diff --git a/SOURCES/containernetworking-plugins-1833220.patch b/SOURCES/containernetworking-plugins-1833220.patch
new file mode 100644
index 0000000..67ba232
--- /dev/null
+++ b/SOURCES/containernetworking-plugins-1833220.patch
@@ -0,0 +1,65 @@
+From 219eb9e0464761c47383d239aba206da695e1a43 Mon Sep 17 00:00:00 2001
+From: Casey Callendrello
+Date: Tue, 12 May 2020 15:34:11 +0200
+Subject: [PATCH] ptp, bridge: disable accept_ra on the host-side interface
+
+The interface plugins should have absolute control over their addressing
+and routing.
+
+Signed-off-by: Casey Callendrello
+---
+ pkg/ip/link_linux.go | 9 +++++++--
+ plugins/main/bridge/bridge.go | 4 ++++
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/pkg/ip/link_linux.go b/pkg/ip/link_linux.go
+index 9bd7f471..f8781cf1 100644
+--- a/pkg/ip/link_linux.go
++++ b/pkg/ip/link_linux.go
+@@ -21,10 +21,12 @@ import (
+ "net"
+ "os"
+ 
+- "github.com/containernetworking/plugins/pkg/ns"
+- "github.com/containernetworking/plugins/pkg/utils/hwaddr"
+ "github.com/safchain/ethtool"
+ "github.com/vishvananda/netlink"
++
++ "github.com/containernetworking/plugins/pkg/ns"
++ "github.com/containernetworking/plugins/pkg/utils/hwaddr"
++ "github.com/containernetworking/plugins/pkg/utils/sysctl"
+ )
+ 
+ var (
+@@ -158,6 +160,9 @@ func SetupVethWithName(contVethName, hostVethName string, mtu int, hostNS ns.Net
+ if err = netlink.LinkSetUp(hostVeth); err != nil {
+ return fmt.Errorf("failed to set %q up: %v", hostVethName, err)
+ }
++
++ // we want to own the routes for this interface
++ _, _ = sysctl.Sysctl(fmt.Sprintf("net/ipv6/conf/%s/accept_ra", hostVethName), "0")
+ return nil
+ })
+ if err != nil {
+diff --git a/plugins/main/bridge/bridge.go b/plugins/main/bridge/bridge.go
+index 13d5cc33..c6a0690d 100644
+--- a/plugins/main/bridge/bridge.go
++++ b/plugins/main/bridge/bridge.go
+@@ -36,6 +36,7 @@ import (
+ "github.com/containernetworking/plugins/pkg/ns"
+ "github.com/containernetworking/plugins/pkg/utils"
+ bv "github.com/containernetworking/plugins/pkg/utils/buildversion"
++ "github.com/containernetworking/plugins/pkg/utils/sysctl"
+ )
+ 
+ // For testcases to force an error after IPAM has been performed
+@@ -248,6 +249,9 @@ 
func ensureBridge(brName string, mtu int, promiscMode, vlanFiltering bool) (*net
+ return nil, err
+ }
+ 
++ // we want to own the routes for this interface
++ _, _ = sysctl.Sysctl(fmt.Sprintf("net/ipv6/conf/%s/accept_ra", brName), "0")
++
+ if err := netlink.LinkSetUp(br); err != nil {
+ return nil, err
+ }
diff --git a/SPECS/containernetworking-plugins.spec b/SPECS/containernetworking-plugins.spec
index 97b94d3..4303876 100644
--- a/SPECS/containernetworking-plugins.spec
+++ b/SPECS/containernetworking-plugins.spec
@@ -25,11 +25,14 @@ scl enable go-toolset-1.12 -- go build -buildmode pie -compiler gc -tags="rpm_cr
 Name: containernetworking-plugins
 Version: 0.8.3
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: CNI network plugins
 License: ASL 2.0
 URL: https://%{provider_prefix}
 Source0: https://%{provider_prefix}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
+# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1833220
+# patch: https://github.com/containernetworking/plugins/pull/484.patch
+Patch0: containernetworking-plugins-1833220.patch
 ExcludeArch: %{ix86} s390 ppc ppc64
 BuildRequires: go-toolset-1.12
 BuildRequires: git
@@ -120,6 +123,10 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %{_libexecdir}/cni/*
 %changelog
+* Mon Jun 01 2020 Jindrich Novy - 0.8.3-3
+- fix "CVE-2020-10749 containernetworking/plugins: IPv6 router advertisements allow for MitM attacks on IPv4 clusters"
+- Resolves: #1842334
+
 * Thu Dec 12 2019 Jindrich Novy - 0.8.3-2
 - build with no_openssl
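Review bot: In the link_linux.go part of the new patch file the accept_ra sysctl is written only after `netlink.LinkSetUp(hostVeth)` has succeeded, so the host-side veth is briefly up with accept_ra still at its default, and a router advertisement arriving in that window could presumably be honoured before the knob is cleared (clearing accept_ra afterwards does not obviously undo state already learned). The bridge.go part does it in the safer order, sysctl first and then LinkSetUp, and link_linux.go should match it by placing the two added lines ahead of the LinkSetUp call: `// we want to own the routes for this interface`, `_, _ = sysctl.Sysctl(fmt.Sprintf("net/ipv6/conf/%s/accept_ra", hostVethName), "0")`, then `if err = netlink.LinkSetUp(hostVeth); err != nil {`. Both call sites also discard the sysctl result with `_, _ =`, so a failed write (for example when the per-interface IPv6 tree is absent because IPv6 is disabled, or an unexpected permission error) leaves accept_ra unchanged with no trace in the plugin's output even though this write is the whole mitigation; keeping it best-effort is reasonable, but anything other than a missing-file error deserves at least a logged message, with a comment such as `// best-effort: the ipv6 tree may not exist when IPv6 is disabled` explaining why it is not fatal. The enclosing functions, the closure inside SetupVethWithName and ensureBridge, both start and end outside the hunk.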