-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1147
          podman security, bug fix, and enhancement update
                               1 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           podman
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
Impact/Access:     Overwrite Arbitrary Files -- Existing Account
                   Denial of Service         -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-1702 CVE-2019-18466
Reference:         ESB-2020.0933

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:1227

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: podman security, bug fix, and enhancement update
Advisory ID:       RHSA-2020:1227-01
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:1227
Issue date:        2020-03-31
CVE Names:         CVE-2019-18466 CVE-2020-1702 
=====================================================================

1. Summary:

An update for podman is now available for Red Hat Enterprise Linux 7 Extras.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux 7 Extras - noarch, ppc64le, s390x, x86_64

3. Description:

The podman tool manages pods, container images, and containers. It is part
of the libpod library, which is for applications that use container pods.
Container pods are a concept in Kubernetes.
Security Fix(es):

* podman: resolving symlink in host filesystem leads to unexpected results
of copy operation (CVE-2019-18466)

* containers/image: Container images read entire image manifest into memory
(CVE-2020-1702)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* [extras-rhel-7] conmon binary stripped but debuginfo not generated
(BZ#1650395)

* Cannot run systemd-container with SCL service due to RHSA-2019:2091 fix
(BZ#1758509)

* Podman does not enforce registries.block in the registries.conf file
(BZ#1787666)

* podman and podman-manpages needs merging (BZ#1788549)

* podman should be linked against gpgme-pthread (BZ#1793083)

* podman cannot support load tarball which the name with colon but docker
can support this (BZ#1797599)

* podman (1.6.4) rhel 8.1 no route to host from inside container
[extras-rhel-7.8/podman] (BZ#1806895)

* Podman can't reuse a container name, even if the container that was using
it is no longer around [extras-rhel-7.8/podman] (BZ#1807437)

* podman exec does not reads from stdin [extras-rhel-7.8/podman]
(BZ#1807586)

* [FJ8.2 Bug]: [REG]The "--group-add" option of "podman create" doesn't
function. [extras-rhel-7.8/podman] (BZ#1808702)

Enhancement(s):

* [RFE] sctp support for podman (BZ#1664218)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1650395 - [extras-rhel-7] conmon binary stripped but debuginfo not generated
1744588 - CVE-2019-18466 podman: resolving symlink in host filesystem leads to unexpected results of copy operation
1758509 - Cannot run systemd-container with SCL service due to RHSA-2019:2091 fix
1788549 - podman and podman-manpages needs merging
1792796 - CVE-2020-1702 containers/image: Container images read entire image manifest into memory
1797599 - podman cannot support load tarball which the name with colon but docker can support this
1806895 - podman (1.6.4) rhel 8.1 no route to host from inside container [extras-rhel-7.8/podman]
1807437 - Podman can't reuse a container name, even if the container that was using it is no longer around [extras-rhel-7.8/podman]
1807586 - podman exec does not reads from stdin [extras-rhel-7.8/podman]
1808702 - [FJ8.2 Bug]: [REG]The "--group-add" option of "podman create" doesn't function. [extras-rhel-7.8/podman]

6. Package List:

Red Hat Enterprise Linux 7 Extras:

Source:
podman-1.6.4-16.el7_8.src.rpm

noarch:
podman-docker-1.6.4-16.el7_8.noarch.rpm

ppc64le:
podman-1.6.4-16.el7_8.ppc64le.rpm
podman-debuginfo-1.6.4-16.el7_8.ppc64le.rpm

s390x:
podman-1.6.4-16.el7_8.s390x.rpm
podman-debuginfo-1.6.4-16.el7_8.s390x.rpm

x86_64:
podman-1.6.4-16.el7_8.x86_64.rpm
podman-debuginfo-1.6.4-16.el7_8.x86_64.rpm

Red Hat Enterprise Linux 7 Extras:

Source:
podman-1.6.4-16.el7_8.src.rpm

noarch:
podman-docker-1.6.4-16.el7_8.noarch.rpm

x86_64:
podman-1.6.4-16.el7_8.x86_64.rpm
podman-debuginfo-1.6.4-16.el7_8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-18466
https://access.redhat.com/security/cve/CVE-2020-1702
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXoPf99zjgjWX9erEAQjdHA/+Oqk+XcsMWVkfj+1ZbVYczkGcnWC01hDW
Emgu22gTuMtdwuDG9lHy0vLMPva64FzkWV0marDYkkCuCS2cUD/irzoA0X/m4/GZ
Yho4BQ+6fCWZ/3P0C+F+xCrz7FWFy/Ib4rV4KhyaKq9qjB6W9guXfRR3Pxe5oohX
6euia8BdVw6sdNLG9tCrhENYM/zb76zwWWuwVWBYYsCHh2b6v2P6zutIoKhon1hN
LQ2LIwFjfjFJxXuDDpTIt2Y4y7SkTGsJ/DGUyyHyCbKAf84+t3srN3q/B7DM2O8I
x4vZLmL6kiZ88dfHl3Z8y6SL7+8xUBHAfvllEqRm6DRXpPMVBSDnVHuf8AGBI/EY
2HOAMUqE2UKYXaX7ZbbnVRZGf7MlBjrdGJs28QOid0FgJB4y1qPdymSst35pWPHd
G0OXhj3WxeE4Pfb6gzRRowMGTipRIAMuGDCGJKL9hcg9gC9l/Yianf0mrg8SLzUC
QwkQDbY1goUDbW8eLv9peFiwBz755CwOLP9G6t8Vmj+zNiTRy5vuadSpLYOzkLK1
8tEbMS51rH+fWAq4Egmwsvu5XMcMcY/00NfgXMBIBrVFIcYN2yzXHdijEF9jqABz
bNgIaM15wHAOZxc5Qey1a5/CMlm449WXQYrn1I+P9LCU+ZOqHOOxM0+RtSqdlPYG
+ymH1Ihp5tE=
=8y7H
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXoQ+/2aOgq3Tt24GAQiAoQ//aZBLAXBpxW8p/pBxHfAeFZ/GA+3uArUh
ogiJQ5guCaXilUVKcS1JBMCQHs03702oXx/3qE5GfgqZuIZjGEjAfBrHPVxdZ4vj
mM7iOy7BA+AlCBbUi1uuSmjySwOfX5GXgg67k5WkmJ+gkbiMm/+7hrhZcEwO8oWd
3n3Ti0MdPSfS1ZuXpXUSVhRlukfCG+2r2dD9cN9BhqOivKWcLXfUgTzo1LccMJat
oKu8qFL64INokihpek72C+UoqsKSLxO57bmmwxzvpNBWJu/712wYvyJMv8L4md0p
TY4IvPkApxfYkV5yQhuZHsQU3UajOXGUXRr8cQuLZfSbmYBsuts1ceDUAgJIeGfG
tswXQmZf/VfWO8XatBvqBLSqnxDSKBICXj5CliDBrbvpfjgxeivQrkZoEQsHfMFU
tiq+XgD0WhzltatahjJNvqNCnl2cT6DusW6fbmaEP7sgtiWTae1YhUtvnshSy6yh
vatmCyiYJj0Sb0n44LEGAm62RIxyaqBVcI0QYWA7RhP0t+zm1SENB7eerZWK9MSn
XnvveRHSZ4z5YxObssRndg9KpIU08CadU95DeJVPjEqe/8B1gv0P47yD51a3ZzZA
0IoP1uQqJEi1CQnYy8FIJF90B1rQizGuPWbzZgLnIhcfC8Fx6MrlAt09aXeSccKS
IsV6mPFgdjs=
=vLDd
-----END PGP SIGNATURE-----
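Checking a fleet against the fixed build, as an added example that is not part of the AusCERT bulletin or of Red Hat's advisory: the advisory's Solution section points at the generic update procedure, and the Package List gives the fixed version-release (1.6.4-16.el7_8) for every RHEL 7 Extras architecture. The script below takes `rpm -q podman` output (name-version-release.arch), extracts version-release and compares it with the fixed one. It assumes GNU `sort -V`, whose ordering matches rpm's for these plain numeric releases (for epochs or tilde versions use rpmdev-vercmp instead); the hostnames and installed versions in the sample inventory are constructed for the example.

```shell
#!/bin/sh
# Added example, not Red Hat's or AusCERT's tooling: is the installed podman
# at or above the build shipped by RHSA-2020:1227 for RHEL 7 Extras?
# Assumption: GNU `sort -V` ordering is adequate for these NVRs.

# Fixed version-release, taken from the advisory's package list.
FIXED_VR="1.6.4-16.el7_8"

# vr_from_nvra NVRA: turn "podman-1.6.4-16.el7_8.x86_64" into "1.6.4-16.el7_8".
# Splits on the last two hyphens, so hyphenated names (podman-docker) work.
vr_from_nvra() {
    nvr=${1%.*}           # drop ".arch"
    rel=${nvr##*-}        # after the last '-' is the release
    nv=${nvr%-*}          # name-version
    ver=${nv##*-}         # after the last remaining '-' is the version
    printf '%s-%s\n' "$ver" "$rel"
}

# vr_ge A B: succeed when version-release A sorts at or above B.
vr_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# check_podman NVRA [LABEL]: print a verdict; return 0 if fixed, 1 if not.
check_podman() {
    vr=$(vr_from_nvra "$1")
    label=${2:-$1}
    if vr_ge "$vr" "$FIXED_VR"; then
        echo "$label: $1 OK (>= podman-$FIXED_VR)"
        return 0
    fi
    echo "$label: $1 NEEDS UPDATE (< podman-$FIXED_VR; CVE-2019-18466, CVE-2020-1702)"
    return 1
}

# Constructed sample inventory (hostnames and versions are made up):
# one "host <rpm -q podman output>" pair per line.
SAMPLE='web01 podman-1.6.4-16.el7_8.x86_64
web02 podman-1.4.4-4.el7.x86_64
db01 podman-1.6.4-4.el7_8.x86_64
ci01 podman-1.6.4-16.el7_8.ppc64le'

while read -r host nvra; do
    check_podman "$nvra" "$host" || :
done <<EOF
$SAMPLE
EOF

# On a real RHEL 7 host:  check_podman "$(rpm -q podman)" "$(hostname)"
# Before installing a downloaded package, confirm the Red Hat signature:
#   rpm -K podman-1.6.4-16.el7_8.x86_64.rpm
```

The version check only tells you the package is current; the `rpm -K` line at the end is the check for the advisory's "GPG signed by Red Hat" statement, and it only means something once the Red Hat release key from the URL in the advisory has been imported with `rpm --import`.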