Severe Vulnerabilities in Moby BuildKit and OCI runc: CVE-2024-23651, CVE-2024-23652, CVE-2024-23653, CVE-2024-21626

[MatthiasCloudOptimizer]

Hello everyone,
is IoT Edge (EFLWO) affected and if so, until when will there be an update?

Detailed background
https://socradar.io/severe-vulnerabilities-in-moby-buildkit-and-oci-runc-cve-2024-23651-cve-2024-23652-cve-2024-23653-cve-2024-21626/

This release contains security fixes for the following CVEs
affecting Docker Engine and its components: https://github.com/moby/moby/releases/tag/v25.0.2

Thanks!

Kind regards,
Matthias

I posted the same issue in the iotedge-eflow repo last week and still haven't received a response. Is this issue not being tracked?

[yophilav]

Checking...

[MatthiasCloudOptimizer]

Is there any news? @yophilav @TerryWarwick

[veyalla]

The patched runc is available on packages.microsoft.com:

[SummerSmith]

Hi @Prov-Matthias, I am a PM on the EFLOW team. Apologies for not seeing your GitHub request in that repo, the patched runc is included in the latest EFLOW release from early February.

[MatthiasCloudOptimizer]

Thanks for the update @SummerSmith @veyalla

[MatthiasCloudOptimizer]

[like] Matthias Braun | Provectus reacted to your message:

…

________________________________ From: Summer Smith ***@***.***> Sent: Thursday, February 29, 2024 4:16:52 AM To: Azure/iotedge ***@***.***> Cc: Matthias Braun | Provectus ***@***.***>; Mention ***@***.***> Subject: Re: [Azure/iotedge] Severe Vulnerabilities in Moby BuildKit and OCI runc: CVE-2024-23651, CVE-2024-23652, CVE-2024-23653, CVE-2024-21626 (Issue #7215) Hi @Prov-Matthias<https://github.com/Prov-Matthias>, I am a PM on the EFLOW team. Apologies for not seeing your GitHub request in that repo, the patched runc is included in the latest EFLOW release from early February<https://github.com/Azure/iotedge-eflow/releases>. — Reply to this email directly, view it on GitHub<#7215 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ANT27HHDXX5QT3WLUI5PBXDYV76LHAVCNFSM6AAAAABDHV45CWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNZQGM3DKNZUGI>. You are receiving this because you were mentioned.Message ID: ***@***.***> Der Inhalt dieser Email ist nur im Rahmen der geschäftlichen Erfordernisse und unter Beachtung vertraglicher Verpflichtungen (z.B. NDA) zu nutzen. Sollten Sie diese E-mail fälschlicherweise erhalten haben, ohne dass Sie der berechtigte Adressat sind, bitten wir Sie höflich, den Absender sofort zu informieren und diese E-Mail nebst Anlagen umgehend zu vernichten. Zur Klassifizierung der Informationen nutzen wir das sog. Traffic Light Protocol (TLP). Informationen zur Handhabung finden sie unter www.provectus.de/tlp<https://www.provectus.de/tlp>