A flaw was found in cri-o up to version 1.10.2-dev. Pod workloads fail to drop capabilities when switching to a non-root
user. This allows a non-root user to create a pod and start it successfully even when the container needs privileged permissions.
Created cri-o tracking bugs for this issue:
Affects: fedora-all [bug 1578110]
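The description above names the failure mode (the container process switches to a non-root UID but keeps its effective capability set). An added example, not cri-o's own code, of the check a defender can run against a workload to confirm the fix: it parses the `Uid:` and `CapEff:` lines in the Linux `/proc/<pid>/status` format and reports any capabilities a non-root process still holds. The capability bit numbers are the standard Linux ones; the two status snippets are constructed samples, and `audit_pid` is a hypothetical helper for live use.

```python
"""Audit a container process's capabilities against its UID (added example, not cri-o code)."""

# Linux capability bit numbers, as defined in include/uapi/linux/capability.h
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 9: "CAP_LINUX_IMMUTABLE",
    10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST", 12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE", 20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN",
    22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE", 24: "CAP_SYS_RESOURCE",
    25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL",
    31: "CAP_SETFCAP", 32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN",
    34: "CAP_SYSLOG", 35: "CAP_WAKE_ALARM", 36: "CAP_BLOCK_SUSPEND",
    37: "CAP_AUDIT_READ",
}


def parse_status(text):
    """Return (effective_uid, cap_eff_mask) from /proc/<pid>/status text."""
    uid = None
    cap_eff = None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields = value.split()
        if key == "Uid" and len(fields) >= 2:
            uid = int(fields[1])          # order is real, effective, saved, fs
        elif key == "CapEff" and fields:
            cap_eff = int(fields[0], 16)  # 64-bit hex bitmask
    if uid is None or cap_eff is None:
        raise ValueError("status text lacks a Uid: or CapEff: line")
    return uid, cap_eff


def cap_names(mask):
    """Decode a capability bitmask into sorted capability names."""
    return sorted(CAP_NAMES.get(b, f"CAP_{b}") for b in range(64) if (mask >> b) & 1)


def audit(text):
    """Capabilities a non-root process still holds; an empty list means caps were dropped."""
    uid, cap_eff = parse_status(text)
    if uid == 0:
        return []  # a root process is expected to hold capabilities; nothing to flag
    return cap_names(cap_eff)


def audit_pid(pid):
    """Hypothetical live helper: audit a running process by PID (Linux only)."""
    with open(f"/proc/{pid}/status") as f:
        return audit(f.read())


# Constructed sample status snippets (not real captures).
# LEAKED: UID 1000 still holds the usual default container capability set.
LEAKED = (
    "Name:\tsh\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n"
    "CapEff:\t00000000a80425fb\n"
)
# CLEAN: UID 1000 with an empty effective set, the expected state after the fix.
CLEAN = "Name:\tsh\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"

if __name__ == "__main__":
    print("leaked:", audit(LEAKED))
    print("clean: ", audit(CLEAN))
```

Run against a container's PID from the host (or against `/proc/self/status` from inside the container) to see whether the non-root process still carries capabilities; a non-empty result from a non-root workload is the condition the bug describes.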
I believe this is fixed in cri-o-1.10.1-1.git728df92.fc27
Name: OpenShift team (Red Hat)
Can we get some clarification on CVE-2018-1000400 status?
https://access.redhat.com/security/cve/cve-2018-1000400 state is "Will not fix"
and it is linked to this bz.
A customer has a query about this CVE:
What problem/issue/behavior are you having trouble with? What do you expect to see?
https://access.redhat.com/security/cve/cve-2018-1000400 states that cri-o package is affected (and won't be fixed) in OpenShift 3 without any mention of the minor version. Please confirm if the cri-o package in 3.11 is affected or not and which version contains the fix. If it's still affected, we'd like to request a fix backport.