-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: container-tools:rhel8 security, bug fix, and enhancement update
Advisory ID:       RHSA-2019:3403-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:3403
Issue date:        2019-11-05
CVE Names:         CVE-2019-10214 CVE-2019-14378 
====================================================================
1. Summary:

An update for the container-tools:rhel8 module is now available for Red Hat
Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The container-tools module contains tools for working with containers,
notably podman, buildah, skopeo, and runc.

Security Fix(es):

* QEMU: slirp: heap buffer overflow during packet reassembly
(CVE-2019-14378)

* containers/image: not enforcing TLS when sending username+password
credentials to token servers leading to credential disclosure
(CVE-2019-10214)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1655211 - podman exec seems to assume console even if -ti is not used
1661597 - Under podman, python recompiles sources even if they are compiled in build time
1671023 - timeout not working with podman pull on rhel8 beta
1672581 - podman does not respect -q option while pulling an image
1674519 - Not able to create volumes using Dockerfile using podman
1677251 - AVC while running php container [x86_64 only]
1677264 - There is no certs.d directory for podman currently
1689255 - don't allow a container to connect to random services
1690514 - rootless unable to access subscription: non-root podman should read /usr/share/containers/mounts.conf
1691543 - rootless unable to access subscription: bad permissions on /usr/share/rhel/secrets
1692513 - unable to mount disk at `/var/lib/containers` via `systemd` unit when `container-selinux` policy installed
1693154 - Varlink subcommand is missing for podman in rhel-8.0
1693424 - rootless: cannot specify gid= mount options for unmapped gid in rootless containers
1707220 - Add event notifications (blocking cockpit-podman)
1719626 - podman exec rc-code needs to distinguish between stopped containers and non existing ones
1719994 - [8.1.0] Registries.conf not configured to search registry.access.redhat.com
1720646 - python-podman-api needs python-psutil at runtime
1720654 - rebase packages
1721247 - [rhel-8.1.0] build without the `no_openssl` buildtag
1721638 - Podman build segfaults on Dockerfiles with RUN instruction
1723879 - Performance Problems with Podman on systems with IO load
1728700 - Unable to install container-selinux 2.107
1730281 - podman leaks kernel memory due to return code stored in tmpfs
1731117 - podman exec leaks an exec_pid_ file for every exec in tmpfs
1732508 - CVE-2019-10214 containers/image: not enforcing TLS when sending username+password credentials to token servers leading to credential disclosure
1734745 - CVE-2019-14378 QEMU: slirp: heap buffer overflow during packet reassembly
1734809 - Wrong AppStream ID
1737077 - after a podman rm --all, sometimes one cannot recreate a previously existing container
1739961 - cannot find "static" IPAM module and IPAM support for the host-device module
1740079 - race/corruption: podman failed to launch containers
1741157 - exit status from command run in container not forwarded to outside
1743685 - Regression: rootless: podman run --rm hangs

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
buildah-1.9.0-5.module+el8.1.0+4240+893c1ab8.src.rpm
cockpit-podman-4-1.module+el8.1.0+4081+b29780af.src.rpm
container-selinux-2.107-2.module+el8.1.0+4081+b29780af.src.rpm
containernetworking-plugins-0.8.1-2.module+el8.1.0+4081+b29780af.src.rpm
fuse-overlayfs-0.4.1-1.module+el8.1.0+4081+b29780af.src.rpm
oci-systemd-hook-0.1.15-2.git2d0b8a3.module+el8.1.0+4081+b29780af.src.rpm
oci-umount-2.3.4-2.git87f9237.module+el8.1.0+4081+b29780af.src.rpm
podman-1.4.2-5.module+el8.1.0+4240+893c1ab8.src.rpm
python-podman-api-1.2.0-0.1.gitd0a45fe.module+el8.1.0+4081+b29780af.src.rpm
runc-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.src.rpm
skopeo-0.1.37-5.module+el8.1.0+4240+893c1ab8.src.rpm
slirp4netns-0.3.0-4.module+el8.1.0+4306+1d917805.src.rpm
toolbox-0.0.4-1.module+el8.1.0+4081+b29780af.src.rpm

