On November 27th, the Firecracker team privately disclosed CVE-2019-18960 to us.
This security bug is an improper bounds-check, exploitable by firecracker guests using vsock.

We did determine that ignite was unaffected as the vulnerable vsock feature is currently unused in ignite.

We responded hastily and as a result of an internal miscommunication, we removed release binaries from GitHub and docker-images from DockerHub for ignite v0.6.1 and v0.6.2.

This means ignite v0.6.1 and v0.6.2 are not installable: (#496)
Existing users for these ignite versions are unable to create new vm's on hosts that lack the matching ignite docker-images.

The embargo for disclosing information on this CVE is now lifted.

Ignite v0.6.3 is published containing Firecracker v0.18.1 which resolves the security issue.
Please upgrade to ignite v0.6.3.

Ignite master is now using Firecracker v0.19.1.

We're preliminarily tagging this as wontfix for v0.6.1 and v0.6.2.
This will remain open for a few days.
If users have a need for these older versions to be published, we can attempt to locate and re-publish the build artifacts.