[pkg-lxc-devel] Bug#845465: lxc: CVE-2016-8649: attach: do not send procfd to attached process

Salvatore Bonaccorso carnil at debian.org
Wed Nov 23 18:06:45 UTC 2016


Source: lxc
Version: 1:2.0.5-3
Severity: important
Tags: security upstream patch

Hi,

the following vulnerability was published for lxc.

CVE-2016-8649[0]:
lxc-attach to malicious container allows access to host

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-8649
[1] https://github.com/lxc/lxc/commit/81f466d05f2a89cb4f122ef7f593ff3f279b165c
[2] https://launchpad.net/bugs/1639345
[3] http://www.openwall.com/lists/oss-security/2016/11/23/6

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore


