podman-1.6.4-26.el7
Errata ID: AXSA:2020-887:04
The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods are a concept in Kubernetes.
Security Fix(es):
* golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)
* podman: environment variables leak between containers when started via Varlink or Docker-compatible REST API (CVE-2020-14370)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* podman does not use $TMPDIR when loading a tar file (BZ#1877699)
CVE-2020-14040
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
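Added example, not x/text's code and not part of this advisory: a minimal BOM-aware UTF-16 decoder in Go, standard library only, that handles the input class from the CVE-2020-14040 description. An odd-length input, including a single byte, yields an explicit error instead of spinning. The function name DecodeUTF16 and the error values are this example's own, and the sample inputs are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"unicode/utf16"
)

// ErrTruncatedUTF16 is returned when the input has an odd number of bytes,
// which covers the single-byte input described for CVE-2020-14040.
var ErrTruncatedUTF16 = errors.New("utf16: input truncated: odd byte count")

// ErrMissingBOM is returned in expect-BOM mode when no BOM is present.
var ErrMissingBOM = errors.New("utf16: byte order mark expected but not found")

// DecodeUTF16 decodes a complete UTF-16 byte sequence. With expectBOM set a
// BOM is required; otherwise a BOM is honoured if present and big-endian is
// assumed if absent (the RFC 2781 default). Every path returns a value or an
// error; no input can leave the loop without consuming bytes.
func DecodeUTF16(src []byte, expectBOM bool) (string, error) {
	var order binary.ByteOrder = binary.BigEndian
	switch {
	case len(src) >= 2 && src[0] == 0xFE && src[1] == 0xFF:
		src = src[2:] // big-endian BOM
	case len(src) >= 2 && src[0] == 0xFF && src[1] == 0xFE:
		order = binary.LittleEndian
		src = src[2:] // little-endian BOM
	case expectBOM:
		return "", ErrMissingBOM
	}
	if len(src)%2 != 0 {
		return "", ErrTruncatedUTF16 // reject the trailing half code unit
	}
	units := make([]uint16, 0, len(src)/2)
	for i := 0; i+1 < len(src); i += 2 {
		units = append(units, order.Uint16(src[i:i+2]))
	}
	// utf16.Decode maps unpaired surrogates to U+FFFD rather than failing.
	return string(utf16.Decode(units)), nil
}

func main() {
	for _, in := range [][]byte{ // constructed samples
		{0xFE, 0xFF, 0x00, 0x68, 0x00, 0x69}, // BOM + "hi", big-endian
		{0xFF, 0xFE, 0x68, 0x00, 0x69, 0x00}, // BOM + "hi", little-endian
		{0x00},                               // the single-byte case
	} {
		s, err := DecodeUTF16(in, true)
		fmt.Printf("%x -> %q, err=%v\n", in, s, err)
	}
}
```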
CVE-2020-14370
An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container will get leaked into subsequent containers. An attacker who has control over the subsequent containers could use this flaw to gain access to sensitive information stored in such variables.
Update packages.
N/A
SRPMS
- podman-1.6.4-26.el7.src.rpm
MD5: 1bfc4b1fc18180c067a5260d89930aa8
SHA-256: ea240b6cc7a68a9fe998e8e67a5f152af25c6a988bcdc99b139813786fa89367
Size: 9.06 MB
Asianux Server 7 for x86_64
- podman-1.6.4-26.el7.x86_64.rpm
MD5: cfdec28b05615ed14d8ca6d30509906e
SHA-256: a1fce41e04dd0a713da3bdbb230d8585cae7ede7794e95e3ce2b827c6840b22f
Size: 12.85 MB
- podman-docker-1.6.4-26.el7.noarch.rpm
MD5: 313ffdd0063f212532c6666ffe777251
SHA-256: 18b13827dc848e3374ddb9ccca0ee42e48f5fe626f72715426c9c0488455d6ad
Size: 30.17 kB