aarch64:
buildah-1.9.0-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm
buildah-debuginfo-1.9.0-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm
buildah-debugsource-1.9.0-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm
buildah-tests-1.9.0-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm
buildah-tests-debuginfo-1.9.0-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm
containernetworking-plugins-0.8.1-2.module+el8.1.0+4081+b29780af.aarch64.rpm
containernetworking-plugins-debuginfo-0.8.1-2.module+el8.1.0+4081+b29780af.aarch64.rpm
containernetworking-plugins-debugsource-0.8.1-2.module+el8.1.0+4081+b29780af.aarch64.rpm
containers-common-0.1.37-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm
fuse-overlayfs-0.4.1-1.module+el8.1.0+4081+b29780af.aarch64.rpm
fuse-overlayfs-debuginfo-0.4.1-1.module+el8.1.0+4081+b29780af.aarch64.rpm
fuse-overlayfs-debugsource-0.4.1-1.module+el8.1.0+4081+b29780af.aarch64.rpm
oci-systemd-hook-0.1.15-2.git2d0b8a3.module+el8.1.0+4081+b29780af.aarch64.rpm
oci-systemd-hook-debuginfo-0.1.15-2.git2d0b8a3.module+el8.1.0+4081+b29780af.aarch64.rpm
oci-systemd-hook-debugsource-0.1.15-2.git2d0b8a3.module+el8.1.0+4081+b29780af.aarch64.rpm
oci-umount-2.3.4-2.git87f9237.module+el8.1.0+4081+b29780af.aarch64.rpm
oci-umount-debuginfo-2.3.4-2.git87f9237.module+el8.1.0+4081+b29780af.aarch64.rpm
oci-umount-debugsource-2.3.4-2.git87f9237.module+el8.1.0+4081+b29780af.aarch64.rpm
podman-1.4.2-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm
podman-debuginfo-1.4.2-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm
podman-debugsource-1.4.2-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm
podman-remote-1.4.2-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm
podman-remote-debuginfo-1.4.2-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm
podman-tests-1.4.2-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm
runc-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.aarch64.rpm
runc-debuginfo-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.aarch64.rpm
runc-debugsource-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.aarch64.rpm
skopeo-0.1.37-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm
skopeo-debuginfo-0.1.37-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm
skopeo-debugsource-0.1.37-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm
skopeo-tests-0.1.37-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm
slirp4netns-0.3.0-4.module+el8.1.0+4306+1d917805.aarch64.rpm
slirp4netns-debuginfo-0.3.0-4.module+el8.1.0+4306+1d917805.aarch64.rpm
slirp4netns-debugsource-0.3.0-4.module+el8.1.0+4306+1d917805.aarch64.rpm
toolbox-0.0.4-1.module+el8.1.0+4081+b29780af.aarch64.rpm

noarch:
cockpit-podman-4-1.module+el8.1.0+4081+b29780af.noarch.rpm
container-selinux-2.107-2.module+el8.1.0+4081+b29780af.noarch.rpm
podman-docker-1.4.2-5.module+el8.1.0+4240+893c1ab8.noarch.rpm
podman-manpages-1.4.2-5.module+el8.1.0+4240+893c1ab8.noarch.rpm
python-podman-api-1.2.0-0.1.gitd0a45fe.module+el8.1.0+4081+b29780af.noarch.rpm

ppc64le:
buildah-1.9.0-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm
buildah-debuginfo-1.9.0-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm
buildah-debugsource-1.9.0-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm
buildah-tests-1.9.0-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm
buildah-tests-debuginfo-1.9.0-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm
containernetworking-plugins-0.8.1-2.module+el8.1.0+4081+b29780af.ppc64le.rpm
containernetworking-plugins-debuginfo-0.8.1-2.module+el8.1.0+4081+b29780af.ppc64le.rpm
containernetworking-plugins-debugsource-0.8.1-2.module+el8.1.0+4081+b29780af.ppc64le.rpm
containers-common-0.1.37-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm
fuse-overlayfs-0.4.1-1.module+el8.1.0+4081+b29780af.ppc64le.rpm
fuse-overlayfs-debuginfo-0.4.1-1.module+el8.1.0+4081+b29780af.ppc64le.rpm
fuse-overlayfs-debugsource-0.4.1-1.module+el8.1.0+4081+b29780af.ppc64le.rpm
oci-systemd-hook-0.1.15-2.git2d0b8a3.module+el8.1.0+4081+b29780af.ppc64le.rpm
oci-systemd-hook-debuginfo-0.1.15-2.git2d0b8a3.module+el8.1.0+4081+b29780af.ppc64le.rpm
oci-systemd-hook-debugsource-0.1.15-2.git2d0b8a3.module+el8.1.0+4081+b29780af.ppc64le.rpm
oci-umount-2.3.4-2.git87f9237.module+el8.1.0+4081+b29780af.ppc64le.rpm
oci-umount-debuginfo-2.3.4-2.git87f9237.module+el8.1.0+4081+b29780af.ppc64le.rpm
oci-umount-debugsource-2.3.4-2.git87f9237.module+el8.1.0+4081+b29780af.ppc64le.rpm
podman-1.4.2-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm
podman-debuginfo-1.4.2-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm
podman-debugsource-1.4.2-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm
podman-remote-1.4.2-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm
podman-remote-debuginfo-1.4.2-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm
podman-tests-1.4.2-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm
runc-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.ppc64le.rpm
runc-debuginfo-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.ppc64le.rpm
runc-debugsource-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.ppc64le.rpm
skopeo-0.1.37-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm
skopeo-debuginfo-0.1.37-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm
skopeo-debugsource-0.1.37-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm
skopeo-tests-0.1.37-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm
slirp4netns-0.3.0-4.module+el8.1.0+4306+1d917805.ppc64le.rpm
slirp4netns-debuginfo-0.3.0-4.module+el8.1.0+4306+1d917805.ppc64le.rpm
slirp4netns-debugsource-0.3.0-4.module+el8.1.0+4306+1d917805.ppc64le.rpm
toolbox-0.0.4-1.module+el8.1.0+4081+b29780af.ppc64le.rpm

