
Re: DSA for lxc CVE-2015-1335 [was Re: working for wheezy-security until wheezy-lts starts]



Hi Guido,

On Mon, Mar 28, 2016 at 11:49:55AM +0200, Guido Günther wrote:
> Hi Salvatore,
> On Mon, Mar 28, 2016 at 07:32:38AM +0200, Salvatore Bonaccorso wrote:
> > Hi Guido,
> > 
> > On Sun, Mar 27, 2016 at 04:15:10PM +0200, Guido Günther wrote:
> [..snip..]
> > > O.k. to grab lxc fixing CVE-2015-1335 to dsa-needed ?
> > 
> > Honestly I tend to actually mark this as no-dsa. My argument is the
> > following: LXC in wheezy was in a really early stage, and a local
> > container admin/root inside the container can do basically anything on
> > the host.  Furthermore proper confinement methods were afaik neither
> > implemented and only came with later versions (even in Jessie I think
> > that's not yet working all correctly).
> > 
> > https://blog.bofh.it/debian/id_413
> > 
> > Does that make sense? We thus initially only addressed that specific
> > CVE only in Jessie.
> 
> After looking into this in more detail yesterday and today I tend to
> agree. Although there is some confinement dropping privileges only a
> small set is used by default and we don't have an apparmor policy in
> place for wheezy either. 
> 
> I've marked this as no-dsa in wheezy (hope that's o.k.) but am happy to
> revisit this if others disagree.
> 
> (cc'ing the lts list since we provided a patch for Squeeze)

Yes that's fine. Thanks for double-checking and confirming.

Regards,
Salvatore
