[Bug 2084571] Re: needrestart: container restart is broken

Launchpad Bug Tracker 2084571 at bugs.launchpad.net
Tue Nov 19 17:59:19 UTC 2024


This bug was fixed in the package needrestart - 3.6-7ubuntu4.3

---------------
needrestart (3.6-7ubuntu4.3) noble-security; urgency=medium

  * SECURITY UPDATE: incorrect usage of PYTHONPATH environment variable
    - debian/patches/CVE-2024-48990.patch: chdir to a clean directory
      to avoid loading arbitrary objects, sanitize PYTHONPATH before
      spawning a new python interpreter
    - CVE-2024-48990
  * SECURITY UPDATE: race condition for checking path to python
    - debian/patches/CVE-2024-48991.patch: sync path for both check
      and usage for python interpreter
    - CVE-2024-48991
  * SECURITY UPDATE: incorrect usage of RUBYLIB environment variable
    - debian/patches/CVE-2024-48992.patch: chdir to a clean directory
      to avoid loading arbitrary objects, sanitize RUBYLIB before
      spawning a new ruby interpreter
    - CVE-2024-48992
  * SECURITY UPDATE: incorrect usage of Perl ScanDeps
    - debian/patches/CVE-2024-11003.patch: remove usage of ScanDeps
      to avoid parsing arbitrary code
    - CVE-2024-11003

 -- Sudhakar Verma <sudhakar.verma at canonical.com>  Thu, 14 Nov 2024 14:59:09 +0530

** Changed in: needrestart (Ubuntu Noble)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-11003

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-48990

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-48991

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-48992

https://bugs.launchpad.net/bugs/2084571

Title:
  needrestart: container restart is broken

Status in needrestart package in Ubuntu:
  Fix Released
Status in needrestart source package in Noble:
  Fix Released
Status in needrestart source package in Oracular:
  Fix Committed
Status in needrestart source package in Plucky:
  Fix Released

Bug description:
  [ Impact ]

  needrestart supports restarting containers with outdated binaries when
  running in the context of the hypervisor, however said support appears
  to be broken in Noble and Oracular.

  While we do not want to handle containers as part of the APT-triggered
  restarts, the user might rely on that particular feature in their own
  scripts.

  This will get fixed by backporting an upstream fix, as well as
  amending the Ubuntu-mode patch.

  [ Test plan ]

  ```
  apt install -t noble-proposed needrestart
  lxc launch ubuntu-daily:noble to-be-restarted
  lxc exec to-be-restarted -- touch /tmp/restart-marker
  lxc exec to-be-restarted -- apt remove -y needrestart # we don't want it to restart outdated services from within the container!
  lxc exec to-be-restarted -- apt reinstall -y libc6 # should make a whole lot of things outdated.
  apt reinstall -y libc-bin # the actual package doesn't matter, we just want the needrestart hook in an APT context
  sleep 3 # to be sure, wait a bit for any container restart to take effect (but there should be none)
  lxc exec to-be-restarted -- stat /tmp/restart-marker # This is SUPPOSED TO WORK, we don't want the APT hook to touch containers
  needrestart -r a
  sleep 3 # to make sure any restart has time to take effect
  lxc exec to-be-restarted -- stat /tmp/restart-marker # This is SUPPOSED TO FAIL, the container should have restarted.
  ```

  [ Where problems could occur ]

  While the "Ubuntu mode" code is touched to avoid restarting containers,
  errors in that code could lead to us restarting user containers during
  unattended-upgrades, hence the relevant test in the test plan.

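The four security entries in the changelog above share one pattern: a privileged process (needrestart runs as root from the APT hook) spawns a second interpreter, and the unprivileged caller must be unable to choose what that interpreter loads (CVE-2024-48990 for PYTHONPATH, CVE-2024-48992 for RUBYLIB), and the path that was checked must be the path that is executed (CVE-2024-48991). The following Python is an added example written for this page; it is not needrestart's own (Perl) code. It uses the running interpreter as the child, sets PYTHONPATH to a constructed temporary directory, and compares the child's sys.path under a naive spawn and under a hardened one. The INJECTION_VARS list, the function names and the probe string are this example's own choices.

```python
import os
import shutil
import subprocess
import sys
import tempfile

# Variables through which the caller of a root-run helper can make a child
# interpreter load code of its choosing. The needrestart fixes strip the
# Python and Ruby ones; the Perl ones are listed here for the same reason.
# (This list is the example's own, not needrestart's.)
INJECTION_VARS = (
    "PYTHONPATH", "PYTHONHOME", "PYTHONSTARTUP",
    "RUBYLIB", "RUBYOPT",
    "PERL5LIB", "PERL5OPT",
)

# Probe run in the child: print every sys.path entry, one per line.
PROBE = "import sys; print('\\n'.join(sys.path))"


def resolve_interpreter(name_or_path):
    """Resolve the interpreter once and return the resolved path.

    The caller must exec exactly this string. Checking one path and then
    executing another (or re-resolving later) leaves a window in which the
    target can be swapped: the check/use race of CVE-2024-48991.
    """
    found = shutil.which(name_or_path)
    if found is None:
        raise FileNotFoundError(f"no executable interpreter: {name_or_path}")
    return os.path.realpath(found)


def spawn_naive(interp, env, cwd):
    """Spawn the interpreter with the caller's environment and cwd as-is."""
    proc = subprocess.run([interp, "-c", PROBE], env=env, cwd=cwd,
                          capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


def spawn_hardened(interp):
    """Spawn with the injection variables removed, from a fresh empty
    directory, in isolated mode (-I ignores PYTHON* variables and does not
    put the script directory / '' on sys.path)."""
    env = {k: v for k, v in os.environ.items() if k not in INJECTION_VARS}
    with tempfile.TemporaryDirectory() as clean_dir:
        proc = subprocess.run([interp, "-I", "-c", PROBE], env=env,
                              cwd=clean_dir, capture_output=True, text=True,
                              check=True)
    return proc.stdout.splitlines()


def demo():
    """Constructed scenario: an unprivileged caller has set PYTHONPATH to a
    directory it controls and is sitting in that directory. Returns which
    caller-influenced entries ended up on the child's sys.path."""
    interp = resolve_interpreter(sys.executable)
    with tempfile.TemporaryDirectory() as tmp:
        planted = os.path.realpath(tmp)
        # Only the variable is set; no module is written into the directory.
        poisoned_env = dict(os.environ, PYTHONPATH=planted)
        naive = spawn_naive(interp, poisoned_env, cwd=planted)
        hardened = spawn_hardened(interp)
    return {
        "planted_dir_in_naive": planted in naive,
        "cwd_in_naive": "" in naive,          # '' on sys.path means "cwd"
        "planted_dir_in_hardened": planted in hardened,
        "cwd_in_hardened": "" in hardened,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the naive spawn the child's sys.path contains both the caller's PYTHONPATH directory and '' (its working directory), so any module name the helper imports can be shadowed by a file the caller controls; in the hardened spawn neither entry is present. Ruby is covered here only by stripping RUBYLIB and RUBYOPT from the environment and running from a clean directory, which is what the CVE-2024-48992 entry describes; the example does not spawn ruby.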