Hello,

Today we're releasing security fixes for CVE-2017-5985.

This security issue was reported by Jann Horn from Google and has to do with a lack of netns ownership check in lxc-user-nic, which would allow any user with a lxc-usernet allocation to create network interfaces on the host including choosing the name of that network interface.

The created interface wouldn't be UP so is unlikely to be automatically brought up or get an address, but this issue could be used to squat the name of a real system network interface before it appears.

The fix we're pushing today has lxc-user-nic drop privilege to the requesting user at interface rename time. This will still allow users to create veth pairs but it will not let them be renamed to whatever they want.

Original report: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1654676

We have fixes for all supported LXC branches:
 - stable-1.0: https://github.com/lxc/lxc/commit/c905f00ad78b78a5e9c0d67504b86e00dfe085ec
 - stable-2.0: https://github.com/lxc/lxc/commit/d512bd5efb0e407eba350c4e649c464a65b712a3
 - master: https://github.com/lxc/lxc/commit/16af238036a5464ae8f2420ed3af214f0de875f9

We also have a backported version of the fix for LXC 1.1 should anyone still use this unsupported version of LXC:
https://github.com/lxc/lxc/commit/7e678d3d2a297abe8a6e2d673a7ada3994ebe4e5

Distributions have been notified ahead of this release so most of them should have updated packages out already or will really soon.

This security fix will be included in the next round of LXC bugfix releases, until then, people building by hand should be including the fixes above.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
_______________________________________________ lxc-users mailing list lxc-users@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-users
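
To gauge exposure on a host that has not yet been patched, the following added example (not part of the original message and not LXC project code) lists which users and groups hold a non-zero lxc-usernet allocation, since those are the accounts the announcement says could create host interfaces. It assumes the `user type bridge number` line format of lxc-usernet(5), with `@group` for group entries and the usual path /etc/lxc/lxc-usernet; the sample content is constructed, and skipping lines that start with `#` is an assumption.

```python
import sys

# Constructed sample in lxc-usernet(5) format: <user|@group> <type> <bridge> <number>
SAMPLE_USERNET = """\
# constructed sample, not taken from a real host
alice veth lxcbr0 10
@lxc-devs veth lxcbr0 5
bob veth br-dmz 2
alice veth br-dmz 1
carol veth lxcbr0 0
malformed line
"""

def audit_usernet(text):
    """Return (entries, malformed): entries are (principal, type, bridge, number)
    tuples with number > 0; malformed holds 1-based line numbers that do not parse."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: treat '#' lines as comments
            continue
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            malformed.append(lineno)
            continue
        principal, nic_type, bridge, number = fields
        if int(number) > 0:  # a zero quota grants no interface creation
            entries.append((principal, nic_type, bridge, int(number)))
    return entries, malformed

def exposed_principals(text):
    """Sorted users and @groups holding at least one non-zero allocation."""
    entries, _ = audit_usernet(text)
    return sorted({e[0] for e in entries})

if __name__ == "__main__":
    # Pass the real file path (e.g. /etc/lxc/lxc-usernet) to audit a host;
    # with no argument the constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            content = fh.read()
    else:
        content = SAMPLE_USERNET
    entries, malformed = audit_usernet(content)
    for principal, nic_type, bridge, number in entries:
        print(f"{principal}: up to {number} {nic_type} on {bridge}")
    for lineno in malformed:
        print(f"line {lineno}: not in 'user type bridge number' form", file=sys.stderr)
```

An empty result means no account has an allocation to use with lxc-user-nic; any listed principal is a reason to prioritise the updated packages.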