Source: containerd
Version: 1.7.24~ds1-6
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for containerd.

CVE-2024-25621[0]:
| containerd is an open-source container runtime. Versions 0.1.0
| through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through
| 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad
| default permission vulnerability. Directory paths
| `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri`
| and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were
| all created with incorrect permissions. This issue is fixed in
| versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Workarounds include
| updating system administrator permissions so the host can manually
| chmod the directories to not have group or world accessible
| permissions, or to run containerd in rootless mode.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25621
    https://www.cve.org/CVERecord?id=CVE-2024-25621
[1] https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w
[2] https://github.com/containerd/containerd/commit/0450f046e6942e513d0ebf1ef5c2aff13daa187f

Regards,
Salvatore
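The advisory's interim workaround is to chmod the three directories so they carry no group or world permission bits. The script below is an added example, not part of the bug report and not containerd's own tooling: it audits those paths and, when asked, applies the 0700 tightening. It assumes a Linux host with GNU coreutils `stat` (the `%a` format); the `audit`/`fix` command words and the function names are this example's own choices, and the three paths are the ones quoted from the advisory.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the directories named in
# CVE-2024-25621 for group/world access and optionally restrict them to 0700,
# which is what the advisory's chmod workaround amounts to.

# The three paths quoted in the advisory; word-split on purpose when used.
CONTAINERD_DIRS="/var/lib/containerd /run/containerd/io.containerd.grpc.v1.cri /run/containerd/io.containerd.sandbox.controller.v1.shim"

# is_private DIR: exit 0 if DIR exists and has no group/other permission bits,
# 1 if it is group- or world-accessible, 2 if it does not exist.
is_private() {
    dir=$1
    [ -d "$dir" ] || return 2
    mode=$(stat -c '%a' "$dir")          # GNU stat: octal mode, e.g. 755 or 2755
    go=${mode#"${mode%??}"}              # last two octal digits: group, other
    [ "$go" = "00" ]
}

# audit_dirs [--fix] DIR...: print one verdict line per directory.
# With --fix, chmod 0700 any exposed directory. Returns the number of
# directories that were found exposed (before any fix), so 0 means clean.
audit_dirs() {
    fix=0
    if [ "$1" = "--fix" ]; then fix=1; shift; fi
    bad=0
    for d in "$@"; do
        if [ ! -d "$d" ]; then
            echo "MISSING  $d"
            continue
        fi
        if is_private "$d"; then
            echo "OK       $d ($(stat -c '%a' "$d"))"
        else
            echo "EXPOSED  $d ($(stat -c '%a' "$d"))"
            bad=$((bad + 1))
            if [ "$fix" -eq 1 ]; then
                # Owner keeps full access; group and others lose everything.
                chmod 0700 "$d" && echo "FIXED    $d -> 0700"
            fi
        fi
    done
    return "$bad"
}

# Command-line entry points; sourcing the file without arguments runs nothing.
case "${1:-}" in
    audit) audit_dirs $CONTAINERD_DIRS ;;
    fix)   audit_dirs --fix $CONTAINERD_DIRS ;;
esac
```

Run `sh audit-containerd.sh audit` to report and `sh audit-containerd.sh fix` (as root) to apply the workaround; a non-zero exit status is the count of exposed directories, which makes the script usable from a configuration-check job. The chmod only treats the symptom: the two paths under `/run` are created by containerd at start-up, so the check should be repeated after restarts until the fixed version (1.7.29, 2.0.7, 2.1.5 or 2.2.0 per the advisory) is installed.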

