From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id A4B39158099 for ; Sat, 25 Nov 2023 10:49:14 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id A62192BC1C5; Sat, 25 Nov 2023 10:48:48 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id BA32B2BC01D for ; Sat, 25 Nov 2023 10:48:25 +0000 (UTC) Received: from glsamakerdev.dev.gentoo.org (unknown [140.211.166.165]) by smtp.gentoo.org (Postfix) with ESMTP id 2A840335CAF for ; Sat, 25 Nov 2023 10:48:25 +0000 (UTC) Received: from [172.18.0.3] (unknown [172.18.0.3]) by glsamakerdev.dev.gentoo.org (Postfix) with ESMTP id D52A68C6A0 for ; Sat, 25 Nov 2023 10:48:24 +0000 (UTC) Subject: [gentoo-announce] [ GLSA 202311-13 ] Apptainer: Privilege Escalation Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-announce@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha512"; boundary="===============4581380655311239346==" From: glsamaker@gentoo.org To: gentoo-announce@lists.gentoo.org Reply-To: security@gentoo.org Date: Sat, 25 Nov 2023 10:48:24 -0000 Message-ID: <170090930486.7.15000228114919387303@eaa400207d9c> X-Archives-Salt: b7d1d22e-3d63-4bf1-a6a6-18b5e5c292c3 X-Archives-Hash: 053cae24f765e8f05919b6621a7dd0e3 --===============4581380655311239346== Content-Type: text/plain; charset="utf-8" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202311-13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Apptainer: Privilege Escalation Date: November 25, 2023 Bugs: #905091 ID: 202311-13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A privilege escalation vulnerability has been discoverd in Apptainer. Background ========== Apptainer is the container system for secure high-performance computing. Affected packages ================= Package Vulnerable Unaffected ------------------------ ------------ ------------ app-containers/apptainer < 1.1.8 >= 1.1.8 Description =========== A vulnerability has been discovered in Apptainer. Please review the CVE identifier referenced below for details. Impact ====== There is an ext4 use-after-free flaw that is exploitable in vulnerable versions. Workaround ========== There is no known workaround at this time. Resolution ========== All Apptainer users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-containers/apptainer-1.1.8" References ========== [ 1 ] CVE-2023-30549 https://nvd.nist.gov/vuln/detail/CVE-2023-30549 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202311-13 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2023 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 --===============4581380655311239346== Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmVh0PgACgkQFMQkOaVy +9motg//RTETZ7k+q+27jV+9KsCa84CAfmxywKyL9KmqgV6c45EecRG4LfhAD+jq sgQvT8NihBsW2VuY48CPS744WKtB+aBztWYMSUyytIO7OopTTJwPYPhQZcjiI3b0 hk/ER3coUl1qwoom8cMxA2nk+EmoHVB3UWFNxjJkje7bkPbhZAsPwj1R7U/yThuW 3GmnB35+wTiZu5wEnqOvVgWonTeZOULlbEeQ7AyIlybNDkT/LJ89yOGMlsZ2MRx8 XCv/kwEeP/bseGVi6o/dJuRr4H5T4r+93MDAPQxSP8R2sevRhx0I5SDRoumJZsl+ Ii5F/WY+zOsLL0FdIpFWIY1uGdRYHstgA3o/CXr37LBbMV130NnwpZuSdWLE3y9I 3lG7eB5BDuv98uMMK722U2F/N8Ua4W/UQ5EhY4sB5gsAe+b7GpMA0wPh6oV5dqFi Qy+e6cs54rZwOlbQYQNiE3pRsuxygSPH7qmFiGmIIw+XViWpdLZkq95KsX0swkf2 hr4rehMAY+DeHtNKzcB1FkGiN+e3vdMLDy/hg9sSfJ9tluo0dAoJzDsMEk/TGJ4n /L9LgYjFO4O0tfDldmcF1kZYfy/wsmJ3HDGLzR1TXqqEwxnD3mL82CBkBoVr5NyJ 3gNfcwbHY4VvM32QcUoMK4Mp15WMe1Bw06brTrFqPM+Z2GpuMNA= =cgDG -----END PGP SIGNATURE----- --===============4581380655311239346==--