CVE-2023-2884[0-2]: impact for debian user

To: security@debian.org, debian-lts@lists.debian.org
Subject: CVE-2023-2884[0-2]: impact for debian user
From: Bastien Roucariès <rouca@debian.org>
Date: Thu, 22 Jun 2023 10:37:08 +0000
Message-id: <[🔎] 3828244.Nlof7LDrIb@portable-bastien>

Hi,

I want to discuss about CVE-2023-2884[0-2].

In order to be vulnerable host kernel need to disable the xt_u32 module. 

Moreover upstream drop for newer version support of xt_u32 see 
https://github.com/moby/moby/commit/4d04068184cf34af7be43272db1687143327cdf7
Do we support only xt_bpf in buster ?

I believe it is not a problem for debian system (at least for buster), for default kernel.

What is your advice on these bugs ?

BTW the upstream fix is: 
https://github.com/moby/moby/commit/878ee341d6fad3c0a28f9bd5471eb56736579010
and seems inclomplete without:
https://github.com/moby/moby/commit/1e195acee45ac69a2f7d8d4f2c9ea05ff6b0af2c
And for completeness again auser config:
https://github.com/moby/moby/commit/9a692a38028f4914a3a914c9a229e61bb3fbaf66

Bastien

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to:

Follow-Ups:
- Re: CVE-2023-2884[0-2]: impact for debian user
  - From: Ben Hutchings <ben@decadent.org.uk>

Prev by Date: Re: RFC: php-cas
Next by Date: Re: CVE-2023-2884[0-2]: impact for debian user
Previous by thread: Re: RFC: php-cas (CVE-2022-39369)
Next by thread: Re: CVE-2023-2884[0-2]: impact for debian user
Index(es):
- Date
- Thread