Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.2830 Moderate: podman security, bug fix, and enhancement update 30 July 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: podman Publisher: Red Hat Operating System: Red Hat Enterprise Linux Server 7 Red Hat Enterprise Linux WS/Desktop 7 Linux variants Impact/Access: Access Confidential Data -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2019-10152 Original Bulletin: https://access.redhat.com/errata/RHSA-2019:1907 Comment: This advisory references vulnerabilities in products which run on platforms other than Red Hat. It is recommended that administrators running podman check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: podman security, bug fix, and enhancement update Advisory ID: RHSA-2019:1907-01 Product: Red Hat Enterprise Linux Extras Advisory URL: https://access.redhat.com/errata/RHSA-2019:1907 Issue date: 2019-07-29 CVE Names: CVE-2019-10152 ===================================================================== 1. Summary: An update for podman is now available for Red Hat Enterprise Linux 7 Extras. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux 7 Extras - aarch64, noarch, ppc64le, s390x, x86_64 3. Description: The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods is a concept in Kubernetes. The following packages have been upgraded to a later upstream version: podman (1.4.4). (BZ#1717919) Security Fix(es): * podman: Improper symlink resolution allows access to host files when executing `podman cp` on running containers (CVE-2019-10152) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Error: pod was given but no pod is specified: invalid argument (BZ#1727873) * Podman stats failed with Error: unable to obtain cgroup stats (BZ#1728242) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1715667 - CVE-2019-10152 podman: Improper symlink resolution allows access to host files when executing `podman cp` on running containers 1717919 - rebase to v1.4.4 1727873 - Error: pod was given but no pod is specified: invalid argument 1728242 - Podman stats failed with Error: unable to obtain cgroup stats 6. Package List: Red Hat Enterprise Linux 7 Extras: Source: podman-1.4.4-2.el7.src.rpm aarch64: podman-1.4.4-2.el7.aarch64.rpm podman-debuginfo-1.4.4-2.el7.aarch64.rpm noarch: podman-docker-1.4.4-2.el7.noarch.rpm ppc64le: podman-1.4.4-2.el7.ppc64le.rpm podman-debuginfo-1.4.4-2.el7.ppc64le.rpm s390x: podman-1.4.4-2.el7.s390x.rpm podman-debuginfo-1.4.4-2.el7.s390x.rpm x86_64: podman-1.4.4-2.el7.x86_64.rpm podman-debuginfo-1.4.4-2.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-10152 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2019 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXT8cPtzjgjWX9erEAQjL9g//VUvLwFnVZOZczqa63vN2/JTrPd6Hn5xB 7vPWONkxgZqXpq9hvL6Dc0qBqJBv8vqATxlSotlI8wus5xlNqp4qr1WtShlej+Pr GLAbftCPah5jYdSpfNBnpQpKnqkeLwwbVF2cAZWOeb9wmTSJzEm6/kxJy5kf0mGA gQ0SuAXB8cVGXoidEiNBJ74AXLVsJMccvOlZ+5YcKPRBksiemVqvezMoInsbOBpU gyXdct4xCHC2x0T2wjKJ0yMPuGGBNHAs9xLSyINkxAMLtY5Eg+eCyUxiDBnPL7Tx r2FMoupH6J0goblLj5RUMkkWHNLhKJhJUT6D0SLzJVXEOtJGJQC45M0UAmBskLUq l8anAWG5Vkk3vEUvJBw+1/rCvzBLHXB0p7DwAtwtrCaTimqEn8OIIFTfbTRxW0Ud ilQG0+FoKlpA1RNMnFCnPITh/LqS92vhzll+G+tZnvch13wqJiM6BQq5l9uuFSgc T+wk3sdaOLNYyqIuQwRTQll5gppwmCG+0tOqkXpeP1+48GDOXr4XgScZUWKM0qmH jPw3BJOrUqFBYPR7cWLX00nEO/kkFZNThUB+6hjAS566a+45ayYE6s51w8gXCjsQ m1QuvfjcfeQd1ostJwzLOqQCMFZ6t59PiwZpexWoneRiUjrPgBMCfClPrb6/STHP gcXvoQYp09A= =brFW - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXT/XH2aOgq3Tt24GAQhhIhAAgL8Ox9TP5dTJ0LaTcsPXGaxvwdf9HC7u UxUdNyx7goTdaLhhi95dtvRdy6OMEEBqBpO7zoDL5OnJdrB3bSnJc6bWMFuSDR05 MP5j4hgwlhAot/pTU1b/tjVFkVPztqs9hqi8HZ+IHpKfopIQRw/vIAhzVxiCG1fp snIrSeZlqzdZ1DYcMmP8B900Omk/KfEaBhn2IrmI0Pk0pX5tB4yEUH/8wS/4fYe+ s0v8vGxzEQGu2JQjyo+n6lwQz8Q19EUhge3c8dtJjr1mPrmcrn0rUaLqVTHjHmqi ytYcH9Hg3RA2N0RPZBZJOjOJEnQKFeghn3slEfwt8JpqGgtv8i3Ukh26Sqdlonva CWjMErLjyxhmIfIHItujm5mCZTHs7M4sAb9GeLHMQYA1ry0JosJw+nNB+qJ16L+5 rQevFDJNWgWStscKFX9ftWYyrM2/PJsxBfKWvJYPfOQJHWbf0xGpXs6lWlemZ+q7 Kgi5R+eKNiiPt555x4J06C3R8crwe9IP+mbIDMCSp9nBiwUoz2e6nd8mqniD6i1B o6BefKfHhhzunggFUmvsRoeneOc0BMILwCVfkt0Fw88TZOo52nmhVPNY5ylBgWO8 bJ7b6hWqU/EClc4MtXyqoDb/DrYyXDQ/7LcRr3Wd0vtgzJcSqUL3TAuqleJztw8X gyCNvIT2CwU= =pP9n -----END PGP SIGNATURE-----