[Buildroot] [PATCH 1/1] package/containerd: security bump to version 1.5.9
Peter Korsgaard
peter at korsgaard.com
Fri Jan 28 21:07:48 UTC 2022
>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni at bootlin.com> writes:
> On Sun, 23 Jan 2022 23:14:53 -0800
> Christian Stewart via buildroot <buildroot at buildroot.org> wrote:
>> CVE-2021-43816: "Unprivileged pod using `hostPath` can side-step active LSM when
>> it is SELinux"
>>
>> Containers launched through containerd’s CRI implementation on Linux systems
>> which use the SELinux security module and containerd versions since v1.5.0 can
>> cause arbitrary files and directories on the host to be relabeled to match the
>> container process label through the use of specially-configured bind mounts in a
>> hostPath volume. This relabeling elevates permissions for the container,
>> granting full read/write access over the affected files and directories.
>> Kubernetes and crictl can both be configured to use containerd’s CRI
>> implementation.
>>
>> https://github.com/advisories/GHSA-mvff-h3cj-wj9c
>> https://github.com/containerd/containerd/releases/tag/v1.5.9
>>
>> Signed-off-by: Christian Stewart <christian at paral.in>
>> ---
>> package/containerd/containerd.hash | 2 +-
>> package/containerd/containerd.mk | 2 +-
>> 2 files changed, 2 insertions(+), 2 deletions(-)
Committed to 2021.11.x, thanks (2021.02.x not affected).
--
Bye, Peter Korsgaard