===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3998
                    podman security and bug fix update
                             11 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           podman
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-14370 CVE-2020-14040 

Reference:         ESB-2020.3890
                   ESB-2020.3700
                   ESB-2020.3488
                   ESB-2020.3081
                   ESB-2020.2714
                   ESB-2020.2517

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:5056

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: podman security and bug fix update
Advisory ID:       RHSA-2020:5056-01
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:5056
Issue date:        2020-11-10
CVE Names:         CVE-2020-14040 CVE-2020-14370 
=====================================================================

1. Summary:

An update for podman is now available for Red Hat Enterprise Linux 7
Extras.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux 7 Extras - noarch, ppc64le, s390x, x86_64

3. Description:

The podman tool manages pods, container images, and containers. It is part
of the libpod library, which is for applications that use container pods.
Container pods are a concept in Kubernetes.

Security Fix(es):

* golang.org/x/text: possibility to trigger an infinite loop in
encoding/unicode could lead to crash (CVE-2020-14040)

* podman: environment variables leak between containers when started via
Varlink or Docker-compatible REST API (CVE-2020-14370)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* podman does not use $TMPDIR when loading a tar file (BZ#1877699)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
1874268 - CVE-2020-14370 podman: environment variables leak between containers when started via Varlink or Docker-compatible REST API
1877699 - podman does not use $TMPDIR when loading a tar file

6. Package List:

Red Hat Enterprise Linux 7 Extras:

Source:
podman-1.6.4-26.el7_9.src.rpm

noarch:
podman-docker-1.6.4-26.el7_9.noarch.rpm

ppc64le:
podman-1.6.4-26.el7_9.ppc64le.rpm
podman-debuginfo-1.6.4-26.el7_9.ppc64le.rpm

s390x:
podman-1.6.4-26.el7_9.s390x.rpm
podman-debuginfo-1.6.4-26.el7_9.s390x.rpm

x86_64:
podman-1.6.4-26.el7_9.x86_64.rpm
podman-debuginfo-1.6.4-26.el7_9.x86_64.rpm

Red Hat Enterprise Linux 7 Extras:

Source:
podman-1.6.4-26.el7_9.src.rpm

noarch:
podman-docker-1.6.4-26.el7_9.noarch.rpm

x86_64:
podman-1.6.4-26.el7_9.x86_64.rpm
podman-debuginfo-1.6.4-26.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
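As an added example (not part of the Red Hat advisory or the AusCERT bulletin), a POSIX shell check that compares the installed podman version-release, in the shape rpm prints it, against the fixed build listed above. It assumes the packages carry no RPM epoch and that GNU sort -V is available for ordering; the sample rpm output is constructed.

```shell
#!/bin/sh
# Added example, not part of RHSA-2020:5056 or the AusCERT bulletin.
# Checks whether installed podman builds on RHEL 7 Extras are at or above
# the fixed version-release listed in the advisory.
# Assumptions: the packages carry no RPM epoch, and GNU `sort -V` is
# available for version ordering.

FIXED_VR="1.6.4-26.el7_9"   # build that fixes CVE-2020-14040 and CVE-2020-14370

# is_fixed INSTALLED_VR FIXED_VR
# Returns 0 when the installed version-release is >= the fixed one.
is_fixed() {
  inst="$1"
  fixed="$2"
  [ "$inst" = "$fixed" ] && return 0
  # Whichever string sorts first under version ordering is the lower build.
  lowest=$(printf '%s\n%s\n' "$inst" "$fixed" | sort -V | head -n 1)
  [ "$lowest" = "$fixed" ]
}

# report_outdated reads lines of the form "<name> <version>-<release>" on
# stdin, the shape produced by
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' podman podman-docker
# and prints one line per package that is still below FIXED_VR.
report_outdated() {
  while read -r name vr; do
    [ -n "$name" ] || continue
    if ! is_fixed "$vr" "$FIXED_VR"; then
      printf '%s %s needs update to %s\n' "$name" "$vr" "$FIXED_VR"
    fi
  done
}

# Constructed sample rpm output: one package on an older build, one already fixed.
SAMPLE_RPM_OUTPUT='podman 1.6.4-18.el7_8
podman-docker 1.6.4-26.el7_9'

printf '%s\n' "$SAMPLE_RPM_OUTPUT" | report_outdated
# On a live host, feed real query output instead of the sample:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' podman podman-docker | report_outdated
```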

7. References:

https://access.redhat.com/security/cve/CVE-2020-14040
https://access.redhat.com/security/cve/CVE-2020-14370
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================