
Bug#1014716: marked as done (ignition: CVE-2022-1706)



Your message dated Wed, 27 Jul 2022 14:38:41 +0000
with message-id <E1oGiBN-00053E-79@fasolo.debian.org>
and subject line Bug#1014716: fixed in ignition 2.14.0+ds1-1
has caused the Debian Bug report #1014716,
regarding ignition: CVE-2022-1706
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1014716: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014716
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: ignition
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for ignition.

CVE-2022-1706[0]:
| A vulnerability was found in Ignition where ignition configs are
| accessible from unprivileged containers in VMs running on VMware
| products. This issue is only relevant in user environments where the
| Ignition config contains secrets. The highest threat from this
| vulnerability is to data confidentiality. Possible workaround is to
| not put secrets in the Ignition config.

https://github.com/coreos/ignition/issues/1300
https://github.com/coreos/ignition/pull/1350

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-1706
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1706

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: ignition
Source-Version: 2.14.0+ds1-1
Done: Christoph Senkel <christoph.senkel@credativ.de>

We believe that the bug you reported is fixed in the latest version of
ignition, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1014716@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Senkel <christoph.senkel@credativ.de> (supplier of updated ignition package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 27 Jul 2022 15:52:07 +0200
Source: ignition
Architecture: source
Version: 2.14.0+ds1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Cloud Team <debian-cloud@lists.debian.org>
Changed-By: Christoph Senkel <christoph.senkel@credativ.de>
Closes: 1014716
Changes:
 ignition (2.14.0+ds1-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version
   * Fixes CVE-2022-1706 (Closes: #1014716)


--- End Message ---
