Test ID: | 1.3.6.1.4.1.25623.1.1.18.1.2025.0074.1 |
Category: | openSUSE Local Security Checks |
Title: | openSUSE Security Advisory (openSUSE-SU-2025:0074-1) |
Summary: | The remote host is missing an update for the 'crun' package(s) announced via the openSUSE-SU-2025:0074-1 advisory. |
Description: |
Summary: The remote host is missing an update for the 'crun' package(s) announced via the openSUSE-SU-2025:0074-1 advisory.

Vulnerability Insight: This update for crun fixes the following issues:

Update to 1.20:
* krun: fix CVE-2025-24965. The .krun_config.json file could be created outside of the container rootfs. (bsc#1237421)
* cgroup: reverted the removal of tun/tap from the default allow list, this was done in crun-1.5. The tun/tap device is now added by default again.
* CRIU: do not set network_lock unless explicitly specified.
* status: disallow container names containing slashes in their name.
* linux: Improved error message when failing to set the net.ipv4.ping_group_range sysctl.
* scheduler: Ignore ENOSYS errors when resetting the CPU affinity mask.
* linux: return a better error message when pidfd_open fails with EINVAL.
* cgroup: display the absolute path to cgroup.controllers when a controller is unavailable.
* exec: always call setsid. Now processes created through exec get the correct process group id.

Update to 1.19.1:
* linux: fix a hang if there are no reads from the tty. Use non blocking sockets to read and write from the tty so that the 'crun exec' process doesn't hang when the terminal is not consuming any data.
* linux: remove the workaround needed to mount a cgroup on top of another cgroup mount. The workaround had the disadvantage to temporarily leak a mount on the host. The alternative that is currently used is to mount a temporary tmpfs between the two cgroup mounts.

Update to 1.19:
* wasm: add new handler wamr.
* criu: allow passing network lock method to libcriu.
* linux: honor exec cpu affinity mask.
* build: fix build with musl libc.
* crun: use mount API to self-clone.
* cgroup, systemd: do not override devices on update. If the 'update' request has no device block configured, do not reset the previous configuration.
* cgroup: handle case where cgroup v1 freezer is disabled. On systems without the freezer controller, containers were mistakenly reported as paused.
* cgroup: do not stop process on exec. The cpu mask is configured on the systemd scope, the previous workaround to stop the container until the cgroup is fully configured is no longer needed.

- Update to crun v1.18.2 Upstream changelog is available from <[link moved to references]>
- Update to crun v1.18. Upstream changelog is available from <[link moved to references]>

Update to 1.17:
* Add --log-level option. It accepts error, warning and error.
* Add debug logs for container creation.
* Fix double-free in crun exec code that could lead to a crash.
* Allow passing an ID to the journald log driver.
* Report 'executable not found' errors after tty has been setup.
* Do not treat EPIPE from hooks as an error.
* Make sure DefaultDependencies is correctly set in the systemd scope.
* Improve the error message when the container process is not found.
* Improve error handling for the mnt namespace restoration.
* Fix error handling for getpwuid_r, recvfrom and libcrun_kill_linux.
* ...

[Please see the references for more information on the vulnerabilities]

Affected Software/OS: 'crun' package(s) on openSUSE Leap 15.6.

Solution: Please install the updated package(s).

CVSS Score: 7.2
CVSS Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C |
Cross Reference: |
Common Vulnerability Exposure (CVE) ID: CVE-2024-21626
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYMO3BANINS6RGFQFKPRG4FIOJ7GWYTL/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NLXNE23Q5ESQUAI22Z7A63JX2WMPJ2J/
http://packetstormsecurity.com/files/176993/runc-1.1.11-File-Descriptor-Leak-Privilege-Escalation.html
https://github.com/opencontainers/runc/commit/02120488a4c0fc487d1ed2867e901eeed7ce8ecf
https://github.com/opencontainers/runc/releases/tag/v1.1.12
https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv
https://lists.debian.org/debian-lts-announce/2024/02/msg00005.html
http://www.openwall.com/lists/oss-security/2024/02/01/1
http://www.openwall.com/lists/oss-security/2024/02/02/3
Common Vulnerability Exposure (CVE) ID: CVE-2025-24965 |
Copyright | Copyright (C) 2025 Greenbone AG |