
Fwd: wheezy-backports: lxc security update: looking for sponsor + BSA requested


I didn't get any response to my email to backports-team@debian.org. If
this were just a normal package update I'd be a _lot_ more patient,
but this is security-related (especially CVE-2015-1331 might really
hurt) and I'd very much like to get the fixed package into
wheezy-backports as soon as possible, hence I'm resending this email

I would really appreciate it if somebody could sponsor this upload.



-------- Forwarded Message --------
Subject: wheezy-backports: lxc security update: looking for sponsor + BSA requested
Date: Sun, 26 Jul 2015 00:47:32 +0200
From: Christian Seiler <christian@iwakd.de>
To: backports-team@debian.org

(I'm sending this only to backports-team because it's security-related,
otherwise I'd have used the backports list. If this is wrong, I
apologize and please tell me what to do in the future in similar cases.)

I'm maintaining the backported version of LXC in wheezy-backports, and
there was a recent security update for LXC in jessie.

DSA: https://www.debian.org/security/2015/dsa-3317

I've backported it and uploaded the package to mentors.debian.net:


I've successfully built this in a clean wheezy VM and did some very
simple functionality tests.

It would be great if someone could sponsor this upload, and there's also
the need for a BSA (my guess is that since I'm not a DD, the sponsor
will have to send the mail to debian-backports-announce@). I've
pre-written the announcement email (feel free to change anything you
need to; I've copied the vulnerability descriptions from the DSA):

Subject: [BSA-XXX] Security Update for lxc

<Uploader> uploaded new packages for lxc which fixed the following
security problems:

  Roman Fiedler discovered a directory traversal flaw in LXC when
  creating lock files. A local attacker could exploit this flaw to
  create an arbitrary file as the root user.

  Roman Fiedler discovered that LXC incorrectly trusted the container's
  proc filesystem to set up AppArmor profile changes and SELinux domain
  transitions. A malicious container could create a fake proc
  filesystem and use this flaw to run programs inside the container
  that are not confined by AppArmor or SELinux.

For the wheezy-backports distribution the problems have been fixed in
version 1.0.6-6+deb8u1~bpo70+1.
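As an added illustration of the first issue above (not code from this email or from LXC itself), the following contrasts a lock-file path built naively from a caller-supplied container name with a hardened version that keeps the result inside the lock directory. The lock directory and naming scheme are assumptions for the example, not LXC's actual layout.

```python
import os

# Constructed lock directory for the example; LXC's real layout is not assumed.
LOCK_DIR = "/run/lock/lxc"


def naive_lock_path(name: str) -> str:
    # Weak form: the container name is embedded directly in the path, so a
    # name containing separators or ".." resolves outside LOCK_DIR.
    return os.path.join(LOCK_DIR, name + ".lock")


def safe_lock_path(name: str) -> str:
    # Hardened form: accept only a single plain path component, then
    # double-check that the normalized result still lies under LOCK_DIR.
    if not name or name in (".", "..") or "/" in name or "\0" in name:
        raise ValueError(f"invalid container name: {name!r}")
    path = os.path.normpath(os.path.join(LOCK_DIR, name + ".lock"))
    if os.path.commonpath([LOCK_DIR, path]) != LOCK_DIR:
        raise ValueError(f"lock path escapes {LOCK_DIR}: {path}")
    return path


def escapes_lock_dir(path: str) -> bool:
    # Detection helper: does the normalized path leave LOCK_DIR?
    return os.path.commonpath([LOCK_DIR, os.path.normpath(path)]) != LOCK_DIR


if __name__ == "__main__":
    for candidate in ("web", "../../../../../tmp/outside"):
        weak = naive_lock_path(candidate)
        print(f"{candidate!r}: naive -> {weak} (escapes: {escapes_lock_dir(weak)})")
        try:
            print(f"{candidate!r}: safe  -> {safe_lock_path(candidate)}")
        except ValueError as exc:
            print(f"{candidate!r}: safe  -> rejected ({exc})")
```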


