A flaw was found in cri-o, as a result of all pod-related processes being
placed in the same memory cgroup. This can result in container management
(conmon) processes being killed if a workload process triggers an
out-of-memory (OOM) condition for the cgroup. An attacker could abuse this
flaw to get host network access on an cri-o host.
It's not clear to me what version this was fixed in, if at all.
According to the RH bug, this was fixed in 1.16.1.
Maybe it's time to clean up.
The bug has been referenced in the following commit(s):
Author: Zac Medico <firstname.lastname@example.org>
AuthorDate: 2020-08-19 16:35:06 +0000
Commit: Zac Medico <email@example.com>
CommitDate: 2020-08-19 16:39:42 +0000
app-emulation/cri-o: Bump to version 1.18.3
Reported-by: Konstantin (Qrator Labs) <firstname.lastname@example.org>
Package-Manager: Portage-3.0.4, Repoman-3.0.1
Signed-off-by: Zac Medico <email@example.com>
app-emulation/cri-o/Manifest | 1 +
app-emulation/cri-o/cri-o-1.18.3.ebuild | 95 +++++++++++++++++++++++++++++++++
2 files changed, 96 insertions(+)
(In reply to Jeroen Roovers (RETIRED) from comment #2)
> Maybe it's time to clean up.
Yep, patch is in 1.16.3 onwards, all done!