"Leaky Vessels" CVEs affecting debian packages (incorrect NOT-FOR-US tag)
To: debian-security-tracker@lists.debian.org
Subject: "Leaky Vessels" CVEs affecting debian packages (incorrect NOT-FOR-US tag)
From: Will Sewell <me@willsewell.com>
Date: Wed, 7 Feb 2024 16:34:11 +0000
Message-id: <CAKMCqEJ8KsDmbuXJDNg19BO8xdHUpW-nVumt5hcRtKXArHUy6w@mail.gmail.com>

Hello,

Your security tracker claims that the CVEs related to "Leaky Vessels" (https://snyk.io/blog/leaky-vessels-docker-runc-container-breakout-vulnerabilities/) are NOT-FOR-US:

- https://security-tracker.debian.org/tracker/CVE-2024-23651
- https://security-tracker.debian.org/tracker/CVE-2024-23652
- https://security-tracker.debian.org/tracker/CVE-2024-23653

And the following CVE is marked as only related to the runc package:

- https://security-tracker.debian.org/tracker/CVE-2024-21626

However, I think these vulnerabilities all affect at least the podman package (https://packages.debian.org/bookworm/podman) because it includes buildkit/runc as a Go library. You can see it being patched here:

- https://github.com/containers/podman/pull/21464
- https://github.com/containers/podman/pull/21485

And released in https://github.com/containers/podman/releases/tag/v4.9.2.

There might be other Debian packages affected in this way. You can see a list of some of the programs that depend on these libraries here: https://security.snyk.io/vuln?search=CVE-2024-23653.

Please let me know if I'm missing something.

Kind regards,
Will

Follow-Ups:
- Re: "Leaky Vessels" CVEs affecting debian packages (incorrect NOT-FOR-US tag), from Salvatore Bonaccorso <carnil@debian.org>