Your message dated Fri, 07 Nov 2025 02:36:51 +0000
with message-id <[email protected]>
and subject line Bug#1120285: fixed in containerd 1.7.24~ds1-9
has caused the Debian Bug report #1120285,
regarding containerd: CVE-2024-25621
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1120285: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120285
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: containerd
Version: 1.7.24~ds1-6
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for containerd.

CVE-2024-25621[0]:
| containerd is an open-source container runtime. Versions 0.1.0
| through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through
| 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad
| default permission vulnerability. Directory paths
| `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri`
| and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were
| all created with incorrect permissions. This issue is fixed in
| versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Workarounds include
| updating system administrator permissions so the host can manually
| chmod the directories to not have group or world accessible
| permissions, or to run containerd in rootless mode.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25621
    https://www.cve.org/CVERecord?id=CVE-2024-25621
[1] https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w
[2] https://github.com/containerd/containerd/commit/0450f046e6942e513d0ebf1ef5c2aff13daa187f

Regards,
Salvatore

--- End Message ---
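
The chmod workaround quoted in the CVE description above, as an added shell example that is not part of the bug report or of containerd: it checks the three listed directories for group or world permission bits and can strip them. The function names and the reliance on GNU `stat` (as shipped on Debian) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Debian or containerd projects): audit the three
# directories named in CVE-2024-25621 for group/world permission bits.
# Assumption: GNU coreutils stat, as shipped on Debian.

CONTAINERD_DIRS="/var/lib/containerd
/run/containerd/io.containerd.grpc.v1.cri
/run/containerd/io.containerd.sandbox.controller.v1.shim"

# check_dir PATH
# Returns 0 if PATH has no group/world bits, 1 if it has any,
# 2 if PATH is missing or not a directory.
check_dir() {
    [ -d "$1" ] || return 2
    mode=$(stat -L -c '%a' -- "$1") || return 2
    # The leading 0 makes the shell parse the mode as octal; 077 masks group+other.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# harden_dir PATH: the chmod workaround from the advisory text (drop group/world access).
harden_dir() {
    chmod -- go-rwx "$1"
}

# audit_all [--fix]: report each directory; with --fix, apply harden_dir to offenders.
# Returns the number of directories still group/world accessible afterwards.
audit_all() {
    bad=0
    for d in $CONTAINERD_DIRS; do
        rc=0; check_dir "$d" || rc=$?
        if [ "$rc" -eq 1 ] && [ "${1:-}" = "--fix" ]; then
            harden_dir "$d"
            rc=0; check_dir "$d" || rc=$?
        fi
        case "$rc" in
            0) echo "OK       $d" ;;
            1) echo "EXPOSED  $d (mode $(stat -L -c '%a' -- "$d"))"; bad=$((bad + 1)) ;;
            *) echo "MISSING  $d" ;;
        esac
    done
    return "$bad"
}

# Run as: sh audit.sh audit   or   sh audit.sh fix   (fix needs root)
case "${1:-}" in
    audit) audit_all ;;
    fix)   audit_all --fix ;;
esac
```

The two `/run/containerd` paths sit on a tmpfs on Debian and are recreated at boot, so re-run the audit after a reboot until the fixed package is installed.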
--- Begin Message ---
Source: containerd
Source-Version: 1.7.24~ds1-9
Done: Reinhard Tartler <[email protected]>

We believe that the bug you reported is fixed in the latest version of
containerd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <[email protected]> (supplier of updated containerd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 06 Nov 2025 20:27:20 -0500
Source: containerd
Architecture: source
Version: 1.7.24~ds1-9
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Reinhard Tartler <[email protected]>
Closes: 1120285
Changes:
 containerd (1.7.24~ds1-9) unstable; urgency=medium
 .
   * golang-github-containerd-containerd-api-dev: Add missing Breaks
   * Backport patch for CVE-2024-25621, Closes: #1120285
   * Bump Standards Version, no changes needed
   * debian/control: Drop redundant Rules-Requires-Root
   * Switch to using Static-Build-Using
   * golang-github-containerd-containerd-api-dev: add ${misc:Depends}


--- End Message ---
