Package "containerd"

  containerd (1.5.9-0ubuntu1~18.04.2) bionic-security; urgency=medium

  * SECURITY UPDATE: Memory exhaustion through Exec
    - debian/patches/CVE-2022-23471.patch: Prevent goroutine leak in Exec
      in pkg/cri/streaming/remotecommand/httpstream.go.
    - CVE-2022-23471
  * SECURITY UPDATE: Privilege escalation by inheritable file capabilities.
    - debian/patches/CVE-2022-24769.patch: Unassign the Inheritable
      capability in oci/spec.go and oci/spec_opts.go.
    - CVE-2022-24769
  * SECURITY UPDATE: Improper access to images due to imgcrypt.
    - debian/patches/CVE-2022-24778.patch: perform proper
      authentication by adding platforms in
      vendor/github.com/containerd/imgcrypt/images/
      encryption/encryption.go.
    - CVE-2022-24778
  * SECURITY UPDATE: Memory exhaustion through ExecSync.
    - debian/patches/CVE-2022-31030.patch: limit the response size
      of ExecSync in pkg/cri/server/container_execsync.go.
    - CVE-2022-31030

 -- David Fernandez Gonzalez <email address hidden> Mon, 12 Dec 2022 16:33:42 +0100

  containerd (1.5.5-0ubuntu3~18.04.2) bionic-security; urgency=medium

  * SECURITY UPDATE: Insecure handling of image volumes
    - debian/patches/CVE-2022-23648.patch: Use fs.RootPath when mounting
    volumes.
    - CVE-2022-23648

 -- Paulo Flabiano Smorigo <email address hidden> Fri, 25 Feb 2022 20:16:34 +0000

  containerd (1.5.2-0ubuntu1~18.04.3) bionic-security; urgency=medium

  * SECURITY UPDATE: insufficiently restricted directory permissions
    - debian/patches/1.5-reduce-directory-permissions.patch: reduce
      permissions for bundle dir in runtime/v1/linux/bundle.go,
      runtime/v1/linux/bundle_test.go, runtime/v2/bundle.go,
      runtime/v2/bundle_default.go, runtime/v2/bundle_linux.go,
      runtime/v2/bundle_linux_test.go, runtime/v2/bundle_test.go,
      snapshots/btrfs/btrfs.go.
    - CVE-2021-41103

 -- Marc Deslauriers <email address hidden> Wed, 29 Sep 2021 06:49:25 -0400

  containerd (1.5.2-0ubuntu1~18.04.2) bionic-security; urgency=medium

  * SECURITY UPDATE: unexpected host file permission changes
    - debian/patches/1.5-Cleanup-lchmod-logic-in-archive.patch: cleanup
      lchmod logic in archive in archive/tar.go, archive/tar_freebsd.go,
      archive/tar_mostunix.go, archive/tar_test.go, archive/tar_unix.go,
      archive/tar_windows.go.
    - No CVE number yet

 -- Marc Deslauriers <email address hidden> Tue, 13 Jul 2021 12:55:59 -0400

  containerd (1.3.3-0ubuntu1~18.04.3) bionic-security; urgency=medium

  * SECURITY UPDATE: Elevation of privilege vulnerability
    - debian/patches/CVE-2020-15257.patch: Use path based unix socket for shims
      and use path-based unix socket for containerd-shim.
    - debian/control: Remove libbtrfs-dev from build dependency since it's not
      available in Bionic.
    - CVE-2020-15257

 -- Paulo Flabiano Smorigo <email address hidden> Thu, 26 Nov 2020 18:12:09 +0000