[pkg-go] Bug#853240: Bug#853240: runc: CVE-2016-8867

Tianon Gravi tianon at debian.org
Mon Jan 30 20:21:54 UTC 2017

On 30 January 2017 at 10:51, Thorsten Alteholz <debian at alteholz.de> wrote:
> the following vulnerability was published for runc.
> CVE-2016-8867[0]:
> | Docker Engine 1.12.2 enabled ambient capabilities with misconfigured
> | capability policies. This allowed malicious images to bypass user
> | permissions to access files within the container filesystem or mounted
> | volumes.
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Thanks Thorsten!

This one definitely doesn't apply to the runc 0.1.1 we have in Debian
-- the first "ambient capabilities" functionality added upstream was
in https://github.com/opencontainers/runc/pull/1086 (and several more
followed to tweak the behavior), but that wasn't included in a release
until 1.0.0-rc2. :)

(leaving the bug open since I don't want to mess up anything related
to the security tracker)

- Tianon
  4096R / B42F 6819 007F 00F8 8E36  4FD4 036A 9C25 BF35 7DD4
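Added example, not code from runc, Docker or this thread: a small Python check that parses the Cap* lines of /proc/<pid>/status and reports which capabilities sit in the ambient set, the set that a non-root container process would keep across execve under the misconfiguration CVE-2016-8867 describes. The status text below is a constructed sample; point `parse_caps` at a real /proc/<pid>/status to audit a running container.

```python
# Added example: decode the capability sets in /proc/<pid>/status and
# flag a non-empty ambient set (CVE-2016-8867 condition). Not runc code.
import re

# Linux capability bit numbers 0..37 (include/uapi/linux/capability.h).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read",
]

def decode_mask(mask):
    """Return the capability names set in a 64-bit mask, lowest bit first."""
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]

def parse_caps(status_text):
    """Parse CapInh/CapPrm/CapEff/CapBnd/CapAmb lines into {set: int}."""
    caps = {}
    for line in status_text.splitlines():
        m = re.match(r"^Cap(Inh|Prm|Eff|Bnd|Amb):\s*([0-9a-fA-F]+)$", line)
        if m:
            caps[m.group(1)] = int(m.group(2), 16)
    return caps

def audit_ambient(status_text):
    """Names in the ambient set; non-empty means an unprivileged process
    keeps these capabilities across execve, which is what the CVE abused."""
    return decode_mask(parse_caps(status_text).get("Amb", 0))

# Constructed sample: a uid-1000 process whose ambient set carries
# CAP_CHOWN (bit 0) and CAP_DAC_OVERRIDE (bit 1), i.e. mask 0x3.
SAMPLE_STATUS = """Name:\tsh
Uid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000003
CapPrm:\t0000000000000003
CapEff:\t0000000000000003
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000003
"""

if __name__ == "__main__":
    print("ambient caps in sample:", audit_ambient(SAMPLE_STATUS))
```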
