Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Moderate: container-tools:rhel8 security, bug fix, and enhancement update

Related Vulnerabilities: CVE-2022-1705   CVE-2022-1962   CVE-2022-27664   CVE-2022-28131   CVE-2022-30629   CVE-2022-30630   CVE-2022-30631   CVE-2022-30632   CVE-2022-30633   CVE-2022-30635   CVE-2022-32148   CVE-2022-32189   CVE-2022-41717   CVE-2023-0778  

Source

Synopsis

Moderate: container-tools:rhel8 security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.

Security Fix(es):

  • golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)
  • golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)
  • golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
  • golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
  • golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
  • golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
  • golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
  • golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
  • golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
  • golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)
  • golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
  • podman: symlink exchange attack in podman export volume (CVE-2023-0778)
  • golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629)
  • golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.8 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.8 x86_64
  • Red Hat Enterprise Linux Server - AUS 8.8 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.8 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.8 ppc64le
  • Red Hat Enterprise Linux Server - TUS 8.8 x86_64
  • Red Hat Enterprise Linux for ARM 64 8 aarch64
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.8 aarch64
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8 x86_64

Fixes

  • BZ - 2033280 - [container-tools:rhel8/toolbox] toolbox list contains duplicate entries for images with multiple names
  • BZ - 2047290 - Update container-tools:rhel8/toolbox to 0.0.99.3
  • BZ - 2059658 - join template in podman inspect errors when new line is selected as a separator
  • BZ - 2080458 - Podman volume plugin timeout should be configurable
  • BZ - 2089790 - Backport podman's PR 14319 in RHEL's podman 4.0 banch
  • BZ - 2090166 - Error in man podman run manual
  • BZ - 2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
  • BZ - 2097708 - [RFE]Podman support to perform custom actions on unhealthy containers
  • BZ - 2106396 - avc: denied { ioctl } for pid=510216 comm="iptables" path="/var/lib/containers/storage/overlay/7d65c03c0ff08daf6366d735723151aa1f2cf165d51be30f62bded9ed586b838/merged" dev="overlay" ino=42308193 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023
  • BZ - 2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
  • BZ - 2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
  • BZ - 2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
  • BZ - 2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
  • BZ - 2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
  • BZ - 2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
  • BZ - 2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
  • BZ - 2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
  • BZ - 2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal
  • BZ - 2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
  • BZ - 2116481 - Two aardvark-dns instances trying to use the same port on the same interface (netavark)
  • BZ - 2116922 - podman creates lock file in /etc/cni/net.d/cni.lock instead of /run/lock/
  • BZ - 2120435 - (podman image trust) does not support the new trust type "sigstoreSigned "
  • BZ - 2121841 - Multiple default gateways are created inside container if there are multiple interfaces
  • BZ - 2123415 - Pulling images from registry.access.redhat.com fails to find RPM-GPG-KEY-redhat-beta keys
  • BZ - 2124414 - aardvark-dns: Always return both A and AAAA records no matter what QTYPE is specified in DNS request
  • BZ - 2124416 - aardvark-dns: Recursion Available bit is not set in response header
  • BZ - 2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
  • BZ - 2124705 - containers-common-1-44 is missing RPM-GPG-KEY-redhat-beta [RHEL 8.7]
  • BZ - 2124952 - Podman volume plugin timeout should be configurable [RHEL 8.8.0]
  • BZ - 2126243 - Podman container got global IPv6 address unexpectedly even when macvlan network is created for pure IPv4 network
  • BZ - 2126697 - containers config.json gets empty after sudden power loss
  • BZ - 2128675 - Need way to tell aardvark DNS to refer to a particular DNS, and not host's configured DNS
  • BZ - 2131741 - [RFE] python-podman: Podman support to perform custom actions on unhealthy containers
  • BZ - 2131836 - PANIC podman API service endpoint handler panic
  • BZ - 2135970 - Podman push image to redhat quay with sigstore was failed
  • BZ - 2135973 - Skopeo push image to redhat quay with sigstore was failed
  • BZ - 2136319 - Buildah push image to redhat quay with sigstore was failed
  • BZ - 2136933 - Two aardvark-dns instances trying to use the same port on the same interface. [rhel-8.8] (aardvark-dns)
  • BZ - 2138434 - podman: ubi8 sticky bit removed from /tmp
  • BZ - 2139052 - The udica version in RHEL 8.7(0.2.6-3) is lower than RHEL 8.6(0.2.6-4)
  • BZ - 2139724 - [cockpit-podman] RHEL 8.8 Tier 0 Localization
  • BZ - 2140084 - SIGSEGV: segmentation violation on s390x
  • BZ - 2140087 - SIGSEGV: segmentation violation on s390x
  • BZ - 2141452 - buildah: ubi8 sticky bit removed from /tmp
  • BZ - 2142711 - Static MAC address is not working inside the container in podman-netavark-mcvlan
  • BZ - 2144754 - FailingStreak is not reset to 0 when the container starts again.
  • BZ - 2152516 - "docker build" doesn't work anymore if it is targeting a podman server
  • BZ - 2153036 - multiple dbus user processes being spawned
  • BZ - 2155828 - podman rm leaves running container behind
  • BZ - 2157930 - podman exec fails with Error: an exec session with ID already exists: exec session already exists
  • BZ - 2158084 - Amend crun package dependencies [rhel-8.8]
  • BZ - 2158469 - Update shortnames.conf
  • BZ - 2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests
  • BZ - 2161682 - Podman v4.4RC1 can't find /etc/cni/net.d
  • BZ - 2163759 - [container-tools:rhel8/toolbox] Support RHEL 9 Toolbx containers
  • BZ - 2165875 - podman can not start a rootless container with option --privileged and runtime runc
  • BZ - 2168256 - CVE-2023-0778 podman: symlink exchange attack in podman export volume

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started