s390x:
buildah-1.9.0-5.module+el8.1.0+4240+893c1ab8.s390x.rpm
buildah-debuginfo-1.9.0-5.module+el8.1.0+4240+893c1ab8.s390x.rpm
buildah-debugsource-1.9.0-5.module+el8.1.0+4240+893c1ab8.s390x.rpm
buildah-tests-1.9.0-5.module+el8.1.0+4240+893c1ab8.s390x.rpm
buildah-tests-debuginfo-1.9.0-5.module+el8.1.0+4240+893c1ab8.s390x.rpm
containernetworking-plugins-0.8.1-2.module+el8.1.0+4081+b29780af.s390x.rpm
containernetworking-plugins-debuginfo-0.8.1-2.module+el8.1.0+4081+b29780af.s390x.rpm
containernetworking-plugins-debugsource-0.8.1-2.module+el8.1.0+4081+b29780af.s390x.rpm
containers-common-0.1.37-5.module+el8.1.0+4240+893c1ab8.s390x.rpm
fuse-overlayfs-0.4.1-1.module+el8.1.0+4081+b29780af.s390x.rpm
fuse-overlayfs-debuginfo-0.4.1-1.module+el8.1.0+4081+b29780af.s390x.rpm
fuse-overlayfs-debugsource-0.4.1-1.module+el8.1.0+4081+b29780af.s390x.rpm
oci-systemd-hook-0.1.15-2.git2d0b8a3.module+el8.1.0+4081+b29780af.s390x.rpm
oci-systemd-hook-debuginfo-0.1.15-2.git2d0b8a3.module+el8.1.0+4081+b29780af.s390x.rpm
oci-systemd-hook-debugsource-0.1.15-2.git2d0b8a3.module+el8.1.0+4081+b29780af.s390x.rpm
oci-umount-2.3.4-2.git87f9237.module+el8.1.0+4081+b29780af.s390x.rpm
oci-umount-debuginfo-2.3.4-2.git87f9237.module+el8.1.0+4081+b29780af.s390x.rpm
oci-umount-debugsource-2.3.4-2.git87f9237.module+el8.1.0+4081+b29780af.s390x.rpm
podman-1.4.2-5.module+el8.1.0+4240+893c1ab8.s390x.rpm
podman-debuginfo-1.4.2-5.module+el8.1.0+4240+893c1ab8.s390x.rpm
podman-debugsource-1.4.2-5.module+el8.1.0+4240+893c1ab8.s390x.rpm
podman-remote-1.4.2-5.module+el8.1.0+4240+893c1ab8.s390x.rpm
podman-remote-debuginfo-1.4.2-5.module+el8.1.0+4240+893c1ab8.s390x.rpm
podman-tests-1.4.2-5.module+el8.1.0+4240+893c1ab8.s390x.rpm
runc-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.s390x.rpm
runc-debuginfo-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.s390x.rpm
runc-debugsource-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.s390x.rpm
skopeo-0.1.37-5.module+el8.1.0+4240+893c1ab8.s390x.rpm
skopeo-debuginfo-0.1.37-5.module+el8.1.0+4240+893c1ab8.s390x.rpm
skopeo-debugsource-0.1.37-5.module+el8.1.0+4240+893c1ab8.s390x.rpm
skopeo-tests-0.1.37-5.module+el8.1.0+4240+893c1ab8.s390x.rpm
slirp4netns-0.3.0-4.module+el8.1.0+4306+1d917805.s390x.rpm
slirp4netns-debuginfo-0.3.0-4.module+el8.1.0+4306+1d917805.s390x.rpm
slirp4netns-debugsource-0.3.0-4.module+el8.1.0+4306+1d917805.s390x.rpm
toolbox-0.0.4-1.module+el8.1.0+4081+b29780af.s390x.rpm

x86_64:
buildah-1.9.0-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm
buildah-debuginfo-1.9.0-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm
buildah-debugsource-1.9.0-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm
buildah-tests-1.9.0-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm
buildah-tests-debuginfo-1.9.0-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm
containernetworking-plugins-0.8.1-2.module+el8.1.0+4081+b29780af.x86_64.rpm
containernetworking-plugins-debuginfo-0.8.1-2.module+el8.1.0+4081+b29780af.x86_64.rpm
containernetworking-plugins-debugsource-0.8.1-2.module+el8.1.0+4081+b29780af.x86_64.rpm
containers-common-0.1.37-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm
fuse-overlayfs-0.4.1-1.module+el8.1.0+4081+b29780af.x86_64.rpm
fuse-overlayfs-debuginfo-0.4.1-1.module+el8.1.0+4081+b29780af.x86_64.rpm
fuse-overlayfs-debugsource-0.4.1-1.module+el8.1.0+4081+b29780af.x86_64.rpm
oci-systemd-hook-0.1.15-2.git2d0b8a3.module+el8.1.0+4081+b29780af.x86_64.rpm
oci-systemd-hook-debuginfo-0.1.15-2.git2d0b8a3.module+el8.1.0+4081+b29780af.x86_64.rpm
oci-systemd-hook-debugsource-0.1.15-2.git2d0b8a3.module+el8.1.0+4081+b29780af.x86_64.rpm
oci-umount-2.3.4-2.git87f9237.module+el8.1.0+4081+b29780af.x86_64.rpm
oci-umount-debuginfo-2.3.4-2.git87f9237.module+el8.1.0+4081+b29780af.x86_64.rpm
oci-umount-debugsource-2.3.4-2.git87f9237.module+el8.1.0+4081+b29780af.x86_64.rpm
podman-1.4.2-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm
podman-debuginfo-1.4.2-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm
podman-debugsource-1.4.2-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm
podman-remote-1.4.2-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm
podman-remote-debuginfo-1.4.2-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm
podman-tests-1.4.2-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm
runc-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.x86_64.rpm
runc-debuginfo-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.x86_64.rpm
runc-debugsource-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.x86_64.rpm
skopeo-0.1.37-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm
skopeo-debuginfo-0.1.37-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm
skopeo-debugsource-0.1.37-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm
skopeo-tests-0.1.37-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm
slirp4netns-0.3.0-4.module+el8.1.0+4306+1d917805.x86_64.rpm
slirp4netns-debuginfo-0.3.0-4.module+el8.1.0+4306+1d917805.x86_64.rpm
slirp4netns-debugsource-0.3.0-4.module+el8.1.0+4306+1d917805.x86_64.rpm
toolbox-0.0.4-1.module+el8.1.0+4081+b29780af.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-10214
https://access.redhat.com/security/cve/CVE-2019-14378
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.1_release_notes/

