Sep 05, 2023 - 9:31 a.m.

Advisory ROSA-SA-2023-2227

2023-09-05 09:31:53
ROSA LAB
abf.rosalinux.ru
buildah
axis: rosa-chrome
security updates
bug
medium
high
container engine
linux
confidentiality
integrity
disclosure
data modification

CVSS2: 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: SINGLE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: NONE

CVSS3: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: NONE

EPSS: 0.001
  Percentile: 48.7%

software: buildah 1.30.0
AXIS: ROSA-CHROME

package_evr_string: buildah-1.30.0-2.src.rpm

CVE-ID: CVE-2022-27651
BDU-ID: None
CVE-Crit: MEDIUM
CVE-DESC.: A flaw in buildah caused containers to be incorrectly started with non-empty default permissions. A bug was discovered in Moby (Docker Engine) that caused containers to be incorrectly started with non-empty inheritable Linux process capabilities, allowing an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. This could impact confidentiality and integrity.
CVE-STATUS: Fixed
CVE-REV: To remediate, run the command: sudo dnf update buildah

CVE-ID: CVE-2022-2990
BDU-ID: None
CVE-Crit: HIGH
CVE-DESC.: Improper handling of supplementary groups in the Buildah container engine could result in the disclosure of sensitive information or possible data modification if an attacker has direct access to the affected container, where supplementary groups are used to set permissions, and can execute binary code in that container.
CVE-STATUS: Resolved
CVE-REV: To remediate, run the command: sudo dnf update buildah

OS      Version   Architecture   Package   Version    Filename
ROSA    any       noarch         buildah   < 1.30.0   UNKNOWN
