Debian Bug report logs -
#1070378
docker.io: CVE-2024-32473
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Go Packaging Team <team+pkg-go@tracker.debian.org>:
Bug#1070378; Package src:docker.io.
(Sat, 04 May 2024 16:06:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Go Packaging Team <team+pkg-go@tracker.debian.org>.
(Sat, 04 May 2024 16:06:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: docker.io
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for docker.io.
CVE-2024-32473[0]:
| Moby is an open source container framework that is a key component
| of Docker Engine, Docker Desktop, and other distributions of
| container tooling or runtimes. In 26.0.0, IPv6 is not disabled on
| network interfaces, including those belonging to networks where
| `--ipv6=false`. An container with an `ipvlan` or `macvlan` interface
| will normally be configured to share an external network link with
| the host machine. Because of this direct access, (1) Containers may
| be able to communicate with other hosts on the local network over
| link-local IPv6 addresses, (2) if router advertisements are being
| broadcast over the local network, containers may get SLAAC-assigned
| addresses, and (3) the interface will be a member of IPv6 multicast
| groups. This means interfaces in IPv4-only networks present an
| unexpectedly and unnecessarily increased attack surface. The issue
| is patched in 26.0.2. To completely disable IPv6 in a container, use
| `--sysctl=net.ipv6.conf.all.disable_ipv6=1` in the `docker create`
| or `docker run` command. Or, in the service configuration of a
| `compose` file.
https://github.com/moby/moby/security/advisories/GHSA-x84c-p2g9-rqv9
https://github.com/moby/moby/commit/841c4c8057bcf5317d6565875595a3f0c046e3fa
It's not super clear whether this is only fixed in 26.x and old releases
(such as the one in unstable) are not affected or, let's validate
and update the Security Tracker accordingly if not (ideally by identifying
the introducing commit)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-32473
https://www.cve.org/CVERecord?id=CVE-2024-32473
Please adjust the affected versions in the BTS as needed.
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 04 May 2024 19:30:10 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sun May 5 11:55:35 2024;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon