-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: podman security and bug fix update Advisory ID: RHSA-2022:7954-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2022:7954 Issue date: 2022-11-15 CVE Names: CVE-2020-28851 CVE-2020-28852 CVE-2021-4024 CVE-2021-20199 CVE-2021-20291 CVE-2021-33197 CVE-2021-34558 CVE-2022-27191 ==================================================================== 1. Summary: An update for podman is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64 3. Description: The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods is a concept in Kubernetes. Security Fix(es): * golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing - -u- extension (CVE-2020-28851) * golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag (CVE-2020-28852) * podman: podman machine spawns gvproxy with port bound to all IPs (CVE-2021-4024) * podman: Remote traffic to rootless containers is seen as orginating from localhost (CVE-2021-20199) * containers/storage: DoS via malicious image (CVE-2021-20291) * golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197) * golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558) * golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1913333 - CVE-2020-28851 golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension 1913338 - CVE-2020-28852 golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag 1919050 - CVE-2021-20199 podman: Remote traffic to rootless containers is seen as orginating from localhost 1939485 - CVE-2021-20291 containers/storage: DoS via malicious image 1972303 - TMPDIR is not working in podman pull and podman load [rhel-9.0 beta] 1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic 1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty 2026675 - CVE-2021-4024 podman: podman machine spawns gvproxy with port bound to all IPs 2040379 - Podman exe failed to cleanup dir with NFS 2064702 - CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server 2081349 - podman defaults to old network stack on RHEL9 2088116 - podman does not require netavark 2092798 - podman installation includes runc as a dependency 2097694 - Allow mounting -v /run:/run without leaking .containerenv file to the host 6. Package List: Red Hat Enterprise Linux AppStream (v. 9): Source: podman-4.2.0-3.el9.src.rpm aarch64: podman-4.2.0-3.el9.aarch64.rpm podman-catatonit-debuginfo-4.2.0-3.el9.aarch64.rpm podman-debuginfo-4.2.0-3.el9.aarch64.rpm podman-debugsource-4.2.0-3.el9.aarch64.rpm podman-gvproxy-4.2.0-3.el9.aarch64.rpm podman-gvproxy-debuginfo-4.2.0-3.el9.aarch64.rpm podman-plugins-4.2.0-3.el9.aarch64.rpm podman-plugins-debuginfo-4.2.0-3.el9.aarch64.rpm podman-remote-4.2.0-3.el9.aarch64.rpm podman-remote-debuginfo-4.2.0-3.el9.aarch64.rpm podman-tests-4.2.0-3.el9.aarch64.rpm noarch: podman-docker-4.2.0-3.el9.noarch.rpm ppc64le: podman-4.2.0-3.el9.ppc64le.rpm podman-catatonit-debuginfo-4.2.0-3.el9.ppc64le.rpm podman-debuginfo-4.2.0-3.el9.ppc64le.rpm podman-debugsource-4.2.0-3.el9.ppc64le.rpm podman-gvproxy-4.2.0-3.el9.ppc64le.rpm podman-gvproxy-debuginfo-4.2.0-3.el9.ppc64le.rpm podman-plugins-4.2.0-3.el9.ppc64le.rpm podman-plugins-debuginfo-4.2.0-3.el9.ppc64le.rpm podman-remote-4.2.0-3.el9.ppc64le.rpm podman-remote-debuginfo-4.2.0-3.el9.ppc64le.rpm podman-tests-4.2.0-3.el9.ppc64le.rpm s390x: podman-4.2.0-3.el9.s390x.rpm podman-catatonit-debuginfo-4.2.0-3.el9.s390x.rpm podman-debuginfo-4.2.0-3.el9.s390x.rpm podman-debugsource-4.2.0-3.el9.s390x.rpm podman-gvproxy-4.2.0-3.el9.s390x.rpm podman-gvproxy-debuginfo-4.2.0-3.el9.s390x.rpm podman-plugins-4.2.0-3.el9.s390x.rpm podman-plugins-debuginfo-4.2.0-3.el9.s390x.rpm podman-remote-4.2.0-3.el9.s390x.rpm podman-remote-debuginfo-4.2.0-3.el9.s390x.rpm podman-tests-4.2.0-3.el9.s390x.rpm x86_64: podman-4.2.0-3.el9.x86_64.rpm podman-catatonit-debuginfo-4.2.0-3.el9.x86_64.rpm podman-debuginfo-4.2.0-3.el9.x86_64.rpm podman-debugsource-4.2.0-3.el9.x86_64.rpm podman-gvproxy-4.2.0-3.el9.x86_64.rpm podman-gvproxy-debuginfo-4.2.0-3.el9.x86_64.rpm podman-plugins-4.2.0-3.el9.x86_64.rpm podman-plugins-debuginfo-4.2.0-3.el9.x86_64.rpm podman-remote-4.2.0-3.el9.x86_64.rpm podman-remote-debuginfo-4.2.0-3.el9.x86_64.rpm podman-tests-4.2.0-3.el9.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-28851 https://access.redhat.com/security/cve/CVE-2020-28852 https://access.redhat.com/security/cve/CVE-2021-4024 https://access.redhat.com/security/cve/CVE-2021-20199 https://access.redhat.com/security/cve/CVE-2021-20291 https://access.redhat.com/security/cve/CVE-2021-33197 https://access.redhat.com/security/cve/CVE-2021-34558 https://access.redhat.com/security/cve/CVE-2022-27191 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBY3PhTNzjgjWX9erEAQi3cg/+MBUAmnN6lN8i+PpVh7F+cKBIZF08OYvD ILPTVTIUYchZ1I6YhNJDV5zYe4erHJ2kK6Hx0ougoDHFIJYFrzrh5wRyAA0rYq69 9j+tSW5strpI3+umJjusRkwR4G/0w6WUUMWyMRAWwB8iFs/aV9SYp/Me+63hkL96 EUdq5zeMKgL8YSngno5cNRB64m+Loz+xL3xUBDI6D/tQTNQJieXQrt4OmRcHy5mL aergtSamlu0LTG4WFbAEjuXg3aG+YbRsDZK/pcSyGE3HpQGytXwPyl5kaTuZa2A1 lLCJuT03Y9pNKe4CLNwZVN54tVXcuAYoZRKdt2+ezaa86pNIwSdd11QO8UZNNi5a FvvOH9QUm68l2ZE6Et5v3qj/gTzh3m+mhPONc4qDnCpEpUiIx8/ufSls3yJdk38r eiUDwySfDnLkqcHSDkvK4XHoGeMNFeX5Inc5aEMWObJp0UsY7853rmmQxAP0znsA zRkA/2txdIyKEOjX2Ndc5/weVZZnm2hINyalQYMGKpfKFosEtls7Fzqw6u0uKZxA FbhQXlZG345K3WS+m8VK0wtXmxVjbaK9kaQ2FvEORsCFKITEaK5SoFtgvf2JOcCd sO/Pzy+6k/wu1DsyRqurc4DKMtylJvf2ICsGB6rxbmwif76Q7RoW6aVKc/pFdZA3 50yYHqkbOJU=0pbG -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce