Headline
Red Hat Security Advisory 2022-6119-01
Red Hat Security Advisory 2022-6119-01 - The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods is a concept in Kubernetes.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: podman security and bug fix update
Advisory ID: RHSA-2022:6119-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6119
Issue date: 2022-08-22
CVE Names: CVE-2022-2738 CVE-2022-2739
====================================================================
- Summary:
An update for podman is now available for Red Hat Enterprise Linux 7
Extras.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux 7 Extras - noarch, ppc64le, s390x, x86_64
- Description:
The podman tool manages pods, container images, and containers. It is part
of the libpod library, which is for applications that use container pods.
Container pods is a concept in Kubernetes.
Security Fix(es):
podman: Security regression of CVE-2020-8945 due to source code
management issue (CVE-2022-2738)podman: Security regression of CVE-2020-14370 due to source code
management issue (CVE-2022-2739)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Bug Fix(es):
podman-1.6.4-32 prints a
Error: read unixpacket
when running in
interactive mode (BZ#2087994)systemd managed container doesn’t start serving web traffic despite of
starting on system startup. (BZ#2096449)Can not Add url with podman build (BZ#2112217)
- Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2087994 - podman-1.6.4-32 prints a Error: read unixpacket
when running in interactive mode
2096449 - systemd managed container doesn’t start serving web traffic despite of starting on system startup. [rhel-7.9.z]
2112217 - Can not Add url with podman build
2116923 - CVE-2022-2738 podman: Security regression of CVE-2020-8945 due to source code management issue
2116927 - CVE-2022-2739 podman: Security regression of CVE-2020-14370 due to source code management issue
- Package List:
Red Hat Enterprise Linux 7 Extras:
Source:
podman-1.6.4-36.el7_9.src.rpm
noarch:
podman-docker-1.6.4-36.el7_9.noarch.rpm
ppc64le:
podman-1.6.4-36.el7_9.ppc64le.rpm
podman-debuginfo-1.6.4-36.el7_9.ppc64le.rpm
s390x:
podman-1.6.4-36.el7_9.s390x.rpm
podman-debuginfo-1.6.4-36.el7_9.s390x.rpm
x86_64:
podman-1.6.4-36.el7_9.x86_64.rpm
podman-debuginfo-1.6.4-36.el7_9.x86_64.rpm
Red Hat Enterprise Linux 7 Extras:
Source:
podman-1.6.4-36.el7_9.src.rpm
noarch:
podman-docker-1.6.4-36.el7_9.noarch.rpm
x86_64:
podman-1.6.4-36.el7_9.x86_64.rpm
podman-debuginfo-1.6.4-36.el7_9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-2738
https://access.redhat.com/security/cve/CVE-2022-2739
https://access.redhat.com/security/updates/classification/#moderate
- Contact:
The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYwNxe9zjgjWX9erEAQiJqxAAobPjMUhcXDVl8pGdNuV1LVqw90F/jCi6
drEsqOkhhjntDdLan47CnKz3K5+XiGlMIZEK9z7rGFCZXbTVLY2JJoucvKS0Juty
dYj0VOcvzGMOAmiZLNK4hBEbL0KYRZtaTdeD7rPLJFlyWwzk1TyCUCQ1lSaut6sK
k97/DgHu4cSCaNSjO2/u2rejM9fXTz7FSmFdcldbdtG65xfHiwhMlIXS1WeLGxzg
YpG3CXekEkFZfcAy11fB2jrRFVTXFoPVyPG91gDtqxXNRppq4PhqnkqQUGLGvEyU
IBcnhJM3Wyo7US/IveAxMO+fhM0NfbaZTM1XvdEss1y/y3VBApwB1JTAlRyLGgPe
Q3lIJFhKZCjn8V4JnzqyQdT3g55Ixz5IWOpCExnH2hIObSFDQ/t9zEc+OkzQtyoi
un2iPDokuTFizToAVZZUFjl43HY1EhS8AIHKpt0c7cGCX8XBfbFjOwRSSFYNqIOd
76nentx0E2kVE6u7mBNh6HWD0hR24JtiKb0buI2JnJWQChKUVGWm8yzdhhgf6m99
I62oFNhYNQc/y/TyQtSQ5VYyWC8RgHbBh1GfMK82ODMp9JhOikTjM/whDMBL17q/
rhqe/cJKrnkmNEhhrfJo6rJAFhszpYnC4L1vElDyP23JYswoJie4RLky+ZFw6X/x
kwGrd6nk+J4=u9Pa
-----END PGP SIGNATURE-----
–
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container will get leaked into subsequent containers. An attacker who has control over the subsequent containers could use this flaw to gain access to sensitive information stored in such variables.
The version of podman as released for Red Hat Enterprise Linux 7 Extras via RHSA-2022:2190 advisory included an incorrect version of podman missing the fix for CVE-2020-14370, which was previously fixed via RHSA-2020:5056. This issue could possibly allow an attacker to gain access to sensitive information stored in environment variables.
The version of podman as released for Red Hat Enterprise Linux 7 Extras via RHSA-2022:2190 advisory included an incorrect version of podman missing the fix for CVE-2020-8945, which was previously fixed via RHSA-2020:2117. This issue could possibly be used to crash or cause potential code execution in Go applications that use the Go GPGME wrapper library, under certain conditions, during GPG signature verification.
An update for podman is now available for Red Hat Enterprise Linux 7 Extras. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2738: podman: Security regression of CVE-2020-8945 due to source code management issue * CVE-2022-2739: podman: Security regression of CVE-2020-14370 due to source code management issue
An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container will get leaked into subsequent containers. An attacker who has control over the subsequent containers could use this flaw to gain access to sensitive information stored in such variables.
The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification.