===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5879
                    podman security and bug fix update
                             16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           podman
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-27191 CVE-2021-34558 CVE-2021-33197
                   CVE-2021-20291 CVE-2021-20199 CVE-2021-4024
                   CVE-2020-28852 CVE-2020-28851

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:7954

Comment: CVSS (Max):  7.5 CVE-2022-27191 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: podman security and bug fix update
Advisory ID:       RHSA-2022:7954-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7954
Issue date:        2022-11-15
CVE Names:         CVE-2020-28851 CVE-2020-28852 CVE-2021-4024
                   CVE-2021-20199 CVE-2021-20291 CVE-2021-33197
                   CVE-2021-34558 CVE-2022-27191
=====================================================================

1. Summary:

An update for podman is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The podman tool manages pods, container images, and containers. It is part
of the libpod library, which is for applications that use container pods.
Container pods is a concept in Kubernetes.

Security Fix(es):

* golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing
-u- extension (CVE-2020-28851)

* golang.org/x/text: Panic in language.ParseAcceptLanguage while processing
bcp47 tag (CVE-2020-28852)

* podman: podman machine spawns gvproxy with port bound to all IPs
(CVE-2021-4024)

* podman: Remote traffic to rootless containers is seen as originating from
localhost (CVE-2021-20199)

* containers/storage: DoS via malicious image (CVE-2021-20291)

* golang: net/http/httputil: ReverseProxy forwards connection headers if
first one is empty (CVE-2021-33197)

* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)

* golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1913333 - CVE-2020-28851 golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension
1913338 - CVE-2020-28852 golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag
1919050 - CVE-2021-20199 podman: Remote traffic to rootless containers is seen as originating from localhost
1939485 - CVE-2021-20291 containers/storage: DoS via malicious image
1972303 - TMPDIR is not working in podman pull and podman load [rhel-9.0 beta]
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
2026675 - CVE-2021-4024 podman: podman machine spawns gvproxy with port bound to all IPs
2040379 - Podman exe failed to cleanup dir with NFS
2064702 - CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server
2081349 - podman defaults to old network stack on RHEL9
2088116 - podman does not require netavark
2092798 - podman installation includes runc as a dependency
2097694 - Allow mounting -v /run:/run without leaking .containerenv file to the host

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
podman-4.2.0-3.el9.src.rpm

aarch64:
podman-4.2.0-3.el9.aarch64.rpm
podman-catatonit-debuginfo-4.2.0-3.el9.aarch64.rpm
podman-debuginfo-4.2.0-3.el9.aarch64.rpm
podman-debugsource-4.2.0-3.el9.aarch64.rpm
podman-gvproxy-4.2.0-3.el9.aarch64.rpm
podman-gvproxy-debuginfo-4.2.0-3.el9.aarch64.rpm
podman-plugins-4.2.0-3.el9.aarch64.rpm
podman-plugins-debuginfo-4.2.0-3.el9.aarch64.rpm
podman-remote-4.2.0-3.el9.aarch64.rpm
podman-remote-debuginfo-4.2.0-3.el9.aarch64.rpm
podman-tests-4.2.0-3.el9.aarch64.rpm

noarch:
podman-docker-4.2.0-3.el9.noarch.rpm

ppc64le:
podman-4.2.0-3.el9.ppc64le.rpm
podman-catatonit-debuginfo-4.2.0-3.el9.ppc64le.rpm
podman-debuginfo-4.2.0-3.el9.ppc64le.rpm
podman-debugsource-4.2.0-3.el9.ppc64le.rpm
podman-gvproxy-4.2.0-3.el9.ppc64le.rpm
podman-gvproxy-debuginfo-4.2.0-3.el9.ppc64le.rpm
podman-plugins-4.2.0-3.el9.ppc64le.rpm
podman-plugins-debuginfo-4.2.0-3.el9.ppc64le.rpm
podman-remote-4.2.0-3.el9.ppc64le.rpm
podman-remote-debuginfo-4.2.0-3.el9.ppc64le.rpm
podman-tests-4.2.0-3.el9.ppc64le.rpm

s390x:
podman-4.2.0-3.el9.s390x.rpm
podman-catatonit-debuginfo-4.2.0-3.el9.s390x.rpm
podman-debuginfo-4.2.0-3.el9.s390x.rpm
podman-debugsource-4.2.0-3.el9.s390x.rpm
podman-gvproxy-4.2.0-3.el9.s390x.rpm
podman-gvproxy-debuginfo-4.2.0-3.el9.s390x.rpm
podman-plugins-4.2.0-3.el9.s390x.rpm
podman-plugins-debuginfo-4.2.0-3.el9.s390x.rpm
podman-remote-4.2.0-3.el9.s390x.rpm
podman-remote-debuginfo-4.2.0-3.el9.s390x.rpm
podman-tests-4.2.0-3.el9.s390x.rpm

x86_64:
podman-4.2.0-3.el9.x86_64.rpm
podman-catatonit-debuginfo-4.2.0-3.el9.x86_64.rpm
podman-debuginfo-4.2.0-3.el9.x86_64.rpm
podman-debugsource-4.2.0-3.el9.x86_64.rpm
podman-gvproxy-4.2.0-3.el9.x86_64.rpm
podman-gvproxy-debuginfo-4.2.0-3.el9.x86_64.rpm
podman-plugins-4.2.0-3.el9.x86_64.rpm
podman-plugins-debuginfo-4.2.0-3.el9.x86_64.rpm
podman-remote-4.2.0-3.el9.x86_64.rpm
podman-remote-debuginfo-4.2.0-3.el9.x86_64.rpm
podman-tests-4.2.0-3.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-28851
https://access.redhat.com/security/cve/CVE-2020-28852
https://access.redhat.com/security/cve/CVE-2021-4024
https://access.redhat.com/security/cve/CVE-2021-20199
https://access.redhat.com/security/cve/CVE-2021-20291
https://access.redhat.com/security/cve/CVE-2021-33197
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/cve/CVE-2022-27191
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins
you should contact your local IT manager. If you do not know who that is,
please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.