Issued: 2024-09-12
Updated: 2024-09-12
RHBA-2024:6650 - Bug Fix Advisory
Synopsis
Updated rhel9/flatpak-runtime and rhel9/flatpak-sdk container images update
Type/Severity
Bug Fix Advisory
Topic
Updated rhel9/flatpak-runtime and rhel9/flatpak-sdk container images are now available in the Red Hat container registry.
Description
Flatpak is a system for running graphical applications as containers. A Flatpak application has access to content from two container images - the application itself, and the runtime image. To build against a particular runtime image, a corresponding SDK image is used.
flatpak-runtime provides the runtime image and flatpak-sdk provides the SDK image.
This updates the rhel9/flatpak-runtime and the rhel9/flatpak-sdk container images in the Red Hat container registry.
Solution
To install and use Red Hat Enterprise Linux Flatpak content available in the Red Hat Container Catalog, make sure that you have the latest version of the Flatpak client installed on your system:
yum update flatpak
After updating the Flatpak packages, add the Flatpak remote to your system. This enables the Flatpak client and gnome-software to find RHEL Flatpak content available on the Red Hat Container Catalog:
flatpak remote-add rhel https://flatpaks.redhat.io/rhel.flatpakrepo
Provide the credentials for your Red Hat Enterprise Linux account:
podman login registry.redhat.io
Podman only saves credentials until the user logs out. To save your credentials permanently, run:
cp $XDG_RUNTIME_DIR/containers/auth.json $HOME/.config/flatpak/oci-auth.json
To enable the RHEL Flatpak remote for a set of workstations within an organization, you should use a Registry Service Account. Credentials can be installed system-wide at /etc/flatpak/oci-auth.json.
Then, you can install the runtime and the SDK:
flatpak install rhel com.redhat.Platform//el8
flatpak install rhel com.redhat.Sdk//el8
Generally, you do not need to install the runtime explicitly. It is installed along with an application that uses it.
If you have previously installed the runtime or SDK, you can update to the latest version by running:
flatpak update
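The credential step above copies a Podman login token into a permanent file, so it is worth checking what is copied and how it is protected. The following shell function is an added example and not part of the Red Hat advisory; it assumes GNU coreutils (`stat -c`, as on RHEL) and that the Podman auth file uses the standard `{"auths": {...}}` layout, and the JSON it is tested with is constructed.

```shell
#!/bin/sh
# Added example (not Red Hat's code): persist the Podman registry.redhat.io
# login for Flatpak, as the advisory's cp step does, but with checks:
#  - the source auth file must exist and contain a registry.redhat.io entry,
#  - the copy is created owner-only (0600) because it holds a long-lived token.
# Destination defaults to the per-user path from the advisory; pass
# /etc/flatpak/oci-auth.json as the second argument for a system-wide install.
set -u

install_oci_auth() {
    src="${1:-${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/containers/auth.json}"
    dst="${2:-${HOME}/.config/flatpak/oci-auth.json}"

    if [ ! -r "$src" ]; then
        echo "no Podman auth file at $src; run 'podman login registry.redhat.io' first" >&2
        return 1
    fi
    # Podman keeps one entry per registry; refuse to persist a file that does
    # not contain the login Flatpak needs (e.g. only a quay.io login).
    if ! grep -q '"registry.redhat.io"' "$src"; then
        echo "$src has no registry.redhat.io entry" >&2
        return 2
    fi
    mkdir -p "$(dirname "$dst")" || return 3
    # umask 077 makes the new file 0600 even if the caller's umask is permissive;
    # chmod covers the case where an older, more permissive copy already existed.
    ( umask 077 && cp "$src" "$dst" ) || return 3
    chmod 0600 "$dst"
    return 0
}

# Return the permission bits of the persisted file so a caller can verify the
# credential is not group- or world-readable.
oci_auth_mode() {
    stat -c '%a' "${1:-${HOME}/.config/flatpak/oci-auth.json}"
}
```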
The SDK is used by running flatpak-builder with a manifest that includes:
{
[...]
"runtime": "com.redhat.Platform",
"runtime-version": "el8",
"sdk": "com.redhat.Sdk",
}
For more information about the image, search the <image_name> in the Red Hat Ecosystem Catalog: https://catalog.redhat.com/software/containers/search.
Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
Fixes
- BZ - 2265797 - CVE-2023-52463 kernel: efivarfs: force RO when remounting if SetVariable is not supported
- BZ - 2269434 - CVE-2024-26629 kernel: nfsd: fix RELEASE_LOCKOWNER
- BZ - 2269436 - CVE-2024-26630 kernel: mm: cachestat: fix folio read-after-free in cache walk
- BZ - 2273141 - CVE-2024-26720 kernel: mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again
- BZ - 2275678 - CVE-2024-26886 kernel: Bluetooth: af_bluetooth: Fix deadlock
- BZ - 2278206 - CVE-2024-26946 kernel: kprobes/x86: Use copy_from_kernel_nofault() to read from unsafe address
- BZ - 2281052 - CVE-2024-35791 kernel: KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()
- BZ - 2281151 - CVE-2024-35797 kernel: mm: cachestat: fix two shmem bugs
- BZ - 2281727 - CVE-2024-35875 kernel: x86/coco: Require seeding RNG with RDRAND on CoCo systems
- BZ - 2281968 - CVE-2024-36000 kernel: mm/hugetlb: fix missing hugetlb_lock for resv uncharge
- BZ - 2282709 - CVE-2023-52801 kernel: iommufd: Fix missing update of domains_itree after splitting iopt_area
- BZ - 2284271 - CVE-2024-36883 kernel: net: fix out-of-bounds access in ops_init
- BZ - 2284402 - CVE-2024-36019 kernel: regmap: maple: Fix cache corruption in regcache_maple_drop()
- BZ - 2292836 - CVE-2024-38428 wget: Misinterpretation of input may lead to improper behavior
- BZ - 2293273 - CVE-2024-38619 kernel: usb-storage: alauda: Check whether the media is initialized
- BZ - 2293276 - CVE-2024-36979 kernel: net: bridge: mst: fix vlan use-after-free
- BZ - 2293440 - CVE-2024-38559 kernel: scsi: qedf: Ensure the copied buf is NUL terminated
- BZ - 2293950 - CVE-2024-29510 ghostscript: format string injection leads to shell command execution (SAFER bypass)
- BZ - 2293958 - CVE-2024-33869 ghostscript: path traversal and command execution due to path reduction
- BZ - 2293959 - CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths
- BZ - 2294676 - CVE-2024-37371 krb5: GSS message token handling
- BZ - 2294677 - CVE-2024-37370 krb5: GSS message token handling
- BZ - 2297511 - CVE-2024-40927 kernel: xhci: Handle TD clearing for multiple streams case
- BZ - 2297520 - CVE-2024-40936 kernel: cxl/region: Fix memregion leaks in devm_cxl_add_region()
- BZ - 2300010 - CVE-2024-40897 orc: Stack-based buffer overflow vulnerability in ORC
- BZ - 2300409 - CVE-2024-41040 kernel: net/sched: Fix UAF when resolving a clash
- BZ - 2300414 - CVE-2024-41044 kernel: ppp: reject claimed-as-LCP but actually malformed packets
- BZ - 2300429 - CVE-2024-41055 kernel: mm: prevent derefencing NULL ptr in pfn_section_valid()
- BZ - 2300491 - CVE-2024-41096 kernel: PCI/MSI: Fix UAF in msi_capability_init
- BZ - 2300520 - CVE-2024-42082 kernel: xdp: Remove WARN() from __xdp_reg_mem_model()
- BZ - 2300713 - CVE-2024-42096 kernel: x86: stop playing stack games in profile_pc()
- BZ - 2301465 - CVE-2024-42102 kernel: Revert "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again"
- BZ - 2301496 - CVE-2024-42131 kernel: mm: avoid overflows in dirty throttling logic
- BZ - 2301637 - CVE-2024-41073 kernel: nvme: avoid double free special payload
CVEs
- CVE-2023-52463
- CVE-2023-52801
- CVE-2024-6923
- CVE-2024-26629
- CVE-2024-26630
- CVE-2024-26720
- CVE-2024-26886
- CVE-2024-26946
- CVE-2024-29510
- CVE-2024-33869
- CVE-2024-33870
- CVE-2024-34397
- CVE-2024-35791
- CVE-2024-35797
- CVE-2024-35875
- CVE-2024-36000
- CVE-2024-36019
- CVE-2024-36883
- CVE-2024-36979
- CVE-2024-37370
- CVE-2024-37371
- CVE-2024-38428
- CVE-2024-38559
- CVE-2024-38619
- CVE-2024-39331
- CVE-2024-40897
- CVE-2024-40927
- CVE-2024-40936
- CVE-2024-41040
- CVE-2024-41044
- CVE-2024-41055
- CVE-2024-41073
- CVE-2024-41096
- CVE-2024-42082
- CVE-2024-42096
- CVE-2024-42102
- CVE-2024-42131
x86_64
rhel9/flatpak-sdk@sha256:f1355e3c2074d159ecef15614b568d5a1e38d9bdb80c609b8e394f3128064537
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.