I wonder how long it takes to get the updated LXC 2.0 for CentOS and Fedora. It does not reflect the newly fixed bugs.
On Tue, May 31, 2016 at 2:16 PM, Stéphane Graber <[email protected]> wrote:
> Hello everyone,
>
> Today we're releasing LXD 2.0.2 as a security release for two recent CVEs.
>
> The main announcement can be found at:
> https://linuxcontainers.org/lxd/news/
>
>
> == CVE-2016-1581 ==
> Robie Basak noticed that after setting up a loop based ZFS pool through
> "lxd init" the resulting file (/var/lib/lxd/zfs.img) was world readable.
>
> This would allow any user on the system, and a potential attacker to
> copy and then read the data of any LXD container, regardless of file
> permissions inside the container.
>
> LXD 2.0.2 fixes the "lxd init" logic to always set the mode of zfs.img to
> 0600.
>
> Additionally a one-time upgrade step will trigger on first run and reset
> any existing zfs.img mode to be 0600.
>
> If you manage an affected system and suspect an unauthorized user may
> have accessed the zfs.img file, you should consider replacing any secret
> that was stored in the affected containers (private keys and similar
> credentials).
>
>
> == CVE-2016-1582 ==
> Robie Basak noticed that when switching an unprivileged container
> (default, security.privileged=false) into privileged mode (by setting
> security.privileged to true), the container rootfs is properly remapped
> but the container directory itself (/var/lib/lxd/containers/XYZ) remains
> at 0755.
>
> This is a problem because it allows an unprivileged user on the host to
> access any world readable path under /var/lib/lxd/containers/XYZ which
> may include setuid binaries.
>
> Such setuid binaries could then be used on the host to access otherwise
> inaccessible data or to escalate one's privileges.
>
> LXD 2.0.2 fixes this behavior by making sure all privileged containers
> are always root-owned and have their mode set to 0700 to prevent
> traversal by unprivileged users.
>
> Additionally a one-time upgrade step will trigger on first run and reset
> any existing privileged containers' ownership and mode to root:root 0700
>
>
> We recommend everyone update to LXD 2.0.2 as soon as possible.
> Especially if you are a user of loop-mounted ZFS or privileged
> containers!
>
>
> Thanks to the Ubuntu Security team for coordinating the disclosure of
> those two CVEs with other Linux distributions.
>
>
> As a reminder, the 2.0 series is supported for bugfix and security
> updates up until June 2021.
>
>
> Stéphane Graber
> On behalf of the LXD development team
>
> _______________________________________________
> lxc-users mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-users
>
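For anyone on a distribution that has not yet shipped LXD 2.0.2, the two fixes quoted above are plain filesystem permission checks, so they can be audited (and, if needed, corrected by hand) independently of the package update. The script below is an added example written for this thread; it is not LXD project code. It checks the paths the advisory names (zfs.img must be 0600; each privileged container directory under /var/lib/lxd/containers must be root:root 0700) and can apply the same remediation the one-time upgrade step performs. It assumes the caller supplies the list of privileged container names (for example from `lxc config get <name> security.privileged`), and the `build_demo_dir` helper only constructs a throwaway directory layout so the checks can be exercised without a real LXD host.

```python
"""Audit an LXD data directory for the permission issues fixed in LXD 2.0.2.

Added example, not part of the LXD project. Paths and modes come from the
LXD 2.0.2 advisory; which containers are privileged is an input supplied by
the caller (assumption: obtained via `lxc config get <name> security.privileged`).
"""
import os
import stat
import tempfile
from pathlib import Path

DEFAULT_LXD_DIR = "/var/lib/lxd"  # data directory named in the advisory


def _mode(path):
    """Permission bits only (no file-type bits) of a path."""
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_lxd(lxd_dir, privileged, check_owner=True):
    """Return a list of (path, problem) tuples; empty list means compliant.

    privileged: iterable of container names with security.privileged=true.
    check_owner: also require root:root on privileged container directories
                 (disabled in the self-test, which runs unprivileged).
    """
    findings = []
    lxd = Path(lxd_dir)

    # CVE-2016-1581: loop-backed ZFS pool file must not be group/world readable
    zfs_img = lxd / "zfs.img"
    if zfs_img.exists():
        mode = _mode(zfs_img)
        if mode & 0o077:
            findings.append((str(zfs_img), "mode %04o, expected 0600" % mode))

    # CVE-2016-1582: privileged container directories must not be traversable
    for name in privileged:
        cdir = lxd / "containers" / name
        if not cdir.is_dir():
            continue
        st = os.stat(cdir)
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:
            findings.append((str(cdir), "mode %04o, expected 0700" % mode))
        if check_owner and (st.st_uid != 0 or st.st_gid != 0):
            findings.append((str(cdir), "owner %d:%d, expected root:root"
                             % (st.st_uid, st.st_gid)))
    return findings


def remediate_lxd(lxd_dir, privileged, chown=True):
    """Apply the 2.0.2 upgrade-step remediation. Returns the paths changed.

    chown=True additionally sets root:root on privileged container
    directories, which requires running as root on a real host.
    """
    changed = []
    lxd = Path(lxd_dir)
    zfs_img = lxd / "zfs.img"
    if zfs_img.exists() and _mode(zfs_img) != 0o600:
        os.chmod(zfs_img, 0o600)
        changed.append(str(zfs_img))
    for name in privileged:
        cdir = lxd / "containers" / name
        if not cdir.is_dir():
            continue
        if _mode(cdir) != 0o700:
            os.chmod(cdir, 0o700)
            changed.append(str(cdir))
        if chown:
            st = os.stat(cdir)
            if st.st_uid != 0 or st.st_gid != 0:
                os.chown(cdir, 0, 0)
    return changed


def build_demo_dir():
    """Construct a throwaway layout mirroring the pre-2.0.2 state (constructed
    sample data, not taken from any real host): world-readable zfs.img and a
    privileged container directory still at 0755."""
    root = tempfile.mkdtemp(prefix="lxd-audit-demo-")
    os.makedirs(os.path.join(root, "containers", "priv"))
    os.makedirs(os.path.join(root, "containers", "unpriv"))
    open(os.path.join(root, "zfs.img"), "w").close()
    os.chmod(os.path.join(root, "zfs.img"), 0o644)
    os.chmod(os.path.join(root, "containers", "priv"), 0o755)
    os.chmod(os.path.join(root, "containers", "unpriv"), 0o755)
    return root


if __name__ == "__main__":
    demo = build_demo_dir()
    for path, problem in audit_lxd(demo, ["priv"], check_owner=False):
        print("FINDING: %s: %s" % (path, problem))
    print("fixed:", remediate_lxd(demo, ["priv"], chown=False))
    print("after:", audit_lxd(demo, ["priv"], check_owner=False))
```

On a real host run it as root against DEFAULT_LXD_DIR with the privileged container names; the unprivileged container in the demo is left at 0755 on purpose, because the advisory only tightens privileged containers (unprivileged ones are protected by uid remapping, not by the directory mode).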
