:
> https://security-tracker.debian.org/tracker/CVE-2022-27650
> 
> [ Impact ]
> Copying from the CVE:
> 
> "A flaw was found in crun where containers were incorrectly started
> with
> non-empty default permissions. A vulnerability was found in Moby
> (Docker
> Engine) where containers were started incorrectly with non-empty
> inheritable Linux process capabilities. This flaw allows an attacker
> with access to programs with inheritable file capabilities to elevate
> those capabilities to the permitted set when execve(2) runs."
> 

Please go ahead; sorry for the delay.

Regards,

Adam

Reply to:

Follow-Ups:
- Bug#1031109: bullseye-pu: package crun/0.17+dfsg-1+deb11u1
  - From: Faidon Liambotis <paravoid@debian.org>

Prev by Date: Bug#1031630: bullseye-pu: package containerd/1.4.13~ds1-1~deb11u4
Next by Date: Bug#1031410: bullseye-pu: package postgis/3.1.1+dfsg-1+deb11u1
Previous by thread: Processed: Re: Bug#1031630: bullseye-pu: package containerd/1.4.13~ds1-1~deb11u4
Next by thread: Processed: Re: Bug#1031109: bullseye-pu: package crun/0.17+dfsg-1+deb11u1
Index(es):
- Date
- Thread