From 77e961eb0f90381c61794f6c4af3df029cef2b8a Mon Sep 17 00:00:00 2001 From: Daniel Leidert Date: Mon, 19 Feb 2024 03:04:51 +0100 Subject: Reserve DLA-3735-1 for runc --- data/CVE/list | 1 - data/DLA/list | 3 +++ data/dla-needed.txt | 8 +++++--- 3 files changed, 8 insertions(+), 4 deletions(-) (limited to 'data') diff --git a/data/CVE/list b/data/CVE/list index 2735a8dcfa..30992d4c7d 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -161665,7 +161665,6 @@ CVE-2021-43784 (runc is a CLI tool for spawning and running containers on Linux {DLA-2841-1} - runc 1.0.3+ds1-1 [bullseye] - runc (Minor issue; not exploitable in 1.0.0) - [buster] - runc (Minor issue; not exploitable in 1.0.0) NOTE: https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f NOTE: https://www.openwall.com/lists/oss-security/2021/12/06/1 NOTE: Fixed by: https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae diff --git a/data/DLA/list b/data/DLA/list index f388a22db0..586c7a0e5b 100644 --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[19 Feb 2024] DLA-3735-1 runc - security update + {CVE-2021-43784 CVE-2024-21626} + [buster] - runc 1.0.0~rc6+dfsg1-3+deb10u3 [17 Feb 2024] DLA-3734-1 openvswitch - security update {CVE-2023-5366} [buster] - openvswitch 2.10.7+ds1-0+deb10u5 diff --git a/data/dla-needed.txt b/data/dla-needed.txt index 35417f3169..3604a9e1b6 100644 --- a/data/dla-needed.txt +++ b/data/dla-needed.txt 
@@ -249,10 +249,12 @@ ring NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) -- -runc (dleidert) +runc NOTE: 20240204: Added by Front-Desk (ta) - NOTE: 20240208: Will need 2-3 more days (dleidert) - NOTE: 20240211: Ready to upload, except for https://lists.debian.org/debian-lts/2024/02/msg00014.html - will wait 2-3 days (dleidert) + NOTE: 20240219: Complete fix for CVE-2024-21626 would require backport of + NOTE: 20240219: https://github.com/opencontainers/runc/commit/284ba3057e428f8d6c7afcc3b0ac752e525957df and + NOTE: 20240219: https://github.com/opencontainers/runc/commit/e9665f4d606b64bf9c4652ab2510da368bfbd951. + NOTE: 20240219: But it uses a link to internal/poll.IsPollDescriptor, introduced in Go 1.12, which I cannot backport (dleidert). -- samba NOTE: 20230918: Added by Front-Desk (apo) -- cgit v1.2.3
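Review bot: In the data/DLA/list hunk, the new DLA-3735-1 entry lists CVE-2024-21626 as addressed by `[buster] - runc 1.0.0~rc6+dfsg1-3+deb10u3`, while the NOTE lines added to data/dla-needed.txt in the same commit say a complete fix for that CVE would require two further upstream commits that could not be backported. The partial status is therefore recorded only in dla-needed.txt; the single change this patch makes to data/CVE/list is a deletion under CVE-2021-43784. Suggest adding a NOTE under CVE-2024-21626 in data/CVE/list saying the buster fix is partial and pointing at the two commits, so the status stays visible after the dla-needed.txt entry is eventually dropped.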
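Review bot: In the data/dla-needed.txt hunk, the last added NOTE says "it uses a link to internal/poll.IsPollDescriptor" without saying which of the two commits named in the preceding lines "it" refers to, and none of the new lines state what the uploaded version does cover for CVE-2024-21626. Because the "(dleidert)" claim is removed from the `runc` line while the entry itself stays, whoever picks it up next has only these notes to work from. Suggest naming the commit that depends on IsPollDescriptor and adding one line on what was shipped in DLA-3735-1, so the remaining work is unambiguous.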