Your message dated Thu, 24 Nov 2022 21:04:27 +0000 with message-id <e1oyjov-00ft05...@fasolo.debian.org> and subject line Bug#1009882: fixed in golang-github-containers-buildah 1.28.0+ds1-2 has caused the Debian Bug report #1009882, regarding golang-github-containers-buildah: CVE-2022-27651 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1009882: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009882 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: golang-github-containers-buildah Version: 1.23.1+ds1-2 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Hi, The following vulnerability was published for golang-github-containers-buildah. CVE-2022-27651[0]: | A flaw was found in buildah where containers were incorrectly started | with non-empty default permissions. A bug was found in Moby (Docker | Engine) where containers were incorrectly started with non-empty | inheritable Linux process capabilities, enabling an attacker with | access to programs with inheritable file capabilities to elevate those | capabilities to the permitted set when execve(2) runs. This has the | potential to impact confidentiality and integrity. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-27651 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27651 [1] https://github.com/containers/buildah/commit/e7e55c988c05dd74005184ceb64f097a0cfe645b Please adjust the affected versions in the BTS as needed. Regards, Salvaotre
--- End Message ---
--- Begin Message ---Source: golang-github-containers-buildah Source-Version: 1.28.0+ds1-2 Done: Reinhard Tartler <siret...@tauware.de> We believe that the bug you reported is fixed in the latest version of golang-github-containers-buildah, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1009...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Reinhard Tartler <siret...@tauware.de> (supplier of updated golang-github-containers-buildah package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Thu, 24 Nov 2022 15:27:47 -0500 Source: golang-github-containers-buildah Architecture: source Version: 1.28.0+ds1-2 Distribution: unstable Urgency: medium Maintainer: Debian Go Packaging Team <team+pkg...@tracker.debian.org> Changed-By: Reinhard Tartler <siret...@tauware.de> Closes: 1009882 Changes: golang-github-containers-buildah (1.28.0+ds1-2) unstable; urgency=medium . * upload to unstable . golang-github-containers-buildah (1.28.0+ds1-1) experimental; urgency=medium . * New upstream release new upstream version fixes CVE-2022-27651, Closes: #1009882 . golang-github-containers-buildah (1.27.0+ds1-6) experimental; urgency=medium . * Force building with golang-go, gccgo miscompiles at least on mips . golang-github-containers-buildah (1.27.0+ds1-5) experimental; urgency=medium . * also exclude running "copier" test from package build, breaks/timeouts on arm64, armel, armhf and powerpc64 . golang-github-containers-buildah (1.27.0+ds1-4) experimental; urgency=medium . * also exclude running pkg/cli test from package build . golang-github-containers-buildah (1.27.0+ds1-3) experimental; urgency=medium . * don't run test pkg/completion at package build times . golang-github-containers-buildah (1.27.0+ds1-2) experimental; urgency=medium . * New upstream release * Run tests at build time . golang-github-containers-buildah (1.26.1+ds1-1) experimental; urgency=medium . * New upstream release . golang-github-containers-buildah (1.24.1+ds1-1) experimental; urgency=medium . * New upstream release Checksums-Sha1: 8e2b40b9687c7873ff1c4d9e582cb41ec97c1561 4007 golang-github-containers-buildah_1.28.0+ds1-2.dsc 3670d28dce316fe453c6c3ec937d52bfde4b5932 6844 golang-github-containers-buildah_1.28.0+ds1-2.debian.tar.xz Checksums-Sha256: ebc280303d5659a76c54be59a663dc164e28b0cd272c8e007fcfc74b7883ce3e 4007 golang-github-containers-buildah_1.28.0+ds1-2.dsc 703396ca99411f54aaec26493841aa974574252b95a4304577116717c974ba57 6844 golang-github-containers-buildah_1.28.0+ds1-2.debian.tar.xz Files: fa3b20d3cc51f248d135a3552ec3f822 4007 devel optional golang-github-containers-buildah_1.28.0+ds1-2.dsc 22fcbd8dce8374fe016c26e30f33166b 6844 devel optional golang-github-containers-buildah_1.28.0+ds1-2.debian.tar.xz -----BEGIN PGP SIGNATURE----- iQJIBAEBCgAyFiEEMN59F2OrlFLH4IJQSadpd5QoJssFAmN/1IQUHHNpcmV0YXJ0 QHRhdXdhcmUuZGUACgkQSadpd5QoJsumsxAAzp0JaVWCOpZgl/C7C0l2hsJK3RLH /+fZIoeaASP5wBHBStopkkRJoFDWNjaGbrAtRtTKu8ArFR0rM/zV9sikg6E/S2Yn IWdjCVErUu+6wS7KUIXK1Ns+4sUW/pYwOjabcu5ltgTCmehkpr92O1+glEAsUjEC ss7k2ANtQLZ2w1vjIDa8xTDfx+OphMgl9787tY8WCbJWdlNlWJfUJKcIBX/U12x+ LQ+Sk0YJTZ2tFnJlDSE1BQ0drFdfgkv5DubVIjdFHUB2rM39PL8Slcz4bbU8FIZY qPFgEcgSFj3USQSyvYJnqia9ys1qqYYYGH2oHyJNX70E7+GUi1eDXxfHQcHdFdsM 4fzD5TSYHgQLOgfYsDQDVsYrt1MKCrTRsTIfAE4FbQreH/YIAWxvd6eQjDAf7uNM itwHjKJ8CRAoLPUUagSAcBt/5XeYL90RlU3d3sNem7NnlUKbbMBk99C3eLQBW9aA UhcCsI1CyIH8fMz3U7FlCW8pKeN+PrFqXKbhXvbg1d+PuZ/0uEvFubkWgo81hV9K xv4s3OfsvrHdWI9a94QAQQ3v1n94zQlp/QfEFJ5pUt+Og2HMBc5CADQYqneMPSAB EnckqU4DEmExkDkr/99sYitThhMOQGKjfpwS628Q7hveNIDxglXwTtq0YCo3pRep HTputEWsnfh6LXQ= =o78l -----END PGP SIGNATURE-----
--- End Message ---
