Red Hat Product Errata RHBA-2024:7754 - Bug Fix Advisory
Issued:
2024-10-07
Updated:
2024-10-07

RHBA-2024:7754 - Bug Fix Advisory

Synopsis

Updated rhel8/flatpak-runtime and rhel8/flatpak-sdk container images update

Type/Severity

Bug Fix Advisory

Topic

Updated rhel8/flatpak-runtime and rhel8/flatpak-sdk container images are now available in the Red Hat container registry.

Description

Flatpak is a system for running graphical applications as containers. A Flatpak application has access to content from two container images - the application itself, and the runtime image. To build against a particular runtime image, a corresponding SDK image is used.

flatpak-runtime provides the runtime image and flatpak-sdk provides the SDK image.

Solution

To install and use Red Hat Enterprise Linux Flatpak content available in the the Red Hat Container Catalog, make sure that you have the latest version of the Flatpak client installed on your system:

yum update flatpak

After updating the Flatpak packages, add the Flatpak remote to your system. This enables the Flatpak client and gnome-software to find RHEL Flatpak content available on the Red Hat Container Catalog:

flatpak remote-add rhel https://flatpaks.redhat.io/rhel.flatpakrepo

Provide the credentials for your Red Hat Enterprise Linux account:

podman login registry.redhat.io

Podman only saves credentials until the user logs out. To save your credentials permanently, run:

cp $XDG_RUNTIME_DIR/containers/auth.json $HOME/.config/flatpak/oci-auth.json

To enable the RHEL Flatpak remote for a set of workstations within an organization, you should use a Registry Service Account. Credentials can be installed system-wide at /etc/flatpak/oci-auth.json.

Then, you can install the runtime and the SDK:

flatpak install rhel com.redhat.Platform//el8
flatpak install rhel com.redhat.Sdk//el8

Generally, you do not need to install the runtime explicitly. It is installed along with an application that uses it.

If you have previously installed the runtime or SDK, you can update to the latest version by running:

flatpak update

The SDK is used by using flatpak-builder with a manifest that includes:

{
[...]
"runtime": "com.redhat.Platform",
"runtime-version": "el8",
"sdk": "com.redhat.Sdk",
}

For more information about the image, search the <image_name> in the Red Hat Ecosystem Catalog: https://catalog.redhat.com/software/containers/search.

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for ARM 64 8 aarch64

Fixes

  • BZ - 2280296 - CVE-2024-30203 emacs: Gnus treats inline MIME contents as trusted
  • BZ - 2280298 - CVE-2024-30205 emacs: Org mode considers contents of remote files to be trusted
  • BZ - 2292921 - CVE-2024-4032 python: incorrect IPv4 and IPv6 private ranges
  • BZ - 2293942 - CVE-2024-39331 emacs: org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
  • BZ - 2302255 - CVE-2024-6923 cpython: python: email module doesn't properly quotes newlines in email headers, allowing header injection
  • BZ - 2308615 - CVE-2024-45490 libexpat: Negative Length Parsing Vulnerability in libexpat
  • BZ - 2308616 - CVE-2024-45491 libexpat: Integer Overflow or Wraparound
  • BZ - 2308617 - CVE-2024-45492 libexpat: integer overflow
  • BZ - 2309426 - CVE-2024-6232 python: cpython: tarfile: ReDos via excessive backtracking while parsing header values
  • RHEL-48605 - Fedora 40+ mock cannot bootstrap RHEL 8 chroots: nothing provides /usr/libexec/platform-python needed by python3-dnf

CVEs

x86_64

rhel8/flatpak-runtime@sha256:17a112da9bc3f2144590ff92cf9b0ff41880856b83e632c643097cc3b4054f74
rhel8/flatpak-sdk@sha256:fe063766963faa6b0741d0bd063695d4df4cd16c9779638e7e3cf5424962aa5d

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.