Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.2830
Moderate: podman security, bug fix, and enhancement update
30 July 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: podman
Publisher: Red Hat
Operating System: Red Hat Enterprise Linux Server 7
Red Hat Enterprise Linux WS/Desktop 7
Linux variants
Impact/Access: Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2019-10152
Original Bulletin:
https://access.redhat.com/errata/RHSA-2019:1907
Comment: This advisory references vulnerabilities in products which run on
platforms other than Red Hat. It is recommended that administrators
running podman check for an updated version of the software for
their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: podman security, bug fix, and enhancement update
Advisory ID: RHSA-2019:1907-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://access.redhat.com/errata/RHSA-2019:1907
Issue date: 2019-07-29
CVE Names: CVE-2019-10152
=====================================================================
1. Summary:
An update for podman is now available for Red Hat Enterprise Linux 7
Extras.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux 7 Extras - aarch64, noarch, ppc64le, s390x, x86_64
3. Description:
The podman tool manages pods, container images, and containers. It is part
of the libpod library, which is for applications that use container pods.
Container pods is a concept in Kubernetes.
The following packages have been upgraded to a later upstream version:
podman (1.4.4). (BZ#1717919)
Security Fix(es):
* podman: Improper symlink resolution allows access to host files when
executing `podman cp` on running containers (CVE-2019-10152)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Bug Fix(es):
* Error: pod was given but no pod is specified: invalid argument
(BZ#1727873)
* Podman stats failed with Error: unable to obtain cgroup stats
(BZ#1728242)
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1715667 - CVE-2019-10152 podman: Improper symlink resolution allows access to host files when executing `podman cp` on running containers
1717919 - rebase to v1.4.4
1727873 - Error: pod was given but no pod is specified: invalid argument
1728242 - Podman stats failed with Error: unable to obtain cgroup stats
6. Package List:
Red Hat Enterprise Linux 7 Extras:
Source:
podman-1.4.4-2.el7.src.rpm
aarch64:
podman-1.4.4-2.el7.aarch64.rpm
podman-debuginfo-1.4.4-2.el7.aarch64.rpm
noarch:
podman-docker-1.4.4-2.el7.noarch.rpm
ppc64le:
podman-1.4.4-2.el7.ppc64le.rpm
podman-debuginfo-1.4.4-2.el7.ppc64le.rpm
s390x:
podman-1.4.4-2.el7.s390x.rpm
podman-debuginfo-1.4.4-2.el7.s390x.rpm
x86_64:
podman-1.4.4-2.el7.x86_64.rpm
podman-debuginfo-1.4.4-2.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2019-10152
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXT8cPtzjgjWX9erEAQjL9g//VUvLwFnVZOZczqa63vN2/JTrPd6Hn5xB
7vPWONkxgZqXpq9hvL6Dc0qBqJBv8vqATxlSotlI8wus5xlNqp4qr1WtShlej+Pr
GLAbftCPah5jYdSpfNBnpQpKnqkeLwwbVF2cAZWOeb9wmTSJzEm6/kxJy5kf0mGA
gQ0SuAXB8cVGXoidEiNBJ74AXLVsJMccvOlZ+5YcKPRBksiemVqvezMoInsbOBpU
gyXdct4xCHC2x0T2wjKJ0yMPuGGBNHAs9xLSyINkxAMLtY5Eg+eCyUxiDBnPL7Tx
r2FMoupH6J0goblLj5RUMkkWHNLhKJhJUT6D0SLzJVXEOtJGJQC45M0UAmBskLUq
l8anAWG5Vkk3vEUvJBw+1/rCvzBLHXB0p7DwAtwtrCaTimqEn8OIIFTfbTRxW0Ud
ilQG0+FoKlpA1RNMnFCnPITh/LqS92vhzll+G+tZnvch13wqJiM6BQq5l9uuFSgc
T+wk3sdaOLNYyqIuQwRTQll5gppwmCG+0tOqkXpeP1+48GDOXr4XgScZUWKM0qmH
jPw3BJOrUqFBYPR7cWLX00nEO/kkFZNThUB+6hjAS566a+45ayYE6s51w8gXCjsQ
m1QuvfjcfeQd1ostJwzLOqQCMFZ6t59PiwZpexWoneRiUjrPgBMCfClPrb6/STHP
gcXvoQYp09A=
=brFW
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXT/XH2aOgq3Tt24GAQhhIhAAgL8Ox9TP5dTJ0LaTcsPXGaxvwdf9HC7u
UxUdNyx7goTdaLhhi95dtvRdy6OMEEBqBpO7zoDL5OnJdrB3bSnJc6bWMFuSDR05
MP5j4hgwlhAot/pTU1b/tjVFkVPztqs9hqi8HZ+IHpKfopIQRw/vIAhzVxiCG1fp
snIrSeZlqzdZ1DYcMmP8B900Omk/KfEaBhn2IrmI0Pk0pX5tB4yEUH/8wS/4fYe+
s0v8vGxzEQGu2JQjyo+n6lwQz8Q19EUhge3c8dtJjr1mPrmcrn0rUaLqVTHjHmqi
ytYcH9Hg3RA2N0RPZBZJOjOJEnQKFeghn3slEfwt8JpqGgtv8i3Ukh26Sqdlonva
CWjMErLjyxhmIfIHItujm5mCZTHs7M4sAb9GeLHMQYA1ry0JosJw+nNB+qJ16L+5
rQevFDJNWgWStscKFX9ftWYyrM2/PJsxBfKWvJYPfOQJHWbf0xGpXs6lWlemZ+q7
Kgi5R+eKNiiPt555x4J06C3R8crwe9IP+mbIDMCSp9nBiwUoz2e6nd8mqniD6i1B
o6BefKfHhhzunggFUmvsRoeneOc0BMILwCVfkt0Fw88TZOo52nmhVPNY5ylBgWO8
bJ7b6hWqU/EClc4MtXyqoDb/DrYyXDQ/7LcRr3Wd0vtgzJcSqUL3TAuqleJztw8X
gyCNvIT2CwU=
=pP9n
-----END PGP SIGNATURE-----