Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Hi Reinhard,

On Sun, Aug 25, 2019 at 09:33:58AM -0400, Reinhard Tartler wrote:
> Copying the debian-release mailing list, hope that's OK with everyone.

Ack, no issue with quoting the below to the release mailing list. The SRM though prefer for actual proposed updates to have filed a corresponding bug. Doing so now and full quoting below the rationale for the no-dsa:

> On 8/24/19 6:05 AM, Moritz Mühlenhoff wrote:
> > On Sun, Aug 11, 2019 at 09:10:52PM +0200, Salvatore Bonaccorso wrote:
> >> Hi Reinhard,
> >>
> >> Apologies it took that long to come back to you in the first place.
> >>
> >> On Wed, Aug 07, 2019 at 06:13:08PM -0400, Reinhard Tartler wrote:
> >>> Hi Security Team,
> >>>
> >>> I have not received an answer to my question below. Any chance you
> >>> could get back to me on that?
> >>
> >> Unless I severely misunderstand something, slirp4netns is useful for
> >> instance for networking with unprivileged containers and it needs user
> >> namespaces to be enabled.
> >>
> >> By default those are for good reasons disabled in Debian, as well in
> >> buster.
> >>
> >> As such I would have said it would be enough to fix this issue for the
> >> upcoming point release on 7th September (so there is still enough time
> >> to prepare updates).
> >>
> >> Can we route you towards the point release for it? It would though be
> >> good to include the fix for the new CVE-2019-14378 (#933742) as well.
> >> Prerequisite though that it gets accepted for stable is that the fix
> >> is as well first in unstable.
> >
> > Agreed, enabling unprivileged user namespaces is not fully supported
> > by security support and Debian explicitly disables them by default
> > as it causes a ton of security issues in the Linux kernel (which
> > are often still fixed, but e.g. no DSAs are being released for such
> > issues).
> >
> > As such, can you fix slirp4netns by the 10.1 buster point release?
>
> Done, I've just uploaded 0.2.3 to buster, fixing two CVEs:
>
> Changes:
>  slirp4netns (0.2.3-1) buster; urgency=medium
>  .
>    * New upstream releases:
>      - 0.2.2: check sscanf result when emulating ident, CVE-2019-9824
>      - 0.2.3: Fixes heap overflow in included libslirp, Closes: #933742,
>        CVE-2019-14378
> Checksums-Sha1:
>  459c12f439d0f2ba629d1ad5791ca49041931709 2087 slirp4netns_0.2.3-1.dsc
>  befcd9e2f1b1fbf8b51ccac4b83536e22af12003 136459 slirp4netns_0.2.3.orig.tar.gz
>  370b1cf92bf21491038fc08f9d4fa3fcba432878 3968 slirp4netns_0.2.3-1.debian.tar.xz

Regards,
Salvatore