
<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
<DocumentTitle xml:lang="en">An update for lxc is now available for openEuler-20.03-LTS-SP3</DocumentTitle>
<DocumentType>Security Advisory</DocumentType>
<DocumentPublisher Type="Vendor">
<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
<IssuingAuthority>openEuler security committee</IssuingAuthority>
</DocumentPublisher>
<DocumentTracking>
<Identification>
<ID>openEuler-SA-2023-1075</ID>
</Identification>
<Status>Final</Status>
<Version>1.0</Version>
<RevisionHistory>
<Revision>
<Number>1.0</Number>
<Date>2023-02-10</Date>
<Description>Initial</Description>
</Revision>
</RevisionHistory>
<InitialReleaseDate>2023-02-10</InitialReleaseDate>
<CurrentReleaseDate>2023-02-10</CurrentReleaseDate>
<Generator>
<Engine>openEuler SA Tool V1.0</Engine>
<Date>2023-02-10</Date>
</Generator>
</DocumentTracking>
<DocumentNotes>
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">lxc security update</Note>
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for lxc is now available for openEuler-20.03-LTS-SP3.</Note>
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">Containers are insulated areas inside a system, which have their own namespace for filesystem, network, PID, IPC, CPU and memory allocation and which can be created using the Control Group and Namespace features included in the Linux kernel.
Security Fix(es):
lxc-user-nic in lxc through 5.0.1 is installed setuid root, and may allow local users to infer whether any file exists, even within a protected directory tree, because &quot;Failed to open&quot; often indicates that a file does not exist, whereas &quot;does not refer to a network namespace path&quot; often indicates that a file exists. NOTE: this is different from CVE-2018-6556 because the CVE-2018-6556 fix design was based on the premise that &quot;we will report back to the user that the open() failed but the user has no way of knowing why it failed&quot;; however, in many realistic cases, there are no plausible reasons for failing except that the file does not exist.(CVE-2022-47952)</Note>
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for lxc is now available for openEuler-20.03-LTS-SP3.
openEuler Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.</Note>
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">Low</Note>
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">lxc</Note>
</DocumentNotes>
<DocumentReferences>
<Reference Type="Self">
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1075</URL>
</Reference>
<Reference Type="openEuler CVE">
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-47952</URL>
</Reference>
<Reference Type="Other">
<URL>https://nvd.nist.gov/vuln/detail/CVE-2022-47952</URL>
</Reference>
</DocumentReferences>
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
<Branch Type="Product Name" Name="openEuler">
<FullProductName ProductID="openEuler-20.03-LTS-SP3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">openEuler-20.03-LTS-SP3</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="aarch64">
<FullProductName ProductID="lxc-4.0.3-2022102408" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">lxc-4.0.3-2022102408.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="lxc-debugsource-4.0.3-2022102408" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">lxc-debugsource-4.0.3-2022102408.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="lxc-libs-4.0.3-2022102408" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">lxc-libs-4.0.3-2022102408.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="lxc-debuginfo-4.0.3-2022102408" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">lxc-debuginfo-4.0.3-2022102408.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="lxc-devel-4.0.3-2022102408" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">lxc-devel-4.0.3-2022102408.oe1.aarch64.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="noarch">
<FullProductName ProductID="lxc-help-4.0.3-2022102408" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">lxc-help-4.0.3-2022102408.oe1.noarch.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="src">
<FullProductName ProductID="lxc-4.0.3-2022102408" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">lxc-4.0.3-2022102408.oe1.src.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="x86_64">
<FullProductName ProductID="lxc-devel-4.0.3-2022102408" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">lxc-devel-4.0.3-2022102408.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="lxc-libs-4.0.3-2022102408" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">lxc-libs-4.0.3-2022102408.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="lxc-4.0.3-2022102408" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">lxc-4.0.3-2022102408.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="lxc-debugsource-4.0.3-2022102408" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">lxc-debugsource-4.0.3-2022102408.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="lxc-debuginfo-4.0.3-2022102408" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">lxc-debuginfo-4.0.3-2022102408.oe1.x86_64.rpm</FullProductName>
</Branch>
</ProductTree>
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">lxc-user-nic in lxc through 5.0.1 is installed setuid root, and may allow local users to infer whether any file exists, even within a protected directory tree, because &quot;Failed to open&quot; often indicates that a file does not exist, whereas &quot;does not refer to a network namespace path&quot; often indicates that a file exists. NOTE: this is different from CVE-2018-6556 because the CVE-2018-6556 fix design was based on the premise that &quot;we will report back to the user that the open() failed but the user has no way of knowing why it failed&quot;; however, in many realistic cases, there are no plausible reasons for failing except that the file does not exist.</Note>
</Notes>
<ReleaseDate>2023-02-10</ReleaseDate>
<CVE>CVE-2022-47952</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>Low</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>3.3</BaseScore>
<Vector>AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>lxc security update</Description>
<DATE>2023-02-10</DATE>
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1075</URL>
</Remediation>
</Remediations>
</Vulnerability>
</cvrfdoc>