Mageia alert MGASA-2023-0213 (skopeo/buildah/podman)
| From: | Mageia Updates <buildsystem-daemon@mageia.org> | |
| To: | updates-announce@ml.mageia.org | |
| Subject: | [updates-announce] MGASA-2023-0213: Updated skopeo/buildah/podman packages fix security vulnerability | |
| Date: | Fri, 07 Jul 2023 07:55:47 +0200 | |
| Message-ID: | <20230707055547.E71CF9FE4E@duvel.mageia.org> | |
| Archive-link: | Article |
MGASA-2023-0213 - Updated skopeo/buildah/podman packages fix security vulnerability Publication date: 07 Jul 2023 URL: https://advisories.mageia.org/MGASA-2023-0213.html Type: security Affected Mageia releases: 8 CVE: CVE-2021-3602, CVE-2021-4024, CVE-2021-20206, CVE-2021-20291, CVE-2021-34558, CVE-2021-41190, CVE-2022-1227, CVE-2022-2989, CVE-2022-2990, CVE-2022-21698, CVE-2022-27191, CVE-2022-27649, CVE-2022-27651 Description: Information disclosure flaw was found in Buildah (CVE-2021-3602) podman allows forwarding hosts ports to vm from within vm (CVE-2021-4024) Allows use "../" separators in containernetworking/cni to reference binaries such as 'reboot' in network configuration (CVE-2021-20206) github.com/containers/storage ddos via crafted tar file (CVE-2021-20291) buildah improper checking of X.509 certificate (CVE-2021-34558) buildah improper Content-Type checking (CVE-2021-41190) podman privilege escalation (CVE-2022-1227) podman incorrect handling of the supplementary groups (CVE-2022-2989) buildah incorrect handling of the supplementary groups (CVE-2022-2990) skopeo/podman Denial of Service through unbounded cardinality, and potential memory exhaustion (CVE-2022-21698) buildah/podman AddHostKey denail of service (CVE-2022-27191) podman inheritable file capabilities (CVE-2022-27649) buildah inheritable file capabilities (CVE-2022-27651) References: - https://bugs.mageia.org/show_bug.cgi?id=28885 - https://lists.fedoraproject.org/archives/list/package-ann... - https://lists.fedoraproject.org/archives/list/package-ann... - https://lists.fedoraproject.org/archives/list/package-ann... - https://lists.fedoraproject.org/archives/list/package-ann... - https://lists.fedoraproject.org/archives/list/package-ann... - https://lists.fedoraproject.org/archives/list/package-ann... - https://lists.fedoraproject.org/archives/list/package-ann... - https://lists.fedoraproject.org/archives/list/package-ann... - https://lists.fedoraproject.org/archives/list/package-ann... - https://lists.fedoraproject.org/archives/list/package-ann... - https://lists.fedoraproject.org/archives/list/package-ann... - https://lists.fedoraproject.org/archives/list/package-ann... - https://lists.fedoraproject.org/archives/list/package-ann... - https://lists.fedoraproject.org/archives/list/package-ann... - https://bugzilla.redhat.com/show_bug.cgi?id=1969264 - https://github.com/containers/buildah/security/advisories... - https://lists.fedoraproject.org/archives/list/package-ann... - https://lists.fedoraproject.org/archives/list/package-ann... - https://lists.fedoraproject.org/archives/list/package-ann... - https://lists.fedoraproject.org/archives/list/package-ann... - https://lists.fedoraproject.org/archives/list/package-ann... - https://lists.fedoraproject.org/archives/list/package-ann... - https://lists.fedoraproject.org/archives/list/package-ann... - https://lists.fedoraproject.org/archives/list/package-ann... - https://lists.fedoraproject.org/archives/list/package-ann... - https://lists.fedoraproject.org/archives/list/package-ann... - https://lists.opensuse.org/archives/list/security-announc... - https://lists.opensuse.org/archives/list/security-announc... - https://lists.fedoraproject.org/archives/list/package-ann... - https://lists.fedoraproject.org/archives/list/package-ann... - https://lists.opensuse.org/archives/list/security-announc... - https://lists.fedoraproject.org/archives/list/package-ann... - https://lists.fedoraproject.org/archives/list/package-ann... - https://lists.opensuse.org/archives/list/security-announc... - https://lists.opensuse.org/archives/list/security-announc... - https://lists.suse.com/pipermail/sle-security-updates/202... - https://lists.opensuse.org/archives/list/security-announc... - https://access.redhat.com/errata/RHSA-2022:7822 - https://lists.suse.com/pipermail/sle-security-updates/202... - https://lists.opensuse.org/archives/list/security-announc... - https://lists.fedoraproject.org/archives/list/package-ann... - https://lists.fedoraproject.org/archives/list/package-ann... - https://lists.fedoraproject.org/archives/list/package-ann... - https://ubuntu.com/security/notices/USN-6170-1 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3602 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4024 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1227 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2989 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2990 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2... SRPMS: - 8/core/skopeo-1.12.0-2.mga8 - 8/core/conmon-2.1.5-1.mga8 - 8/core/buildah-1.30.0-1.mga8 - 8/core/podman-4.5.1-1.mga8