From ${URL} :
Jann Horn discovered that the lxc-user-nic program could be tricked into operating on a network namespace over which the caller did not hold privilege. The behavior didn't follow what was documented in the lxc-user-nic(1) man page:
    It ensures that the calling user is privileged over the network namespace to which the interface will be attached.
This issue is CVE-2017-5985.
https://lists.linuxcontainers.org/pipermail/lxc-users/2017-March/012925.html
https://launchpad.net/bugs/1654676
https://github.com/lxc/lxc/commit/16af238036a5464ae8f2420ed3af214f0de875f9
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Fix is present in 2.0.8 upstream... please bump!
2.0.8 has been there for a while. Can we stabilize?
I've also verified that the fix is indeed in v2.0.8. However, it's not the commit that is linked above, but rather a cherry-pick:
https://github.com/lxc/lxc/commit/d512bd5efb0e407eba350c4e649c464a65b712a3
    $ git tag --contains d512bd5efb0e407eba350c4e649c464a65b712a3
    lxc-2.0.8
    lxc-2.0.9
ppc64, please keyword, test and mark stable =app-emulation/lxc-2.0.9
x86, amd64, please test and mark stable =app-emulation/lxc-2.0.9
Please note: It turns out that sys-process/criu is an entirely OPTIONAL runtime dependency (the lxc binary simply calls the criu binary). I have dropped the dependency for 2.0.9 so that we can stabilize on x86 and ppc64 (independently of criu).
x86 stable
amd64 stable
ppc64 stable
@maintainer(s), can we please clean the vulnerable?
GLSA Vote: No