Moderate: container-tools:rhel8 security, bug fix, and enhancement update

Related Vulnerabilities: CVE-2021-36221, CVE-2021-41190, CVE-2022-1708, CVE-2022-2990, CVE-2022-27191, CVE-2022-29162

Synopsis

Moderate: container-tools:rhel8 security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.

Security Fix(es):

  • golang: net/http/httputil: panic due to racy read of persistConn after handler panic (CVE-2021-36221)
  • cri-o: memory exhaustion on the node when access to the kube api (CVE-2022-1708)
  • golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191)
  • opencontainers: OCI manifest and index parsing confusion (CVE-2021-41190)
  • buildah: possible information disclosure and modification (CVE-2022-2990)
  • runc: incorrect handling of inheritable capabilities (CVE-2022-29162)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.7 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for ARM 64 8 aarch64

Fixes

  • BZ - 1820551 - Automatically starting a container on boot is not possible through cockpit WebUI
  • BZ - 1941727 - Module meta data is wrong
  • BZ - 1945929 - Every podman run invocation generates two "Couldn't stat device /dev/char/10:200: No such file or directory" lines in the journal
  • BZ - 1974423 - No equivalent buildah bud argument to docker build --ssh
  • BZ - 1995656 - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic
  • BZ - 1996050 - [RFE] podman to create a rootless container that attempts to publish ports from a host with static IPv6 address.
  • BZ - 2005866 - Udica was rebased prematurely
  • BZ - 2009264 - Cannot get logs with --follow
  • BZ - 2009346 - Podman name resolution not working as expected
  • BZ - 2024938 - CVE-2021-41190 opencontainers: OCI manifest and index parsing confusion
  • BZ - 2027662 - Udica crashes when processing inspect file without capabilities
  • BZ - 2028408 - Podman healthcheck fails if the command contains unicode characters.
  • BZ - 2030195 - Add restart-sec option to systemd generate
  • BZ - 2039045 - /etc/containers/registries.conf missing registry.redhat.io terms-based registry definition
  • BZ - 2052697 - Inconsistency in how the podman service behaves depending on whether it is providing API via UNIX or TCP socket.
  • BZ - 2053990 - runc has unversioned dependency on libseccomp
  • BZ - 2055313 - Creating a pod uses bad infra_image registry in podman
  • BZ - 2059666 - There is no man page for Containerfile provided by containers-common
  • BZ - 2062697 - [cockpit-podman] RHEL 8.7 Tier 0 Localization
  • BZ - 2064702 - CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server
  • BZ - 2066145 - The results showed significant difference between with and without --no-stream option for podman stats
  • BZ - 2068006 - CentOS Stream 8 podman: symbol lookup error: podman: undefined symbol: seccomp_notify_fd [rhel-8.7.0]
  • BZ - 2072452 - error during chown: storage-chown-by-maps: lgetxattr usr/bin/ping: value too large for defined data type
  • BZ - 2073958 - Podman v3.4.2 regression with hosts file breaks getHostAddress() call
  • BZ - 2078925 - podman command crash with segment fault in rootless user mode
  • BZ - 2079759 - skopeo segfaults after rebuild with golang-1.18
  • BZ - 2079761 - podman fails to build with golang-1.18
  • BZ - 2081836 - networking is broken when building containers due to missing container networking package dependencies
  • BZ - 2083570 - symlinks doesn't work on volumes under podman when SELINUX is enabled
  • BZ - 2083997 - catatonit not found when starting pod (podman 4.0 under RHEL 8.6)
  • BZ - 2085361 - CVE-2022-1708 cri-o: memory exhaustion on the node when access to the kube api
  • BZ - 2086398 - CVE-2022-29162 runc: incorrect handling of inheritable capabilities
  • BZ - 2086757 - Error: plugin type="bridge" failed (add): failed to find plugin "bridge" in path
  • BZ - 2090609 - ERRO[0009] Error forwarding signal 18 to container using rootless user with timeout+sleep in the podman run command
  • BZ - 2090920 - Podman load keeps stale files in TMPDIR
  • BZ - 2093079 - Podman does not detect volume from the volume plugin, unlike docker
  • BZ - 2094610 - Healthcheck does not get executed if --interval not specified in Dockerfile
  • BZ - 2094875 - podman not being able to mount devices during podman build
  • BZ - 2095097 - [RFE] Podman copying the entries of /etc/hosts in the container
  • BZ - 2096264 - podman images --format incompatibility with docker
  • BZ - 2097865 - Removing podman-2:4.0.2-6.module+el8.6.0+14877+f643d2d6.x86_64 does not remove podman socket if sudo systemctl enable podman.socket has been run prior to yum remove podman
  • BZ - 2100740 - podman can not force remove paused container
  • BZ - 2102140 - ADD Dockerfile reference is not validating HTTP status code [rhel8]
  • BZ - 2102361 - Mostly-confined containers which create their own user and mount namespaces can't mount overlay filesystems
  • BZ - 2102381 - podman image failed with ERRO[0000] Unmounting /home/maor/.local/share/containers/storage/overlay/XX/merged: invalid argument
  • BZ - 2113941 - podman did not set selinux labels to symbolic links
  • BZ - 2117699 - podman 4.2 version bump
  • BZ - 2117928 - Error: runc: exec failed: unable to start container process: open /dev/pts/0: operation not permitted: OCI permission denied
  • BZ - 2118231 - mount through procfd: operation not permitted: OCI permission denied
  • BZ - 2119072 - podman gating test issues in RHEL8.7
  • BZ - 2120651 - Add beta keys to default-policy.json
  • BZ - 2121453 - CVE-2022-2990 buildah: possible information disclosure and modification