Go-Landlock in best-effort mode did not restrict TCP bind and connect operations correctly
Description

Impact

When using the recommended "best-effort" mode, Go-Landlock did not restrict the TCP bind() and connect() operations any more when they were requested.

This affects Go-Landlock users to whom both of the following conditions apply:

* They use Landlock rulesets that are supposed to restrict networking (through landlock.V4, landlock.V5, or self-configured).
* These Landlock rulesets are used in best-effort mode.

Typically, affected code uses the Go-Landlock API like this (the crucial part being the combination of V4/V5 and .BestEffort()):

    err := landlock.V5.BestEffort().Restrict(…)

This is a bug in the Go-Landlock library and does not affect programs that use Landlock via C or other language bindings.

The bug only affects networking restrictions. File system restrictions continue to work as expected.

Patches

Patched in: https://github.com/landlock-lsm/go-landlock/commit/fb3ad845df462d013f9c8a965c496617c6a5778b

Users should upgrade to: v0.0.0-20241013234402-fb3ad845df46

Go package dependencies can be updated using go get -u from the project directory. Projects on Github might get notified by Dependabot, once this advisory is public.

Workarounds

None.

References

Currently none. The existing users of Go-Landlock on Github have the following bugs filed:

* https://github.com/Foxboron/ssh-the-planet/issues/1
* https://github.com/ngergs/websrv/issues/15
* …
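Because best-effort mode degrades silently, a program that relies on V4/V5 network rules should verify after Restrict() that TCP bind and connect are really denied. The following probe is an added example, not code from the advisory or from the go-landlock project; it uses only the standard library, assumes Linux, and treats EACCES (the verdict Landlock returns for denied bind(2)/connect(2)) as the only signal that the sandbox intervened. Port 8080 and 127.0.0.1:9 are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"syscall"
	"time"
)

// ProbeResult records what the kernel answered for one TCP operation.
type ProbeResult struct {
	Op     string // "bind" or "connect"
	Denied bool   // true only for EACCES, the error Landlock uses to deny
	Err    error  // underlying error, nil if the operation succeeded
}

// classify maps an error to a ProbeResult. Any failure other than EACCES
// (EADDRINUSE, ECONNREFUSED, ...) means the sandbox did not intervene.
func classify(op string, err error) ProbeResult {
	return ProbeResult{Op: op, Denied: errors.Is(err, syscall.EACCES), Err: err}
}

// ProbeBind tries to bind a TCP listener on 127.0.0.1:port (explicit port,
// so the result is not affected by how Landlock treats port 0).
func ProbeBind(port int) ProbeResult {
	ln, err := net.Listen("tcp", fmt.Sprintf("127.0.0.1:%d", port))
	if err == nil {
		ln.Close()
	}
	return classify("bind", err)
}

// ProbeConnect tries an outbound TCP connect to addr.
func ProbeConnect(addr string) ProbeResult {
	conn, err := net.DialTimeout("tcp", addr, 2*time.Second)
	if err == nil {
		conn.Close()
	}
	return classify("connect", err)
}

// NetworkRestricted is true only if both probes were denied, i.e. the
// network rules are in force. Call it right after Restrict() returns; with
// the buggy library (or a kernel without Landlock ABI v4) it reports false.
func NetworkRestricted(bindPort int, connectAddr string) bool {
	return ProbeBind(bindPort).Denied && ProbeConnect(connectAddr).Denied
}

func main() {
	if !NetworkRestricted(8080, "127.0.0.1:9") { // constructed sample values
		fmt.Fprintln(os.Stderr, "TCP bind/connect are NOT restricted; aborting")
		os.Exit(1)
	}
	fmt.Println("Landlock network restrictions verified")
}
```

Run the probe only after the ruleset has been applied; in an unrestricted process it reports false, which is exactly the condition this advisory describes.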

