Re: DSA for lxc CVE-2015-1335 [was Re: working for wheezy-security until wheezy-lts starts]
Hi Guido,

On Mon, Mar 28, 2016 at 11:49:55AM +0200, Guido Günther wrote:
> Hi Salvatore,
> On Mon, Mar 28, 2016 at 07:32:38AM +0200, Salvatore Bonaccorso wrote:
> > Hi Guido,
> >
> > On Sun, Mar 27, 2016 at 04:15:10PM +0200, Guido Günther wrote:
> [..snip..]
> > > O.k. to grab lxc fixing CVE-2015-1335 to dsa-needed ?
> >
> > Honestly I tend to actually mark this as no-dsa. My argument is the
> > following: LXC in wheezy was in a really early stage, and a local
> > container admin/root inside the container can do basically anything on
> > the host. Furthermore proper confinement methods were afaik not
> > implemented and only came with later versions (even in Jessie I think
> > that's not yet working all correctly).
> >
> > https://blog.bofh.it/debian/id_413
> >
> > Does that make sense? We thus initially addressed that specific
> > CVE only in Jessie.
>
> After looking into this in more detail yesterday and today I tend to
> agree. Although there is some confinement dropping privileges, only a
> small set is used by default and we don't have an apparmor policy in
> place for wheezy either.
>
> I've marked this as no-dsa in wheezy (hope that's o.k.) but am happy to
> revisit this if others disagree.
>
> (cc'ing the lts list since we provided a patch for Squeeze)

Yes that's fine. Thanks for double-checking and confirming.

Regards,
Salvatore
Re: DSA for lxc CVE-2015-1335 [was Re: working for wheezy-security until wheezy-lts starts]
Hi Salvatore,

On Mon, Mar 28, 2016 at 07:32:38AM +0200, Salvatore Bonaccorso wrote:
> Hi Guido,
>
> On Sun, Mar 27, 2016 at 04:15:10PM +0200, Guido Günther wrote:
[..snip..]
> > O.k. to grab lxc fixing CVE-2015-1335 to dsa-needed ?
>
> Honestly I tend to actually mark this as no-dsa. My argument is the
> following: LXC in wheezy was in a really early stage, and a local
> container admin/root inside the container can do basically anything on
> the host. Furthermore proper confinement methods were afaik not
> implemented and only came with later versions (even in Jessie I think
> that's not yet working all correctly).
>
> https://blog.bofh.it/debian/id_413
>
> Does that make sense? We thus initially addressed that specific
> CVE only in Jessie.

After looking into this in more detail yesterday and today I tend to
agree. Although there is some confinement dropping privileges, only a
small set is used by default and we don't have an apparmor policy in
place for wheezy either.

I've marked this as no-dsa in wheezy (hope that's o.k.) but am happy to
revisit this if others disagree.

(cc'ing the lts list since we provided a patch for Squeeze)

Cheers,
 -- Guido
DSA for lxc CVE-2015-1335 [was Re: working for wheezy-security until wheezy-lts starts]
Hi,

On Tue, Mar 01, 2016 at 08:01:20PM +0100, Moritz Muehlenhoff wrote:
> On Tue, Mar 01, 2016 at 02:08:56PM +, Sébastien Delafond wrote:
> > On 2016-03-01, Mike Gabriel wrote:
> > > @Security Team: Shall we (LTS contributors) handle wheezy-security
> > > updates like described below until Debian wheezy LTS comes into play?
> > >
> > >   o Pick a package that has open CVE issues in wheezy, e.g. from
> > >     above list
> > >   o Add the package to data/dsa-needed.txt, if not already there:
>
> Don't add anything to dsa-needed.txt directly, but rather ask team@ first
> whether this actually qualifies for a DSA. Packages get only added there
> after individual assessment.

O.k. to grab lxc fixing CVE-2015-1335 to dsa-needed ?

Cheers,
 -- Guido