Comment 1 Virgil Dupras (RETIRED) 2018-08-05 15:58:26 UTC

The patched ebuilds are ready to push on my machine. Waiting the end of the embargo.

Comment 2 Virgil Dupras (RETIRED) 2018-08-06 11:07:39 UTC

Created attachment 542532 [details, diff]
Security patch for current LXC ebuilds

Comment 3 Virgil Dupras (RETIRED) 2018-08-06 16:13:55 UTC

Pushed at https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=29dedb39a6a6587a6d71b11444de28f24a98b0bb

Can we unlock this bug so we can start stabilization?

Comment 4 Virgil Dupras (RETIRED) 2018-08-06 16:26:14 UTC

amd64, ppc64, x86, please stabilize:

=app-emulation/lxc-2.1.1-r1
=app-emulation/lxc-3.0.1-r1

Thanks!

Comment 5 Agostino Sarubbo 2018-08-06 19:07:47 UTC

I have an LXC/LXD production environment. I will do a great runtime test tomorrow.

Comment 6 Thomas Deutschmann (RETIRED) 2018-08-06 22:21:43 UTC

x86 stable

Comment 7 Agostino Sarubbo 2018-08-07 08:50:33 UTC

amd64 stable

Comment 8 Virgil Dupras (RETIRED) 2018-08-11 23:31:22 UTC

ppc64, status? This bug has a security status of "B1", which means that our target delay is 5 days. I'll soon be forced to proceed to cleanup even if it means dropping the stable ppc64 keyword.

Comment 9 Larry the Git Cow 2018-08-13 00:55:53 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f6083e4cfd2b9d5cdcd94c58a40b08f3ad8eb33d

commit f6083e4cfd2b9d5cdcd94c58a40b08f3ad8eb33d
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-13 00:55:29 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-13 00:55:29 +0000

    app-emulation/lxc: remove old and vulnerable
    
    Bug: https://bugs.gentoo.org/662780
    Package-Manager: Portage-2.3.45, Repoman-2.3.10

 app-emulation/lxc/lxc-2.1.1.ebuild | 214 -------------------------------------
 app-emulation/lxc/lxc-3.0.1.ebuild | 162 ----------------------------
 2 files changed, 376 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0946d4577f5c2bc7e123465c1e8c3224ac477f0f

commit 0946d4577f5c2bc7e123465c1e8c3224ac477f0f
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-13 00:46:44 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-13 00:53:48 +0000

    profiles: mask app-emulation/lxc revdeps on ppc64
    
    ppc64 stabilization is too long and make us miss our security target
    delay on bug #662780. Masking app-emulation/lxc and revdeps until it is
    stabilized.
    
    Bug: https://bugs.gentoo.org/662780

 profiles/arch/powerpc/ppc64/package.mask | 7 +++++++
 1 file changed, 7 insertions(+)

Comment 10 Virgil Dupras (RETIRED) 2018-08-13 00:58:20 UTC

Security team: I've masked app-emulation/lxc and relevant revdeps on ppc64 and cleaned up old vulnerable versions.

I'm not sure what your policies are in situations like this, but I'm guessing you could issue your GLSA.

GLSA filed.Thanks

Comment 12 Thomas Deutschmann (RETIRED) 2018-08-22 17:33:18 UTC

Downgraded to B4 (information leak) because it is read-only.

Comment 13 GLSAMaker/CVETool Bot 2018-08-22 21:28:50 UTC

This issue was resolved and addressed in
 GLSA 201808-02 at https://security.gentoo.org/glsa/201808-02
by GLSA coordinator Thomas Deutschmann (whissi).