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----Version: GnuPG v1

iQIVAwUBXcHqpdzjgjWX9erEAQgWdhAAiIp2qMGDNdBjAveysGwYsamOPmUQLpek
NxLzZEE4g9c1Xp8dmetUB51n11vP8UPpXM7ALUlY4zD548JruMrs4FYuxYVFYQcn
YWZR05g3S/qHT3SrcbubkibtW5kICOEK9/2HK5RIbrCIAAQWTEBd0vSpDlboaYLU
lu/rw+1h2yNl4Hr89DCyB/x/4XrItU8MzUbBDxLBT8ReF7vf6NmiKuNmQ6tecilO
3DvP40I/sepXWwbCYNJvnV7Tst31U45D4/TQoIhwBnvM4Cd3zvAQ9Z+K5Jbk5tCp
pNN7RmVfy8L6oKH2QRku34ieLhi0Za4PW4p6h8xl0mL2VJv8Tyvot0BL1Va8yJTp
8v3dUWFU+ONXlmKK1sf3Pmw11kn5D9Pa6xVzRL0YjXveE6Gs3Q0wHE+fHTMRtJIj
4fkiJTcAEAFGvetH6YwoHDTI3+hnCg3XcpLctFFU5xB2jiYDa48qmEQwUzsiCknK
Ja6zkEo2yvam2YU9QZk3F5IxNq812O0VEkP0PKb3FxNmzmFEX0VyZ1ZwJsAdunny
xCnp5qvQTnptLs11XytQKP7bOERqzsNCTQGBGGf9G3beA44XOJAOgmLOh7T5PUpU
2THkTPPU8bFJSA9kOvhh926kg1hGjqk1Z6ixSHtGNXlZn0x0FWrK00ZbSEQuqhHg
lSo2gYaJ4CE=3uAc
-----END PGP SIGNATURE-------RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2019-3403:01 Important: container-tools:rhel8 security, bug fix,

An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Imp...

Summary

The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.
Security Fix(es):
* QEMU: slirp: heap buffer overflow during packet reassembly (CVE-2019-14378)
* containers/image: not enforcing TLS when sending username+password credentials to token servers leading to credential disclosure (CVE-2019-10214)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes linked from the References section.

Summary

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2019-10214 https://access.redhat.com/security/cve/CVE-2019-14378 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.1_release_notes/

