RHSA-2020:1227 - Security Advisory

Topic

An update for podman is now available for Red Hat Enterprise Linux 7 Extras.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods is a concept in Kubernetes.

Security Fix(es):

• podman: resolving symlink in host filesystem leads to unexpected results of copy operation (CVE-2019-18466)
• containers/image: Container images read entire image manifest into memory (CVE-2020-1702)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

• [extras-rhel-7] conmon binary stripped but debuginfo not generated (BZ#1650395)
• Cannot run systemd-container with SCL service due to RHSA-2019:2091 fix (BZ#1758509)
• Podman does not enforce registries.block in the registries.conf file (BZ#1787666)
• podman and podman-manpages needs merging (BZ#1788549)
• podman should be linked against gpgme-pthread (BZ#1793083)
• podman cannot support load tarball which the name with colon but docker can support this (BZ#1797599)
• podman (1.6.4) rhel 8.1 no route to host from inside container [extras-rhel-7.8/podman] (BZ#1806895)
• Podman can't reuse a container name, even if the container that was using it is no longer around [extras-rhel-7.8/podman] (BZ#1807437)
• podman exec does not reads from stdin [extras-rhel-7.8/podman] (BZ#1807586)
• [FJ8.2 Bug]: [REG]The "--group-add" option of "podman create" doesn't function. [extras-rhel-7.8/podman] (BZ#1808702)

Enhancement(s):

• [RFE] sctp support for podman (BZ#1664218)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 7 x86_64
• Red Hat Enterprise Linux Workstation 7 x86_64
• Red Hat Enterprise Linux for IBM z Systems 7 s390x
• Red Hat Enterprise Linux for Power, little endian 7 ppc64le

Fixes

• BZ - 1650395 - [extras-rhel-7] conmon binary stripped but debuginfo not generated
• BZ - 1744588 - CVE-2019-18466 podman: resolving symlink in host filesystem leads to unexpected results of copy operation
• BZ - 1758509 - Cannot run systemd-container with SCL service due to RHSA-2019:2091 fix
• BZ - 1788549 - podman and podman-manpages needs merging
• BZ - 1792796 - CVE-2020-1702 containers/image: Container images read entire image manifest into memory
• BZ - 1797599 - podman cannot support load tarball which the name with colon but docker can support this
• BZ - 1806895 - podman (1.6.4) rhel 8.1 no route to host from inside container [extras-rhel-7.8/podman]
• BZ - 1807437 - Podman can't reuse a container name, even if the container that was using it is no longer around [extras-rhel-7.8/podman]
• BZ - 1807586 - podman exec does not reads from stdin [extras-rhel-7.8/podman]
• BZ - 1808702 - [FJ8.2 Bug]: [REG]The "--group-add" option of "podman create" doesn't function. [extras-rhel-7.8/podman]

CVEs

• CVE-2019-18466
• CVE-2020-1702

References

• https://access.redhat.com/security/updates/classification/#moderate