[lxc-users] LXD 2.0.2 has been released (security update)!

Saint Michael venefax at gmail.com
Tue May 31 18:35:27 UTC 2016 

I wonder how long does it take to get the updated LXC 2.0 for Centos and
Fedora.
It does not reflect the new fixed bugs.


On Tue, May 31, 2016 at 2:16 PM, Stéphane Graber <stgraber at ubuntu.com>
wrote:

> Hello everyone,
>
> Today we're releasing LXD 2.0.2 as a security release for two recent CVEs.
>
> The main announcement can be found at:
> https://linuxcontainers.org/lxd/news/
>
>
> == CVE-2016-1581 ==
> Robie Basak noticed that after setting up a loop based ZFS pool through
> "lxd init" the resulting file (/var/lib/lxd/zfs.img) was world readable.
>
> This would allow any user on the system, and a potential attacker to
> copy and then read the data of any LXD container, regardless of file
> permissions inside the container.
>
> LXD 2.0.2 fixes the "lxd init" logic to always set the mode of zfs.img to
> 0600.
>
> Additionally a one-time upgrade step will trigger on first run and reset
> any existing zfs.img mode to be 0600.
>
> If you manage an affected system and suspect an unauthorized user may
> have accessed the zfs.img file, you should consider replacing any secret
> that was stored in the affected containers (private keys and similar
> credentials).
>
>
> == CVE-2016-1582 ==
> Robie Basak noticed that when switching an unprivileged container
> (default, security.privileged=false) into privileged mode (by setting
> security.privileged to true), the container rootfs is properly remapped
> but the container directory itself (/var/lib/lxd/containers/XYZ) remains
> at 0755.
>
> This is a problem because it allows an unprivileged user on the host to
> access any world readable path under /var/lib/lxd/containers/XYZ which
> may include setuid binaries.
>
> Such setuid binaries could then be used on the host to access otherwise
> unaccessible data or to escalate one's privileges.
>
> LXD 2.0.2 fixes this behavior by making sure all privileged containers
> are always root-owned and have their mode set to 0700 to prevent
> traversal by unprivileged users.
>
> Additionally a one-time upgrade step will trigger on first run and reset
> any existing privileged containers' ownership and mode to root:root 0700
>
>
> We recommend everyone update to LXD 2.0.2 as soon as possible.
> Especially if you are a user of loop-mounted ZFS or privileged
> containers!
>
>
> Thanks to the Ubuntu Security team for coordinating the disclosure of
> those two CVEs with other Linux distributions.
>
>
> As a reminder, the 2.0 series is supported for bugfix and security
> updates up until June 2021.
>
>
> Stéphane Graber
> On behalf of the LXD development team
>
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20160531/6082642c/attachment.html>

More information about the lxc-users mailing list