Hi,
On Mon, Feb 19, 2024 at 03:28:00AM +0100, Daniel Leidert wrote:
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3735-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
February 19, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : runc
Version : 1.0.0~rc6+dfsg1-3+deb10u3
CVE ID : CVE-2021-43784 CVE-2024-21626
Debian Bug :
runc is a command line client for running applications packaged according
to the Open Container Format (OCF) and is a compliant implementation of
the Open Container Project specification.
CVE-2021-43784
A flaw has been detected that may lead to a possible length field
overflow, allowing user-controlled data to be parsed as control
characters.
CVE-2024-21626
A flaw has been detected which allows several container breakouts
due to internally leaked file descriptors. The patch includes fixes
and hardening measurements against these types of issues/attacks.
For Debian 10 buster, these problems have been fixed in version
1.0.0~rc6+dfsg1-3+deb10u3.
The DLA reservation for this update in data/DLA/list seems missing,
can you push the changes there? Otherwise there is potential that
there will be a duplicate DLA assingment apart that as well the
tracker will not show up correctly the fixing information.