Re: DSA for lxc CVE-2015-1335 [was Re: working for wheezy-security until wheezy-lts starts]

To: Salvatore Bonaccorso <carnil@debian.org>
Cc: Debian Security Team <team@security.debian.org>, debian-lts@lists.debian.org
Subject: Re: DSA for lxc CVE-2015-1335 [was Re: working for wheezy-security until wheezy-lts starts]
From: Guido Günther <agx@sigxcpu.org>
Date: Mon, 28 Mar 2016 11:49:55 +0200
Message-id: <[🔎] 20160328094955.GA3810@bogon.m.sigxcpu.org>
Mail-followup-to: Guido Günther <agx@sigxcpu.org>, Salvatore Bonaccorso <carnil@debian.org>, Debian Security Team <team@security.debian.org>, debian-lts@lists.debian.org
In-reply-to: <20160328053238.GA8301@eldamar.local>
References: <20160229152546.Horde.bUTfXxHSPmDu0AWwU5x1bGj@mail.das-netzwerkteam.de> <20160229205411.GA10345@bogon.m.sigxcpu.org> <[🔎] 20160301071528.Horde.2vkf2nEumr1U3Zct8iUtE6a@mail.das-netzwerkteam.de> <[🔎] 20160301074408.GA2810@bogon.m.sigxcpu.org> <[🔎] 20160301080847.Horde.ftbTP7VPWRyVaJkHUAoyyvl@mail.das-netzwerkteam.de> <[🔎] 20160301150551.799@usenet.piggo.com> <[🔎] 20160301190120.GA14675@inutil.org> <[🔎] 20160327141510.GA19723@bogon.m.sigxcpu.org> <20160328053238.GA8301@eldamar.local>

Hi Salvatore,
On Mon, Mar 28, 2016 at 07:32:38AM +0200, Salvatore Bonaccorso wrote:
> Hi Guido,
> 
> On Sun, Mar 27, 2016 at 04:15:10PM +0200, Guido Günther wrote:
[..snip..]
> > O.k. to grab lxc fixing CVE-2015-1335 to dsa-needed ?
> 
> Honestly I tend to actually mark this as no-dsa. My argument is the
> following: LXC in wheezy was in a really early stage, and a local
> container admin/root inside the container can do basically anything on
> the host.  Furthermore proper confinement methods were afaik neither
> implemented and only came with later versions (even in Jessie I think
> that's not yet working all correctly).
> 
> https://blog.bofh.it/debian/id_413
> 
> Does that makes sense? We thus initially only addressed that specific
> CVE only in Jessie.

After looking into this in more detail yesterday and today I tend to
agree. Although there is some confinement dropping privileges only a
small set is used by default and we don't have a apparmor policy in
place for wheezy either. 

I've marked this as no-dsa in wheezy (hope that's o.k.) but am happy to
revisit this if others disagre#e.

(cc'ing the lts list since we provided a patch for Squeeze)

Cheers,
 -- Guido

Reply to:

Follow-Ups:
- Re: DSA for lxc CVE-2015-1335 [was Re: working for wheezy-security until wheezy-lts starts]
  - From: Salvatore Bonaccorso <carnil@debian.org>

References:
- Re: working for wheezy-security until wheezy-lts starts
  - From: Mike Gabriel <sunweaver@debian.org>
- Re: working for wheezy-security until wheezy-lts starts
  - From: Guido Günther <agx@sigxcpu.org>
- Re: working for wheezy-security until wheezy-lts starts
  - From: Mike Gabriel <sunweaver@debian.org>
- Re: working for wheezy-security until wheezy-lts starts
  - From: Sébastien Delafond <seb@debian.org>
- Re: working for wheezy-security until wheezy-lts starts
  - From: Moritz Muehlenhoff <jmm@inutil.org>
- DSA for lxc CVE-2015-1335 [was Re: working for wheezy-security until wheezy-lts starts]
  - From: Guido Günther <agx@sigxcpu.org>

Prev by Date: Re: Archive of squeeze-lts ?
Next by Date: Re: tracking security issues without CVEs
Previous by thread: DSA for lxc CVE-2015-1335 [was Re: working for wheezy-security until wheezy-lts starts]
Next by thread: Re: DSA for lxc CVE-2015-1335 [was Re: working for wheezy-security until wheezy-lts starts]
Index(es):
- Date
- Thread