===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.4133
                           runc security update
                              7 December 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           runc
Publisher:         Debian
Operating System:  Debian GNU/Linux
                   Linux variants
Impact/Access:     Reduced Security -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-43784

Original Bulletin:
   https://www.debian.org/lts/security/2021/dla-2841

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running runc check for an updated version of the software for their
         operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2841-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
December 06, 2021                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : runc
Version        : 0.1.1+dfsg1-2+deb9u3
CVE ID         : CVE-2021-43784

It was discovered that there was an overflow issue in runc, the runtime
for the Open Container Project, often used with Docker.

The Netlink 'bytemsg' length field could have allowed an attacker to
override Netlink-based container configurations. This vulnerability
required the attacker to have some control over the configuration of the
container, but would have allowed the attacker to bypass the namespace
restrictions of the container by simply adding their own Netlink payload
which disables all namespaces.

For Debian 9 "Stretch", this problem has been fixed in version
0.1.1+dfsg1-2+deb9u3.

We recommend that you upgrade your runc packages.

For the detailed security status of runc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/runc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
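
The length-field overflow described in the advisory, as an added Go sketch (not runc's code and not part of the bulletin): a Netlink attribute header stores its length in 16 bits, so a serializer that narrows the length without a bounds check writes a header that disagrees with the bytes that follow it. The 4-byte header without padding, the little-endian encoding, the sample sizes and all function names are assumptions made for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// Assumed simplified layout: uint16 length, uint16 type, then the payload.
// Alignment padding is left out to keep the sketch short.
const hdrLen = 4

// serializeUnchecked narrows the total length to 16 bits with no bounds
// check, so oversized payloads produce a wrapped length in the header.
func serializeUnchecked(typ uint16, payload []byte) []byte {
	buf := make([]byte, hdrLen+len(payload))
	binary.LittleEndian.PutUint16(buf[0:2], uint16(hdrLen+len(payload)))
	binary.LittleEndian.PutUint16(buf[2:4], typ)
	copy(buf[hdrLen:], payload)
	return buf
}

// serializeChecked is the hardened form: it refuses any attribute whose
// length cannot be represented in the 16-bit field.
func serializeChecked(typ uint16, payload []byte) ([]byte, error) {
	if hdrLen+len(payload) > math.MaxUint16 {
		return nil, errors.New("attribute too large for 16-bit length field")
	}
	return serializeUnchecked(typ, payload), nil
}

// declaredLen is the attribute length a receiver reads from the header.
func declaredLen(buf []byte) int {
	return int(binary.LittleEndian.Uint16(buf[0:2]))
}

func main() {
	big := make([]byte, 70000) // constructed oversized configuration value
	buf := serializeUnchecked(1, big)
	fmt.Printf("written=%d declared=%d unaccounted=%d\n",
		len(buf), declaredLen(buf), len(buf)-declaredLen(buf))
	if _, err := serializeChecked(1, big); err != nil {
		fmt.Println("checked serializer:", err)
	}
}
```

The bytes past the declared length are left for the receiver to interpret as whatever comes next in the message, which is why the bounds check belongs in the serializer.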