-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.4133
                           runc security update
                              7 December 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           runc
Publisher:         Debian
Operating System:  Debian GNU/Linux
                   Linux variants
Impact/Access:     Reduced Security -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-43784  

Original Bulletin: 
   https://www.debian.org/lts/security/2021/dla-2841

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running runc check for an updated version of the software for their
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2841-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
December 06, 2021                             https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : runc
Version        : 0.1.1+dfsg1-2+deb9u3
CVE ID         : CVE-2021-43784

It was discovered that there was an overflow issue in runc, the
runtime for the Open Container Project, often used with Docker.

The Netlink 'bytemsg' length field could have allowed an attacker to
override Netlink-based container configurations. This vulnerability
required the attacker to have some control over the configuration of
the container, but would have allowed the attacker to bypass the
namespace restrictions of the container by simply adding their own
Netlink payload which disables all namespaces.

For Debian 9 "Stretch", this problem has been fixed in version
0.1.1+dfsg1-2+deb9u3.

We recommend that you upgrade your runc packages.

For the detailed security status of runc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/runc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmGukYwACgkQHpU+J9Qx
HljF8w/+LHWY4pcYvhLQvAyodPFvTxlxZ60QlA70Pvspva8LRww59nNH1QnBQTxC
LLuD6UfhjXMt/tm4nAQ0X7sAhBSBVBn2OUVDZj4b6sWCb68Ideqviud4jzYvxbYD
1JrjSvK+/A0cJhsSac9rppMg4B3lPeekW6AmIsLWswW4olJROtmbRzgn1j5GSTyn
XdL7HwKwgbuzs1u2cKYjExJIdVNlIuUrVQH2njCHTeK3sVn20bFpAmwLnWhO3+yJ
Fy7sMAtbvW2eNht7e5qL+tamHcg4PlZkuO7cu698tSkfpTMgD0hfv5Il5Gw1e6Lq
HkDmFaSMiJiFlK/iybg7WeiHSKuhAQOXKuOHrx81s4ayYv3PZ3Jltj4lG9asNPSB
BsTKmXGYvzn0mEa1wVuQpEDRt/n3yUruzKxaWA3iFU6FfT+vFgJ3N5D/lpgieLid
AyYQqojHhoBMFmpUvZeuDObTgQ/EBo07VCsN56F59iGbclPWd/cFC5J7p3ahmQhC
0DAL/P3THd9tRAUS8WrugwNI/hlAoqhay0lw05x3B4ZOgFaFzaQOlzsN4jzsY5i8
Tar22dhJU3/D/K0TUcqWZsUqGzu86flN93nEFcnrDnZGiSvzwMutjeA4T126vXH3
wdTKalOmYgxpM5Kk7IlEmYmlbSs8NHHH3LetFGkGIs/goZTmduM=
=vcTl
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYa6es+NLKJtyKPYoAQgE4Q//V4hJ/cUInxMHoJzqoXELWRowpNCsMGGF
4wsT/pwmylyOuhyqXqSYSNYTZiNXMsntFl2GUrL79uzcNTfOoacoquWx59i8h5Ti
i7NTdpYjAzVIAivJNjhsTl0wh08ofYysZzhpeEEhjhmmL3jGiogxx+XxFyunrJIM
Nk9cVTbNBr42fKE/HLUVUID0CKIkKKjF6FXiCO/7xCMgm548V0fRIIuzWuDQWN8K
MVNjcjIUVjW652U90cxASOHpJbOAiq0mBwMrCqR1xQMlyqh4YMWTqFR9vxlEIWR5
uQlHZow4ItrwoXR0owKklvh6vhasT8biHTlNpNgano8eVLvO7OfFSOUWHl/8Kd9H
aE+wmghymxYJHRdP6DAMpX6MLPxWvXvAU7IQqyNOvy4A7AY554qIZBTcjTvJnzQH
ArEB8mCUl2Z5wu8chc7bEVnUa/t+xBNAlcwCXseiJe6jBOfwwWnTQDTlrcEiyYWK
65sebJSoyUiXbHmo5uA4+R5eBGRo49Su7mA+2rk9q5IV41mJi5SmE1URrUL84R/9
dRSpqhohorKctzrMXW3R376OBYNXBlFQWUDcFy51Mm6nhTqOrtb3rTYrczHZmo2Q
M05/xoZTIBrpGfYO5eRz8L8zP00oDaRXp6cdZaS3sGJCFxBkJEuJUMed51ASbYv2
CAWYdas0vPs=
=JflT
-----END PGP SIGNATURE-----