- Package: src:containerd
- Source: src:containerd
- Submitter: Salvatore Bonaccorso
- Date: 2025-11-07 02:39:04 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerability was published for containerd.

CVE-2024-25621[0]:
| containerd is an open-source container runtime. Versions 0.1.0
| through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through
| 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad
| default permission vulnerability. Directory paths
| `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri`
| and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were
| all created with incorrect permissions. This issue is fixed in
| versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Workarounds include
| updating system administrator permissions so the host can manually
| chmod the directories to not have group or world accessible
| permissions, or to run containerd in rootless mode.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25621
    https://www.cve.org/CVERecord?id=CVE-2024-25621
[1] https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w
[2] https://github.com/containerd/containerd/commit/0450f046e6942e513d0ebf1ef5c2aff13daa187f

Regards,
Salvatore
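The workaround named in the CVE text above (no group- or world-accessible permission bits on the three directories) can be checked on a host with a short audit script. This is an added example, not part of the original bug report or of containerd's code; the function names, the optional root prefix and the `AUDIT_ROOT` variable are assumptions, and `stat -c` assumes GNU coreutils or busybox.

```shell
#!/bin/sh
# Added example: audit the directories listed in CVE-2024-25621 for
# group/world permission bits. Paths are taken from the advisory text.
CONTAINERD_DIRS="/var/lib/containerd
/run/containerd/io.containerd.grpc.v1.cri
/run/containerd/io.containerd.sandbox.controller.v1.shim"

# dir_mode PATH: print the octal mode (e.g. 711) of PATH.
dir_mode() {
    stat -c '%a' "$1"
}

# has_group_or_world_bits MODE: succeed if any group/other bit is set.
has_group_or_world_bits() {
    [ $(( 0$1 & 077 )) -ne 0 ]
}

# audit_dir PATH: return 0 = owner-only, 1 = too broad, 2 = not present.
audit_dir() {
    [ -d "$1" ] || { echo "SKIP  $1 (not present)"; return 2; }
    mode=$(dir_mode "$1") || return 2
    if has_group_or_world_bits "$mode"; then
        echo "BROAD $1 mode=$mode"
        return 1
    fi
    echo "OK    $1 mode=$mode"
    return 0
}

# audit_all [ROOT]: audit every listed directory under the optional ROOT
# prefix (hypothetical helper for scratch trees); the return value is
# the number of directories with group/world bits set.
audit_all() {
    root=${1:-}
    broad=0
    for d in $CONTAINERD_DIRS; do        # the paths contain no whitespace
        st=0
        audit_dir "$root$d" || st=$?
        if [ "$st" -eq 1 ]; then broad=$((broad + 1)); fi
    done
    return "$broad"
}

# Audit the live paths, or a copy under $AUDIT_ROOT if that is set.
audit_all "${AUDIT_ROOT:-}" || echo "$? directory(ies) need: chmod go-rwx <dir>"
```

A `BROAD` line after upgrading to a fixed version means the directory should still be checked by hand.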
We believe that the bug you reported is fixed in the latest version of
containerd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1120285@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated containerd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 06 Nov 2025 20:27:20 -0500
Source: containerd
Architecture: source
Version: 1.7.24~ds1-9
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Closes: 1120285
Changes:
 containerd (1.7.24~ds1-9) unstable; urgency=medium
 .
   * golang-github-containerd-containerd-api-dev: Add missing Breaks
   * Backport patch for CVE-2024-25621, Closes: #1120285
   * Bump Standards Version, no changes needed
   * debian/control: Drop redundant Rules-Requires-Root
   * Switch to using Static-Build-Using
   * golang-github-containerd-containerd-api-dev: add ${misc:Depends}
Checksums-Sha1:
23133c5b933cf090680f4e90cf34bae4eaa49985 5280 containerd_1.7.24~ds1-9.dsc
c99e948cfe49a545902fd6be11d78b14dedc6404 36660 containerd_1.7.24~ds1-9.debian.tar.xz
Checksums-Sha256:
ba1d4e6c5edc47b05ae496522947c24c3ee8361b1591f66c6ff7bd3af5924daf 5280 containerd_1.7.24~ds1-9.dsc
b62c0fe95472cb2ec034d20be9ee7cb546fb188f8b858573db24b36abc2e6e6e 36660 containerd_1.7.24~ds1-9.debian.tar.xz
Files:
a0de9fdc6983aea35711dd5e9e84cadc 5280 admin optional containerd_1.7.24~ds1-9.dsc
418c620d1e417762bce583709011dbc1 36660 admin optional containerd_1.7.24~ds1-9.debian.tar.xz