Operating System:

[RedHat]

Published:

16 November 2022

Protect yourself against future threats.

//Service

Member Security Incident Notifications

Be proactive with your security and receive our daily Member Security Incident Notifications (MSINs) custom to your network.

Read more
Resources > Security Bulletins > ESB-2022.5879 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5879
                    podman security and bug fix update
                             16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           podman
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-27191 CVE-2021-34558 CVE-2021-33197
                   CVE-2021-20291 CVE-2021-20199 CVE-2021-4024
                   CVE-2020-28852 CVE-2020-28851 

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2022:7954

Comment: CVSS (Max):  7.5 CVE-2022-27191 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: podman security and bug fix update
Advisory ID:       RHSA-2022:7954-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7954
Issue date:        2022-11-15
CVE Names:         CVE-2020-28851 CVE-2020-28852 CVE-2021-4024 
                   CVE-2021-20199 CVE-2021-20291 CVE-2021-33197 
                   CVE-2021-34558 CVE-2022-27191 
=====================================================================

1. Summary:

An update for podman is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The podman tool manages pods, container images, and containers. It is part
of the libpod library, which is for applications that use container pods.
Container pods is a concept in Kubernetes.

Security Fix(es):

* golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing
- - -u- extension (CVE-2020-28851)

* golang.org/x/text: Panic in language.ParseAcceptLanguage while processing
bcp47 tag (CVE-2020-28852)

* podman: podman machine spawns gvproxy with port bound to all IPs
(CVE-2021-4024)

* podman: Remote traffic to rootless containers is seen as orginating from
localhost (CVE-2021-20199)

* containers/storage: DoS via malicious image (CVE-2021-20291)

* golang: net/http/httputil: ReverseProxy forwards connection headers if
first one is empty (CVE-2021-33197)

* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)

* golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1913333 - CVE-2020-28851 golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension
1913338 - CVE-2020-28852 golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag
1919050 - CVE-2021-20199 podman: Remote traffic to rootless containers is seen as orginating from localhost
1939485 - CVE-2021-20291 containers/storage: DoS via malicious image
1972303 - TMPDIR is not working in podman pull and podman load [rhel-9.0 beta]
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
2026675 - CVE-2021-4024 podman: podman machine spawns gvproxy with port bound to all IPs
2040379 - Podman exe failed to cleanup dir with NFS
2064702 - CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server
2081349 - podman defaults to old network stack on RHEL9
2088116 - podman does not require netavark
2092798 - podman installation includes runc as a dependency
2097694 - Allow mounting -v /run:/run without leaking .containerenv file to the host

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
podman-4.2.0-3.el9.src.rpm

aarch64:
podman-4.2.0-3.el9.aarch64.rpm
podman-catatonit-debuginfo-4.2.0-3.el9.aarch64.rpm
podman-debuginfo-4.2.0-3.el9.aarch64.rpm
podman-debugsource-4.2.0-3.el9.aarch64.rpm
podman-gvproxy-4.2.0-3.el9.aarch64.rpm
podman-gvproxy-debuginfo-4.2.0-3.el9.aarch64.rpm
podman-plugins-4.2.0-3.el9.aarch64.rpm
podman-plugins-debuginfo-4.2.0-3.el9.aarch64.rpm
podman-remote-4.2.0-3.el9.aarch64.rpm
podman-remote-debuginfo-4.2.0-3.el9.aarch64.rpm
podman-tests-4.2.0-3.el9.aarch64.rpm

noarch:
podman-docker-4.2.0-3.el9.noarch.rpm

ppc64le:
podman-4.2.0-3.el9.ppc64le.rpm
podman-catatonit-debuginfo-4.2.0-3.el9.ppc64le.rpm
podman-debuginfo-4.2.0-3.el9.ppc64le.rpm
podman-debugsource-4.2.0-3.el9.ppc64le.rpm
podman-gvproxy-4.2.0-3.el9.ppc64le.rpm
podman-gvproxy-debuginfo-4.2.0-3.el9.ppc64le.rpm
podman-plugins-4.2.0-3.el9.ppc64le.rpm
podman-plugins-debuginfo-4.2.0-3.el9.ppc64le.rpm
podman-remote-4.2.0-3.el9.ppc64le.rpm
podman-remote-debuginfo-4.2.0-3.el9.ppc64le.rpm
podman-tests-4.2.0-3.el9.ppc64le.rpm

s390x:
podman-4.2.0-3.el9.s390x.rpm
podman-catatonit-debuginfo-4.2.0-3.el9.s390x.rpm
podman-debuginfo-4.2.0-3.el9.s390x.rpm
podman-debugsource-4.2.0-3.el9.s390x.rpm
podman-gvproxy-4.2.0-3.el9.s390x.rpm
podman-gvproxy-debuginfo-4.2.0-3.el9.s390x.rpm
podman-plugins-4.2.0-3.el9.s390x.rpm
podman-plugins-debuginfo-4.2.0-3.el9.s390x.rpm
podman-remote-4.2.0-3.el9.s390x.rpm
podman-remote-debuginfo-4.2.0-3.el9.s390x.rpm
podman-tests-4.2.0-3.el9.s390x.rpm

