Updated lxc packages fix security vulnerabilities
Publication date: 12 Jun 2017Modification date: 12 Jun 2017
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-8649 , CVE-2017-5985
Description
Roman Fiedler discovered a directory traversal flaw in lxc-attach. An attacker with access to an LXC container could exploit this flaw to access files outside of the container (CVE-2016-8649). Jann Horn discovered that LXC incorrectly verified permissions when creating virtual network interfaces. A local attacker could possibly use this issue to create virtual network interfaces in network namespaces that they do not own (CVE-2017-5985). The lxc package has been updated to version 1.0.10 to fix these issues and other bugs.
References
- https://bugs.mageia.org/show_bug.cgi?id=20439
- https://linuxcontainers.org/lxc/news/
- https://www.ubuntu.com/usn/usn-3136-1/
- https://www.ubuntu.com/usn/usn-3224-1/
- https://bugs.mageia.org/show_bug.cgi?id=19835
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8649
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5985
SRPMS
5/core
- lxc-1.0.10-1.mga5