Package List

Red Hat Enterprise Linux AppStream (v. 8):
Source: buildah-1.9.0-5.module+el8.1.0+4240+893c1ab8.src.rpm cockpit-podman-4-1.module+el8.1.0+4081+b29780af.src.rpm container-selinux-2.107-2.module+el8.1.0+4081+b29780af.src.rpm containernetworking-plugins-0.8.1-2.module+el8.1.0+4081+b29780af.src.rpm fuse-overlayfs-0.4.1-1.module+el8.1.0+4081+b29780af.src.rpm oci-systemd-hook-0.1.15-2.git2d0b8a3.module+el8.1.0+4081+b29780af.src.rpm oci-umount-2.3.4-2.git87f9237.module+el8.1.0+4081+b29780af.src.rpm podman-1.4.2-5.module+el8.1.0+4240+893c1ab8.src.rpm python-podman-api-1.2.0-0.1.gitd0a45fe.module+el8.1.0+4081+b29780af.src.rpm runc-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.src.rpm skopeo-0.1.37-5.module+el8.1.0+4240+893c1ab8.src.rpm slirp4netns-0.3.0-4.module+el8.1.0+4306+1d917805.src.rpm toolbox-0.0.4-1.module+el8.1.0+4081+b29780af.src.rpm
aarch64: buildah-1.9.0-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm buildah-debuginfo-1.9.0-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm buildah-debugsource-1.9.0-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm buildah-tests-1.9.0-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm buildah-tests-debuginfo-1.9.0-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm containernetworking-plugins-0.8.1-2.module+el8.1.0+4081+b29780af.aarch64.rpm containernetworking-plugins-debuginfo-0.8.1-2.module+el8.1.0+4081+b29780af.aarch64.rpm containernetworking-plugins-debugsource-0.8.1-2.module+el8.1.0+4081+b29780af.aarch64.rpm containers-common-0.1.37-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm fuse-overlayfs-0.4.1-1.module+el8.1.0+4081+b29780af.aarch64.rpm fuse-overlayfs-debuginfo-0.4.1-1.module+el8.1.0+4081+b29780af.aarch64.rpm fuse-overlayfs-debugsource-0.4.1-1.module+el8.1.0+4081+b29780af.aarch64.rpm oci-systemd-hook-0.1.15-2.git2d0b8a3.module+el8.1.0+4081+b29780af.aarch64.rpm oci-systemd-hook-debuginfo-0.1.15-2.git2d0b8a3.module+el8.1.0+4081+b29780af.aarch64.rpm oci-systemd-hook-debugsource-0.1.15-2.git2d0b8a3.module+el8.1.0+4081+b29780af.aarch64.rpm oci-umount-2.3.4-2.git87f9237.module+el8.1.0+4081+b29780af.aarch64.rpm oci-umount-debuginfo-2.3.4-2.git87f9237.module+el8.1.0+4081+b29780af.aarch64.rpm oci-umount-debugsource-2.3.4-2.git87f9237.module+el8.1.0+4081+b29780af.aarch64.rpm podman-1.4.2-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm podman-debuginfo-1.4.2-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm podman-debugsource-1.4.2-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm podman-remote-1.4.2-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm podman-remote-debuginfo-1.4.2-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm podman-tests-1.4.2-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm runc-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.aarch64.rpm runc-debuginfo-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.aarch64.rpm runc-debugsource-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.aarch64.rpm skopeo-0.1.37-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm skopeo-debuginfo-0.1.37-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm skopeo-debugsource-0.1.37-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm skopeo-tests-0.1.37-5.module+el8.1.0+4240+893c1ab8.aarch64.rpm slirp4netns-0.3.0-4.module+el8.1.0+4306+1d917805.aarch64.rpm slirp4netns-debuginfo-0.3.0-4.module+el8.1.0+4306+1d917805.aarch64.rpm slirp4netns-debugsource-0.3.0-4.module+el8.1.0+4306+1d917805.aarch64.rpm toolbox-0.0.4-1.module+el8.1.0+4081+b29780af.aarch64.rpm
noarch: cockpit-podman-4-1.module+el8.1.0+4081+b29780af.noarch.rpm container-selinux-2.107-2.module+el8.1.0+4081+b29780af.noarch.rpm podman-docker-1.4.2-5.module+el8.1.0+4240+893c1ab8.noarch.rpm podman-manpages-1.4.2-5.module+el8.1.0+4240+893c1ab8.noarch.rpm python-podman-api-1.2.0-0.1.gitd0a45fe.module+el8.1.0+4081+b29780af.noarch.rpm
ppc64le: buildah-1.9.0-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm buildah-debuginfo-1.9.0-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm buildah-debugsource-1.9.0-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm buildah-tests-1.9.0-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm buildah-tests-debuginfo-1.9.0-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm containernetworking-plugins-0.8.1-2.module+el8.1.0+4081+b29780af.ppc64le.rpm containernetworking-plugins-debuginfo-0.8.1-2.module+el8.1.0+4081+b29780af.ppc64le.rpm containernetworking-plugins-debugsource-0.8.1-2.module+el8.1.0+4081+b29780af.ppc64le.rpm containers-common-0.1.37-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm fuse-overlayfs-0.4.1-1.module+el8.1.0+4081+b29780af.ppc64le.rpm fuse-overlayfs-debuginfo-0.4.1-1.module+el8.1.0+4081+b29780af.ppc64le.rpm fuse-overlayfs-debugsource-0.4.1-1.module+el8.1.0+4081+b29780af.ppc64le.rpm oci-systemd-hook-0.1.15-2.git2d0b8a3.module+el8.1.0+4081+b29780af.ppc64le.rpm oci-systemd-hook-debuginfo-0.1.15-2.git2d0b8a3.module+el8.1.0+4081+b29780af.ppc64le.rpm oci-systemd-hook-debugsource-0.1.15-2.git2d0b8a3.module+el8.1.0+4081+b29780af.ppc64le.rpm oci-umount-2.3.4-2.git87f9237.module+el8.1.0+4081+b29780af.ppc64le.rpm oci-umount-debuginfo-2.3.4-2.git87f9237.module+el8.1.0+4081+b29780af.ppc64le.rpm oci-umount-debugsource-2.3.4-2.git87f9237.module+el8.1.0+4081+b29780af.ppc64le.rpm podman-1.4.2-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm podman-debuginfo-1.4.2-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm podman-debugsource-1.4.2-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm podman-remote-1.4.2-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm podman-remote-debuginfo-1.4.2-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm podman-tests-1.4.2-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm runc-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.ppc64le.rpm runc-debuginfo-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.ppc64le.rpm runc-debugsource-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.ppc64le.rpm skopeo-0.1.37-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm skopeo-debuginfo-0.1.37-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm skopeo-debugsource-0.1.37-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm skopeo-tests-0.1.37-5.module+el8.1.0+4240+893c1ab8.ppc64le.rpm slirp4netns-0.3.0-4.module+el8.1.0+4306+1d917805.ppc64le.rpm slirp4netns-debuginfo-0.3.0-4.module+el8.1.0+4306+1d917805.ppc64le.rpm slirp4netns-debugsource-0.3.0-4.module+el8.1.0+4306+1d917805.ppc64le.rpm toolbox-0.0.4-1.module+el8.1.0+4081+b29780af.ppc64le.rpm
s390x: buildah-1.9.0-5.module+el8.1.0+4240+893c1ab8.s390x.rpm buildah-debuginfo-1.9.0-5.module+el8.1.0+4240+893c1ab8.s390x.rpm buildah-debugsource-1.9.0-5.module+el8.1.0+4240+893c1ab8.s390x.rpm buildah-tests-1.9.0-5.module+el8.1.0+4240+893c1ab8.s390x.rpm buildah-tests-debuginfo-1.9.0-5.module+el8.1.0+4240+893c1ab8.s390x.rpm containernetworking-plugins-0.8.1-2.module+el8.1.0+4081+b29780af.s390x.rpm containernetworking-plugins-debuginfo-0.8.1-2.module+el8.1.0+4081+b29780af.s390x.rpm containernetworking-plugins-debugsource-0.8.1-2.module+el8.1.0+4081+b29780af.s390x.rpm containers-common-0.1.37-5.module+el8.1.0+4240+893c1ab8.s390x.rpm fuse-overlayfs-0.4.1-1.module+el8.1.0+4081+b29780af.s390x.rpm fuse-overlayfs-debuginfo-0.4.1-1.module+el8.1.0+4081+b29780af.s390x.rpm fuse-overlayfs-debugsource-0.4.1-1.module+el8.1.0+4081+b29780af.s390x.rpm oci-systemd-hook-0.1.15-2.git2d0b8a3.module+el8.1.0+4081+b29780af.s390x.rpm oci-systemd-hook-debuginfo-0.1.15-2.git2d0b8a3.module+el8.1.0+4081+b29780af.s390x.rpm oci-systemd-hook-debugsource-0.1.15-2.git2d0b8a3.module+el8.1.0+4081+b29780af.s390x.rpm oci-umount-2.3.4-2.git87f9237.module+el8.1.0+4081+b29780af.s390x.rpm oci-umount-debuginfo-2.3.4-2.git87f9237.module+el8.1.0+4081+b29780af.s390x.rpm oci-umount-debugsource-2.3.4-2.git87f9237.module+el8.1.0+4081+b29780af.s390x.rpm podman-1.4.2-5.module+el8.1.0+4240+893c1ab8.s390x.rpm podman-debuginfo-1.4.2-5.module+el8.1.0+4240+893c1ab8.s390x.rpm podman-debugsource-1.4.2-5.module+el8.1.0+4240+893c1ab8.s390x.rpm podman-remote-1.4.2-5.module+el8.1.0+4240+893c1ab8.s390x.rpm podman-remote-debuginfo-1.4.2-5.module+el8.1.0+4240+893c1ab8.s390x.rpm podman-tests-1.4.2-5.module+el8.1.0+4240+893c1ab8.s390x.rpm runc-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.s390x.rpm runc-debuginfo-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.s390x.rpm runc-debugsource-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.s390x.rpm skopeo-0.1.37-5.module+el8.1.0+4240+893c1ab8.s390x.rpm skopeo-debuginfo-0.1.37-5.module+el8.1.0+4240+893c1ab8.s390x.rpm skopeo-debugsource-0.1.37-5.module+el8.1.0+4240+893c1ab8.s390x.rpm skopeo-tests-0.1.37-5.module+el8.1.0+4240+893c1ab8.s390x.rpm slirp4netns-0.3.0-4.module+el8.1.0+4306+1d917805.s390x.rpm slirp4netns-debuginfo-0.3.0-4.module+el8.1.0+4306+1d917805.s390x.rpm slirp4netns-debugsource-0.3.0-4.module+el8.1.0+4306+1d917805.s390x.rpm toolbox-0.0.4-1.module+el8.1.0+4081+b29780af.s390x.rpm
x86_64: buildah-1.9.0-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm buildah-debuginfo-1.9.0-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm buildah-debugsource-1.9.0-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm buildah-tests-1.9.0-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm buildah-tests-debuginfo-1.9.0-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm containernetworking-plugins-0.8.1-2.module+el8.1.0+4081+b29780af.x86_64.rpm containernetworking-plugins-debuginfo-0.8.1-2.module+el8.1.0+4081+b29780af.x86_64.rpm containernetworking-plugins-debugsource-0.8.1-2.module+el8.1.0+4081+b29780af.x86_64.rpm containers-common-0.1.37-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm fuse-overlayfs-0.4.1-1.module+el8.1.0+4081+b29780af.x86_64.rpm fuse-overlayfs-debuginfo-0.4.1-1.module+el8.1.0+4081+b29780af.x86_64.rpm fuse-overlayfs-debugsource-0.4.1-1.module+el8.1.0+4081+b29780af.x86_64.rpm oci-systemd-hook-0.1.15-2.git2d0b8a3.module+el8.1.0+4081+b29780af.x86_64.rpm oci-systemd-hook-debuginfo-0.1.15-2.git2d0b8a3.module+el8.1.0+4081+b29780af.x86_64.rpm oci-systemd-hook-debugsource-0.1.15-2.git2d0b8a3.module+el8.1.0+4081+b29780af.x86_64.rpm oci-umount-2.3.4-2.git87f9237.module+el8.1.0+4081+b29780af.x86_64.rpm oci-umount-debuginfo-2.3.4-2.git87f9237.module+el8.1.0+4081+b29780af.x86_64.rpm oci-umount-debugsource-2.3.4-2.git87f9237.module+el8.1.0+4081+b29780af.x86_64.rpm podman-1.4.2-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm podman-debuginfo-1.4.2-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm podman-debugsource-1.4.2-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm podman-remote-1.4.2-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm podman-remote-debuginfo-1.4.2-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm podman-tests-1.4.2-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm runc-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.x86_64.rpm runc-debuginfo-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.x86_64.rpm runc-debugsource-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.x86_64.rpm skopeo-0.1.37-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm skopeo-debuginfo-0.1.37-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm skopeo-debugsource-0.1.37-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm skopeo-tests-0.1.37-5.module+el8.1.0+4240+893c1ab8.x86_64.rpm slirp4netns-0.3.0-4.module+el8.1.0+4306+1d917805.x86_64.rpm slirp4netns-debuginfo-0.3.0-4.module+el8.1.0+4306+1d917805.x86_64.rpm slirp4netns-debugsource-0.3.0-4.module+el8.1.0+4306+1d917805.x86_64.rpm toolbox-0.0.4-1.module+el8.1.0+4081+b29780af.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

