Source: docker.io
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,

The following vulnerability was published for docker.io.

CVE-2024-32473[0]:
| Moby is an open source container framework that is a key component
| of Docker Engine, Docker Desktop, and other distributions of
| container tooling or runtimes. In 26.0.0, IPv6 is not disabled on
| network interfaces, including those belonging to networks where
| `--ipv6=false`. A container with an `ipvlan` or `macvlan` interface
| will normally be configured to share an external network link with
| the host machine. Because of this direct access, (1) Containers may
| be able to communicate with other hosts on the local network over
| link-local IPv6 addresses, (2) if router advertisements are being
| broadcast over the local network, containers may get SLAAC-assigned
| addresses, and (3) the interface will be a member of IPv6 multicast
| groups. This means interfaces in IPv4-only networks present an
| unexpectedly and unnecessarily increased attack surface. The issue
| is patched in 26.0.2. To completely disable IPv6 in a container, use
| `--sysctl=net.ipv6.conf.all.disable_ipv6=1` in the `docker create`
| or `docker run` command. Or, in the service configuration of a
| `compose` file.

https://github.com/moby/moby/security/advisories/GHSA-x84c-p2g9-rqv9
https://github.com/moby/moby/commit/841c4c8057bcf5317d6565875595a3f0c046e3fa

It's not super clear whether this is only fixed in 26.x and old releases
(such as the one in unstable) are not affected; let's validate and update
the Security Tracker accordingly if not (ideally by identifying the
introducing commit).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-32473
    https://www.cve.org/CVERecord?id=CVE-2024-32473

Please adjust the affected versions in the BTS as needed.
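The mitigation quoted in the advisory above, worked through as an added example that is not part of the original bug report and not code from Moby or the Docker project. It shows the `docker run` and compose settings that disable IPv6 in a container on an `--ipv6=false` macvlan network, and a check (run inside the container) that the mitigation actually took effect. The parent interface name `eth0`, the subnet `192.0.2.0/24`, the network name `mvlan-v4only` and the `alpine` image are assumptions chosen for illustration; the sample `ip` output is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example for CVE-2024-32473 mitigation (not from the Debian bug or from Moby).
# Assumptions: Docker host with parent interface eth0, image "alpine" (busybox ip).

# Parse `ip -o -6 addr show` output passed as $1 (one address per line) and print
# the distinct IPv6 scopes present, sorted and space-separated. On an engine without
# the fix, a container on an --ipv6=false macvlan network still shows "link"
# (fe80::/64) and, if the LAN carries router advertisements, "global" (SLAAC).
ipv6_scopes() {
    printf '%s\n' "$1" \
        | awk '/inet6/ { for (i = 1; i <= NF; i++) if ($i == "scope") print $(i+1) }' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 when the container has no IPv6 address at all (the state we want after
# --sysctl=net.ipv6.conf.all.disable_ipv6=1), 1 otherwise.
ipv6_fully_disabled() {
    [ -z "$(ipv6_scopes "$1")" ]
}

# Constructed sample outputs (not captured from a real system).
# Unmitigated container: SLAAC global address plus the link-local address.
SAMPLE_VULNERABLE='2: eth0    inet6 2001:db8:1:0:42:acff:fe11:2/64 scope global dynamic mngtmpaddr \       valid_lft 86399sec preferred_lft 14399sec
2: eth0    inet6 fe80::42:acff:fe11:2/64 scope link \       valid_lft forever preferred_lft forever'
# Link-local only: no router advertisements on the LAN, but still reachable over fe80::.
SAMPLE_LINK_ONLY='2: eth0    inet6 fe80::42:acff:fe11:2/64 scope link \       valid_lft forever preferred_lft forever'
# Mitigated container: the kernel removes every inet6 address, so the output is empty.
SAMPLE_MITIGATED=''

# Equivalent compose service setting (the `sysctls` key of a compose file).
COMPOSE_SNIPPET='services:
  app:
    image: alpine
    networks: [mvlan-v4only]
    sysctls:
      net.ipv6.conf.all.disable_ipv6: 1'

# Live demonstration; only run as `sh example.sh --live` on a Docker host.
live_demo() {
    docker network create -d macvlan --ipv6=false \
        --subnet=192.0.2.0/24 -o parent=eth0 mvlan-v4only
    # Unmitigated: on Moby 26.0.0/26.0.1 this still prints a fe80:: link-local address.
    docker run --rm --network mvlan-v4only alpine ip -o -6 addr show dev eth0
    # Mitigated as the advisory recommends: disable_ipv6 reads 1 and no inet6 lines appear.
    docker run --rm --network mvlan-v4only \
        --sysctl=net.ipv6.conf.all.disable_ipv6=1 \
        alpine sh -c 'cat /proc/sys/net/ipv6/conf/all/disable_ipv6; ip -o -6 addr show dev eth0'
    docker network rm mvlan-v4only
}

if [ "${1:-}" = "--live" ]; then
    live_demo
fi
```

One caveat when applying the sysctl: `net.ipv6.conf.all.disable_ipv6=1` is applied to every interface in the container's network namespace, including `lo`, so `::1` disappears as well and anything inside the container that binds or connects to `::1` will fail. Check that before rolling the setting out across a compose project.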