Hi,

On Mon, Feb 19, 2024 at 03:28:00AM +0100, Daniel Leidert wrote:
> -------------------------------------------------------------------------
> Debian LTS Advisory DLA-3735-1                [email protected]
> https://www.debian.org/lts/security/                      Daniel Leidert
> February 19, 2024                             https://wiki.debian.org/LTS
> -------------------------------------------------------------------------
>
> Package        : runc
> Version        : 1.0.0~rc6+dfsg1-3+deb10u3
> CVE ID         : CVE-2021-43784 CVE-2024-21626
> Debian Bug     :
>
> runc is a command line client for running applications packaged according
> to the Open Container Format (OCF) and is a compliant implementation of
> the Open Container Project specification.
>
> CVE-2021-43784
>
>     A flaw has been detected that may lead to a possible length field
>     overflow, allowing user-controlled data to be parsed as control
>     characters.
>
> CVE-2024-21626
>
>     A flaw has been detected which allows several container breakouts
>     due to internally leaked file descriptors. The patch includes fixes
>     and hardening measurements against these types of issues/attacks.
>
> For Debian 10 buster, these problems have been fixed in version
> 1.0.0~rc6+dfsg1-3+deb10u3.
The DLA reservation for this update in data/DLA/list seems to be missing; can
you push the changes there? Otherwise there is potential for a duplicate DLA
assignment, and apart from that the tracker will not show the fixing
information correctly.

Out of interest: for CVE-2024-21626 upstream mentioned in their GHSA:

    Affected versions: >=v1.0.0-rc93,<=1.1.11

If this is not correct then it might be worth pointing it out to upstream so
they can adjust the affected version range. Do you know more by chance?

Regards,
Salvatore
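A small check, added here and not part of the thread, that parses runc version strings (upstream tags such as `v1.0.0-rc93` and Debian versions such as `1.0.0~rc6+dfsg1-3+deb10u3`) and tests whether they fall inside the GHSA range quoted above; the version strings are taken from the advisory and the GHSA, and the parser treats a release candidate as ordering before its final release. It compares upstream version numbers only, so a Debian revision that carries a backported fix (here `+deb10u3`) is still reported as inside or outside the range purely by its upstream version, which is exactly why the tracker needs the DLA data rather than a range comparison.

```python
"""Check whether a runc version string lies in a GHSA-style affected range.

Constructed example: version strings come from the advisory and GHSA quoted
in the thread; the parser and ordering rules are assumptions, not runc's code.
"""
import re

# Accepts "v1.0.0-rc93", "1.1.11", and Debian-style "1.0.0~rc6+dfsg1-3+deb10u3".
# Anything after the upstream version (dfsg suffix, Debian revision) is ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-~]rc(\d+))?")


def parse_runc_version(text):
    """Return (major, minor, patch, rc); rc is None for a final release."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised runc version: {text!r}")
    major, minor, patch, rc = match.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc is not None else None)


def sort_key(version):
    """Ordering key: rcN sorts below the final release of the same x.y.z.

    Release candidates map to (..., 0, N); finals map to (..., 1, 0).
    """
    major, minor, patch, rc = version
    return (major, minor, patch, 0 if rc is not None else 1, rc or 0)


def in_affected_range(text, low="v1.0.0-rc93", high="1.1.11"):
    """True if `text` is within the inclusive range [low, high]."""
    key = sort_key(parse_runc_version(text))
    return sort_key(parse_runc_version(low)) <= key <= sort_key(parse_runc_version(high))


if __name__ == "__main__":
    for candidate in ("1.0.0~rc6+dfsg1-3+deb10u3", "v1.0.0-rc93", "1.0.0", "1.1.11", "1.1.12"):
        print(f"{candidate:30} in GHSA range: {in_affected_range(candidate)}")
```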
