This repository has been archived by the owner on Dec 7, 2023. It is now read-only.
v0.6.1 and v0.6.2 binaries and builds cannot pull ignite-spawn images #500
Labels
area/runtime
Issues related to container runtimes
area/security
Issues related to security
kind/bug
Categorizes issue or PR as related to a bug.
wontfix
This will not be worked on
On November 27th, the Firecracker team privately disclosed CVE-2019-18960 to us.
This security bug is an improper bounds-check, exploitable by firecracker guests using vsock.
We did determine that ignite was unaffected as the vulnerable vsock feature is currently unused in ignite.
We responded hastily and as a result of an internal miscommunication, we removed release binaries from GitHub and docker-images from DockerHub for ignite v0.6.1 and v0.6.2.
This means ignite v0.6.1 and v0.6.2 are not installable: (#496)
Existing users for these ignite versions are unable to create new VMs on hosts that lack the matching ignite docker-images.
The embargo for disclosing information on this CVE is now lifted.
Ignite v0.6.3 is published containing Firecracker v0.18.1 which resolves the security issue.
Please upgrade to ignite v0.6.3.
Ignite master is now using Firecracker v0.19.1.
We're preliminarily tagging this as wontfix for v0.6.1 and v0.6.2.
This will remain open for a few days.
If users have a need for these older versions to be published, we can attempt to locate and re-publish the build artifacts.