922060 – (CVE-2023-6476) <app-containers/cri-o-1.29.0: node denial of service

Bug 922060 (CVE-2023-6476) - <app-containers/cri-o-1.29.0: node denial of service

Summary: <app-containers/cri-o-1.29.0: node denial of service

Status:	RESOLVED FIXED

Alias:	CVE-2023-6476

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	~3 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2024-01-13 20:28 UTC by John Helmert III
Modified:	2024-04-22 07:24 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2024-01-13 20:28:39 UTC

CVE-2023-6476 (https://bugzilla.redhat.com/show_bug.cgi?id=2253994):

A flaw was found in CRI-O that involves an experimental annotation leading to a container being unconfined. This may allow a pod to specify and get any amount of memory/cpu, circumventing the kubernetes scheduler and potentially resulting in a denial of service in the node.

Fix in 1.27.3 and 1.28.3 according to the changelogs, please bump:

https://github.com/cri-o/cri-o/releases/tag/v1.27.3
https://github.com/cri-o/cri-o/releases/tag/v1.28.3

Comment 1 Zac Medico gentoo-dev

2024-04-22 05:59:17 UTC

Dropped 1.26.0:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dd3df74b260c383ca385badbf0d60b4806f26318

Comment 2 Hans de Graaff gentoo-dev

2024-04-22 07:24:29 UTC

All done. Thanks!