Headline
Red Hat Security Advisory 2022-8431-01
Red Hat Security Advisory 2022-8431-01 - The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods is a concept in Kubernetes. Issues addressed include an information leakage vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Low: podman security, bug fix, and enhancement update
Advisory ID: RHSA-2022:8431-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8431
Issue date: 2022-11-15
CVE Names: CVE-2022-2989 CVE-2022-2990
====================================================================
- Summary:
An update for podman is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64
- Description:
The podman tool manages pods, container images, and containers. It is part
of the libpod library, which is for applications that use container pods.
Container pods is a concept in Kubernetes.
Security Fix(es):
podman: possible information disclosure and modification (CVE-2022-2989)
buildah: possible information disclosure and modification (CVE-2022-2990)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Bug Fix(es):
(podman image trust) does not support the new trust type "sigstoreSigned
" (BZ#2120436)dnf-update broken for podman/catatonit (BZ#2123319)
podman creates lock file in /etc/cni/net.d/cni.lock instead of /run/lock/
(BZ#2123905)podman kill may deadlock [RHEL 9.1] (BZ#2124716)
containers config.json gets empty after sudden power loss (BZ#2136278)
PANIC podman API service endpoint handler panic (BZ#2136287)
Enhancement(s):
Podman volume plugin timeout should be configurable [rhel-9.1.0 Z]
(BZ#2124676)[RFE]Podman support to perform custom actions on unhealthy containers
(BZ#2136281)
- Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2120436 - (podman image trust) does not support the new trust type "sigstoreSigned "
2121445 - CVE-2022-2989 podman: possible information disclosure and modification
2121453 - CVE-2022-2990 buildah: possible information disclosure and modification
2123319 - dnf-update broken for podman/catatonit
2123905 - podman creates lock file in /etc/cni/net.d/cni.lock instead of /run/lock/
2124676 - Podman volume plugin timeout should be configurable [rhel-9.1.0 Z]
2124716 - podman kill may deadlock [RHEL 9.1]
2136278 - containers config.json gets empty after sudden power loss [rhel-9.1.0.z]
2136281 - [RFE]Podman support to perform custom actions on unhealthy containers [rhel-9.1.0.z]
2136287 - PANIC podman API service endpoint handler panic [rhel-9.1.0.z]
- Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
podman-4.2.0-7.el9_1.src.rpm
aarch64:
podman-4.2.0-7.el9_1.aarch64.rpm
podman-catatonit-4.2.0-7.el9_1.aarch64.rpm
podman-catatonit-debuginfo-4.2.0-7.el9_1.aarch64.rpm
podman-debuginfo-4.2.0-7.el9_1.aarch64.rpm
podman-debugsource-4.2.0-7.el9_1.aarch64.rpm
podman-gvproxy-4.2.0-7.el9_1.aarch64.rpm
podman-gvproxy-debuginfo-4.2.0-7.el9_1.aarch64.rpm
podman-plugins-4.2.0-7.el9_1.aarch64.rpm
podman-plugins-debuginfo-4.2.0-7.el9_1.aarch64.rpm
podman-remote-4.2.0-7.el9_1.aarch64.rpm
podman-remote-debuginfo-4.2.0-7.el9_1.aarch64.rpm
podman-tests-4.2.0-7.el9_1.aarch64.rpm
noarch:
podman-docker-4.2.0-7.el9_1.noarch.rpm
ppc64le:
podman-4.2.0-7.el9_1.ppc64le.rpm
podman-catatonit-4.2.0-7.el9_1.ppc64le.rpm
podman-catatonit-debuginfo-4.2.0-7.el9_1.ppc64le.rpm
podman-debuginfo-4.2.0-7.el9_1.ppc64le.rpm
podman-debugsource-4.2.0-7.el9_1.ppc64le.rpm
podman-gvproxy-4.2.0-7.el9_1.ppc64le.rpm
podman-gvproxy-debuginfo-4.2.0-7.el9_1.ppc64le.rpm
podman-plugins-4.2.0-7.el9_1.ppc64le.rpm
podman-plugins-debuginfo-4.2.0-7.el9_1.ppc64le.rpm
podman-remote-4.2.0-7.el9_1.ppc64le.rpm
podman-remote-debuginfo-4.2.0-7.el9_1.ppc64le.rpm
podman-tests-4.2.0-7.el9_1.ppc64le.rpm
s390x:
podman-4.2.0-7.el9_1.s390x.rpm
podman-catatonit-4.2.0-7.el9_1.s390x.rpm
podman-catatonit-debuginfo-4.2.0-7.el9_1.s390x.rpm
podman-debuginfo-4.2.0-7.el9_1.s390x.rpm
podman-debugsource-4.2.0-7.el9_1.s390x.rpm
podman-gvproxy-4.2.0-7.el9_1.s390x.rpm
podman-gvproxy-debuginfo-4.2.0-7.el9_1.s390x.rpm
podman-plugins-4.2.0-7.el9_1.s390x.rpm
podman-plugins-debuginfo-4.2.0-7.el9_1.s390x.rpm
podman-remote-4.2.0-7.el9_1.s390x.rpm
podman-remote-debuginfo-4.2.0-7.el9_1.s390x.rpm
podman-tests-4.2.0-7.el9_1.s390x.rpm
x86_64:
podman-4.2.0-7.el9_1.x86_64.rpm
podman-catatonit-4.2.0-7.el9_1.x86_64.rpm
podman-catatonit-debuginfo-4.2.0-7.el9_1.x86_64.rpm
podman-debuginfo-4.2.0-7.el9_1.x86_64.rpm
podman-debugsource-4.2.0-7.el9_1.x86_64.rpm
podman-gvproxy-4.2.0-7.el9_1.x86_64.rpm
podman-gvproxy-debuginfo-4.2.0-7.el9_1.x86_64.rpm
podman-plugins-4.2.0-7.el9_1.x86_64.rpm
podman-plugins-debuginfo-4.2.0-7.el9_1.x86_64.rpm
podman-remote-4.2.0-7.el9_1.x86_64.rpm
podman-remote-debuginfo-4.2.0-7.el9_1.x86_64.rpm
podman-tests-4.2.0-7.el9_1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-2989
https://access.redhat.com/security/cve/CVE-2022-2990
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
- Contact:
The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBY3PgvNzjgjWX9erEAQguiQ/+JYtEo5V+1Su78CX7r6glTmZEO6RZJ3hv
FTyFEAhZEYiamgHlphr+1NXhZoEvd3pucb5xDwDROjGHeb6clIHHS+IAYixXIJpb
kYQ+h+/68WQ9T1gNr48h5YMAuZ8UmvwoPRx6yOjbeX8NMIPJIIOcPtqwkrNWo81x
/wcZU+88QA+icw627FU1yMPaAGJB6frMaQ9hCpbv6s3IgJ7bon9caWuegSXpK/JN
