Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.1664
podman security update
13 May 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: podman
Publisher: Red Hat
Operating System: Red Hat Enterprise Linux Server 7
Red Hat Enterprise Linux WS/Desktop 7
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Overwrite Arbitrary Files -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2020-10696 CVE-2020-8945
Reference: ESB-2020.1481
ESB-2020.1333
Original Bulletin:
https://access.redhat.com/errata/RHSA-2020:2117
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: podman security update
Advisory ID: RHSA-2020:2117-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2117
Issue date: 2020-05-12
CVE Names: CVE-2020-8945 CVE-2020-10696
=====================================================================
1. Summary:
An update for podman is now available for Red Hat Enterprise Linux 7
Extras.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux 7 Extras - noarch, ppc64le, s390x, x86_64
3. Description:
The podman tool manages pods, container images, and containers. It is part
of the libpod library, which is for applications that use container pods.
Container pods is a concept in Kubernetes.
Security Fix(es):
* buildah: Crafted input tar file may lead to local file overwrite during
image build process (CVE-2020-10696)
* proglottis/gpgme: Use-after-free in GPGME bindings during container image
pull (CVE-2020-8945)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1795838 - CVE-2020-8945 proglottis/gpgme: Use-after-free in GPGME bindings during container image pull
1817651 - CVE-2020-10696 buildah: Crafted input tar file may lead to local file overwrite during image build process
6. Package List:
Red Hat Enterprise Linux 7 Extras:
Source:
podman-1.6.4-18.el7_8.src.rpm
noarch:
podman-docker-1.6.4-18.el7_8.noarch.rpm
ppc64le:
podman-1.6.4-18.el7_8.ppc64le.rpm
podman-debuginfo-1.6.4-18.el7_8.ppc64le.rpm
s390x:
podman-1.6.4-18.el7_8.s390x.rpm
podman-debuginfo-1.6.4-18.el7_8.s390x.rpm
x86_64:
podman-1.6.4-18.el7_8.x86_64.rpm
podman-debuginfo-1.6.4-18.el7_8.x86_64.rpm
Red Hat Enterprise Linux 7 Extras:
Source:
podman-1.6.4-18.el7_8.src.rpm
noarch:
podman-docker-1.6.4-18.el7_8.noarch.rpm
x86_64:
podman-1.6.4-18.el7_8.x86_64.rpm
podman-debuginfo-1.6.4-18.el7_8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-8945
https://access.redhat.com/security/cve/CVE-2020-10696
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXrr+ZNzjgjWX9erEAQiSqhAAlYqZcvuO01y9wZxbsnZBwZYOurO01tOZ
vz2T/5C5qilCkwamf6+Rn5MOKlhRlMhE2BiASs9OMvbsGzD86nOVI1/uBZ9LcIaQ
flnSQ/p2RT6C67YL97Ne1hucXDJBue6pHBgtcUt8vRB1flVRUI1DU1dK2CnuTs9Z
Mp14DJSY2HNIKYWyDJ6FovSozPTc2z3BtZQM5wa/suSdRKmrpJzC0Xky1u7tfk6W
l9HhDypUqS7h901xtE91aom/KxXnVoG3B2Notc0II3aq97kShakrICFK0CK80cNV
vMCMbXsItEekNyP+wXlfyOY1ef8XV45Tjpm6Nmx8o/oCLcjF/56FslykbZKCDOUA
Qch+FMVRJV0vFcv9cIXNNmkCFxF+s3RY7VmgBTbNJE8rmMJb5KAtJ/DJZf4li8XC
WytedOlgZrpPiHWl4Zy8AhasleXGVJP9oxfdBu7uBFclF2lQIWgjBQaQwuRU2NO2
IQ7fETbdVEkFnLVGn7F0vxtlp1F7va0NxXwHQAIMQknyfxmuhNX+rPI6Cl2id5Yb
Rs/GEFTI+qbtfWJSGKAEPFvPvfiucRCRpSG8S6aKKNYvRhLxmVFkWp6n8iMSpJrr
qjnxko7/hoR+azWLB/1uKlrcav7/Lew72iKQXOf7GelLmM2DA1ixdMpVn+ck1N13
1mdoJoJHKyk==43Fw
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXrs6pmaOgq3Tt24GAQjkgxAAhcRX+SUc14EPjt9RwzHwsSFJWNCDIpbs
163CPZ+/+cQf4mAqyRnmlGj2jU93BkssFYzUbqUAwJaR0sh/pNizVc3wmxH9G7Pc
pW2ABsbA7bg4EuCl4O5QXNWDt1+cTCbo/MVQ6N+hO3AfNlywSO3q8W1PZgzE/Ms1
GJ7GAoNiPaa9J8T7xTumOwn70qkKTIHC67tCq37vuJyPenjS7txT+Bu0sNFnrDMp
/Xe9S/FByjKKLRonBaGPMpmcMWxF486MyKA66FCvZ5P6kj2sdALMkSg9r7O4QV32
GYuICdSeB7opt0dJd2egNdRGH3UFytYtxj1pkSSHarHGR7AytOo8c3w93cQgLuJ/
4S+WJkwzPGYMhYkfXQ2P+dUf44k7u0BzSET5LsaT53EjM1eJWmzlePK/+oJaChDg
0USX2e+j1JQSdu63obhturwya7CdyZiARG7kGpitz0ZWk3T94+AMiKs9RPHXpglq
HbKoueU40LUDe3lNq+kJFWDn+0TIAUtSIEqZe7PEPDpaw4x5raz2/DXmJFXJum5t
LMkWjbzdgptsmw1l91ivcPB25DPejCpEHRL1AODa8kjx0U0wk8JadOIFYNiIlGok
aipsCwWVDS1xEGLW3fomlh4rqhzTy6PBMEblDxz28yYbYxiF7nb9YrTSIwtSZpkY
uUHQCoMnB7c=
=Q6iT
-----END PGP SIGNATURE-----