podman security and bug fix update

2024-05-1014:32:42

Rockylinux Product Errata

errata.rockylinux.org

podman

security

bug fixes

rocky linux 9

cve

container escape

liveness probe

image copy

docker cli

s2i

sigsegv

CVSS3

8.6

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score

7.2

Confidence

Low

EPSS

0.001

Percentile

17.1%

JSON

An update is available for podman.
This update affects Rocky Linux 9.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list
The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods is a concept in Kubernetes.

Security Fixes:

podman: golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON (CVE-2024-24786)
podman: buildah: full container escape at build time (CVE-2024-1753)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fixes:

liveness probe not called by podman when using httpGet (JIRA:Rocky Linux-28633)
Unable to copy image from one virtual machine to another using “podman image scp” (JIRA:Rocky Linux-28629)
[v4.9] Backport two docker CLI compatibility fixes (JIRA:Rocky Linux-28636)
Issue in podman causing S2I to fail in overwriting ENTRYPOINT (JIRA:Rocky Linux-14922)
Need to backport podman fix for SIGSEGV in Rocky Linux 9.3/8.9 for UBI based containers (JIRA:Rocky Linux-26843)

OSVersionArchitecturePackageVersionFilename
rocky9aarch64podman< 4.9.4-3.el9_4podman-4:4.9.4-3.el9_4.aarch64.rpm
rocky9ppc64lepodman< 4.9.4-3.el9_4podman-4:4.9.4-3.el9_4.ppc64le.rpm
rocky9s390xpodman< 4.9.4-3.el9_4podman-4:4.9.4-3.el9_4.s390x.rpm
rocky9x86_64podman< 4.9.4-3.el9_4podman-4:4.9.4-3.el9_4.x86_64.rpm
rocky9aarch64podman-debuginfo< 4.9.4-3.el9_4podman-debuginfo-4:4.9.4-3.el9_4.aarch64.rpm
rocky9ppc64lepodman-debuginfo< 4.9.4-3.el9_4podman-debuginfo-4:4.9.4-3.el9_4.ppc64le.rpm
rocky9s390xpodman-debuginfo< 4.9.4-3.el9_4podman-debuginfo-4:4.9.4-3.el9_4.s390x.rpm
rocky9x86_64podman-debuginfo< 4.9.4-3.el9_4podman-debuginfo-4:4.9.4-3.el9_4.x86_64.rpm
rocky9aarch64podman-debugsource< 4.9.4-3.el9_4podman-debugsource-4:4.9.4-3.el9_4.aarch64.rpm
rocky9ppc64lepodman-debugsource< 4.9.4-3.el9_4podman-debugsource-4:4.9.4-3.el9_4.ppc64le.rpm

OS	Version	Architecture	Package	Version	Filename
rocky	9	aarch64	podman	< 4.9.4-3.el9_4	podman-4:4.9.4-3.el9_4.aarch64.rpm
rocky	9	ppc64le	podman	< 4.9.4-3.el9_4	podman-4:4.9.4-3.el9_4.ppc64le.rpm
rocky	9	s390x	podman	< 4.9.4-3.el9_4	podman-4:4.9.4-3.el9_4.s390x.rpm
rocky	9	x86_64	podman	< 4.9.4-3.el9_4	podman-4:4.9.4-3.el9_4.x86_64.rpm
rocky	9	aarch64	podman-debuginfo	< 4.9.4-3.el9_4	podman-debuginfo-4:4.9.4-3.el9_4.aarch64.rpm
rocky	9	ppc64le	podman-debuginfo	< 4.9.4-3.el9_4	podman-debuginfo-4:4.9.4-3.el9_4.ppc64le.rpm
rocky	9	s390x	podman-debuginfo	< 4.9.4-3.el9_4	podman-debuginfo-4:4.9.4-3.el9_4.s390x.rpm
rocky	9	x86_64	podman-debuginfo	< 4.9.4-3.el9_4	podman-debuginfo-4:4.9.4-3.el9_4.x86_64.rpm
rocky	9	aarch64	podman-debugsource	< 4.9.4-3.el9_4	podman-debugsource-4:4.9.4-3.el9_4.aarch64.rpm
rocky	9	ppc64le	podman-debugsource	< 4.9.4-3.el9_4	podman-debugsource-4:4.9.4-3.el9_4.ppc64le.rpm