| Message ID | 20220124071453.16225-1-christian@paral.in |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [1/1] package/containerd: security bump to version 1.5.9 | expand |
On Sun, 23 Jan 2022 23:14:53 -0800 Christian Stewart via buildroot <buildroot@buildroot.org> wrote: > CVE-2021-43816: "Unprivileged pod using `hostPath` can side-step active LSM when > it is SELinux" > > Containers launched through containerd’s CRI implementation on Linux systems > which use the SELinux security module and containerd versions since v1.5.0 can > cause arbitrary files and directories on the host to be relabeled to match the > container process label through the use of specially-configured bind mounts in a > hostPath volume. This relabeling elevates permissions for the container, > granting full read/write access over the affected files and directories. > Kubernetes and crictl can both be configured to use containerd’s CRI > implementation. > > https://github.com/advisories/GHSA-mvff-h3cj-wj9c > https://github.com/containerd/containerd/releases/tag/v1.5.9 > > Signed-off-by: Christian Stewart <christian@paral.in> > --- > package/containerd/containerd.hash | 2 +- > package/containerd/containerd.mk | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) Applied to master, thanks. Thomas
>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes: > On Sun, 23 Jan 2022 23:14:53 -0800 > Christian Stewart via buildroot <buildroot@buildroot.org> wrote: >> CVE-2021-43816: "Unprivileged pod using `hostPath` can side-step active LSM when >> it is SELinux" >> >> Containers launched through containerd’s CRI implementation on Linux systems >> which use the SELinux security module and containerd versions since v1.5.0 can >> cause arbitrary files and directories on the host to be relabeled to match the >> container process label through the use of specially-configured bind mounts in a >> hostPath volume. This relabeling elevates permissions for the container, >> granting full read/write access over the affected files and directories. >> Kubernetes and crictl can both be configured to use containerd’s CRI >> implementation. >> >> https://github.com/advisories/GHSA-mvff-h3cj-wj9c >> https://github.com/containerd/containerd/releases/tag/v1.5.9 >> >> Signed-off-by: Christian Stewart <christian@paral.in> >> --- >> package/containerd/containerd.hash | 2 +- >> package/containerd/containerd.mk | 2 +- >> 2 files changed, 2 insertions(+), 2 deletions(-) Committed to 2021.11.x, thanks (2021.02.x not affected).
diff --git a/package/containerd/containerd.hash b/package/containerd/containerd.hash index f1a6709554..d5aafe2e70 100644 --- a/package/containerd/containerd.hash +++ b/package/containerd/containerd.hash @@ -1,3 +1,3 @@ # Computed locally -sha256 a41ab8d39393c9456941b477c33bb1b221a29b635f1c9a99523aab2f5e74f790 containerd-1.5.8.tar.gz +sha256 40c9767af3e87f2c36adf2f563f0a8374e80b30bd2b7aa80058c85912406cef4 containerd-1.5.9.tar.gz sha256 4bbe3b885e8cd1907ab4cf9a41e862e74e24b5422297a4f2fe524e6a30ada2b4 LICENSE diff --git a/package/containerd/containerd.mk b/package/containerd/containerd.mk index cd975db274..8976e12f1a 100644 --- a/package/containerd/containerd.mk +++ b/package/containerd/containerd.mk @@ -4,7 +4,7 @@ # ################################################################################ -CONTAINERD_VERSION = 1.5.8 +CONTAINERD_VERSION = 1.5.9 CONTAINERD_SITE = $(call github,containerd,containerd,v$(CONTAINERD_VERSION)) CONTAINERD_LICENSE = Apache-2.0 CONTAINERD_LICENSE_FILES = LICENSE
CVE-2021-43816: "Unprivileged pod using `hostPath` can side-step active LSM when it is SELinux" Containers launched through containerd’s CRI implementation on Linux systems which use the SELinux security module and containerd versions since v1.5.0 can cause arbitrary files and directories on the host to be relabeled to match the container process label through the use of specially-configured bind mounts in a hostPath volume. This relabeling elevates permissions for the container, granting full read/write access over the affected files and directories. Kubernetes and crictl can both be configured to use containerd’s CRI implementation. https://github.com/advisories/GHSA-mvff-h3cj-wj9c https://github.com/containerd/containerd/releases/tag/v1.5.9 Signed-off-by: Christian Stewart <christian@paral.in> --- package/containerd/containerd.hash | 2 +- package/containerd/containerd.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)