Moderate: container-tools:rhel8 security, bug fix, and enhancement update

Synopsis

Moderate: container-tools:rhel8 security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.

Security Fix(es):

  • runc: volume mount race condition with shared mounts leads to information leak/integrity manipulation (CVE-2019-19921)
  • containers/image: Container images read entire image manifest into memory (CVE-2020-1702)
  • podman: incorrectly allows existing files in volumes to be overwritten by a container when it is created (CVE-2020-1726)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.2 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for ARM 64 8 aarch64

Fixes

  • BZ - 1703245 - [RFE] Add button to run terminal within the container
  • BZ - 1717357 - buildah images -f "dangling=true" is not working as expect
  • BZ - 1731107 - support podman ps filter regular expressions
  • BZ - 1732704 - udica should be able to update the generated policy based on AVC denial messages
  • BZ - 1732713 - Run container from cockpit-podman with memory limit doesn't work
  • BZ - 1748519 - avc: podman run --security-opt label=type:svirt_qemu_net_t
  • BZ - 1749999 - podman bash completion error
  • BZ - 1754744 - [8.2] Backport Podman's --env-host support to 8.1
  • BZ - 1754763 - [8.2] Podman search shows limited numbers of images
  • BZ - 1755119 - Read-only podman run errors when one of the volumes it by default mounts as tmpfs are also defined as VOLUME
  • BZ - 1756919 - Podman inspect does not parse the keys of the returned JSON
  • BZ - 1757693 - Rebase udica to 0.2.0
  • BZ - 1757845 - You have to remove that container to be able to reuse that name.: that name is already in use (due to exec user process caused "no such file or directory")
  • BZ - 1763454 - libslirp sends RST to app in response to arriving FIN when containerized socket is shutdown() with SHUT_WR
  • BZ - 1766774 - podman-1.6.2-1 rootless: Error: slirp4netns failed
  • BZ - 1768930 - backport json-file logging support to 1.4.2
  • BZ - 1769469 - Selinux won't allow SCTP inter pod communication
  • BZ - 1771990 - Varlink subcommand is missing for podman in rhel-8.2
  • BZ - 1774755 - syslog getting spammed with `{Created,Removed} slice libcontainer_*`
  • BZ - 1775307 - Concurrent 'podman pull/run' sometimes fails with "Error processing tar file(io: read/write on closed pipe)"
  • BZ - 1776112 - journald errors out with "write child: broken pipe"
  • BZ - 1779834 - [8.2] Deadlock when pulling an image is interrupted
  • BZ - 1783267 - Podman is not compiled with FIPS mode - container-tools-rhel8.-8.2.0
  • BZ - 1783268 - Skopeo is not compiled with FIPS mode - container-tools-rhel8-8.2.0
  • BZ - 1783270 - Buildah is not compiled with FIPS mode - container-tools-rhel8-8.2.0
  • BZ - 1783272 - runc is not compiled with FIPS mode - container-tools-rhel8-8.2.0
  • BZ - 1783274 - containernetworking-plugins is not compiled with FIPS mode - container-tools-rhel8-8.2.0
  • BZ - 1784267 - Remove quay.io from the default search list
  • BZ - 1784952 - Buildah needs to support FIPS Mode bind mount in RHEL8.2++ containers.
  • BZ - 1788539 - podman and podman-manpages needs merging
  • BZ - 1792796 - CVE-2020-1702 containers/image: Container images read entire image manifest into memory
  • BZ - 1793084 - "podman play kube" generates wrong UserCommand when creating pod, defaults to /bin/bash
  • BZ - 1793598 - podman commands failing and reporting "cannot chdir: Permission denied"
  • BZ - 1796107 - CVE-2019-19921 runc: volume mount race condition with shared mounts leads to information leak/integrity manipulation
  • BZ - 1801152 - CVE-2020-1726 podman: incorrectly allows existing files in volumes to be overwritten by a container when it is created
  • BZ - 1802907 - useradd and groupadd fail under rootless Buildah and podman
  • BZ - 1803496 - useradd and groupadd fail under rootless Buildah and podman [stream-container-tools-rhel8-rhel-8.2.0]
  • BZ - 1804849 - fuse-overlayfs segfault
  • BZ - 1805017 - fuse-overlayfs segfault [stream-container-tools-rhel8-rhel-8.2.0/fuse-overlayfs]
  • BZ - 1805212 - podman (1.6.4) rhel 8.1 no route to host from inside container
  • BZ - 1806901 - podman (1.6.4) rhel 8.1 no route to host from inside container [stream-container-tools-rhel8-rhel-8.2.0/podman]
  • BZ - 1808707 - [FJ8.2 Bug]: [REG]The "--group-add" option of "podman create" doesn't function. [stream-container-tools-rhel8-rhel-8.2.0/podman]
  • BZ - 1810053 - Proposed registries.conf for container-tools-rhel8-8.2.0
  • BZ - 1811514 - [container-tools:rhel8] Failed to start existing container
  • BZ - 1813295 - Skopeo doesn't handle HTTP 429 errors properly