On Thu, 2023-06-22 at 10:37 +0000, Bastien Roucariès wrote: > Hi, > > I want to discuss about CVE-2023-2884[0-2]. > > In order to be vulnerable host kernel need to disable the xt_u32 module. > > Moreover upstream drop for newer version support of xt_u32 see > https://github.com/moby/moby/commit/4d04068184cf34af7be43272db1687143327cdf7 > Do we support only xt_bpf in buster ? > > I believe it is not a problem for debian system (at least for buster), for > default kernel. > > What is your advice on these bugs ?
I think you are right for -28840 and -28841, but the description of - 28842 at <https://security-tracker.debian.org/tracker/CVE-2023-28842> does not say having xt_u32 available everywhere is a mitigation. Ben. > > BTW the upstream fix is: > https://github.com/moby/moby/commit/878ee341d6fad3c0a28f9bd5471eb56736579010 > and seems inclomplete without: > https://github.com/moby/moby/commit/1e195acee45ac69a2f7d8d4f2c9ea05ff6b0af2c > And for completeness again auser config: > https://github.com/moby/moby/commit/9a692a38028f4914a3a914c9a229e61bb3fbaf66 > > Bastien -- Ben Hutchings All the simple programs have been written, and all the good names taken
signature.asc
Description: This is a digitally signed message part
