On 30 January 2017 at 10:51, Thorsten Alteholz <deb...@alteholz.de> wrote: > the following vulnerability was published for runc. > > CVE-2016-8867: > | Docker Engine 1.12.2 enabled ambient capabilities with misconfigured > | capability policies. This allowed malicious images to bypass user > | permissions to access files within the container filesystem or mounted > | volumes. > > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
Thanks Thorsten! This one definitely doesn't apply to the runc 0.1.1 we have in Debian -- the first "ambient capabilities" functionality added upstream was in https://github.com/opencontainers/runc/pull/1086 (and several more followed to tweak the behavior), but that wasn't included in a release until 1.0.0-rc2. :) (leaving the bug open since I don't want to mess up anything related to the security tracker) ♥, - Tianon 4096R / B42F 6819 007F 00F8 8E36 4FD4 036A 9C25 BF35 7DD4 _______________________________________________ Pkg-go-maintainers mailing list Pkgemail@example.com http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-go-maintainers