-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1147
             podman security, bug fix, and enhancement update
                               1 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           podman
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
Impact/Access:     Overwrite Arbitrary Files -- Existing Account
                   Denial of Service         -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-1702 CVE-2019-18466 

Reference:         ESB-2020.0933

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:1227

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: podman security, bug fix, and enhancement update
Advisory ID:       RHSA-2020:1227-01
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:1227
Issue date:        2020-03-31
CVE Names:         CVE-2019-18466 CVE-2020-1702 
=====================================================================

1. Summary:

An update for podman is now available for Red Hat Enterprise Linux 7
Extras.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux 7 Extras - noarch, ppc64le, s390x, x86_64

3. Description:

The podman tool manages pods, container images, and containers. It is part
of the libpod library, which is for applications that use container pods.
Container pods are a concept in Kubernetes.

Security Fix(es):

* podman: resolving symlink in host filesystem leads to unexpected results
of copy operation (CVE-2019-18466)

* containers/image: Container images read entire image manifest into memory
(CVE-2020-1702)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
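The bulletin names CVE-2019-18466 only by its title (a symlink in the host filesystem is resolved during a copy, with "Overwrite Arbitrary Files" as the listed impact). The following is an added example, not podman's code and not a reproduction of the podman bug: it shows the general defensive check for that bug class, where a copy into a directory tree first resolves every symlink in the destination path and refuses to write if the resolved target lands outside the intended root. The directory names and the sample file are constructed for the demonstration.

```python
"""Added example: refuse copies whose destination resolves outside a root.

Not part of the Red Hat advisory or of podman. Demonstrates the general
check for the bug class named by CVE-2019-18466: a symlink inside the
destination tree must not redirect the write to a host file outside it.
"""
import shutil
import tempfile
from pathlib import Path


def resolve_inside(root: Path, candidate: Path) -> Path:
    """Resolve candidate (following every symlink component) and confirm
    the result is still under root; raise PermissionError otherwise."""
    root_real = root.resolve(strict=True)
    # strict=False: the final component may not exist yet, but any symlink
    # in the intermediate directories is still followed.
    real = candidate.resolve(strict=False)
    try:
        real.relative_to(root_real)
    except ValueError:
        raise PermissionError(
            f"{candidate} resolves to {real}, outside {root_real}") from None
    return real


def safe_copy_into(src: Path, dest_root: Path, rel_dest: str) -> Path:
    """Copy src to dest_root/rel_dest, but only after checking that the
    destination does not escape dest_root through a symlink."""
    target = resolve_inside(dest_root, dest_root / rel_dest)
    # target is already proven to be under dest_root, so its parent is too.
    target.parent.mkdir(parents=True, exist_ok=True)
    shutil.copyfile(src, target)
    return target


def demo() -> tuple:
    """Build a constructed layout: a destination tree containing a symlink
    ('etc') that points to a directory outside the tree. Returns
    (normal copy landed inside, escaping copy was blocked, outside dir untouched)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "payload.txt"                 # constructed source file
        src.write_text("hello\n")
        dest_root = tmp / "container_rootfs"      # constructed destination root
        dest_root.mkdir()
        outside = tmp / "host_etc"                # constructed "host" directory
        outside.mkdir()
        # The hazard: a symlink inside the tree pointing outside it.
        (dest_root / "etc").symlink_to(outside, target_is_directory=True)

        good = safe_copy_into(src, dest_root, "usr/share/file.txt")
        try:
            good.relative_to(dest_root.resolve())
            inside = True
        except ValueError:
            inside = False

        try:
            safe_copy_into(src, dest_root, "etc/passwd")
            blocked = False
        except PermissionError:
            blocked = True

        untouched = not (outside / "passwd").exists()
        return inside, blocked, untouched


if __name__ == "__main__":
    print(demo())
```

The check must be made on the fully resolved path, not on the string the caller supplied: `dest_root / "etc/passwd"` looks harmless as text, and only `resolve()` reveals that `etc` is a link to a directory elsewhere on the host.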

Bug Fix(es):

* [extras-rhel-7] conmon binary stripped but debuginfo not generated
(BZ#1650395)

* Cannot run systemd-container with SCL service due to RHSA-2019:2091 fix
(BZ#1758509)

* Podman does not enforce registries.block in the registries.conf file
(BZ#1787666)

* podman and podman-manpages needs merging (BZ#1788549)

* podman should be linked against gpgme-pthread (BZ#1793083)

* podman cannot support load tarball which the name with colon but docker
can support this (BZ#1797599)

* podman (1.6.4) rhel 8.1 no route to host from inside container
[extras-rhel-7.8/podman] (BZ#1806895)

* Podman can't reuse a container name, even if the container that was using
it is no longer around [extras-rhel-7.8/podman] (BZ#1807437)

* podman exec does not reads from stdin [extras-rhel-7.8/podman]
(BZ#1807586)

* [FJ8.2 Bug]: [REG]The "--group-add" option of "podman create" doesn't
function. [extras-rhel-7.8/podman] (BZ#1808702)

Enhancement(s):

* [RFE] sctp support for podman (BZ#1664218)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1650395 - [extras-rhel-7] conmon binary stripped but debuginfo not generated
1744588 - CVE-2019-18466 podman: resolving symlink in host filesystem leads to unexpected results of copy operation
1758509 - Cannot run systemd-container with SCL service due to RHSA-2019:2091 fix
1788549 - podman and podman-manpages needs merging
1792796 - CVE-2020-1702 containers/image: Container images read entire image manifest into memory
1797599 - podman cannot support load tarball which the name with colon but docker can support this
1806895 - podman (1.6.4) rhel 8.1 no route to host from inside container [extras-rhel-7.8/podman]
1807437 - Podman can't reuse a container name, even if the container that was using it is no longer around [extras-rhel-7.8/podman]
1807586 - podman exec does not reads from stdin [extras-rhel-7.8/podman]
1808702 - [FJ8.2 Bug]: [REG]The "--group-add" option of "podman create" doesn't function. [extras-rhel-7.8/podman]

6. Package List:

Red Hat Enterprise Linux 7 Extras:

Source:
podman-1.6.4-16.el7_8.src.rpm

noarch:
podman-docker-1.6.4-16.el7_8.noarch.rpm

ppc64le:
podman-1.6.4-16.el7_8.ppc64le.rpm
podman-debuginfo-1.6.4-16.el7_8.ppc64le.rpm

s390x:
podman-1.6.4-16.el7_8.s390x.rpm
podman-debuginfo-1.6.4-16.el7_8.s390x.rpm

x86_64:
podman-1.6.4-16.el7_8.x86_64.rpm
podman-debuginfo-1.6.4-16.el7_8.x86_64.rpm

Red Hat Enterprise Linux 7 Extras:

Source:
podman-1.6.4-16.el7_8.src.rpm

noarch:
podman-docker-1.6.4-16.el7_8.noarch.rpm

x86_64:
podman-1.6.4-16.el7_8.x86_64.rpm
podman-debuginfo-1.6.4-16.el7_8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
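To confirm that a host actually carries the fixed build listed above (podman-1.6.4-16.el7_8), the installed name-version-release must be compared with rpm's own ordering rules rather than as plain strings. The following is an added example, not part of the Red Hat advisory or the AusCERT bulletin: it ports rpm's segment-wise version comparison (digits compared numerically, letters lexically, a tilde sorting below everything; the newer caret rule is omitted), parses NVRA strings such as those in the Package List, and reports whether an installed build is at or above the fixed one. The `rpm -q` query format used to read the installed package is a standard rpm option; the fallback sample value is constructed.

```python
"""Added example: is the installed podman at or above the RHSA-2020:1227 build?

Not part of the advisory. Implements rpm's version ordering (rpmvercmp,
without the caret rule) so that 1.6.4-9 < 1.6.4-16 and 1.6.4~rc1 < 1.6.4.
"""
import re
import shutil
import subprocess

FIXED_NVR = "podman-1.6.4-16.el7_8"   # from the Package List in RHSA-2020:1227

_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")
_NVRA = re.compile(
    r"^(.+)-([^-]+)-([^-]+?)(?:\.(x86_64|ppc64le|s390x|noarch|src))?$")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like rpm's rpmvercmp (tilde handled, caret omitted)."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":          # tilde sorts before anything else
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x.isdigit() and y.isdigit():   # numeric segments: compare as integers
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit():                 # a numeric segment beats an alpha one
            return 1
        elif y.isdigit():
            return -1
        elif x != y:                      # alpha segments: plain string order
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    # Whichever side has segments left over wins, unless the leftover
    # starts with a tilde, in which case it loses.
    longer_is_a = len(sa) > len(sb)
    rest = (sa if longer_is_a else sb)[min(len(sa), len(sb)):]
    if rest[0] == "~":
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1


def parse_nvra(nvra: str) -> tuple:
    """Split 'name-version-release[.arch][.rpm]' into (name, version, release)."""
    if nvra.endswith(".rpm"):
        nvra = nvra[:-4]
    m = _NVRA.match(nvra)
    if not m:
        raise ValueError(f"not an NVR(A) string: {nvra}")
    return m.group(1), m.group(2), m.group(3)


def is_fixed(installed: str, fixed: str = FIXED_NVR) -> bool:
    """True when the installed build is the fixed build or newer."""
    n1, v1, r1 = parse_nvra(installed)
    n2, v2, r2 = parse_nvra(fixed)
    if n1 != n2:
        raise ValueError(f"package name mismatch: {n1} vs {n2}")
    c = rpmvercmp(v1, v2)
    if c == 0:
        c = rpmvercmp(r1, r2)
    return c >= 0


def installed_podman():
    """Query the local rpm database; None if rpm is absent or podman is not installed."""
    if shutil.which("rpm") is None:
        return None
    proc = subprocess.run(
        ["rpm", "-q", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n", "podman"],
        capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


if __name__ == "__main__":
    nvra = installed_podman()
    if nvra is None:
        nvra = "podman-1.6.4-15.el7_8.x86_64"   # constructed sample, no rpm here
    verdict = "at or above fixed build" if is_fixed(nvra) else "older than fixed build"
    print(nvra, "->", verdict)
```

Run it on a RHEL 7 host with podman installed to get the real verdict; anywhere else it falls back to the constructed sample. Package signatures are a separate check: `rpm -K <file>.rpm` verifies the Red Hat signature on a downloaded package against the key referenced in the advisory.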

7. References:

https://access.redhat.com/security/cve/CVE-2019-18466
https://access.redhat.com/security/cve/CVE-2020-1702
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXoQ+/2aOgq3Tt24GAQiAoQ//aZBLAXBpxW8p/pBxHfAeFZ/GA+3uArUh
ogiJQ5guCaXilUVKcS1JBMCQHs03702oXx/3qE5GfgqZuIZjGEjAfBrHPVxdZ4vj
mM7iOy7BA+AlCBbUi1uuSmjySwOfX5GXgg67k5WkmJ+gkbiMm/+7hrhZcEwO8oWd
3n3Ti0MdPSfS1ZuXpXUSVhRlukfCG+2r2dD9cN9BhqOivKWcLXfUgTzo1LccMJat
oKu8qFL64INokihpek72C+UoqsKSLxO57bmmwxzvpNBWJu/712wYvyJMv8L4md0p
TY4IvPkApxfYkV5yQhuZHsQU3UajOXGUXRr8cQuLZfSbmYBsuts1ceDUAgJIeGfG
tswXQmZf/VfWO8XatBvqBLSqnxDSKBICXj5CliDBrbvpfjgxeivQrkZoEQsHfMFU
tiq+XgD0WhzltatahjJNvqNCnl2cT6DusW6fbmaEP7sgtiWTae1YhUtvnshSy6yh
vatmCyiYJj0Sb0n44LEGAm62RIxyaqBVcI0QYWA7RhP0t+zm1SENB7eerZWK9MSn
XnvveRHSZ4z5YxObssRndg9KpIU08CadU95DeJVPjEqe/8B1gv0P47yD51a3ZzZA
0IoP1uQqJEi1CQnYy8FIJF90B1rQizGuPWbzZgLnIhcfC8Fx6MrlAt09aXeSccKS
IsV6mPFgdjs=
=vLDd
-----END PGP SIGNATURE-----