
RedHat: RHSA-2021-4154 Moderate: Container-Tools Security Bug Fix

November 9, 2021
Minor enhancement update for Red Hat's container-tools:rhel8 module, resolving possible vulnerabilities and optimizing efficiency.
An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Summary

The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.
Security Fix(es):
* buildah: Host environment variables leaked in build container when using chroot isolation (CVE-2021-3602)
* containers/storage: DoS via malicious image (CVE-2021-20291)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section.

References

https://access.redhat.com/security/cve/CVE-2021-3602
https://access.redhat.com/security/cve/CVE-2021-20291
https://access.redhat.com/security/updates/classification#moderate
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/8.5_release_notes/index

Package List

Red Hat Enterprise Linux AppStream (v. 8):
Source:
buildah-1.22.3-2.module+el8.5.0+12582+56d94c81.src.rpm
cockpit-podman-33-1.module+el8.5.0+12582+56d94c81.src.rpm
conmon-2.0.29-1.module+el8.5.0+12582+56d94c81.src.rpm
container-selinux-2.167.0-1.module+el8.5.0+12582+56d94c81.src.rpm
containernetworking-plugins-1.0.0-1.module+el8.5.0+12582+56d94c81.src.rpm
containers-common-1-2.module+el8.5.0+12582+56d94c81.src.rpm
criu-3.15-3.module+el8.5.0+12582+56d94c81.src.rpm
crun-1.0-1.module+el8.5.0+12582+56d94c81.src.rpm
fuse-overlayfs-1.7.1-1.module+el8.5.0+12582+56d94c81.src.rpm
libslirp-4.4.0-1.module+el8.5.0+12582+56d94c81.src.rpm
oci-seccomp-bpf-hook-1.2.3-3.module+el8.5.0+12582+56d94c81.src.rpm
podman-3.3.1-9.module+el8.5.0+12697+018f24d7.src.rpm
python-podman-3.2.0-2.module+el8.5.0+12582+56d94c81.src.rpm
runc-1.0.2-1.module+el8.5.0+12582+56d94c81.src.rpm
skopeo-1.4.2-0.1.module+el8.5.0+12582+56d94c81.src.rpm
slirp4netns-1.1.8-1.module+el8.5.0+12582+56d94c81.src.rpm
toolbox-0.0.99.3-0.4.module+el8.5.0+12682+a4eeb084.src.rpm
udica-0.2.5-2.module+el8.5.0+12582+56d94c81.src.rpm

aarch64:
buildah-1.22.3-2.module+el8.5.0+12582+56d94c81.aarch64.rpm
buildah-debuginfo-1.22.3-2.module+el8.5.0+12582+56d94c81.aarch64.rpm


Advisory ID: RHSA-2021:4154-01
Product: Red Hat Enterprise Linux
Issue date: 2021-11-09

Topic

An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Relevant Releases/Architectures

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

Bugs Fixed

1914687 - Rebase to github.com/containers/toolbox

1928935 - RFE: Let `podman volume prune` show the volumes that are going to be removed

1932399 - IPv6 errors after exiting crictl

1933775 - shortname for ubi8-minimal leads to "Repo not found" error [RHEL 8.5]

1933776 - podman 3.0.1 ships with a v2 go module [RHEL 8.5]

1934415 - Work on 8.5.0 container-tools module.

1934480 - Podman will pull image for rootless CNI

1937641 - Regression: Overlay mounts is broken on existing directories. [rhel-8.5.0]

1937830 - regressions cp command in Podman v3.0 [rhel-8.5.0]

1939485 - CVE-2021-20291 containers/storage: DoS via malicious image

1940037 - toolbox does not provide /:/host mount required for sosreport

1940054 - Support logging into a registry if necessary

1940082 - toolbox does not support a config file

1940493 - [gss][podman]Getting the error while starting container "Error: readlink /var/lib/containers/storage/overlay/l/XXX no such file or directory" [rhel-8.5.0]

1941380 - Podman - secondary groups not available in container when using userns=keep-id

1947432 - podman run --pid=host command causes OCI permission error

1947999 - rootless podman --cgroup-manager=cgroupfs run command causes OCI permission error when CGroups V2 is enabled

1952204 - shortnames for containerized images

1952698 - Permission on /dev/null are changing from 666 to 777 after running podman as root

1957299 - Podman "--format" does not support "join"
