buildah-1.11.6-8.el7

エラータID: AXSA:2020-4680:01

Release date: 
Monday, April 6, 2020 - 08:17
Subject: 
buildah-1.11.6-8.el7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
Moderate
Description: 

The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to:

* Create a working container, either from scratch or using an image as a starting point.

* Create an image, either from a working container or using the instructions in a Dockerfile.

* Build both Docker and OCI images.

Security Fix(es):

* proglottis/gpgme: Use-after-free in GPGME bindings during container image pull (CVE-2020-8945)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* rootless buildah does not work with UID in /etc/subuid (BZ#1765469)

* Extras RHEL-7.8 update - buildah (BZ#1791286)

* buildah should be linked against gpgme-pthread (BZ#1793074)

CVE-2020-8945
The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. buildah-1.11.6-8.el7.src.rpm
    MD5: aa88b0d50b6b063b34dbe9292f36efc3
    SHA-256: 3f5966a685d2eaac3b0fb500def4a91ef4bba162e9cc1fae109a204255e64004
    Size: 9.85 MB

Asianux Server 7 for x86_64
  1. buildah-1.11.6-8.el7.x86_64.rpm
    MD5: cba000b5c21234d18192890732ac591c
    SHA-256: ccbd36e6d4a2d8d5cb86aee1d4ba66b5f21bdc56f6acf2b2fadc79cb62799455
    Size: 8.80 MB