x86_64:
podman-4.2.0-3.el9.x86_64.rpm
podman-catatonit-debuginfo-4.2.0-3.el9.x86_64.rpm
podman-debuginfo-4.2.0-3.el9.x86_64.rpm
podman-debugsource-4.2.0-3.el9.x86_64.rpm
podman-gvproxy-4.2.0-3.el9.x86_64.rpm
podman-gvproxy-debuginfo-4.2.0-3.el9.x86_64.rpm
podman-plugins-4.2.0-3.el9.x86_64.rpm
podman-plugins-debuginfo-4.2.0-3.el9.x86_64.rpm
podman-remote-4.2.0-3.el9.x86_64.rpm
podman-remote-debuginfo-4.2.0-3.el9.x86_64.rpm
podman-tests-4.2.0-3.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-28851
https://access.redhat.com/security/cve/CVE-2020-28852
https://access.redhat.com/security/cve/CVE-2021-4024
https://access.redhat.com/security/cve/CVE-2021-20199
https://access.redhat.com/security/cve/CVE-2021-20291
https://access.redhat.com/security/cve/CVE-2021-33197
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/cve/CVE-2022-27191
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY3PhTNzjgjWX9erEAQi3cg/+MBUAmnN6lN8i+PpVh7F+cKBIZF08OYvD
ILPTVTIUYchZ1I6YhNJDV5zYe4erHJ2kK6Hx0ougoDHFIJYFrzrh5wRyAA0rYq69
9j+tSW5strpI3+umJjusRkwR4G/0w6WUUMWyMRAWwB8iFs/aV9SYp/Me+63hkL96
EUdq5zeMKgL8YSngno5cNRB64m+Loz+xL3xUBDI6D/tQTNQJieXQrt4OmRcHy5mL
aergtSamlu0LTG4WFbAEjuXg3aG+YbRsDZK/pcSyGE3HpQGytXwPyl5kaTuZa2A1
lLCJuT03Y9pNKe4CLNwZVN54tVXcuAYoZRKdt2+ezaa86pNIwSdd11QO8UZNNi5a
FvvOH9QUm68l2ZE6Et5v3qj/gTzh3m+mhPONc4qDnCpEpUiIx8/ufSls3yJdk38r
eiUDwySfDnLkqcHSDkvK4XHoGeMNFeX5Inc5aEMWObJp0UsY7853rmmQxAP0znsA
zRkA/2txdIyKEOjX2Ndc5/weVZZnm2hINyalQYMGKpfKFosEtls7Fzqw6u0uKZxA
FbhQXlZG345K3WS+m8VK0wtXmxVjbaK9kaQ2FvEORsCFKITEaK5SoFtgvf2JOcCd
sO/Pzy+6k/wu1DsyRqurc4DKMtylJvf2ICsGB6rxbmwif76Q7RoW6aVKc/pFdZA3
50yYHqkbOJU=
=0pbG
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY3Qr/ckNZI30y1K9AQgM/RAAszSXz2VkZ0h/NhqNJDdQLqlZ8E2QRKZ2
bEyWxxZjMrm5sgJ+PXQmHX2A7Ydk+tAkxcz/zR82cJbB38t4OyqwS7aUPGGwda6x
xKgizzOK41LdufCJoFRBktlKqczhBXUgRulp1lCfidFq82UsJPXiczEmDA559GXE
8m633JtFcT8I/5P776ftabAnYYxQpG4UWNWGUm+yGFcsTZdKpdbcUJdx+YS9Uwbc
Y6/mFjUdVbE7gXyYWm/nrrGGWZIXioF56xBDj2F73k1auW+lls57ShT6/AkhyFU1
eKpsY6rsBK4fDau9J5+oDLbpfPVBmHF+UoUrWYhQVNdpHfdc+Bas8/0WbhPn7/oI
G2jq4GCrFlkBxL0tskNyR6iQIwKWYBy7nFUGO6nezjchvsCb9FoNuBxxRJ32wzox
UHsih16OGrQq3anpGnZms7C1fAyuMoAvc2bDCzDpijG7Jzg4uxwqmkKy93Hws7bk
0PNLd1THB709kN8xwQqvntCMYDUOjN+v2bWe38ag9xzakfO0teoEZhC3rzIIQsR+
D4g2kTvmpdmVIFnttdfXqDB8+YQ0/i4RNXzSbZAFS/LavfdF2cQmnlnGiT6wkOeD
x8hbXFqODIzvb9yd/cWLdJBAgQl53+HUYj+N9CmtKwyTCpTMbKlPIsGNpO9O/hs5
07be3GNCAGo=
=RYZQ
-----END PGP SIGNATURE-----