Red Hat Security Advisory 2022-6119-01

Red Hat Security Advisory 2022-6119-01 - The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods is a concept in Kubernetes.

Packet Storm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: podman security and bug fix update
Advisory ID: RHSA-2022:6119-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6119
Issue date: 2022-08-22
CVE Names: CVE-2022-2738 CVE-2022-2739
====================================================================

  1. Summary:

An update for podman is now available for Red Hat Enterprise Linux 7
Extras.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

  2. Relevant releases/architectures:

Red Hat Enterprise Linux 7 Extras - noarch, ppc64le, s390x, x86_64

  3. Description:

The podman tool manages pods, container images, and containers. It is part
of the libpod library, which is for applications that use container pods.
Container pods is a concept in Kubernetes.

Security Fix(es):

  • podman: Security regression of CVE-2020-8945 due to source code
    management issue (CVE-2022-2738)

  • podman: Security regression of CVE-2020-14370 due to source code
    management issue (CVE-2022-2739)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

  • podman-1.6.4-32 prints a Error: read unixpacket when running in
    interactive mode (BZ#2087994)

  • systemd managed container doesn’t start serving web traffic despite of
    starting on system startup. (BZ#2096449)

  • Can not Add url with podman build (BZ#2112217)

  4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

  5. Bugs fixed (https://bugzilla.redhat.com/):

2087994 - podman-1.6.4-32 prints a Error: read unixpacket when running in interactive mode
2096449 - systemd managed container doesn’t start serving web traffic despite of starting on system startup. [rhel-7.9.z]
2112217 - Can not Add url with podman build
2116923 - CVE-2022-2738 podman: Security regression of CVE-2020-8945 due to source code management issue
2116927 - CVE-2022-2739 podman: Security regression of CVE-2020-14370 due to source code management issue

  6. Package List:

Red Hat Enterprise Linux 7 Extras:

Source:
podman-1.6.4-36.el7_9.src.rpm

noarch:
podman-docker-1.6.4-36.el7_9.noarch.rpm

ppc64le:
podman-1.6.4-36.el7_9.ppc64le.rpm
podman-debuginfo-1.6.4-36.el7_9.ppc64le.rpm

s390x:
podman-1.6.4-36.el7_9.s390x.rpm
podman-debuginfo-1.6.4-36.el7_9.s390x.rpm

x86_64:
podman-1.6.4-36.el7_9.x86_64.rpm
podman-debuginfo-1.6.4-36.el7_9.x86_64.rpm

Red Hat Enterprise Linux 7 Extras:

Source:
podman-1.6.4-36.el7_9.src.rpm

noarch:
podman-docker-1.6.4-36.el7_9.noarch.rpm

x86_64:
podman-1.6.4-36.el7_9.x86_64.rpm
podman-debuginfo-1.6.4-36.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
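The package list above is the only reliable way to tell whether a host is covered: as the advisory explains, RHSA-2022:2190 shipped a newer podman build that had silently dropped the fixes for CVE-2020-8945 and CVE-2020-14370, so "is my version newer than the one that originally fixed it" is the wrong question. The script below is an added example, not part of the advisory or of Red Hat's tooling. It compares installed package versions against the fixed NVRs copied from the package list using a re-implementation of rpm's version-segment comparison (rpmvercmp, including the '~' and '^' rules), and the `rpm -qa` output it falls back to on a non-RPM host is constructed sample data.

```python
"""Audit installed podman packages against the NVRs shipped in RHSA-2022:6119.

Added example; not Red Hat tooling.  FIXED is copied from the advisory's
package list, rpmvercmp() re-implements rpm's segment comparison, and
SAMPLE_RPM_QA is constructed input.
"""
import re
import subprocess

# Fixed builds from the advisory's "Package List" (version-release, no epoch).
FIXED = {
    "podman": "1.6.4-36.el7_9",
    "podman-docker": "1.6.4-36.el7_9",
    "podman-debuginfo": "1.6.4-36.el7_9",
}
KNOWN_ARCHES = {"x86_64", "ppc64le", "s390x", "noarch", "src", "i686", "aarch64"}


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpm does: split into
    numeric and alphabetic segments; numeric segments compare as integers and
    beat alphabetic ones; '~' sorts before everything (pre-releases); '^' sorts
    after end-of-string but before any other segment.  Returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators: anything that is neither alphanumeric nor '~'/'^'.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        pattern = r"\d+" if ca.isdigit() else r"[^\W\d_]+"
        ma, mb = re.match(pattern, a[i:]), re.match(pattern, b[j:])
        if mb is None:
            # Segments of different kinds: the numeric one is the newer version.
            return 1 if ca.isdigit() else -1
        sa, sb = ma.group(), mb.group()
        i, j = i + len(sa), j + len(sb)
        if ca.isdigit():
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever string has characters left wins


def parse_nevra(pkg: str):
    """Split 'name-[epoch:]version-release.arch' (one `rpm -qa` line, optionally
    ending in .rpm) into (name, epoch, version, release, arch).  Raises
    ValueError for anything not shaped like that (e.g. gpg-pubkey entries)."""
    pkg = pkg.strip()
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    base, _, arch = pkg.rpartition(".")
    if arch not in KNOWN_ARCHES:
        raise ValueError(f"unrecognised arch in {pkg!r}")
    parts = base.rsplit("-", 2)
    if len(parts) != 3:
        raise ValueError(f"not a name-version-release string: {pkg!r}")
    name, version, release = parts
    epoch, _, version = version.rpartition(":")  # '' when rpm printed no epoch
    return name, epoch or "0", version, release, arch


def evr_cmp(a, b) -> int:
    """Compare (epoch, version, release) tuples segment by segment."""
    for x, y in zip(a, b):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def audit(rpm_qa_output: str) -> dict:
    """Map each installed package named in FIXED to (installed NVRA, status)."""
    results = {}
    for line in rpm_qa_output.splitlines():
        try:
            name, epoch, version, release, arch = parse_nevra(line)
        except ValueError:
            continue
        if name not in FIXED:
            continue
        fixed_version, _, fixed_release = FIXED[name].rpartition("-")
        c = evr_cmp((epoch, version, release), ("0", fixed_version, fixed_release))
        results[name] = (f"{version}-{release}.{arch}",
                         "needs-update" if c < 0 else "fixed")
    return results


# Constructed sample of `rpm -qa` output: one stale podman build, one current
# podman-docker, and an unrelated package that must be ignored.
SAMPLE_RPM_QA = """\
podman-1.6.4-32.el7_9.x86_64
podman-docker-1.6.4-36.el7_9.noarch
kernel-3.10.0-1160.el7.x86_64
"""

if __name__ == "__main__":
    try:
        out = subprocess.run(["rpm", "-qa"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        out = SAMPLE_RPM_QA  # not an RPM host: run on the constructed sample
    for name, (installed, status) in sorted(audit(out).items()):
        print(f"{name:18} {installed:32} {status}")
```

On a RHEL 7 host the script reads the real `rpm -qa` output and reports `needs-update` for any podman package older than the 1.6.4-36.el7_9 builds listed above; `rpm -K` (`--checksig`) on the downloaded packages verifies the Red Hat signature the advisory refers to before they are installed.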

  7. References:

https://access.redhat.com/security/cve/CVE-2022-2738
https://access.redhat.com/security/cve/CVE-2022-2739
https://access.redhat.com/security/updates/classification/#moderate

  8. Contact:

The Red Hat security contact is secalert@redhat.com. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

RHSA-announce mailing list
rhsa-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Related news

GHSA-c3wv-qmjj-45r6: Information disclosure in podman

An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container will get leaked into subsequent containers. An attacker who has control over the subsequent containers could use this flaw to gain access to sensitive information stored in such variables.

CVE-2022-2739

The version of podman as released for Red Hat Enterprise Linux 7 Extras via RHSA-2022:2190 advisory included an incorrect version of podman missing the fix for CVE-2020-14370, which was previously fixed via RHSA-2020:5056. This issue could possibly allow an attacker to gain access to sensitive information stored in environment variables.

CVE-2022-2738

The version of podman as released for Red Hat Enterprise Linux 7 Extras via RHSA-2022:2190 advisory included an incorrect version of podman missing the fix for CVE-2020-8945, which was previously fixed via RHSA-2020:2117. This issue could possibly be used to crash or cause potential code execution in Go applications that use the Go GPGME wrapper library, under certain conditions, during GPG signature verification.

RHSA-2022:6119: Red Hat Security Advisory: podman security and bug fix update

An update for podman is now available for Red Hat Enterprise Linux 7 Extras. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-2738: podman: Security regression of CVE-2020-8945 due to source code management issue
  • CVE-2022-2739: podman: Security regression of CVE-2020-14370 due to source code management issue

CVE-2020-14370: Information disclosure in podman (the same issue as GHSA-c3wv-qmjj-45r6 above)

CVE-2020-8945: Ensure finalizers don't deallocate GPGME objects while C code is still using them by mtrmac · Pull Request #23 · proglottis/gpgme

The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification.
