Merge pull request #44 from vigh-m/2.2.0-advisories

Add advisories for 2.2.0 core-kit third party packages
bottlerocket-os · Jul 24, 2024 · e3fa3c2 · e3fa3c2
2 parents 67cdd95 + 392bdbe
commit e3fa3c2
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 0 deletions.
diff --git a/advisories/2.2.0/BRSA-tjnwgl2a.toml b/advisories/2.2.0/BRSA-tjnwgl2a.toml
@@ -0,0 +1,16 @@
+[advisory]
+id = "BRSA-tjnwgl2a"
+title = "docker-engine CVE-2024-29018"
+cve = "CVE-2024-29018"
+severity = "high"
+description = "A flaw in the `dockerd` design allowed for a potential data exfiltration from 'internal' networks via authoritative DNS servers. This is because `dockerd` will forward DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics entirely."
+
+[[advisory.products]]
+package-name = "docker-engine"
+patched-version = "25.0.5"
+
+[updateinfo]
+author = "vighmah"
+issue-date = 2024-07-18T20:54:34Z 
+arches = ["aarch64", "x86_64"]
+version = "2.2.0"
diff --git a/advisories/2.2.0/BRSA-wyuvthdr.toml b/advisories/2.2.0/BRSA-wyuvthdr.toml
@@ -0,0 +1,16 @@
+[advisory]
+id = "BRSA-wyuvthdr"
+title = "soci-snapshotter CVE-2024-24788"
+cve = "CVE-2024-24788"
+severity = "high"
+description = "A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop."
+
+[[advisory.products]]
+package-name = "soci-snapshotter"
+patched-version = "0.6.1"
+
+[updateinfo]
+author = "vighmah"
+issue-date = 2024-07-18T20:54:34Z 
+arches = ["x86_64", "aarch64"]
+version = "2.2.0"