Hello,

Your security tracker claims that the CVEs related to "Leaky Vessels" (https://snyk.io/blog/leaky-vessels-docker-runc-container-breakout-vulnerabilities/) are NOT-FOR-US:

- https://security-tracker.debian.org/tracker/CVE-2024-23651
- https://security-tracker.debian.org/tracker/CVE-2024-23652
- https://security-tracker.debian.org/tracker/CVE-2024-23653

And the following CVE is marked as only related to the runc package:

- https://security-tracker.debian.org/tracker/CVE-2024-21626

However, I think these vulnerabilities all affect at least the podman package (https://packages.debian.org/bookworm/podman) because it includes buildkit/runc as a Go library. You can see it being patched here:

- https://github.com/containers/podman/pull/21464
- https://github.com/containers/podman/pull/21485

And released in https://github.com/containers/podman/releases/tag/v4.9.2.

There might be other Debian packages affected in this way. You can see a list of some of the programs that depend on these libraries here: https://security.snyk.io/vuln?search=CVE-2024-23653.

Please let me know if I'm missing something.

Kind regards,
Will
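The concern in the mail is that a vulnerable Go library (runc, buildkit) is compiled into other binaries such as podman, where a per-package tracker entry does not see it. As an added example, not part of the mail or of any Debian tooling, the following Go code checks for exactly that: it parses the module list that `go version -m BINARY` prints for a Go binary (e.g. /usr/bin/podman), honours replace directives, and reports every watched module (keyed by its upstream path, e.g. github.com/opencontainers/runc or github.com/moby/buildkit) that is vendored below a first-fixed version the caller supplies from the advisory. Pipe the tool's output into ParseModules; the sample inputs and version numbers in the test are constructed.

```go
package main

import (
	"strconv"
	"strings"
)

// coreVersion encodes the vMAJOR.MINOR.PATCH prefix of a canonical Go module version
// as one int (components assumed < 1000); pre-release/pseudo-version suffixes are dropped,
// so a pre-release of the fixed version counts as fixed. Tighten this if that matters.
func coreVersion(v string) (n int) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	for _, p := range strings.SplitN(v, ".", 3) {
		x, _ := strconv.Atoi(p) // "(devel)" or "" encodes as 0 and so gets flagged for review
		n = n*1000 + x
	}
	return n
}

// ParseModules maps module path -> version from `go version -m BINARY` output lines
// ("\tdep\tPATH\tVERSION\tSUM"); a following "\t=>\tPATH\tVERSION\tSUM" replace line
// wins, because the replacement is the code that was actually compiled in.
func ParseModules(lines []string) map[string]string {
	mods, last := map[string]string{}, ""
	for _, l := range lines {
		if f := strings.Split(strings.TrimSpace(l), "\t"); len(f) >= 3 && f[0] == "dep" {
			last, mods[f[1]] = f[1], f[2]
		} else if len(f) >= 3 && f[0] == "=>" && last != "" {
			mods[last] = f[2] // keyed by the declared path so advisories still match by name
		}
	}
	return mods
}

// Vulnerable maps path -> vendored version for each watched module (path -> first
// fixed version, taken from the advisory) that the binary carries at an older version.
func Vulnerable(mods, fixed map[string]string) map[string]string {
	out := map[string]string{}
	for path, want := range fixed {
		if have, ok := mods[path]; ok && coreVersion(have) < coreVersion(want) {
			out[path] = have
		}
	}
	return out
}
```

A module replaced by a fork or a local path is judged by the replacement's version string, which may not track upstream numbering; treat such findings as a prompt for manual review rather than a verdict.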
