CVE-2019-14891 (https://nvd.nist.gov/vuln/detail/CVE-2019-14891): A flaw was found in cri-o, as a result of all pod-related processes being placed in the same memory cgroup. This can result in container management (conmon) processes being killed if a workload process triggers an out-of-memory (OOM) condition for the cgroup. An attacker could abuse this flaw to get host network access on an cri-o host. ---- It's not clear to me what version this was fixed in, if at all.
According to the RH bug, this was fixed in 1.16.1.
Particularly https://github.com/cri-o/cri-o/commit/7c140ff847e330a5c5d1fbc0beb19ef16dcb58ae Maybe it's time to clean up.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e1831069e295b9a3cd213159de150f0dc8a4a838 commit e1831069e295b9a3cd213159de150f0dc8a4a838 Author: Zac Medico <zmedico@gentoo.org> AuthorDate: 2020-08-19 16:35:06 +0000 Commit: Zac Medico <zmedico@gentoo.org> CommitDate: 2020-08-19 16:39:42 +0000 app-emulation/cri-o: Bump to version 1.18.3 Reported-by: Konstantin (Qrator Labs) <kpp+gentoo@qrator.net> Bug: https://bugs.gentoo.org/720740 Bug: https://bugs.gentoo.org/737994 Package-Manager: Portage-3.0.4, Repoman-3.0.1 Signed-off-by: Zac Medico <zmedico@gentoo.org> app-emulation/cri-o/Manifest | 1 + app-emulation/cri-o/cri-o-1.18.3.ebuild | 95 +++++++++++++++++++++++++++++++++ 2 files changed, 96 insertions(+)
(In reply to Jeroen Roovers (RETIRED) from comment #2) > Particularly > https://github.com/cri-o/cri-o/commit/ > 7c140ff847e330a5c5d1fbc0beb19ef16dcb58ae > > Maybe it's time to clean up. Yep, patch is in 1.16.3 onwards, all done!