Candidate: CVE-2017-18641
PublicDate: 2020-02-10 01:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18641
 https://github.com/lxc/lxc/pull/1371 for the lxc-fedora template.
 https://lists.debian.org/debian-lts/2020/02/msg00102.html
Description:
 In LXC 2.0, many template scripts download code over cleartext HTTP, and
 omit a digital-signature check, before running it to bootstrap containers.
Ubuntu-Description:
Notes:
 mdeslaur> in lxc 3.0, the old templates were split out into the
 mdeslaur> lxc-templates package and distrobuilder is now used instead.
 mdeslaur> https://github.com/lxc/lxc/commit/aafb5ea2a849056f9866359996605af0290605bd
 mdeslaur>
 mdeslaur> as of 2020-05-13, no complete fix for the issues is available
 rodrigo-zaiden> as of 2022-03-09, there is still no complete fix.
Mitigation:
Bugs:
 https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1661447
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H [8.1 HIGH]

Patches_lxc-templates:
upstream_lxc-templates: needs-triage
precise/esm_lxc-templates: DNE
trusty_lxc-templates: ignored (out of standard support)
trusty/esm_lxc-templates: DNE
xenial_lxc-templates: DNE
bionic_lxc-templates: deferred
eoan_lxc-templates: ignored (reached end-of-life)
focal_lxc-templates: deferred
groovy_lxc-templates: ignored (reached end-of-life)
hirsute_lxc-templates: ignored (reached end-of-life)
impish_lxc-templates: deferred
jammy_lxc-templates: deferred
devel_lxc-templates: deferred

Patches_lxc:
upstream_lxc: released (1:3.0.3-1)
precise/esm_lxc: DNE
trusty_lxc: ignored (out of standard support)
trusty/esm_lxc: needs-triage
xenial_lxc: ignored (end of standard support, was deferred)
esm-infra/xenial_lxc: deferred
bionic_lxc: not-affected (3.0.3-0ubuntu1~18.04.1)
eoan_lxc: not-affected (3.0.4-0ubuntu1)
focal_lxc: not-affected (3.0.4-0ubuntu2)
groovy_lxc: not-affected (3.0.4-0ubuntu2)
hirsute_lxc: not-affected (3.0.4-0ubuntu2)
impish_lxc: not-affected (3.0.4-0ubuntu2)
jammy_lxc: not-affected (3.0.4-0ubuntu2)
devel_lxc: not-affected (3.0.4-0ubuntu2)
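The weakness the Description names is a bootstrap script that fetches an image over cleartext HTTP and unpacks or executes it with no integrity check, so an on-path attacker or a compromised mirror controls the container's initial filesystem. The shell snippet below is an added illustration, not code from the LXC templates, the lxc-templates package, or distrobuilder: it contrasts that shape with one that refuses non-HTTPS sources and verifies a digest pinned in the script before the archive is touched. The function names (check_source, verify_file, sha256_of, fetch_unverified, demo), the https://images.example URL and the "rootfs payload" file are all constructed for the example. It covers the transport and checksum half of the fix; a template that ships a pinned signing key and checks a detached signature (gpg --verify against that key only) closes the remaining gap and is not shown because gpg is not assumed to be installed.

```shell
#!/bin/sh
# Added example, not LXC's own template code. Shows the unverified
# bootstrap pattern beside one that enforces HTTPS and a pinned SHA-256.

sha256_of() {
    # Portable digest: GNU coreutils sha256sum, else BSD/macOS shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Vulnerable shape (what the Description describes): fetch over whatever
# scheme the URL carries and unpack the result as-is. Defined for
# contrast only; never invoked here.
fetch_unverified() {
    url="$1"; dest="$2"
    wget -q -O "$dest" "$url" && tar -xf "$dest"
}

# Hardened shape, step 1: reject the source before any bytes are fetched.
# Returns 0 if acceptable, 1 for a non-HTTPS scheme, 2 if no digest is pinned.
check_source() {
    url="$1"; expected="$2"
    case "$url" in
        https://*) ;;
        *) echo "refusing non-HTTPS source: $url" >&2; return 1 ;;
    esac
    [ -n "$expected" ] || { echo "no pinned digest for $url" >&2; return 2; }
    return 0
}

# Hardened shape, step 2: compare the downloaded file against the pinned
# digest before it is unpacked or executed. Returns 0 on match, 3 otherwise.
verify_file() {
    file="$1"; expected="$2"
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: got $actual, expected $expected" >&2
        return 3
    fi
    return 0
}

demo() {
    work=$(mktemp -d)
    # Constructed stand-in for a downloaded rootfs archive.
    printf 'constructed rootfs payload\n' > "$work/rootfs.tar"
    # The digest a template author would pin at release time.
    pin=$(sha256_of "$work/rootfs.tar")

    check_source "https://images.example/rootfs.tar" "$pin" \
        && verify_file "$work/rootfs.tar" "$pin" \
        && echo "ok: source and digest accepted"

    # A cleartext mirror is refused before anything is fetched.
    check_source "http://images.example/rootfs.tar" "$pin" || echo "refused, rc=$?"

    # An on-path modification (or swapped mirror file) is caught before unpacking.
    printf 'injected\n' >> "$work/rootfs.tar"
    verify_file "$work/rootfs.tar" "$pin" || echo "rejected, rc=$?"

    rm -rf "$work"
}

demo
```

The order matters: check_source runs on the URL alone, so a script that sources its mirror list from user-supplied configuration still cannot be talked into a plaintext fetch, and verify_file runs on the file before tar or any bootstrap script inside it is executed, which is the step the LXC 2.0 templates omitted.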