-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1594
       Important: container-tools:rhel8 security and bug fix update
                                 7 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           container-tools
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 8
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-5736
Reference:         ESB-2019.0749
                   ESB-2019.0723
                   ESB-2019.0679
                   ESB-2019.0612

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2019:0975

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: container-tools:rhel8 security and bug fix update
Advisory ID:       RHSA-2019:0975-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:0975
Issue date:        2019-05-07
CVE Names:         CVE-2019-5736
=====================================================================

1. Summary:

An update for the container-tools:rhel8 module is now available for Red Hat
Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The container-tools module contains tools for working with containers, notably
podman, buildah, skopeo, and runc.
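The runc flaw this advisory fixes (CVE-2019-5736, listed under Security Fix(es) below) relies on a process inside the container obtaining a file descriptor that refers to the host's runc binary, via /proc/[pid]/exe, and later writing through it. The mitigation upstream runc adopted is to copy itself into an anonymous, write-sealed memfd before entering the container and to continue from that copy, so the executable reachable through /proc/[pid]/exe is a sealed in-memory file rather than /usr/bin/runc on the host. The C program below is an added illustration of that pattern; it is not runc's code and not part of the Red Hat text. The function names, the "runc" memfd display name and the payload string are assumptions made for the example. It needs Linux 3.17 or later (memfd_create and file seals).

```c
/*
 * Added illustration of the CVE-2019-5736 mitigation pattern (not runc's code):
 * copy the running binary into an anonymous memfd, seal it against writes and
 * resizing, and continue from that copy. The host file is then never what a
 * container process reaches through /proc/[pid]/exe. Needs Linux >= 3.17.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallbacks for older libc headers; values are the kernel's (uapi/linux/memfd.h, fcntl.h). */
#ifndef MFD_CLOEXEC
#define MFD_CLOEXEC       0x0001U
#define MFD_ALLOW_SEALING 0x0002U
#endif
#ifndef F_ADD_SEALS
#define F_ADD_SEALS   1033
#define F_GET_SEALS   1034
#define F_SEAL_SEAL   0x0001
#define F_SEAL_SHRINK 0x0002
#define F_SEAL_GROW   0x0004
#define F_SEAL_WRITE  0x0008
#endif

/* Freeze contents and size, then forbid removing the seals themselves. */
#define BINARY_SEALS (F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL)

/* Copy /proc/self/exe into a memfd. seal=1 applies BINARY_SEALS (the fix);
 * seal=0 leaves the copy writable (the control case). Returns the fd or -1. */
int self_copy(int seal)
{
    int src = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
    if (src < 0) return -1;
    /* "runc" is only the memfd's display name (an assumption for the example). */
    int mfd = (int)syscall(SYS_memfd_create, "runc", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (mfd < 0) { close(src); return -1; }

    char buf[65536];
    ssize_t n;
    while ((n = read(src, buf, sizeof buf)) > 0) {
        ssize_t off = 0;
        while (off < n) {
            ssize_t w = write(mfd, buf + off, (size_t)(n - off));
            if (w < 0 && errno == EINTR) continue;
            if (w < 0) { n = -1; break; }
            off += w;
        }
        if (n < 0) break;
    }
    close(src);
    if (n < 0 || (seal && fcntl(mfd, F_ADD_SEALS, BINARY_SEALS) < 0)) { close(mfd); return -1; }
    return mfd;
}

/* Does the descriptor carry F_SEAL_WRITE? 1 = yes, 0 = no (or not a sealable fd). */
int has_write_seal(int fd)
{
    int seals = fcntl(fd, F_GET_SEALS);
    return seals >= 0 && (seals & F_SEAL_WRITE) != 0;
}

/* The attacker's step: overwrite the binary through a descriptor to it.
 * 1 = refused with EPERM (sealed), 0 = the write went through, -1 = other error. */
int overwrite_refused(int fd)
{
    /* Constructed stand-in for a malicious payload; nothing is executed. */
    static const char payload[] = "#!/bin/sh\necho payload\n";
    if (pwrite(fd, payload, sizeof payload - 1, 0) >= 0) return 0;
    return errno == EPERM ? 1 : -1;
}

int main(void)
{
    int sealed = self_copy(1), plain = self_copy(0);
    if (sealed < 0 || plain < 0) { perror("self_copy"); return 1; }
    printf("sealed copy:   write refused = %d\n", overwrite_refused(sealed));
    printf("unsealed copy: write refused = %d\n", overwrite_refused(plain));
    /* A runtime would now re-exec from the sealed copy, e.g.
     *   snprintf(path, sizeof path, "/proc/self/fd/%d", sealed); execv(path, argv);
     * which is left out here so the example runs to completion. */
    close(sealed);
    close(plain);
    return 0;
}
```

self_copy(0) is the control case: the same pwrite() succeeds against the unsealed copy, which is exactly the behaviour the seals remove. The re-exec step (execv of /proc/self/fd/N) is omitted so the program terminates and its results can be checked.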
Security Fix(es):

* A flaw was found in the way runc handled system file descriptors when running
containers. A malicious container could use this flaw to overwrite contents of
the runc binary and consequently run arbitrary commands on the container host
system. (CVE-2019-5736)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

Bug Fix(es):

* [stream rhel8] rebase container-selinux to 2.94 (BZ#1693675)

* [stream rhel8] unable to mount disk at `/var/lib/containers` via `systemd`
unit when `container-selinux` policy installed (BZ#1695669)

* [stream rhel8] don't allow a container to connect to random services
(BZ#1695689)

4. Solution:

For details on how to apply this update, which includes the changes described
in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1664908 - CVE-2019-5736 runc: Execution of malicious containers allows for container escape and access to host filesystem
1693675 - [stream rhel8] rebase container-selinux to 2.94
1695669 - [stream rhel8] unable to mount disk at `/var/lib/containers` via `systemd` unit when `container-selinux` policy installed
1695689 - [stream rhel8] don't allow a container to connect to random services

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
buildah-1.5-3.gite94b4f9.module+el8.0.0+2958+4e823551.src.rpm
container-selinux-2.94-1.git1e99f1d.module+el8.0.0+2958+4e823551.src.rpm
containernetworking-plugins-0.7.4-3.git9ebe139.module+el8.0.0+2958+4e823551.src.rpm
fuse-overlayfs-0.3-2.module+el8.0.0+2958+4e823551.src.rpm
oci-systemd-hook-0.1.15-2.git2d0b8a3.module+el8.0.0+2958+4e823551.src.rpm
oci-umount-2.3.4-2.git87f9237.module+el8.0.0+2958+4e823551.src.rpm
podman-1.0.0-2.git921f98f.module+el8.0.0+2958+4e823551.src.rpm
runc-1.0.0-55.rc5.dev.git2abd837.module+el8.0.0+3049+59fd2bba.src.rpm
skopeo-0.1.32-3.git1715c90.module+el8.0.0+2958+4e823551.src.rpm
slirp4netns-0.1-2.dev.gitc4e1bc5.module+el8.0.0+2958+4e823551.src.rpm

aarch64:
buildah-1.5-3.gite94b4f9.module+el8.0.0+2958+4e823551.aarch64.rpm
buildah-debuginfo-1.5-3.gite94b4f9.module+el8.0.0+2958+4e823551.aarch64.rpm
buildah-debugsource-1.5-3.gite94b4f9.module+el8.0.0+2958+4e823551.aarch64.rpm
containernetworking-plugins-0.7.4-3.git9ebe139.module+el8.0.0+2958+4e823551.aarch64.rpm
containernetworking-plugins-debuginfo-0.7.4-3.git9ebe139.module+el8.0.0+2958+4e823551.aarch64.rpm
containernetworking-plugins-debugsource-0.7.4-3.git9ebe139.module+el8.0.0+2958+4e823551.aarch64.rpm
containers-common-0.1.32-3.git1715c90.module+el8.0.0+2958+4e823551.aarch64.rpm
fuse-overlayfs-0.3-2.module+el8.0.0+2958+4e823551.aarch64.rpm
fuse-overlayfs-debuginfo-0.3-2.module+el8.0.0+2958+4e823551.aarch64.rpm
fuse-overlayfs-debugsource-0.3-2.module+el8.0.0+2958+4e823551.aarch64.rpm
oci-systemd-hook-0.1.15-2.git2d0b8a3.module+el8.0.0+2958+4e823551.aarch64.rpm
oci-systemd-hook-debuginfo-0.1.15-2.git2d0b8a3.module+el8.0.0+2958+4e823551.aarch64.rpm
oci-systemd-hook-debugsource-0.1.15-2.git2d0b8a3.module+el8.0.0+2958+4e823551.aarch64.rpm
oci-umount-2.3.4-2.git87f9237.module+el8.0.0+2958+4e823551.aarch64.rpm
oci-umount-debuginfo-2.3.4-2.git87f9237.module+el8.0.0+2958+4e823551.aarch64.rpm
oci-umount-debugsource-2.3.4-2.git87f9237.module+el8.0.0+2958+4e823551.aarch64.rpm
podman-1.0.0-2.git921f98f.module+el8.0.0+2958+4e823551.aarch64.rpm
podman-debuginfo-1.0.0-2.git921f98f.module+el8.0.0+2958+4e823551.aarch64.rpm
podman-debugsource-1.0.0-2.git921f98f.module+el8.0.0+2958+4e823551.aarch64.rpm
runc-1.0.0-55.rc5.dev.git2abd837.module+el8.0.0+3049+59fd2bba.aarch64.rpm
runc-debuginfo-1.0.0-55.rc5.dev.git2abd837.module+el8.0.0+3049+59fd2bba.aarch64.rpm
runc-debugsource-1.0.0-55.rc5.dev.git2abd837.module+el8.0.0+3049+59fd2bba.aarch64.rpm
skopeo-0.1.32-3.git1715c90.module+el8.0.0+2958+4e823551.aarch64.rpm
skopeo-debuginfo-0.1.32-3.git1715c90.module+el8.0.0+2958+4e823551.aarch64.rpm
skopeo-debugsource-0.1.32-3.git1715c90.module+el8.0.0+2958+4e823551.aarch64.rpm
slirp4netns-0.1-2.dev.gitc4e1bc5.module+el8.0.0+2958+4e823551.aarch64.rpm
slirp4netns-debuginfo-0.1-2.dev.gitc4e1bc5.module+el8.0.0+2958+4e823551.aarch64.rpm
slirp4netns-debugsource-0.1-2.dev.gitc4e1bc5.module+el8.0.0+2958+4e823551.aarch64.rpm

noarch:
container-selinux-2.94-1.git1e99f1d.module+el8.0.0+2958+4e823551.noarch.rpm
podman-docker-1.0.0-2.git921f98f.module+el8.0.0+2958+4e823551.noarch.rpm

ppc64le:
buildah-1.5-3.gite94b4f9.module+el8.0.0+2958+4e823551.ppc64le.rpm
buildah-debuginfo-1.5-3.gite94b4f9.module+el8.0.0+2958+4e823551.ppc64le.rpm
buildah-debugsource-1.5-3.gite94b4f9.module+el8.0.0+2958+4e823551.ppc64le.rpm
containernetworking-plugins-0.7.4-3.git9ebe139.module+el8.0.0+2958+4e823551.ppc64le.rpm
containernetworking-plugins-debuginfo-0.7.4-3.git9ebe139.module+el8.0.0+2958+4e823551.ppc64le.rpm
containernetworking-plugins-debugsource-0.7.4-3.git9ebe139.module+el8.0.0+2958+4e823551.ppc64le.rpm
containers-common-0.1.32-3.git1715c90.module+el8.0.0+2958+4e823551.ppc64le.rpm
fuse-overlayfs-0.3-2.module+el8.0.0+2958+4e823551.ppc64le.rpm
fuse-overlayfs-debuginfo-0.3-2.module+el8.0.0+2958+4e823551.ppc64le.rpm
fuse-overlayfs-debugsource-0.3-2.module+el8.0.0+2958+4e823551.ppc64le.rpm
oci-systemd-hook-0.1.15-2.git2d0b8a3.module+el8.0.0+2958+4e823551.ppc64le.rpm
oci-systemd-hook-debuginfo-0.1.15-2.git2d0b8a3.module+el8.0.0+2958+4e823551.ppc64le.rpm
oci-systemd-hook-debugsource-0.1.15-2.git2d0b8a3.module+el8.0.0+2958+4e823551.ppc64le.rpm
oci-umount-2.3.4-2.git87f9237.module+el8.0.0+2958+4e823551.ppc64le.rpm
oci-umount-debuginfo-2.3.4-2.git87f9237.module+el8.0.0+2958+4e823551.ppc64le.rpm
oci-umount-debugsource-2.3.4-2.git87f9237.module+el8.0.0+2958+4e823551.ppc64le.rpm
podman-1.0.0-2.git921f98f.module+el8.0.0+2958+4e823551.ppc64le.rpm
podman-debuginfo-1.0.0-2.git921f98f.module+el8.0.0+2958+4e823551.ppc64le.rpm
podman-debugsource-1.0.0-2.git921f98f.module+el8.0.0+2958+4e823551.ppc64le.rpm
runc-1.0.0-55.rc5.dev.git2abd837.module+el8.0.0+3049+59fd2bba.ppc64le.rpm
runc-debuginfo-1.0.0-55.rc5.dev.git2abd837.module+el8.0.0+3049+59fd2bba.ppc64le.rpm
runc-debugsource-1.0.0-55.rc5.dev.git2abd837.module+el8.0.0+3049+59fd2bba.ppc64le.rpm
skopeo-0.1.32-3.git1715c90.module+el8.0.0+2958+4e823551.ppc64le.rpm
skopeo-debuginfo-0.1.32-3.git1715c90.module+el8.0.0+2958+4e823551.ppc64le.rpm
skopeo-debugsource-0.1.32-3.git1715c90.module+el8.0.0+2958+4e823551.ppc64le.rpm
slirp4netns-0.1-2.dev.gitc4e1bc5.module+el8.0.0+2958+4e823551.ppc64le.rpm
slirp4netns-debuginfo-0.1-2.dev.gitc4e1bc5.module+el8.0.0+2958+4e823551.ppc64le.rpm
slirp4netns-debugsource-0.1-2.dev.gitc4e1bc5.module+el8.0.0+2958+4e823551.ppc64le.rpm

s390x:
buildah-1.5-3.gite94b4f9.module+el8.0.0+2958+4e823551.s390x.rpm
buildah-debuginfo-1.5-3.gite94b4f9.module+el8.0.0+2958+4e823551.s390x.rpm
buildah-debugsource-1.5-3.gite94b4f9.module+el8.0.0+2958+4e823551.s390x.rpm
containernetworking-plugins-0.7.4-3.git9ebe139.module+el8.0.0+2958+4e823551.s390x.rpm
containernetworking-plugins-debuginfo-0.7.4-3.git9ebe139.module+el8.0.0+2958+4e823551.s390x.rpm
containernetworking-plugins-debugsource-0.7.4-3.git9ebe139.module+el8.0.0+2958+4e823551.s390x.rpm
containers-common-0.1.32-3.git1715c90.module+el8.0.0+2958+4e823551.s390x.rpm
fuse-overlayfs-0.3-2.module+el8.0.0+2958+4e823551.s390x.rpm
fuse-overlayfs-debuginfo-0.3-2.module+el8.0.0+2958+4e823551.s390x.rpm
fuse-overlayfs-debugsource-0.3-2.module+el8.0.0+2958+4e823551.s390x.rpm
oci-systemd-hook-0.1.15-2.git2d0b8a3.module+el8.0.0+2958+4e823551.s390x.rpm
oci-systemd-hook-debuginfo-0.1.15-2.git2d0b8a3.module+el8.0.0+2958+4e823551.s390x.rpm
oci-systemd-hook-debugsource-0.1.15-2.git2d0b8a3.module+el8.0.0+2958+4e823551.s390x.rpm
oci-umount-2.3.4-2.git87f9237.module+el8.0.0+2958+4e823551.s390x.rpm
oci-umount-debuginfo-2.3.4-2.git87f9237.module+el8.0.0+2958+4e823551.s390x.rpm
oci-umount-debugsource-2.3.4-2.git87f9237.module+el8.0.0+2958+4e823551.s390x.rpm
podman-1.0.0-2.git921f98f.module+el8.0.0+2958+4e823551.s390x.rpm
podman-debuginfo-1.0.0-2.git921f98f.module+el8.0.0+2958+4e823551.s390x.rpm
podman-debugsource-1.0.0-2.git921f98f.module+el8.0.0+2958+4e823551.s390x.rpm
runc-1.0.0-55.rc5.dev.git2abd837.module+el8.0.0+3049+59fd2bba.s390x.rpm
runc-debuginfo-1.0.0-55.rc5.dev.git2abd837.module+el8.0.0+3049+59fd2bba.s390x.rpm
runc-debugsource-1.0.0-55.rc5.dev.git2abd837.module+el8.0.0+3049+59fd2bba.s390x.rpm
skopeo-0.1.32-3.git1715c90.module+el8.0.0+2958+4e823551.s390x.rpm
skopeo-debuginfo-0.1.32-3.git1715c90.module+el8.0.0+2958+4e823551.s390x.rpm
skopeo-debugsource-0.1.32-3.git1715c90.module+el8.0.0+2958+4e823551.s390x.rpm
slirp4netns-0.1-2.dev.gitc4e1bc5.module+el8.0.0+2958+4e823551.s390x.rpm
slirp4netns-debuginfo-0.1-2.dev.gitc4e1bc5.module+el8.0.0+2958+4e823551.s390x.rpm
slirp4netns-debugsource-0.1-2.dev.gitc4e1bc5.module+el8.0.0+2958+4e823551.s390x.rpm

x86_64:
buildah-1.5-3.gite94b4f9.module+el8.0.0+2958+4e823551.x86_64.rpm
buildah-debuginfo-1.5-3.gite94b4f9.module+el8.0.0+2958+4e823551.x86_64.rpm
buildah-debugsource-1.5-3.gite94b4f9.module+el8.0.0+2958+4e823551.x86_64.rpm
containernetworking-plugins-0.7.4-3.git9ebe139.module+el8.0.0+2958+4e823551.x86_64.rpm
containernetworking-plugins-debuginfo-0.7.4-3.git9ebe139.module+el8.0.0+2958+4e823551.x86_64.rpm
containernetworking-plugins-debugsource-0.7.4-3.git9ebe139.module+el8.0.0+2958+4e823551.x86_64.rpm
containers-common-0.1.32-3.git1715c90.module+el8.0.0+2958+4e823551.x86_64.rpm
fuse-overlayfs-0.3-2.module+el8.0.0+2958+4e823551.x86_64.rpm
fuse-overlayfs-debuginfo-0.3-2.module+el8.0.0+2958+4e823551.x86_64.rpm
fuse-overlayfs-debugsource-0.3-2.module+el8.0.0+2958+4e823551.x86_64.rpm
oci-systemd-hook-0.1.15-2.git2d0b8a3.module+el8.0.0+2958+4e823551.x86_64.rpm
oci-systemd-hook-debuginfo-0.1.15-2.git2d0b8a3.module+el8.0.0+2958+4e823551.x86_64.rpm
oci-systemd-hook-debugsource-0.1.15-2.git2d0b8a3.module+el8.0.0+2958+4e823551.x86_64.rpm
oci-umount-2.3.4-2.git87f9237.module+el8.0.0+2958+4e823551.x86_64.rpm
oci-umount-debuginfo-2.3.4-2.git87f9237.module+el8.0.0+2958+4e823551.x86_64.rpm
oci-umount-debugsource-2.3.4-2.git87f9237.module+el8.0.0+2958+4e823551.x86_64.rpm
podman-1.0.0-2.git921f98f.module+el8.0.0+2958+4e823551.x86_64.rpm
podman-debuginfo-1.0.0-2.git921f98f.module+el8.0.0+2958+4e823551.x86_64.rpm
podman-debugsource-1.0.0-2.git921f98f.module+el8.0.0+2958+4e823551.x86_64.rpm
runc-1.0.0-55.rc5.dev.git2abd837.module+el8.0.0+3049+59fd2bba.x86_64.rpm
runc-debuginfo-1.0.0-55.rc5.dev.git2abd837.module+el8.0.0+3049+59fd2bba.x86_64.rpm
runc-debugsource-1.0.0-55.rc5.dev.git2abd837.module+el8.0.0+3049+59fd2bba.x86_64.rpm
skopeo-0.1.32-3.git1715c90.module+el8.0.0+2958+4e823551.x86_64.rpm
skopeo-debuginfo-0.1.32-3.git1715c90.module+el8.0.0+2958+4e823551.x86_64.rpm
skopeo-debugsource-0.1.32-3.git1715c90.module+el8.0.0+2958+4e823551.x86_64.rpm
slirp4netns-0.1-2.dev.gitc4e1bc5.module+el8.0.0+2958+4e823551.x86_64.rpm
slirp4netns-debuginfo-0.1-2.dev.gitc4e1bc5.module+el8.0.0+2958+4e823551.x86_64.rpm
slirp4netns-debugsource-0.1-2.dev.gitc4e1bc5.module+el8.0.0+2958+4e823551.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-5736
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXNEITNzjgjWX9erEAQgVAg/6A72eZ4vzQ4L+4rZb5iTCuq3mJfWKd6C7
w4UIYaWPi3XAI73RqpK3xR/ekSRv+9ufktupd2buAiF3iPLdGTRmvUC2j1WV2Ab9
7BiUNn5+2NNjX8C+zmzcYQpYXycTIu/SIKcvEO3heXmypFLjhbUXg8cdVQLDug5o
WPX/qTpk0uz5+c9mMe7jDE47CfdVjomcESf3hc3HBNjWqAcX8g3Q/ty/94pYvazX
sxfBnm1c8efFg+AQT1Gigwyg2LQEAq3Rq5a5neZbDSxaAy5//3OcO0eHj2SECxU9
BDwbETZXfy1JAgS0m2bA06CX8n7ff65A9EhiCKFzQ8yoA0A+EUMQpYfpO6sK3m4H
i+k3DAhzAFasJ2DXKeTJGD9oDTySn0COh4kvKSkm8NGASSdPBZbPbnGYt3HEi8Bw
OhJA9Hhus1Z16g+02TGfaRxpgyeT93fqxqjZ1qbtiycRRe0g2Uqzlml+mP99VcgB
eC1fDzQuRWWNrS5Zvtq5nSGIy53YpR4vGW93LKjJQ4EWMo+l5Qorwq8W4Hxb4185
4Nz2Zp6csWgxL/Gup8eTHO32lVXqeUDNgd9vM1zKOxov3YSPoGkSFvMXXGSTDfIm
m+IrnwyrCSE4yWEiMuyuIqewdQpK2AIytgTn5DJ5ywQRwsrYNyH3xc0EXCmDXR0N
luGqsxP1S6w=
=+EbU
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXNEfyGaOgq3Tt24GAQjpbRAAp9C1ENFo2EvVF+vSrIEXitd51vAeE/ye
KdJQG9XCCdl3ASO3hONlhnYYghqB784veruY8Jq+J9CYBD0AlouuJaMGrzZ5ZAyy
kmCbMxMc3camie3sZp040s7f1GBwOA27NdkYdrWZPHm4KoU13Y6TmRrA8csVbl1H
Lg65aiGiMa7SXzB9571X5tExfLXVSIfLmqpB+dK+rd7AWvrLPcOvNKZkxQ3DZfi7
G1IOUNCRi2UldPvO4KL06nJ6esdZXjOmYgA6R5oku7qDMvbJt9AhGY4MECwlOk3W
CU/cq9khdRjY048FoWhacx9qoBYsB3e0oXDMEZSphKYYUOpOwD2mctBJOBngI1Mh
qYr4N/WxMEuQsooqRjSarpABXavCOmf1ErzU7G+v2l9YHDRqINRjpGly/zZXFgFx
0/m8YG4Zs2QmFKn4uDUBOZUJiSUUOXbm6WRsLXYzt1S4qSzTnyhM+wEtbS+EpmX4
3v1vDw3fJzpHAHm1kLKToMNRx5gFI+2VfW1p4KIqRvfg8x+d399DtEnfsbPKwve3
CYJuauO8ih1NEArteZkYmLhHLPDQpLQbCWq5fb1lnwnU1a8W2/EVSzyzzGawrhvX
92xhrRdgp11FXINVqw4U3okV+vsnh2WVUaPDCbw4kJGE/3r2k6HqKK4WfRfw5Qw3
pM8WHfTuRT8=
=/IRH
-----END PGP SIGNATURE-----
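An added check, not part of the Red Hat or AusCERT text above: to confirm that an RHEL 8 host carries the fixed runc build listed in section 6 of the advisory, compare the installed build against the advisory's version-release using RPM's own ordering rules rather than a plain string comparison. Those rules compare segment by segment, treat a numeric segment as newer than an alphabetic one, and sort '~' (pre-release) before even the empty string, so "1.0.0~rc5" is older than "1.0.0". The C program below reimplements rpm's rpmvercmp() ordering and applies it to what `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' runc` prints (rpm shows an unset epoch as "(none)", which the parser treats as 0). The fixed build string is taken from the advisory; the older release-54 sample and its module suffix are constructed for the example and are not a build named anywhere in the bulletin.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Fixed runc build from section 6 of RHSA-2019:0975 (version-release; no epoch). */
static const char RUNC_FIXED_EVR[] =
    "1.0.0-55.rc5.dev.git2abd837.module+el8.0.0+3049+59fd2bba";

/* Same ordering as rpm's rpmvercmp(): -1 if one < two, 0 if equal, 1 if one > two. */
int rpmvercmp(const char *one, const char *two)
{
    if (strcmp(one, two) == 0) return 0;
    while (*one || *two) {
        /* Separators are skipped; '~' (pre-release) and '^' (post-release) are significant. */
        while (*one && !isalnum((unsigned char)*one) && *one != '~' && *one != '^') one++;
        while (*two && !isalnum((unsigned char)*two) && *two != '~' && *two != '^') two++;
        if (*one == '~' || *two == '~') {       /* tilde sorts before anything, even the end */
            if (*one != '~') return 1;
            if (*two != '~') return -1;
            one++; two++; continue;
        }
        if (*one == '^' || *two == '^') {       /* caret sorts after the end, before anything else */
            if (!*one) return -1;
            if (!*two) return 1;
            if (*one != '^') return 1;
            if (*two != '^') return -1;
            one++; two++; continue;
        }
        if (!(*one && *two)) break;
        const char *s1 = one, *s2 = two;
        int isnum = isdigit((unsigned char)*one) != 0;
        if (isnum) { while (isdigit((unsigned char)*s1)) s1++; while (isdigit((unsigned char)*s2)) s2++; }
        else       { while (isalpha((unsigned char)*s1)) s1++; while (isalpha((unsigned char)*s2)) s2++; }
        if (s2 == two) return isnum ? 1 : -1;   /* segment types differ: numeric is newer */
        if (isnum) {                            /* numeric: drop leading zeros, then longer wins */
            while (one < s1 && *one == '0') one++;
            while (two < s2 && *two == '0') two++;
            if (s1 - one != s2 - two) return s1 - one > s2 - two ? 1 : -1;
        }
        size_t l1 = (size_t)(s1 - one), l2 = (size_t)(s2 - two), n = l1 < l2 ? l1 : l2;
        int rc = memcmp(one, two, n);           /* equal-type segments: lexical, shorter is older */
        if (rc) return rc < 0 ? -1 : 1;
        if (l1 != l2) return l1 < l2 ? -1 : 1;
        one = s1; two = s2;
    }
    if (!*one && !*two) return 0;
    return *one ? 1 : -1;                       /* whichever still has segments left is newer */
}

struct evr { char epoch[16], version[64], release[128]; };

/* Parse "[epoch:]version-release"; an absent or "(none)" epoch means 0. */
static int parse_evr(const char *s, struct evr *e)
{
    const char *colon = strchr(s, ':'), *dash;
    strcpy(e->epoch, "0");
    if (colon) {
        size_t n = (size_t)(colon - s);
        if (n > 0 && !(n == 6 && strncmp(s, "(none)", 6) == 0))
            snprintf(e->epoch, sizeof e->epoch, "%.*s", (int)n, s);
        s = colon + 1;
    }
    dash = strchr(s, '-');
    if (!dash || dash == s || !dash[1]) return -1;  /* need both a version and a release */
    snprintf(e->version, sizeof e->version, "%.*s", (int)(dash - s), s);
    snprintf(e->release, sizeof e->release, "%s", dash + 1);
    return 0;
}

/* Compare two EVR strings: -2 if either is unparseable, otherwise as rpmvercmp(). */
int evrcmp(const char *a, const char *b)
{
    struct evr x, y;
    if (parse_evr(a, &x) || parse_evr(b, &y)) return -2;
    int rc = rpmvercmp(x.epoch, y.epoch);
    if (!rc) rc = rpmvercmp(x.version, y.version);
    if (!rc) rc = rpmvercmp(x.release, y.release);
    return rc;
}

/* 1 = installed build is at/after the advisory's fixed build, 0 = older (still vulnerable), -1 = unparseable. */
int runc_is_fixed(const char *installed_evr)
{
    int rc = evrcmp(installed_evr, RUNC_FIXED_EVR);
    return rc == -2 ? -1 : (rc >= 0);
}

int main(void)
{
    /* Constructed inputs: the fixed build, a hypothetical older release-54 build, and the
     * "(none)" epoch form rpm prints. Real input: rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' runc */
    const char *samples[] = { "1.0.0-55.rc5.dev.git2abd837.module+el8.0.0+3049+59fd2bba",
                              "1.0.0-54.rc5.dev.git2abd837.module+el8.0.0+2958+4e823551",
                              "(none):1.0.0-55.rc5.dev.git2abd837.module+el8.0.0+3049+59fd2bba" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%s -> %s\n", samples[i], runc_is_fixed(samples[i]) == 1 ? "fixed" : "NOT fixed");
    return 0;
}
```

Use `rpm -q --qf '%{VERSION}-%{RELEASE}\n' runc` (or the epoch-prefixed form above) rather than the default `rpm -q runc` output, since the name prefix and the trailing architecture are not part of the version ordering. A later runc version or a higher epoch compares as fixed, which is the intended behaviour for a check that asks "at or past this build", not "exactly this build".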