Your message dated Fri, 27 Mar 2026 19:53:34 +0000
with message-id <[email protected]>
and subject line Bug#1132021: fixed in crun 1.27-1
has caused the Debian Bug report #1132021,
regarding crun: CVE-2026-30892
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1132021: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132021
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: crun
Version: 1.26-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1.21-1
Hi,
The following vulnerability was published for crun.
CVE-2026-30892[0]:
| crun is an open source OCI Container Runtime fully written in C. In
| versions 1.19 through 1.26, the `crun exec` option `-u` (`--user`)
| is incorrectly parsed. The value `1` is interpreted as UID 0 and GID
| 0 when it should have been UID 1 and GID 0. The process thus runs
| with higher privileges than expected. Version 1.27 patches the
| issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-30892
https://www.cve.org/CVERecord?id=CVE-2026-30892
[1] https://github.com/containers/crun/security/advisories/GHSA-4vg2-xjqj-7chj
Regards,
Salvatore
--- End Message ---
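A version check built from the range quoted in the report above (affected 1.19 through 1.26, patched in 1.27). This is an added example, not part of the original messages and not crun or Debian tooling. The function names are hypothetical, and only the upstream major.minor is compared.

```shell
#!/bin/sh
# Added example: classify a crun version string against the CVE-2026-30892
# range from the report (1.19 through 1.26 affected, 1.27 patched).
# Caveat: compares the upstream version only. A distribution build that
# carries a backported fix under an older upstream version will still be
# reported as "affected"; check the distribution's security tracker then.

# Reduce a package version to its upstream part,
# e.g. "1:1.21-1~bpo12+1" -> "1.21", "1.26-1" -> "1.26".
upstream_version() {
    uv_v=${1#*:}            # drop "epoch:" if present
    uv_v=${uv_v%-*}         # drop the Debian revision (after the last hyphen)
    uv_v=${uv_v%%[+~]*}     # drop "+..." / "~..." suffixes
    printf '%s\n' "$uv_v"
}

# Print "affected", "not-affected" or "unknown" for a version string.
crun_status() {
    cs_up=$(upstream_version "$1")
    case $cs_up in
        ''|*[!0-9.]*|.*|*.|*..*)    # empty or not a dotted number
            echo unknown
            return 0 ;;
    esac
    cs_major=${cs_up%%.*}
    cs_rest=${cs_up#*.}
    [ "$cs_rest" = "$cs_up" ] && cs_rest=0   # no dot at all: minor is 0
    cs_minor=${cs_rest%%.*}
    if [ "$cs_major" -eq 1 ] && [ "$cs_minor" -ge 19 ] && [ "$cs_minor" -le 26 ]; then
        echo affected
    else
        echo not-affected
    fi
    return 0
}

# Usage on a Debian system (not run here):
#   crun_status "$(dpkg-query -W -f='${Version}' crun)"
```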
--- Begin Message ---
Source: crun
Source-Version: 1.27-1
Done: Faidon Liambotis <[email protected]>
We believe that the bug you reported is fixed in the latest version of
crun, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Faidon Liambotis <[email protected]> (supplier of updated crun package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 27 Mar 2026 13:08:46 +0200
Source: crun
Architecture: source
Version: 1.27-1
Distribution: unstable
Urgency: medium
Maintainer: Faidon Liambotis <[email protected]>
Changed-By: Faidon Liambotis <[email protected]>
Closes: 1107098 1125794 1132021
Changes:
 crun (1.27-1) unstable; urgency=medium
 .
   * New upstream release.
     - Fixes CVE-2026-30892. (Closes: #1132021)
     - Fix /dev/console on read-only file systems regression (Closes: #1125794)
   * Use the system copy of libblake3 (newly added to the archive) instead of
     the embedded copy. (Closes: #1107098)
   * Update d/copyright to document files that have been added since the last
     update.
   * Remove Priority: optional and Rules-Requires-Root: no, the defaults now.
   * Bump Standards-Version to 4.7.3.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---