Your message dated Thu, 28 May 2020 22:33:39 +0000
with message-id <e1jer5n-0003vh...@fasolo.debian.org>
and subject line Bug#961421: fixed in libpod 1.6.4+dfsg1-3
has caused the Debian Bug report #961421,
regarding libpod: CVE-2020-1726
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
961421: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961421
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libpod
Version: 1.6.4+dfsg1-2
Severity: grave
Tags: security upstream
Forwarded: https://github.com/containers/libpod/pull/5168
Hi,
The following vulnerability was published for libpod.
CVE-2020-1726[0]:
| A flaw was discovered in Podman where it incorrectly allows containers
| when created to overwrite existing files in volumes, even if they are
| mounted as read-only. When a user runs a malicious container or a
| container based on a malicious image with an attached volume that is
| used for the first time, it is possible to trigger the flaw and
| overwrite files in the volume. This issue was introduced in version
| 1.6.0.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-1726
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1726
[1] https://github.com/containers/libpod/pull/5168
[2] https://github.com/containers/libpod/commit/c140ecdc9b416ab4efd4d21d14acd63b6adbdd42
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libpod
Source-Version: 1.6.4+dfsg1-3
Done: Reinhard Tartler <siret...@tauware.de>
We believe that the bug you reported is fixed in the latest version of
libpod, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 961...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Reinhard Tartler <siret...@tauware.de> (supplier of updated libpod package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 28 May 2020 17:24:41 -0400
Source: libpod
Architecture: source
Version: 1.6.4+dfsg1-3
Distribution: unstable
Urgency: high
Maintainer: Dmitry Smirnov <only...@debian.org>
Changed-By: Reinhard Tartler <siret...@tauware.de>
Closes: 961421
Changes:
libpod (1.6.4+dfsg1-3) unstable; urgency=high
.
* Team upload.
* Do not copy up when volume is not empty
CVE-2020-1726, Closes: #961421
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
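The guard named in the changelog entry above ("Do not copy up when volume is not empty"), which addresses the first-use overwrite described in the CVE text, sketched as an added Go example. It is not libpod's code; `copyUpIfEmpty`, its directory arguments and the file modes are hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// copyUpIfEmpty seeds volumeDir from imageDir only when the volume is empty,
// and reports whether it copied. Hypothetical helper, not libpod's code.
func copyUpIfEmpty(imageDir, volumeDir string) (bool, error) {
	entries, err := os.ReadDir(volumeDir)
	if err != nil || len(entries) > 0 {
		return false, err // non-empty volume: existing files stay untouched
	}
	err = filepath.WalkDir(imageDir, func(p string, d os.DirEntry, err error) error {
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(imageDir, p)
		if err != nil {
			return err
		}
		dst := filepath.Join(volumeDir, rel)
		switch {
		case d.IsDir():
			return os.MkdirAll(dst, 0o755)
		case !d.Type().IsRegular():
			return nil // this sketch skips symlinks and special files
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		return os.WriteFile(dst, data, 0o644)
	})
	return err == nil, err
}

func main() {
	if len(os.Args) != 3 {
		fmt.Println("usage: copyup IMAGE_DIR VOLUME_DIR")
		return
	}
	fmt.Println(copyUpIfEmpty(os.Args[1], os.Args[2]))
}
```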