canonical / docker-snap

https://snapcraft.io/docker
MIT License
54 stars, 27 forks

runc's CVE-2024-21626 #163

Closed. eslerm closed this 4 months ago

eslerm commented 5 months ago

The version of runc in this snap is likely affected by CVE-2024-21626.

The parts section of this snapcraft.yaml contains:

  runc:
    plugin: make
    source: https://github.com/opencontainers/runc.git
    # from https://github.com/moby/moby/releases/tag/v24.0.5
    source-tag: v1.1.7

runc before v1.1.12 is affected by CVE-2024-21626.

See https://www.openwall.com/lists/oss-security/2024/01/31/6 Please note upstream's security-announce mailing list.
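One way to check a snap's runc pin mechanically, as an added example that is not part of docker-snap or of the comment above: the script scans the `parts` section of a snapcraft.yaml for the `runc` part's `source-tag`, or reads the runc entry from the component list that `docker version --format '{{json .Server.Components}}'` prints on a running daemon, and compares the version against v1.1.12, the first release the comment names as fixed. The snapcraft fragment and the component list embedded below are constructed samples that mirror the issue; the line-based YAML scan assumes snapcraft's two-space indentation and needs no PyYAML; treating `-rc` tags as older than the corresponding final release is a conservative assumption, not something the advisory states.

```python
"""Check whether a runc build pinned in snapcraft.yaml, or reported by a
running Docker daemon, predates the CVE-2024-21626 fix in runc v1.1.12.

Added illustration; not code from the docker-snap project.  The sample
snapcraft fragment and component list below are constructed inputs.
"""
import json
import re
from typing import List, Optional, Tuple

# Constructed sample mirroring the `parts` entry quoted in the issue.
SAMPLE_SNAPCRAFT_YAML = """\
parts:
  runc:
    plugin: make
    source: https://github.com/opencontainers/runc.git
    # from https://github.com/moby/moby/releases/tag/v24.0.5
    source-tag: v1.1.7
  docker:
    plugin: make
    source-tag: v24.0.5
"""

# Constructed sample in the shape of
#   docker version --format '{{json .Server.Components}}'
# (only the fields this check reads are included).
SAMPLE_DOCKER_COMPONENTS = (
    '[{"Name":"Engine","Version":"24.0.5"},'
    '{"Name":"containerd","Version":"1.7.2"},'
    '{"Name":"runc","Version":"1.1.7"},'
    '{"Name":"docker-init","Version":"0.19.0"}]'
)

# Accepts "v1.1.7", "1.1.7", "1.1.12-rc.1" and docker-info style
# "1.1.7-0-g860f061" (the trailing build id is ignored).
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?")
_FINAL = 10**6  # rank of a final release; any -rcN ranks below it (assumption)

FIXED_RUNC = (1, 1, 12, _FINAL)  # runc v1.1.12 carries the CVE-2024-21626 fix


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, rc_rank) or None if no version is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else _FINAL)


def is_vulnerable(version_text: str) -> bool:
    """True when the runc version sorts before the fixed release."""
    v = parse_version(version_text)
    if v is None:
        raise ValueError(f"no version found in {version_text!r}")
    return v < FIXED_RUNC


def runc_source_tag(snapcraft_yaml: str) -> Optional[str]:
    """Return the source-tag of the `runc` part under `parts`, or None.

    Minimal line-based scan that relies on snapcraft.yaml's two-space
    indentation (as in the fragment quoted in the issue), so it runs
    without PyYAML.  Comments and blank lines are skipped.
    """
    section = None  # current top-level key, e.g. "parts" or "apps"
    part = None     # current part name while inside "parts"
    for raw in snapcraft_yaml.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:
            section = stripped.rstrip(":")
            part = None
        elif indent == 2 and section == "parts" and stripped.endswith(":"):
            part = stripped[:-1]
        elif indent >= 4 and part == "runc":
            key, sep, value = stripped.partition(":")
            if sep and key.strip() == "source-tag":
                return value.strip()
    return None


def runc_from_docker_components(components_json: str) -> Optional[str]:
    """Pick the runc version out of `docker version` component JSON."""
    for comp in json.loads(components_json):
        if comp.get("Name") == "runc":
            return comp.get("Version")
    return None


def report(snapcraft_yaml: str, components_json: str) -> List[Tuple[str, str, bool]]:
    """(source, version, vulnerable) for each place a runc version was found."""
    rows = []
    tag = runc_source_tag(snapcraft_yaml)
    if tag:
        rows.append(("snapcraft.yaml source-tag", tag, is_vulnerable(tag)))
    live = runc_from_docker_components(components_json)
    if live:
        rows.append(("docker version component", live, is_vulnerable(live)))
    return rows


if __name__ == "__main__":
    for source, version, vuln in report(SAMPLE_SNAPCRAFT_YAML, SAMPLE_DOCKER_COMPONENTS):
        status = "VULNERABLE (CVE-2024-21626)" if vuln else "fixed"
        print(f"{source}: runc {version} -> {status}")
```

On a host with the snap installed, feed the real `snapcraft.yaml` from the source tree and the live output of `docker version --format '{{json .Server.Components}}'` into `report()`; both sample inputs above report runc 1.1.7 as vulnerable, and the same inputs with v1.1.12 or later report it as fixed.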

eslerm commented 4 months ago

Could this have more priority?

From https://www.openwall.com/lists/oss-security/2024/01/31/6

This is a notification to vendors that use runc about a high-severity vulnerability (CVE-2024-21626) with several exploit methods which allow for full container breakouts due to an internal file descriptor leak.

eslerm commented 4 months ago

Thank you!

When will this fix land in latest/stable?

lucaskanashiro commented 4 months ago

It was automatically pushed to the latest/edge channel, and I just promoted it to latest/beta. Now we need to wait for automated tests to pass (which may take some days or a week, from my experience) so we can keep promoting it until latest/stable.

eslerm commented 2 months ago

This issue is still open for latest/stable.

lucaskanashiro commented 2 months ago

Now it is fixed in latest/stable.