Your message dated Sun, 20 Oct 2024 17:32:08 +0000
with message-id <e1t2zmi-00htot...@fasolo.debian.org>
and subject line Bug#1084993: fixed in docker.io 20.10.24+dfsg1-1+deb12u1
has caused the Debian Bug report #1084993,
regarding docker.io: CVE-2024-41110
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1084993: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084993
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: docker.io
Version: 20.10.24+dfsg1-1
Severity: serious
Tags: security
Justification: security

Dear Maintainer,

A security vulnerability has been detected in certain versions of Docker Engine,
which could allow an attacker to bypass authorization plugins (AuthZ) under
specific circumstances. The base likelihood of this being exploited is low.
Using a specially-crafted API request, an Engine API client could make the
daemon forward the request or response to an authorization plugin without the
body. In certain circumstances, the authorization plugin may allow a request
which it would have otherwise denied if the body had been forwarded to it. A
security issue was discovered in 2018, where an attacker could bypass AuthZ
plugins using a specially crafted API request. This could lead to unauthorized
actions, including privilege escalation. Although this issue was fixed in
Docker Engine v18.09.1 in January 2019, the fix was not carried forward to
later major versions, resulting in a regression. Anyone who depends on
authorization plugins that introspect the request and/or response body to make
access control decisions is potentially impacted.

I plan to prepare a PU

Bastien



--- End Message ---
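The body-dependent AuthZ decision the report describes, as an added Go example that is not part of this bug report or of the docker.io package: a minimal plugin policy in the naive form (denies only what it can see in the body) beside a fail-closed form (a body-driven endpoint with no body is denied). The JSON field names follow the Docker authorization plugin API; the policy itself, gating only container creation on HostConfig.Privileged, and the sample request are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AuthZReq mirrors the JSON the daemon POSTs to the plugin's AuthZReq hook;
// RequestBody is base64 on the wire, which encoding/json decodes into []byte.
type AuthZReq struct {
	RequestMethod string `json:"RequestMethod"`
	RequestURI    string `json:"RequestUri"`
	RequestBody   []byte `json:"RequestBody"`
}
// AuthZRes is the plugin's verdict; Msg is relayed to the API client on denial.
type AuthZRes struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg"`
}
type createReq struct{ HostConfig struct{ Privileged bool } }

// naiveDecide denies only on a visible Privileged=true, so a bodiless request falls through to Allow.
func naiveDecide(req AuthZReq) AuthZRes {
	var c createReq
	if json.Unmarshal(req.RequestBody, &c) == nil && c.HostConfig.Privileged {
		return AuthZRes{Allow: false, Msg: "privileged containers are not allowed"}
	}
	return AuthZRes{Allow: true}
}

// failClosedDecide denies a body-driven endpoint whose body is absent or unparsable.
func failClosedDecide(req AuthZReq) AuthZRes {
	if req.RequestMethod != "POST" || !strings.Contains(req.RequestURI, "/containers/create") {
		return AuthZRes{Allow: true} // only container creation is gated in this constructed policy
	}
	var c createReq
	if len(req.RequestBody) == 0 || json.Unmarshal(req.RequestBody, &c) != nil {
		return AuthZRes{Allow: false, Msg: "request body missing or unparsable; cannot evaluate HostConfig"}
	}
	if c.HostConfig.Privileged {
		return AuthZRes{Allow: false, Msg: "privileged containers are not allowed"}
	}
	return AuthZRes{Allow: true}
}

func main() {
	// Constructed sample: a container-create request that reached the plugin with an empty body.
	req := AuthZReq{RequestMethod: "POST", RequestURI: "/v1.41/containers/create"}
	fmt.Printf("naive: %+v\nfail-closed: %+v\n", naiveDecide(req), failClosedDecide(req))
}
```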
--- Begin Message ---
Source: docker.io
Source-Version: 20.10.24+dfsg1-1+deb12u1
Done: Bastien Roucariès <ro...@debian.org>

We believe that the bug you reported is fixed in the latest version of
docker.io, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1084...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <ro...@debian.org> (supplier of updated docker.io package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Sat, 12 Oct 2024 15:19:49 +0000
Source: docker.io
Architecture: source
Version: 20.10.24+dfsg1-1+deb12u1
Distribution: bookworm
Urgency: high
Maintainer: Debian Go Packaging Team <team+pkg...@tracker.debian.org>
Changed-By: Bastien Roucariès <ro...@debian.org>
Closes: 1084993
Changes:
 docker.io (20.10.24+dfsg1-1+deb12u1) bookworm; urgency=high
 .
   * Team upload
   * Fix CVE-2024-41110: Authz zero length regression
     A security vulnerability has been detected in Docker Engine,
     which could allow an attacker
     to bypass authorization plugins (AuthZ) under specific
     circumstances. The base likelihood of this being exploited is low.
     (Closes: #1084993)




--- End Message ---
