Why don't LXC team announce the release of LXC 2.0.10 and LXC 2.0.11?


(Chengdu Ding) #1

I want to use LXC 2.0.x to support my work. LXC 2.0.10 and LXC 2.0.11 release tarballs are available, but I can’t find a formal announcement in LXC News.

(Stéphane Graber) #2

I believe @brauner is still working on those.

(Chengdu Ding) #3

OK, thank you.

(Stéphane Graber) #4

Well, technically there will be the fix for the runc CVE though that’s nothing embargoed and isn’t considered to be a security issue due to LXC not guaranteeing root safety for privileged containers.

(Chengdu Ding) #5

CVE-2018-6556 is still affecting LXC 2.0.9. What about LXC 2.0.11?

(Stéphane Graber) #6

Hmm, good point, CVE-2018-6556 is fixed with 2.0.10.

@brauner can you make sure that’s in the summary for 2.0.10?

(Chengdu Ding) #7

Excuse me, I’m not sure if CVE-2016-10124 is still affecting LXC 2.0.x. I only find the Security fix in LXC 1.0.10 release announcement.

(Stéphane Graber) #8

That CVE does not affect 2.0.x as it was fixed by some rework in LXC 2.0 and the CVE was to track that code getting backported to 1.0.x.