This bug was fixed in the package linux-lts-utopic - 3.16.0-76.98~14.04.1

---------------
linux-lts-utopic (3.16.0-76.98~14.04.1) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1596019

  [ Upstream Kernel Changes ]

  * netfilter: x_tables: validate e->target_offset early
    - LP: #1555338
    - CVE-2016-3134
  * netfilter: x_tables: make sure e->next_offset covers remaining blob size
    - LP: #1555338
    - CVE-2016-3134
  * netfilter: x_tables: fix unconditional helper
    - LP: #1555338
    - CVE-2016-3134
  * netfilter: x_tables: don't move to non-existent next rule
    - LP: #1595350
  * netfilter: x_tables: validate targets of jumps
    - LP: #1595350
  * netfilter: x_tables: add and use xt_check_entry_offsets
    - LP: #1595350
  * netfilter: x_tables: kill check_entry helper
    - LP: #1595350
  * netfilter: x_tables: assert minimum target size
    - LP: #1595350
  * netfilter: x_tables: add compat version of xt_check_entry_offsets
    - LP: #1595350
  * netfilter: x_tables: check standard target size too
    - LP: #1595350
  * netfilter: x_tables: check for bogus target offset
    - LP: #1595350
  * netfilter: x_tables: validate all offsets and sizes in a rule
    - LP: #1595350
  * netfilter: x_tables: don't reject valid target size on some architectures
    - LP: #1595350
  * netfilter: arp_tables: simplify translate_compat_table args
    - LP: #1595350
  * netfilter: ip_tables: simplify translate_compat_table args
    - LP: #1595350
  * netfilter: ip6_tables: simplify translate_compat_table args
    - LP: #1595350
  * netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
    - LP: #1595350
  * netfilter: x_tables: do compat validation via translate_table
    - LP: #1595350
  * netfilter: x_tables: introduce and use xt_copy_counters_from_user
    - LP: #1595350

linux-lts-utopic (3.16.0-75.97~14.04.1) trusty; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1595703

  [ Serge Hallyn ]

  * SAUCE: add a sysctl to disable unprivileged user namespace unsharing
    - LP: #1555338, #1595350

linux-lts-utopic (3.16.0-74.96~14.04.1) trusty; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1591324

  [ Kamal Mostafa ]

  * [debian] getabis: Only git add $abidir if running in local repo
    - LP: #1584890
  * [debian] getabis: Fix inconsistent compiler versions check
    - LP: #1584890

  [ Tim Gardner ]

  * [Config] Remove arc4 from nic-modules
    - LP: #1582991

  [ Upstream Kernel Changes ]

  * Revert "usb: hub: do not clear BOS field during reset device"
    - LP: #1582864
  * mm/balloon_compaction: redesign ballooned pages management
    - LP: #1572562
  * mm/balloon_compaction: fix deflation when compaction is disabled
    - LP: #1572562
  * ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
    - LP: #1580379
    - CVE-2016-4569
  * ALSA: timer: Fix leak in events via snd_timer_user_ccallback
    - LP: #1581866
    - CVE-2016-4578
  * ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
    - LP: #1581866
    - CVE-2016-4578
  * net: fix a kernel infoleak in x25 module
    - LP: #1585366
    - CVE-2016-4580
  * get_rock_ridge_filename(): handle malformed NM entries
    - LP: #1583962
    - CVE-2016-4913
  * netfilter: Set /proc/net entries owner to root in namespace
    - LP: #1584953
  * USB: usbfs: fix potential infoleak in devio
    - LP: #1578493
    - CVE-2016-4482
  * IB/security: Restrict use of the write() interface
    - LP: #1580372
    - CVE-2016-4565

 -- Luis Henriques <luis.henriq...@canonical.com>  Fri, 24 Jun 2016 17:17:07 +0100
https://bugs.launchpad.net/bugs/1584953

Title:
  backport fix for /proc/net issues with containers

Status in linux package in Ubuntu:
  Fix Released
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux source package in Trusty:
  Fix Released
Status in linux-lts-utopic source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Released
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux source package in Wily:
  Fix Released
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux source package in Xenial:
  Fix Released
Status in linux-lts-utopic source package in Xenial:
  Invalid

Bug description:
  SRU Justification

  Impact: iptables-save fails in lxd containers because of the ownership
  of /proc/net/ip_tables_names. This command is needed to manage firewalls
  in containers using Puppet.

  Fix: Upstream commit f13f2aeed154da8e48f90b85e720f8ba39b1e881
  ("netfilter: Set /proc/net entries owner to root in namespace"), which
  sets the owner of the /proc/net files to root in the user namespace that
  owns the net namespace.

  Test Case: Script attached to this bug report. Before the fix no output
  will be seen from iptables-save; after the fix it will output the
  iptables rules.

  ---

  Request to backport kernel changes from kernel 4.5 to the LTS kernel 4.4
  for xenial and, if possible, to the LTS kernel for 14.04.

  Change upstream:
  netfilter: Set /proc/net entries owner to root in namespace
  http://git.kernel.org/cgit/linux/kernel/git/pablo/nf-next.git/commit/?id=f13f2aeed154da8e48f90b85e720f8ba39b1e881

  This is the kernel-side part of the fix for "iptables-save does not work
  inside lxd containers"
  https://github.com/lxc/lxd/issues/1978#issuecomment-220998013

  The necessary changes in lxc landed in lxc/lxd
  https://github.com/lxc/lxc/pull/1014 and are available in version 2.0.1,
  currently in xenial-proposed.

  It would be great if this could be backported asap, as it allows managing
  the firewall within lxd instances using Puppet and probably other
  configuration management systems, and using iptables-save manually.

--
Mailing list: https://launchpad.net/~kernel-packages
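An added diagnostic (not the test script attached to the bug, and not Ubuntu's code) that shows the mechanism behind the SRU test case: on a kernel without commit f13f2aeed154 the /proc/net entries belong to the init user namespace's root, a uid with no mapping inside a container, so the kernel reports the overflow uid (kernel.overflowuid, 65534 by default) as the owner and container root cannot read the 0440 ip_tables_names file, which is why iptables-save prints nothing. The entry names, the overflow-uid convention and the use of GNU stat are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic (not the bug's attached test script). Assumes GNU stat.
# Before commit f13f2aeed154 the /proc/net entries belonged to the init user
# namespace's root; inside a container that uid has no mapping, so the kernel
# reports the overflow uid (kernel.overflowuid, 65534 by default) as owner and
# container root cannot read the owner/group-only (0440) ip_tables_names file.

# Uid the kernel substitutes for ids that do not map into this namespace.
overflow_uid() {
    if [ -r /proc/sys/kernel/overflowuid ]; then
        cat /proc/sys/kernel/overflowuid
    else
        echo 65534
    fi
}

# 0: owner maps into this user namespace (fix present, or not in a container)
# 1: owner is the overflow uid (unfixed kernel as seen from a container)
# 2: entry does not exist (iptables modules not loaded)
check_proc_net_entry() {
    [ -e "$1" ] || return 2
    [ "$(stat -c '%u' "$1")" != "$(overflow_uid)" ]
}

# Report on the entries iptables-save and ip6tables-save read first, then try
# iptables-save itself when it is installed.
report() {
    for f in /proc/net/ip_tables_names /proc/net/ip6_tables_names; do
        rc=0
        check_proc_net_entry "$f" || rc=$?
        case $rc in
            0) echo "$f: owner $(stat -c '%u:%g mode %a' "$f") maps into this namespace" ;;
            1) echo "$f: owned by overflow uid $(overflow_uid); kernel lacks the /proc/net ownership fix" ;;
            2) echo "$f: not present" ;;
        esac
    done
    if command -v iptables-save >/dev/null 2>&1; then
        if iptables-save | grep -q '^\*'; then
            echo "iptables-save: produced table output"
        else
            echo "iptables-save: no output (expected on an unfixed kernel inside a container)"
        fi
    fi
}

if [ "${1:-}" = "--report" ]; then
    report
fi
```

Run it as root inside the container with `--report`; a result of "owned by overflow uid" on ip_tables_names is the signature of the unfixed kernel described in the bug.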