- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201711-09 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: LXC: Remote security bypass Date: November 11, 2017 Bugs: #636386 ID: 201711-09 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A vulnerability in LXC may lead to an unauthorized security bypass. Background ========== LinuX Containers userspace utilities Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 app-emulation/lxc < 2.0.7 >= 2.0.7 Description =========== Previous versions of lxc-attach ran a shell or the specified command without allocating a pseudo terminal making it vulnerable to input faking via a TIOCSTI ioctl call. Impact ====== Remote attackers can escape the container and perform unauthorized modifications. Workaround ========== There is no know workaround at this time. Resolution ========== All LXC users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-emulation/lxc-2.0.7" References ========== [ 1 ] CVE-2016-10124 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10124 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201711-09 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License =======