Bug#1009882: marked as done (golang-github-containers-buildah: CVE-2022-27651)
Your message dated Thu, 24 Nov 2022 21:04:27 +
with message-id
and subject line Bug#1009882: fixed in golang-github-containers-buildah 1.28.0+ds1-2
has caused the Debian Bug report #1009882,
regarding golang-github-containers-buildah: CVE-2022-27651
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
1009882: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009882
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: golang-github-containers-buildah
Version: 1.23.1+ds1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for golang-github-containers-buildah.

CVE-2022-27651[0]:
| A flaw was found in buildah where containers were incorrectly started
| with non-empty default permissions. A bug was found in Moby (Docker
| Engine) where containers were incorrectly started with non-empty
| inheritable Linux process capabilities, enabling an attacker with
| access to programs with inheritable file capabilities to elevate those
| capabilities to the permitted set when execve(2) runs. This has the
| potential to impact confidentiality and integrity.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-27651
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27651
[1] https://github.com/containers/buildah/commit/e7e55c988c05dd74005184ceb64f097a0cfe645b

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---

--- Begin Message ---
Source: golang-github-containers-buildah
Source-Version: 1.28.0+ds1-2
Done: Reinhard Tartler

We believe that the bug you reported is fixed in the latest version of
golang-github-containers-buildah, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1009...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler (supplier of updated golang-github-containers-buildah package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 24 Nov 2022 15:27:47 -0500
Source: golang-github-containers-buildah
Architecture: source
Version: 1.28.0+ds1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team
Changed-By: Reinhard Tartler
Closes: 1009882
Changes:
 golang-github-containers-buildah (1.28.0+ds1-2) unstable; urgency=medium
 .
   * upload to unstable
 .
 golang-github-containers-buildah (1.28.0+ds1-1) experimental; urgency=medium
 .
   * New upstream release
     new upstream version fixes CVE-2022-27651, Closes: #1009882
 .
 golang-github-containers-buildah (1.27.0+ds1-6) experimental; urgency=medium
 .
   * Force building with golang-go, gccgo miscompiles at least on mips
 .
 golang-github-containers-buildah (1.27.0+ds1-5) experimental; urgency=medium
 .
   * also exclude running "copier" test from package build, breaks/timeouts
     on arm64, armel, armhf and powerpc64
 .
 golang-github-containers-buildah (1.27.0+ds1-4) experimental; urgency=medium
 .
   * also exclude running pkg/cli test from package build
 .
 golang-github-containers-buildah (1.27.0+ds1-3) experimental; urgency=medium
 .
   * don't run test pkg/completion at package build times
 .
 golang-github-containers-buildah (1.27.0+ds1-2) experimental; urgency=medium
 .
   * New upstream release
   * Run tests at build time
 .
 golang-github-containers-buildah (1.26.1+ds1-1) experimental; urgency=medium
 .
   * New upstream release
 .
 golang-github-containers-buildah (1.24.1+ds1-1) experimental; urgency=medium
 .
   * New upstream release
Bug#1009882: marked as done (golang-github-containers-buildah: CVE-2022-27651)
Your message dated Sun, 13 Nov 2022 17:52:35 +
with message-id
and subject line Bug#1009882: fixed in golang-github-containers-buildah 1.28.0+ds1-1
has caused the Debian Bug report #1009882,
regarding golang-github-containers-buildah: CVE-2022-27651
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
1009882: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009882
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: golang-github-containers-buildah
Version: 1.23.1+ds1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for golang-github-containers-buildah.

CVE-2022-27651[0]:
| A flaw was found in buildah where containers were incorrectly started
| with non-empty default permissions. A bug was found in Moby (Docker
| Engine) where containers were incorrectly started with non-empty
| inheritable Linux process capabilities, enabling an attacker with
| access to programs with inheritable file capabilities to elevate those
| capabilities to the permitted set when execve(2) runs. This has the
| potential to impact confidentiality and integrity.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-27651
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27651
[1] https://github.com/containers/buildah/commit/e7e55c988c05dd74005184ceb64f097a0cfe645b

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---

--- Begin Message ---
Source: golang-github-containers-buildah
Source-Version: 1.28.0+ds1-1
Done: Reinhard Tartler

We believe that the bug you reported is fixed in the latest version of
golang-github-containers-buildah, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1009...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler (supplier of updated golang-github-containers-buildah package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 12 Nov 2022 11:23:23 -0500
Source: golang-github-containers-buildah
Architecture: source
Version: 1.28.0+ds1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Go Packaging Team
Changed-By: Reinhard Tartler
Closes: 1009882
Changes:
 golang-github-containers-buildah (1.28.0+ds1-1) experimental; urgency=medium
 .
   * New upstream release
     new upstream version fixes CVE-2022-27651, Closes: #1009882
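
Added example, not part of the archived messages and not buildah's own code: a check for the condition CVE-2022-27651 describes, reading the CapInh field of /proc/<pid>/status and applying the inheritable term of the execve(2) rule from capabilities(7). The status excerpts, the capability masks and the CAP_NET_RAW file are constructed sample values.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed /proc/<pid>/status excerpts (sample values, not taken from the report).
const (
	nonEmptyInh = "Name:\tsh\nCapInh:\t00000000a80425fb\nCapPrm:\t0000000000000000\nCapBnd:\t00000000a80425fb\n"
	emptyInh    = "Name:\tsh\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000000\nCapBnd:\t00000000a80425fb\n"
)

// capMask returns the bitmask of one capability field, e.g. "CapInh".
func capMask(status, field string) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		key, val, ok := strings.Cut(sc.Text(), ":")
		if ok && key == field {
			return strconv.ParseUint(strings.TrimSpace(val), 16, 64)
		}
	}
	return 0, fmt.Errorf("field %s not found", field)
}

// gainedOnExec is the inheritable term of the execve(2) transformation in
// capabilities(7): P'(permitted) includes P(inheritable) & F(inheritable).
func gainedOnExec(procInh, fileInh uint64) uint64 {
	return procInh & fileInh
}

func main() {
	// Hypothetical binary whose file inheritable set holds CAP_NET_RAW (bit 13).
	const fileInh = uint64(1) << 13
	for _, s := range []struct{ name, status string }{
		{"non-empty CapInh", nonEmptyInh},
		{"empty CapInh", emptyInh},
	} {
		inh, err := capMask(s.status, "CapInh")
		if err != nil {
			fmt.Println(s.name, "error:", err)
			continue
		}
		fmt.Printf("%s: CapInh=%#x gained on exec=%#x flagged=%v\n",
			s.name, inh, gainedOnExec(inh, fileInh), inh != 0)
	}
}
```

Against a live container, feed capMask the contents of /proc/1/status read inside it; a non-zero CapInh is the state the report describes.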