{
  "document": {
    "aggregate_severity": {
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "Rebuild with a newer Go toolchain to fix security vulnerabilities:\n- CVE-2023-45287: fix RSA-based TLS key exchange timing attack vulnerability\n- CVE-2024-24788: fix DNS resolver infinite loop causing denial of service\n- CVE-2023-39321: fix QUIC post-handshake message processing causing panic\n  and denial of service",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/almalinux9.2esu/advisories/2025/clsa-2025_1763489872.json"
      },
      {
        "category": "self",
        "summary": "https://cve.tuxcare.com/els/releases/CLSA-2025:1763489872",
        "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1763489872"
      }
    ],
    "tracking": {
      "current_release_date": "2026-02-16T09:49:35Z",
      "generator": {
        "date": "2026-02-16T09:49:35Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2025:1763489872",
      "initial_release_date": "2025-11-18T18:19:18Z",
      "revision_history": [
        {
          "date": "2025-11-18T18:19:18Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-02-16T09:49:35Z",
          "number": "2",
          "summary": "Update document"
        }
      ],
      "status": "final",
      "version": "2"
    },
    "title": "runc: Fix of 3 CVEs"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "AlmaLinux 9.2",
                "product": {
                  "name": "AlmaLinux 9.2",
                  "product_id": "AlmaLinux-9.2",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:almalinux:almalinux:9.2:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "AlmaLinux"
          }
        ],
        "category": "vendor",
        "name": "AlmaLinux OS Foundation"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-4:1.1.4-1.el9_1.tuxcare.els2.x86_64",
                "product": {
                  "name": "runc-4:1.1.4-1.el9_1.tuxcare.els2.x86_64",
                  "product_id": "runc-4:1.1.4-1.el9_1.tuxcare.els2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/runc@1.1.4-1.el9_1.tuxcare.els2?arch=x86_64&epoch=4"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-4:1.1.4-1.el9_1.tuxcare.els2.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:runc-4:1.1.4-1.el9_1.tuxcare.els2.x86_64"
        },
        "product_reference": "runc-4:1.1.4-1.el9_1.tuxcare.els2.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-45287",
      "cwe": {
        "id": "CWE-203",
        "name": "Observable Discrepancy"
      },
      "notes": [
        {
          "category": "description",
          "text": "Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AlmaLinux-9.2:runc-4:1.1.4-1.el9_1.tuxcare.els2.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2023-45287"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/326012/26",
          "url": "https://go.dev/cl/326012/26"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/20654",
          "url": "https://go.dev/issue/20654"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/QMK8IQALDvA",
          "url": "https://groups.google.com/g/golang-announce/c/QMK8IQALDvA"
        },
        {
          "category": "external",
          "summary": "https://people.redhat.com/~hkario/marvin/",
          "url": "https://people.redhat.com/~hkario/marvin/"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2023-2375",
          "url": "https://pkg.go.dev/vuln/GO-2023-2375"
        },
        {
          "category": "external",
          "summary": "https://security.netapp.com/advisory/ntap-20240112-0005/",
          "url": "https://security.netapp.com/advisory/ntap-20240112-0005/"
        }
      ],
      "release_date": "2023-12-05T17:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-11-18T18:17:54.530016Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2025:1763489872",
          "product_ids": [
            "AlmaLinux-9.2:runc-4:1.1.4-1.el9_1.tuxcare.els2.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1763489872"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.2:runc-4:1.1.4-1.el9_1.tuxcare.els2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2024-24788",
      "cwe": {
        "id": "CWE-835",
        "name": "Loop with Unreachable Exit Condition ('Infinite Loop')"
      },
      "notes": [
        {
          "category": "description",
          "text": "A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AlmaLinux-9.2:runc-4:1.1.4-1.el9_1.tuxcare.els2.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2024-24788"
        }
      ],
      "release_date": "2024-05-08T00:00:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-11-18T18:17:54.530016Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2025:1763489872",
          "product_ids": [
            "AlmaLinux-9.2:runc-4:1.1.4-1.el9_1.tuxcare.els2.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1763489872"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.2:runc-4:1.1.4-1.el9_1.tuxcare.els2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2023-39321",
      "notes": [
        {
          "category": "description",
          "text": "Processing an incomplete post-handshake message for a QUIC connection can cause a panic.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AlmaLinux-9.2:runc-4:1.1.4-1.el9_1.tuxcare.els2.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2023-39321"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/523039",