2RbrZ65xxB5L3boMyHkdy9YEvlauHPc/QA1JMQPNYRBnssWQJhYz5MDWrFpvG2R8
jrtO9D5juKovt5sfedapNr9Fn6gEr2ZdaeSIuqPRUyXEHJlukvgr121Yjc1Uv2xa
0sKXLE8psKJ0dmvIz+L+iCzsrt5raFCqQg/ML2q8ILYI4bmfO1ce3IejbXlvRFFS
ApR0+XE2NcnDImrhu5xIqzAjFowQPjSbEdvXxx+CO2YgJ/sIBr6zJld+3EFUqTbn
iuGKtVhYtx1HX8LZz2vfSIIpwRwU5Mi5t4vMSdB9yQopnHLpb3sEzI1A1J7NC3Fb
Ryx5/VqMxGI56YnhVVg8ZnP3IxMxgRXyQfA/aJaJk+32BQD0LghuhM/AKT9e9nIj
MqeIr8uZVbJ0nczSLFrWK7PA6iQuQTSGFLVJo1f2nfgLbdKKZnMAM1H1bx7fuqzV
ejEpRhQR84E=8u+K
-----END PGP SIGNATURE-----
–
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
Gentoo Linux Security Advisory 202407-12 - Multiple vulnerabilities have been discovered in Podman, the worst of which could lead to privilege escalation. Versions greater than or equal to 4.9.4 are affected.
Ubuntu Security Notice 6295-1 - It was discovered that Podman incorrectly handled certain supplementary groups. An attacker could possibly use this issue to expose sensitive information or execute binary code.
Red Hat Security Advisory 2023-1328-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Issues addressed include denial of service and out of bounds read vulnerabilities.
Red Hat Security Advisory 2023-1326-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.0. Issues addressed include bypass, denial of service, information leakage, out of bounds read, and remote SQL injection vulnerabilities.
Red Hat OpenShift Container Platform release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2990: An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has d...
Red Hat Security Advisory 2023-1327-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.0.
Red Hat Security Advisory 2023-2802-01 - The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Issues addressed include denial of service and information leakage vulnerabilities.
Red Hat Security Advisory 2022-8008-01 - The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to: Create a working container, either from scratch or using an image as a starting point; Create an image, either from a working container or using the instructions in a Dockerfile; Build both Docker and OCI images. Issues addressed include denial of service and information leakage vulnerabilities.
An update for podman is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2989: podman: possible information disclosure and modification * CVE-2022-2990: buildah: possible information disclosure and modification
An update for podman is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2989: podman: possible information disclosure and modification * CVE-2022-2990: buildah: possible information disclosure and modification
An update for buildah is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-20291: containers/storage: DoS via malicious image * CVE-2021-33195: golang: net: lookup functions may return invalid host names * CVE-2021-33197: golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty * CVE-2021-33198: golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very l...
An update for buildah is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-20291: containers/storage: DoS via malicious image * CVE-2021-33195: golang: net: lookup functions may return invalid host names * CVE-2021-33197: golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty * CVE-2021-33198: golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very l...
Red Hat Security Advisory 2022-7457-01 - The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Issues addressed include information leakage and memory exhaustion vulnerabilities.
Red Hat Security Advisory 2022-7822-01 - The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Issues addressed include an information leakage vulnerability.
Red Hat Security Advisory 2022-7822-01 - The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Issues addressed include an information leakage vulnerability.
An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2989: podman: possible information disclosure and modification * CVE-2022-2990: buildah: possible information disclosure and modification
An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2989: podman: possible information disclosure and modification * CVE-2022-2990: buildah: possible information disclosure and modification
An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-36221: golang: net/http/httputil: panic due to racy read of persistConn after handler panic * CVE-2021-41190: opencontainers: OCI manifest and index parsing confusion * CVE-2022-1708: cri-o: memory exhaustion on the node when access to the kube api * CVE-2022-2990: buildah: possible information disclosure and modification * CVE-...
An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.
An incorrect handling of the supplementary groups in the Podman container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.
An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.
An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.
An incorrect handling of the supplementary groups in the Podman container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.
Linus Torvalds says Retbleed has been addressed in the Linux kernel, but code complexity means the release will be delayed by a week to give more time for testing.