x/vulndb: potential Go vuln in github.com/containerd/containerd: GHSA-7ww5-4wqc-m92c

[GoVulnBot]

In GitHub Security Advisory GHSA-7ww5-4wqc-m92c, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/containerd/containerd	1.7.11	>= 1.7.0, <= 1.7.10

Cross references:

• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2021-43816 #278 EFFECTIVELY_PRIVATE
• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2022-23648 #344 EFFECTIVELY_PRIVATE
• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: GHSA-5j5w-g665-5m35 #360 EFFECTIVELY_PRIVATE
• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2022-31030 #482 EFFECTIVELY_PRIVATE
• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd/cmd: GHSA-36xw-fx78-c5r4 #784 NOT_IMPORTABLE
• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: GHSA-742w-89gc-8m9c #803 NOT_IMPORTABLE
• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2021-32760, GHSA-c72p-9xmj-rx3w #921 NOT_IMPORTABLE
• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2021-41103, GHSA-c2h3-6mxw-7mvq #938 NOT_IMPORTABLE
• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2022-23471 #1147 EFFECTIVELY_PRIVATE
• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2021-21334 #2321 LEGACY_FALSE_POSITIVE
• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: GHSA-259w-8hf6-59c2 #1573
• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: GHSA-259w-8hf6-59c2 #1573
• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: GHSA-hmfx-3pcx-653p #1574
• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: GHSA-hmfx-3pcx-653p #1574

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/containerd/containerd
      versions:
        - introduced: TODO (earliest fixed "1.7.11", vuln range ">= 1.7.0, <= 1.7.10")
      packages:
        - package: github.com/containerd/containerd
    - module: github.com/containerd/containerd
      versions:
        - introduced: TODO (earliest fixed "1.6.26", vuln range "<= 1.6.25")
      packages:
        - package: github.com/containerd/containerd
summary: containerd allows RAPL to be accessible to a container
ghsas:
    - GHSA-7ww5-4wqc-m92c
references:
    - advisory: https://github.com/containerd/containerd/security/advisories/GHSA-7ww5-4wqc-m92c
    - fix: https://github.com/containerd/containerd/commit/67d356cb3095f3e8f8ad7d36f9a733fea1e7e28c
    - fix: https://github.com/containerd/containerd/commit/746b910f05855c8bfdb4415a1c0f958b234910e5
    - advisory: https://github.com/advisories/GHSA-7ww5-4wqc-m92c

[jba]

One of the vulnerable packages, contrib/apparmor, is used in several main programs. To mention two examples, github.com/github.com/devx/boss and github.com/stellarproject/orbit both vendor the containerd repo, including the above package.

[gopherbot]

Change https://go.dev/cl/552855 mentions this issue: data/reports: add GO-2023-2412.yaml