          "url": "https://go.dev/cl/523039"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/62266",
          "url": "https://go.dev/issue/62266"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ",
          "url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2023-2044",
          "url": "https://pkg.go.dev/vuln/GO-2023-2044"
        },
        {
          "category": "external",
          "summary": "https://security.gentoo.org/glsa/202311-09",
          "url": "https://security.gentoo.org/glsa/202311-09"
        },
        {
          "category": "external",
          "summary": "https://security.netapp.com/advisory/ntap-20231020-0004/",
          "url": "https://security.netapp.com/advisory/ntap-20231020-0004/"
        }
      ],
      "release_date": "2023-09-08T17:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-11-18T18:17:54.530016Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2025:1763489872",
          "product_ids": [
            "AlmaLinux-9.2:runc-4:1.1.4-1.el9_1.tuxcare.els2.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1763489872"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.2:runc-4:1.1.4-1.el9_1.tuxcare.els2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2023-28642",
      "cwe": {
        "id": "CWE-281",
        "name": "Improper Preservation of Permissions"
      },
      "notes": [
        {
          "category": "description",
          "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`. See PR #3785 for details. Users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image.\n\n",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AlmaLinux-9.2:runc-4:1.1.4-1.el9_1.tuxcare.els2.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2023-28642"
        },
        {
          "category": "external",
          "summary": "https://github.com/opencontainers/runc/pull/3785",
          "url": "https://github.com/opencontainers/runc/pull/3785"
        },
        {
          "category": "external",
          "summary": "https://github.com/opencontainers/runc/security/advisories/GHSA-g2j6-57v7-gm8c",
          "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-g2j6-57v7-gm8c"
        },
        {
          "category": "external",
          "summary": "https://security.netapp.com/advisory/ntap-20241206-0005/",
          "url": "https://security.netapp.com/advisory/ntap-20241206-0005/"
        }
      ],
      "release_date": "2023-03-29T19:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-11-18T18:17:54.530016Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2025:1763489872",
          "product_ids": [
            "AlmaLinux-9.2:runc-4:1.1.4-1.el9_1.tuxcare.els2.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1763489872"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.2:runc-4:1.1.4-1.el9_1.tuxcare.els2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2023-27561",
      "cwe": {
        "id": "CWE-706",
        "name": "Use of Incorrectly-Resolved Name or Reference"
      },
      "notes": [
        {
          "category": "description",
          "text": "runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AlmaLinux-9.2:runc-4:1.1.4-1.el9_1.tuxcare.els2.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2023-27561"
        },
        {
          "category": "external",
          "summary": "https://gist.github.com/LiveOverflow/c937820b688922eb127fb760ce06dab9",
          "url": "https://gist.github.com/LiveOverflow/c937820b688922eb127fb760ce06dab9"
        },
        {
          "category": "external",
          "summary": "https://github.com/opencontainers/runc/issues/2197#issuecomment-1437617334",
          "url": "https://github.com/opencontainers/runc/issues/2197#issuecomment-1437617334"
        },
        {
          "category": "external",
          "summary": "https://github.com/opencontainers/runc/issues/3751",
          "url": "https://github.com/opencontainers/runc/issues/3751"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html",
          "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNB2UEDIIJCRQW4WJLZOPQJZXCVSXMLD/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNB2UEDIIJCRQW4WJLZOPQJZXCVSXMLD/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FYVE3GB4OG3BNT5DLQHYO4M5SXX33AQ5/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FYVE3GB4OG3BNT5DLQHYO4M5SXX33AQ5/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6BF24VCZRFTYBTT3T7HDZUOTKOTNPLZ/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6BF24VCZRFTYBTT3T7HDZUOTKOTNPLZ/"
        },
        {
          "category": "external",
          "summary": "https://security.netapp.com/advisory/ntap-20241206-0004/",
          "url": "https://security.netapp.com/advisory/ntap-20241206-0004/"
        }
      ],
      "release_date": "2023-03-03T19:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-11-18T18:17:54.530016Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2025:1763489872",
          "product_ids": [
            "AlmaLinux-9.2:runc-4:1.1.4-1.el9_1.tuxcare.els2.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1763489872"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.2:runc-4:1.1.4-1.el9_1.tuxcare.els2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    }
  ]
}