When using the recommended "best-effort" mode, Go-Landlock no longer restricted the TCP bind() and connect() operations, even when those restrictions were requested. This affects Go-Landlock users to whom both of the following conditions apply:
landlock.V4, landlock.V5, or self-configured).
Typically, affected code uses the Go-Landlock API like this (the crucial part being the combination of V4/V5 and .BestEffort()):
    err := landlock.V5.BestEffort().Restrict(...)
Patched in: https://github.com/landlock-lsm/go-landlock/commit/fb3ad845df462d013f9c8a965c496617c6a5778b
Users should upgrade to: v0.0.0-20241013234402-fb3ad845df46
Go package dependencies can be updated using go get -u from the project directory.
Projects on GitHub might get notified by Dependabot once this advisory is public.
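One way to check whether a project's go.mod already pins Go-Landlock at or after the patched pseudo-version, as an added example that is not part of the advisory or of the Go-Landlock project. It compares the 14-digit timestamp embedded in the pseudo-version; the name CheckGoMod and the sample go.mod are constructed for illustration, and replace directives are not evaluated.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

const modPath = "github.com/landlock-lsm/go-landlock" // module path, from the patch URL
const fixedTS = "20241013234402"                      // timestamp in the patched pseudo-version

// Go pseudo-version: vX.Y.Z-[pre.]<14-digit UTC timestamp>-<12 hex digits>.
var pseudoRe = regexp.MustCompile(`^v\d+\.\d+\.\d+-(?:[0-9A-Za-z.-]*\.)?(\d{14})-[0-9a-f]{12}$`)

// CheckGoMod returns "patched", "outdated", "unknown" (not a pseudo-version) or "absent".
func CheckGoMod(gomod string) (status, version string) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop trailing comments such as "// indirect"
		}
		f := strings.Fields(line)
		if len(f) > 0 && f[0] == "require" {
			f = f[1:] // single-line form: require <path> <version>
		}
		if len(f) < 2 || f[0] != modPath {
			continue
		}
		m := pseudoRe.FindStringSubmatch(f[1])
		switch {
		case m == nil:
			return "unknown", f[1] // tagged or unusual version: review by hand
		case m[1] >= fixedTS: // fixed-width digits, so string order is time order
			return "patched", f[1]
		default:
			return "outdated", f[1]
		}
	}
	return "absent", ""
}

func main() {
	// Constructed go.mod for illustration; the older pseudo-version is made up.
	sample := "module example.com/app\n\nrequire (\n\tgithub.com/landlock-lsm/go-landlock v0.0.0-20240101000000-0123456789ab // indirect\n)\n"
	status, v := CheckGoMod(sample)
	fmt.Printf("%s %s: %s\n", modPath, v, status)
}
```

An "outdated" result means the pinned version predates the patched one and should be upgraded as described above.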
None.
Currently none.
The existing users of Go-Landlock on GitHub have the following bugs filed:
 * https://github.com/Foxboron/ssh-the-planet/issues/1
 * https://github.com/ngergs/websrv/issues/15
 * https://github.com/pufferffish/wireproxy/issues/142
{ "nvd_published_at": null, "github_reviewed": true, "github_reviewed_at": "2024-10-14T20:30:25Z", "severity": "LOW", "cwe_ids": [] }