Your message dated Wed, 16 Oct 2024 12:07:03 +0000
with message-id <[email protected]>
and subject line Bug#1084061: fixed in golang-github-containers-common 0.60.4+ds1-1
has caused the Debian Bug report #1084061,
regarding golang-github-containers-common: CVE-2024-9341
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1084061: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084061
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-github-containers-common
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for golang-github-containers-common.

CVE-2024-9341[0]:
| A flaw was found in Go. When FIPS mode is enabled on a system,
| container runtimes may incorrectly handle certain file paths due to
| improper validation in the containers/common Go library. This flaw
| allows an attacker to exploit symbolic links and trick the system
| into mounting sensitive host directories inside a container. This
| issue also allows attackers to access critical host files, bypassing
| the intended isolation between containers and the host system.

https://bugzilla.redhat.com/show_bug.cgi?id=2315691


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-9341
    https://www.cve.org/CVERecord?id=CVE-2024-9341

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: golang-github-containers-common
Source-Version: 0.60.4+ds1-1
Done: Reinhard Tartler <[email protected]>

We believe that the bug you reported is fixed in the latest version of
golang-github-containers-common, which is due to be installed in the Debian
FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <[email protected]> (supplier of updated
golang-github-containers-common package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 16 Oct 2024 06:17:52 -0400
Source: golang-github-containers-common
Architecture: source
Version: 0.60.4+ds1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Reinhard Tartler <[email protected]>
Closes: 1084061
Changes:
 golang-github-containers-common (0.60.4+ds1-1) unstable; urgency=medium
 .
   * New upstream release
      - pkg/subscriptions: use securejoin for the container path
      - Fixes: CVE-2024-9341, Closes: #1084061



--- End Message ---
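
The changelog entry above fixes CVE-2024-9341 by using securejoin for the container path, so symlinks found while resolving that path are confined to the container root. The following Go sketch is an added illustration, not code from containers/common or from the securejoin library: it contrasts ordinary symlink resolution with a root-scoped join on a constructed temporary tree. The names `scopedJoin` and `demo`, the `rootfs` and `host` directories, and the `run/secrets` path are assumptions of the example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// scopedJoin resolves unsafePath beneath root and re-roots every symlink target at
// root. Stdlib sketch of the securejoin idea (not that library's code, not race-safe).
func scopedJoin(root, unsafePath string) (string, error) {
	cur, rest := "/", unsafePath // cur: resolved so far, relative to root
	for links := 0; rest != ""; {
		var part string
		part, rest, _ = strings.Cut(rest, "/")
		next := filepath.Join(cur, part) // Join cleans, so ".." stops at "/"
		fi, err := os.Lstat(filepath.Join(root, next))
		if part == "" || part == "." || part == ".." || err != nil || fi.Mode()&os.ModeSymlink == 0 {
			cur = next // lexical step, missing entry, or not a symlink
			continue
		}
		target, err := os.Readlink(filepath.Join(root, next))
		if links++; err != nil || links > 255 {
			return "", fmt.Errorf("unreadable link or symlink loop at %q: %v", next, err)
		}
		if filepath.IsAbs(target) {
			cur = "/" // absolute target restarts at root, not at the host's "/"
		}
		rest = target + "/" + rest
	}
	return filepath.Join(root, cur), nil
}

func demo() (naive, scoped, rootfs string, err error) { // constructed tree
	base, err := os.MkdirTemp("", "scoped-join-demo")
	if err != nil {
		return
	}
	defer os.RemoveAll(base)
	rootfs = filepath.Join(base, "rootfs")
	os.MkdirAll(filepath.Join(base, "host", "secrets"), 0o755)
	os.MkdirAll(rootfs, 0o755)
	os.Symlink(filepath.Join(base, "host"), filepath.Join(rootfs, "run")) // link leaves rootfs
	naive, _ = filepath.EvalSymlinks(filepath.Join(rootfs, "run/secrets"))
	scoped, err = scopedJoin(rootfs, "run/secrets")
	return
}

func main() { fmt.Println(demo()) }
```

In the output, the naive result lands in the `host` directory outside `rootfs`, while the scoped result stays beneath `rootfs`.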
