Lucene search
DebianDEBIAN:DLA-442-1:9E76DHistoryFeb 29, 2016 - 2:41 p.m.
[SECURITY] [DLA 442-1] lxc security update
2016-02-2914:41:59
lists.debian.org
8
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.001 Low
EPSS
Percentile
27.3%
Package : lxc
Version : 0.7.2-1+deb6u1
CVE ID : CVE-2013-6441 CVE-2015-1335
Debian Bug : #800471
Brief introduction
CVE-2013-6441
The template script lxc-sshd used to mount itself as /sbin/init in the
container using a writable bind-mount.
This update resolved the above issue by using a read-only bind-mount
instead preventing any form of potentially accidental damage.
CVE-2015-1335
On container startup, lxc sets up the container's initial file system
tree by doing a bunch of mounting, guided by the container's configuration
file.
The container config is owned by the admin or user on the host, so we
do not try to guard against bad entries. However, since the mount
target is in the container, it's possible that the container admin
could divert the mount with symbolic links. This could bypass proper
container startup (i.e. confinement of a root-owned container by the
restrictive apparmor policy, by diverting the required write to
/proc/self/attr/current), or bypass the (path-based) apparmor policy
by diverting, say, /proc to /mnt in the container.
This update implements a safe_mount() function that prevents lxc from
doing mounts onto symbolic links.
–
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: [email protected], http://sunweavers.net
Attachment:
signature.asc
Description: Digital signature
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Debian | 8 | powerpc | lxc | < 1:1.0.6-6+deb8u2 | lxc_1:1.0.6-6+deb8u2_powerpc.deb |
| Debian | 8 | armel | lxc-dbg | < 1:1.0.6-6+deb8u2 | lxc-dbg_1:1.0.6-6+deb8u2_armel.deb |
| Debian | 8 | amd64 | lxc-dbg | < 1:1.0.6-6+deb8u2 | lxc-dbg_1:1.0.6-6+deb8u2_amd64.deb |
| Debian | 8 | mipsel | lxc | < 1:1.0.6-6+deb8u2 | lxc_1:1.0.6-6+deb8u2_mipsel.deb |
| Debian | 8 | armhf | lxc | < 1:1.0.6-6+deb8u2 | lxc_1:1.0.6-6+deb8u2_armhf.deb |
| Debian | 8 | i386 | lxc | < 1:1.0.6-6+deb8u2 | lxc_1:1.0.6-6+deb8u2_i386.deb |
| Debian | 8 | arm64 | lxc | < 1:1.0.6-6+deb8u2 | lxc_1:1.0.6-6+deb8u2_arm64.deb |
| Debian | 8 | all | lxc | < 1:1.0.6-6+deb8u2 | lxc_1:1.0.6-6+deb8u2_all.deb |
| Debian | 6 | all | lxc | < 0.7.2-1+deb6u1 | lxc_0.7.2-1+deb6u1_all.deb |
| Debian | 8 | mips | lxc-dbg | < 1:1.0.6-6+deb8u2 | lxc-dbg_1:1.0.6-6+deb8u2_mips.deb |
Related
osv
osv
lxc - security update
2016-02-29 00:00:00
nessus
nessus
Debian DLA-442-1 : lxc security update
2016-03-01 00:00:00
Ubuntu 13.10 : lxc vulnerability (USN-2104-1)
2014-02-13 00:00:00
SuSE 11.3 Security Update : lxc (SAT Patch Number 9084)
2014-05-15 00:00:00
openvas
openvas
Debian: Security Advisory (DLA-442-1)
2023-03-08 00:00:00
Mageia: Security Advisory (MGASA-2014-0102)
2022-01-28 00:00:00
Ubuntu: Security Advisory (USN-2104-1)
2022-08-26 00:00:00
mageia
mageia
Updated lxc packages fix security vulnerability
2014-02-26 22:23:25
Updated lxc packages fix security vulnerability
2016-01-29 14:02:50
securityvulns
securityvulns
lxc protection bypass
2014-04-07 00:00:00
[USN-2104-1] LXC vulnerability
2014-04-07 00:00:00
LXC directory traversal
2015-07-27 00:00:00
cve
cve
CVE-2013-6441
2014-02-14 15:55:00
CVE-2015-1335
2015-10-01 20:59:00
debiancve
debiancve
CVE-2013-6441
2014-02-14 15:55:00
CVE-2015-1335
2015-10-01 20:59:00
prion
prion
Design/Logic Flaw
2014-02-14 15:55:00
Code injection
2015-10-01 20:59:00
ubuntucve
ubuntucve
CVE-2013-6441
2013-12-31 00:00:00
CVE-2015-1335
2015-09-29 00:00:00
ubuntu
ubuntu
LXC vulnerability
2014-02-12 00:00:00
LXC vulnerability
2015-09-29 00:00:00
fedora
fedora
[SECURITY] Fedora 22 Update: lxc-1.1.4-2.fc22
2015-11-12 00:22:27
[SECURITY] Fedora 23 Update: lxc-1.1.4-2.fc23
2015-11-01 02:55:00
[SECURITY] Fedora 21 Update: lxc-1.0.7-4.fc21
2015-11-12 00:49:49
oraclelinux
oraclelinux
lxc security update
2015-10-15 00:00:00
debian
debian
[SECURITY] [DSA 3400-1] lxc security update
2015-11-19 19:55:59
[SECURITY] [DSA 3400-1] lxc security update
2015-11-19 19:55:59
suse
suse
Security update for lxc, lxcfs (important)
2019-05-31 00:00:00
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.001 Low
EPSS
Percentile
27.3%
Related for DEBIAN:DLA-442-1:9E76D