Severity

Advisory ID: RHSA-2019:3403-01

Product: Red Hat Enterprise Linux

Advisory URL: https://access.redhat.com/errata/RHSA-2019:3403

Issued Date: : 2019-11-05

CVE Names: CVE-2019-10214 CVE-2019-14378

Topic

An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Topic

Relevant Releases Architectures

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

Bugs Fixed

1655211 - podman exec seems to assume console even if -ti is not used

1661597 - Under podman, python recompiles sources even if they are compiled in build time

1671023 - timeout not working with podman pull on rhel8 beta

1672581 - podman does not respect -q option while pulling an image

1674519 - Not able to create volumes using Dockerfile using podman

1677251 - AVC while running php container [x86_64 only]

1677264 - There is no certs.d directory for podman currently

1689255 - don't allow a container to connect to random services

1690514 - rootless unable to access subscription: non-root podman should read /usr/share/containers/mounts.conf

1691543 - rootless unable to access subscription: bad permissions on /usr/share/rhel/secrets

1692513 - unable to mount disk at `/var/lib/containers` via `systemd` unit when `container-selinux` policy installed

1693154 - Varlink subcommand is missing for podman in rhel-8.0

1693424 - rootless: cannot specify gid= mount options for unmapped gid in rootless containers

1707220 - Add event notifications (blocking cockpit-podman)

1719626 - podman exec rc-code needs to distinguish between stopped containers and non existing ones

1719994 - [8.1.0] Registries.conf not configured to search registry.access.redhat.com

1720646 - python-podman-api needs python-psutil at runtime

1720654 - rebase packages

1721247 - [rhel-8.1.0] build without the `no_openssl` buildtag

1721638 - Podman build segfaults on Dockerfiles with RUN instruction

1723879 - Performance Problems with Podman on systems with IO load

1728700 - Unable to install container-selinux 2.107

1730281 - podman leaks kernel memory due to return code stored in tmpfs

1731117 - podman exec leaks an exec_pid_ file for every exec in tmpfs

1732508 - CVE-2019-10214 containers/image: not enforcing TLS when sending username+password credentials to token servers leading to credential disclosure

1734745 - CVE-2019-14378 QEMU: slirp: heap buffer overflow during packet reassembly

1734809 - Wrong AppStream ID

1737077 - after a podman rm --all, sometimes one cannot recreate a previously existing container

1739961 - cannot find "static" IPAM module and IPAM support for the host-device module

1740079 - race/corruption: podman failed to launch containers

1741157 - exit status from command run in container not forwarded to outside

1743685 - Regression: rootless: podman run --rm hangs