runc: CVE-2021-30465

Related Vulnerabilities: CVE-2021-30465  

Debian Bug report logs - #988768
runc: CVE-2021-30465


Reported by: Shengjing Zhu <zhsj@debian.org>

Date: Wed, 19 May 2021 11:39:02 UTC

Severity: serious

Tags: help, security, upstream

Found in version runc/1.0.0~rc93+ds1-3

Fixed in versions runc/1.0.0~rc94+ds1-2, runc/1.0.0~rc93+ds1-4

Done: Shengjing Zhu <zhsj@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, zhsj@debian.org, team@security.debian.org, Debian Go Packaging Team <team+pkg-go@tracker.debian.org>:
Bug#988768; Package runc. (Wed, 19 May 2021 11:39:04 GMT)


Acknowledgement sent to Shengjing Zhu <zhsj@debian.org>:
New Bug report received and forwarded. Copy sent to zhsj@debian.org, team@security.debian.org, Debian Go Packaging Team <team+pkg-go@tracker.debian.org>. (Wed, 19 May 2021 11:39:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Shengjing Zhu <zhsj@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: runc: CVE-2021-30465
Date: Wed, 19 May 2021 19:35:11 +0800
Package: runc
Version: 1.0.0~rc93+ds1-3
Severity: serious
Tags: security help
X-Debbugs-Cc: zhsj@debian.org, team@security.debian.org

CVE-2021-30465 is published for runc
https://github.com/opencontainers/runc/security/advisories/GHSA-c3xm-pvg7-gh7r

I have checked the patch; it doesn't apply straightly on the current version in testing.

So I'd like to use some help.



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 19 May 2021 12:21:05 GMT)


Reply sent to Shengjing Zhu <zhsj@debian.org>:
You have taken responsibility. (Wed, 19 May 2021 12:21:08 GMT)


Notification sent to Shengjing Zhu <zhsj@debian.org>:
Bug acknowledged by developer. (Wed, 19 May 2021 12:21:08 GMT)


Message #12 received at 988768-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 988768-close@bugs.debian.org
Subject: Bug#988768: fixed in runc 1.0.0~rc94+ds1-2
Date: Wed, 19 May 2021 12:19:40 +0000
Source: runc
Source-Version: 1.0.0~rc94+ds1-2
Done: Shengjing Zhu <zhsj@debian.org>

We believe that the bug you reported is fixed in the latest version of
runc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 988768@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Shengjing Zhu <zhsj@debian.org> (supplier of updated runc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 19 May 2021 19:48:48 +0800
Source: runc
Architecture: source
Version: 1.0.0~rc94+ds1-2
Distribution: experimental
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Changed-By: Shengjing Zhu <zhsj@debian.org>
Closes: 988768
Changes:
 runc (1.0.0~rc94+ds1-2) experimental; urgency=medium
 .
   * Team upload.
   * Backport patch for CVE-2021-30465 (Closes: #988768)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----




Reply sent to Shengjing Zhu <zhsj@debian.org>:
You have taken responsibility. (Wed, 19 May 2021 18:21:06 GMT)


Notification sent to Shengjing Zhu <zhsj@debian.org>:
Bug acknowledged by developer. (Wed, 19 May 2021 18:21:06 GMT)


Message #17 received at 988768-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 988768-close@bugs.debian.org
Subject: Bug#988768: fixed in runc 1.0.0~rc93+ds1-4
Date: Wed, 19 May 2021 18:18:35 +0000
Source: runc
Source-Version: 1.0.0~rc93+ds1-4
Done: Shengjing Zhu <zhsj@debian.org>

We believe that the bug you reported is fixed in the latest version of
runc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 988768@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Shengjing Zhu <zhsj@debian.org> (supplier of updated runc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 20 May 2021 02:13:01 +0800
Source: runc
Architecture: source
Version: 1.0.0~rc93+ds1-4
Distribution: unstable
Urgency: high
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Changed-By: Shengjing Zhu <zhsj@debian.org>
Closes: 988768
Changes:
 runc (1.0.0~rc93+ds1-4) unstable; urgency=high
 .
   * Team upload.
   * Backport patches for CVE-2021-30465 (Closes: #988768)
     To apply CVE-2021-30465 patch clearly, following PR are backported as
     well:
     + https://github.com/opencontainers/runc/pull/2798
     + https://github.com/opencontainers/runc/pull/2818

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu May 20 12:44:05 2021; Machine Name: buxtehude
