On Mon 2 Aug 2021, at 11:48, Dominique Dumont <d...@debian.org> wrote:
> On Tuesday, 27 July 2021 18:07:53 CEST Gareth Evans wrote:
> > Given that these are all fixed in Bullseye (and at least the grave
> > apt-listbugs issue has been fixed in eg Ubuntu since March 2020 [1]) why
> > not also Buster?
>
> According to runc security tracker, a fixed runc is available for buster,
> albeit in buster's security repository.

Thanks Dominique, do you have a link for this please?

All I can find is

https://security-tracker.debian.org/tracker/source-package/runc

which includes

"available versions ... buster 1.0.0~rc6+dfsg1-3"

and in the section following that, the ~rc6 version is apparently vulnerable on Buster to all open issues listed (at the time of writing), including CVE-2019-16884 complained of by apt-listbugs.

I can't see any reference there to a security repo version, and my system doesn't find it, even after adding the line suggested in "keeping secure" [link below] to sources.list

> I guess that security repo is missing from your /etc/apt/sources.list
>
> See https://www.debian.org/security/#keeping-secure for instructions.

I already had a couple of references to security repos (do they all point to the same thing?) but added the line suggested anyway - but no change even after reboot and a second update.

$ sudo cat /etc/apt/sources.list
deb https://deb.debian.org/debian buster contrib main non-free
deb https://deb.debian.org/debian buster-updates contrib main non-free
deb https://deb.debian.org/debian-security/ buster/updates contrib main non-free
deb https://deb.debian.org/debian buster-backports contrib main non-free
deb https://security.debian.org/ buster/updates contrib main non-free
deb https://security.debian.org/debian-security buster/updates contrib main non-free

$ sudo apt update
Hit:1 https://security.debian.org buster/updates InRelease
Hit:2 https://deb.debian.org/debian buster InRelease
Hit:3 https://linux.teamviewer.com/deb stable InRelease
Hit:4 https://security.debian.org/debian-security buster/updates InRelease
Hit:5 https://deb.debian.org/debian buster-updates InRelease
Hit:6 https://deb.debian.org/debian-security buster/updates InRelease
Hit:7 https://deb.debian.org/debian buster-backports InRelease
...
All packages are up to date.

$ sudo apt install docker.io
...
grave bugs of runc (→ 1.0.0~rc6+dfsg1-3) <Resolved in some Version>
 b1 - #942026 - runc: CVE-2019-16884 (Fixed: runc/1.0.0~rc9+dfsg1-1)
Summary:
 runc(1 bug)
Are you sure you want to install/upgrade the above packages? [Y/n/?/...]

Tracker still shows that CVE and two others as open security issues in Buster.

https://tracker.debian.org/pkg/runc

and

$ apt policy runc
runc:
  Installed: (none)
  Candidate: 1.0.0~rc6+dfsg1-3
  Version table:
     1.0.0~rc6+dfsg1-3 500
        500 https://deb.debian.org/debian buster/main amd64 Packages

Grateful for any further advice.

Thanks,
Gareth

>
> HTH
>
> Dod