* [Buildroot] [PATCH 1/1] package/containerd: security bump to version 1.5.9
@ 2022-01-24  7:14 Christian Stewart via buildroot
  2022-01-26 21:23 ` Thomas Petazzoni
  0 siblings, 1 reply; 3+ messages in thread
From: Christian Stewart via buildroot @ 2022-01-24  7:14 UTC
  To: buildroot; +Cc: Christian Stewart, Yann E . MORIN, Thomas Petazzoni

CVE-2021-43816: "Unprivileged pod using `hostPath` can side-step active LSM when
it is SELinux"

Containers launched through containerd’s CRI implementation on Linux systems
which use the SELinux security module and containerd versions since v1.5.0 can
cause arbitrary files and directories on the host to be relabeled to match the
container process label through the use of specially-configured bind mounts in a
hostPath volume. This relabeling elevates permissions for the container,
granting full read/write access over the affected files and directories.
Kubernetes and crictl can both be configured to use containerd’s CRI
implementation.

https://github.com/advisories/GHSA-mvff-h3cj-wj9c
https://github.com/containerd/containerd/releases/tag/v1.5.9

Signed-off-by: Christian Stewart <christian@paral.in>
---
 package/containerd/containerd.hash | 2 +-
 package/containerd/containerd.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/containerd/containerd.hash b/package/containerd/containerd.hash
index f1a6709554..d5aafe2e70 100644
--- a/package/containerd/containerd.hash
+++ b/package/containerd/containerd.hash
@@ -1,3 +1,3 @@
 # Computed locally
-sha256  a41ab8d39393c9456941b477c33bb1b221a29b635f1c9a99523aab2f5e74f790  containerd-1.5.8.tar.gz
+sha256  40c9767af3e87f2c36adf2f563f0a8374e80b30bd2b7aa80058c85912406cef4  containerd-1.5.9.tar.gz
 sha256  4bbe3b885e8cd1907ab4cf9a41e862e74e24b5422297a4f2fe524e6a30ada2b4  LICENSE
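Review bot: the new sha256 for containerd-1.5.9.tar.gz sits under "# Computed locally", so it pins whatever archive the submitter downloaded rather than an upstream-published checksum, and the hunk gives a reviewer nothing to cross-check it against. Since the archive is the GitHub tag tarball (CONTAINERD_SITE uses v$(CONTAINERD_VERSION)), a second person should fetch the v1.5.9 tarball independently and confirm it hashes to 40c9767af3e87f2c36adf2f563f0a8374e80b30bd2b7aa80058c85912406cef4 before this is merged. The LICENSE hash is left unchanged, which is what a patch-level bump should look like.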
diff --git a/package/containerd/containerd.mk b/package/containerd/containerd.mk
index cd975db274..8976e12f1a 100644
--- a/package/containerd/containerd.mk
+++ b/package/containerd/containerd.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-CONTAINERD_VERSION = 1.5.8
+CONTAINERD_VERSION = 1.5.9
 CONTAINERD_SITE = $(call github,containerd,containerd,v$(CONTAINERD_VERSION))
 CONTAINERD_LICENSE = Apache-2.0
 CONTAINERD_LICENSE_FILES = LICENSE
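Review bot: the hunk only moves CONTAINERD_VERSION from 1.5.8 to 1.5.9, which is all the .mk needs for a version bump, but the commit message ties the fix to containerd's CRI implementation on SELinux hosts, and nothing in containerd.mk as shown records whether Buildroot's containerd build includes the CRI plugin or what security module a target runs. A sentence in the commit message on whether a default Buildroot configuration is actually exposed (CRI enabled, SELinux enforcing) would help downstream users judge how urgent the update is. Also worth confirming that the v1.5.9 tag still ships the same LICENSE file, since CONTAINERD_LICENSE_FILES = LICENSE is untouched and the LICENSE hash was not regenerated.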
-- 
2.34.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
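Triage of which hosts fall inside the version window the commit message names, as an added example that is not code from this patch, from containerd or from Buildroot. It assumes two input shapes: the `containerd --version` banner and the `containerd://<version>` runtime string kubelet reports (as in the CONTAINER-RUNTIME column of `kubectl get nodes -o wide`); the sample lines below are constructed. The range logic follows the advisory text only, affected since v1.5.0 and fixed in 1.5.9, and flags any later release series for a manual check instead of assuming it carries the fix. A version match is a necessary condition, not proof of exposure: the advisory requires containerd's CRI implementation and SELinux to be in use on the host.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Status is the result of matching a containerd version against the window
// given in the CVE-2021-43816 advisory: affected since v1.5.0, fixed in v1.5.9.
type Status int

const (
	Unknown     Status = iota // no dotted version found in the input
	NotAffected               // older than 1.5.0, or not containerd at all
	Affected                  // 1.5.0 <= v < 1.5.9
	Fixed                     // 1.5.9 or later within the 1.5 series
	LaterSeries               // 1.6+: not named by the advisory text, check release notes
)

func (s Status) String() string {
	return [...]string{
		"unknown",
		"not affected",
		"affected (update to >= 1.5.9)",
		"fixed",
		"later series, verify against release notes",
	}[s]
}

// versionRE extracts the first dotted triple, with an optional leading "v".
// It matches both "... v1.5.8 <commit>" and "containerd://1.5.8".
var versionRE = regexp.MustCompile(`v?(\d+)\.(\d+)\.(\d+)`)

// parseVersion returns major, minor, patch and ok=false if no version is present.
func parseVersion(s string) (major, minor, patch int, ok bool) {
	m := versionRE.FindStringSubmatch(s)
	if m == nil {
		return 0, 0, 0, false
	}
	major, _ = strconv.Atoi(m[1])
	minor, _ = strconv.Atoi(m[2])
	patch, _ = strconv.Atoi(m[3])
	return major, minor, patch, true
}

// Classify maps a containerd version string to its Status.
func Classify(s string) Status {
	major, minor, patch, ok := parseVersion(s)
	if !ok {
		return Unknown
	}
	switch {
	case major < 1 || (major == 1 && minor < 5):
		return NotAffected
	case major == 1 && minor == 5 && patch < 9:
		return Affected
	case major == 1 && minor == 5:
		return Fixed
	default:
		return LaterSeries
	}
}

// TriageNodes takes rows shaped like `kubectl get nodes -o wide` output
// (node name in the first column, CONTAINER-RUNTIME in the last) and
// returns a Status per node. Non-containerd runtimes are out of scope for
// this advisory and are reported as NotAffected.
func TriageNodes(lines []string) map[string]Status {
	out := make(map[string]Status)
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 2 || f[0] == "NAME" {
			continue // header or blank line
		}
		runtime := f[len(f)-1]
		if !strings.HasPrefix(runtime, "containerd://") {
			out[f[0]] = NotAffected
			continue
		}
		out[f[0]] = Classify(runtime)
	}
	return out
}

func main() {
	// Constructed sample input: one local banner and a few node rows.
	banner := "containerd github.com/containerd/containerd v1.5.8 1e5ef943eb76627a6d3b6de8cd1ef6537f8fa8e4"
	fmt.Printf("%-8s %s\n", "local:", Classify(banner))

	nodes := []string{
		"NAME     STATUS   ROLES           AGE   VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION     CONTAINER-RUNTIME",
		"node-a   Ready    control-plane   30d   v1.22.4   10.0.0.10     <none>        Ubuntu 20.04.3 LTS   5.4.0-91-generic   containerd://1.5.8",
		"node-b   Ready    <none>          30d   v1.22.4   10.0.0.11     <none>        Ubuntu 20.04.3 LTS   5.4.0-91-generic   containerd://1.5.9",
		"node-c   Ready    <none>          30d   v1.22.4   10.0.0.12     <none>        Ubuntu 20.04.3 LTS   5.4.0-91-generic   containerd://1.4.12",
		"node-d   Ready    <none>          30d   v1.22.4   10.0.0.13     <none>        Ubuntu 20.04.3 LTS   5.4.0-91-generic   cri-o://1.22.1",
	}
	for name, st := range TriageNodes(nodes) {
		fmt.Printf("%-8s %s\n", name+":", st)
	}
}
```

Feed it real `kubectl get nodes -o wide` output and treat every "affected" node as a candidate only; confirm on the node that the kubelet actually talks to containerd's CRI socket and that `getenforce` reports Enforcing before ranking it as exposed.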


* Re: [Buildroot] [PATCH 1/1] package/containerd: security bump to version 1.5.9
  2022-01-24  7:14 [Buildroot] [PATCH 1/1] package/containerd: security bump to version 1.5.9 Christian Stewart via buildroot
@ 2022-01-26 21:23 ` Thomas Petazzoni
  2022-01-28 21:07   ` Peter Korsgaard
  0 siblings, 1 reply; 3+ messages in thread
From: Thomas Petazzoni @ 2022-01-26 21:23 UTC
  To: Christian Stewart via buildroot; +Cc: Yann E . MORIN

On Sun, 23 Jan 2022 23:14:53 -0800
Christian Stewart via buildroot <buildroot@buildroot.org> wrote:

> CVE-2021-43816: "Unprivileged pod using `hostPath` can side-step active LSM when
> it is SELinux"
> 
> Containers launched through containerd’s CRI implementation on Linux systems
> which use the SELinux security module and containerd versions since v1.5.0 can
> cause arbitrary files and directories on the host to be relabeled to match the
> container process label through the use of specially-configured bind mounts in a
> hostPath volume. This relabeling elevates permissions for the container,
> granting full read/write access over the affected files and directories.
> Kubernetes and crictl can both be configured to use containerd’s CRI
> implementation.
> 
> https://github.com/advisories/GHSA-mvff-h3cj-wj9c
> https://github.com/containerd/containerd/releases/tag/v1.5.9
> 
> Signed-off-by: Christian Stewart <christian@paral.in>
> ---
>  package/containerd/containerd.hash | 2 +-
>  package/containerd/containerd.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

* Re: [Buildroot] [PATCH 1/1] package/containerd: security bump to version 1.5.9
  2022-01-26 21:23 ` Thomas Petazzoni
@ 2022-01-28 21:07   ` Peter Korsgaard
  0 siblings, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2022-01-28 21:07 UTC
  To: Thomas Petazzoni; +Cc: Yann E . MORIN, Christian Stewart via buildroot

>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:

 > On Sun, 23 Jan 2022 23:14:53 -0800
 > Christian Stewart via buildroot <buildroot@buildroot.org> wrote:

 >> CVE-2021-43816: "Unprivileged pod using `hostPath` can side-step active LSM when
 >> it is SELinux"
 >> 
 >> Containers launched through containerd’s CRI implementation on Linux systems
 >> which use the SELinux security module and containerd versions since v1.5.0 can
 >> cause arbitrary files and directories on the host to be relabeled to match the
 >> container process label through the use of specially-configured bind mounts in a
 >> hostPath volume. This relabeling elevates permissions for the container,
 >> granting full read/write access over the affected files and directories.
 >> Kubernetes and crictl can both be configured to use containerd’s CRI
 >> implementation.
 >> 
 >> https://github.com/advisories/GHSA-mvff-h3cj-wj9c
 >> https://github.com/containerd/containerd/releases/tag/v1.5.9
 >> 
 >> Signed-off-by: Christian Stewart <christian@paral.in>
 >> ---
 >> package/containerd/containerd.hash | 2 +-
 >> package/containerd/containerd.mk   | 2 +-
 >> 2 files changed, 2 insertions(+), 2 deletions(-)

Committed to 2021.11.x, thanks (2021.02.x not affected).

-- 
Bye, Peter Korsgaard
