Hi Will,

On Wed, Feb 07, 2024 at 04:34:11PM +0000, Will Sewell wrote:
> Hello,
>
> Your security tracker claims that the CVEs related to "Leaky Vessels" (
> https://snyk.io/blog/leaky-vessels-docker-runc-container-breakout-vulnerabilities/)
> are NOT-FOR-US:
>
> - https://security-tracker.debian.org/tracker/CVE-2024-23651
> - https://security-tracker.debian.org/tracker/CVE-2024-23652
> - https://security-tracker.debian.org/tracker/CVE-2024-23653
>
> And the following CVE is marked as only related to the runc package:
>
> - https://security-tracker.debian.org/tracker/CVE-2024-21626
>
> However I think these vulnerabilities all affect at least the podman
> package (https://packages.debian.org/bookworm/podman) because it includes
> buildkit/runc as a Go library. You can see it being patched here:
>
> - https://github.com/containers/podman/pull/21464
> - https://github.com/containers/podman/pull/21485
>
> And released in https://github.com/containers/podman/releases/tag/v4.9.2.
>
> There might be other debian packages affected in this way. You can see a
> list of some of the programs that depend on these libraries here:
> https://security.snyk.io/vuln?search=CVE-2024-23653.
>
> Please let me know if I'm missing something.

Thank you, we will have a look at it.

Regards,
Salvatore