container-tools:rhel8 security, bug fix, and enhancement update

Errata ID: AXSA:2022-3571:01

Release date: Wednesday, July 20, 2022 - 06:56
Subject: container-tools:rhel8 security, bug fix, and enhancement update
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description: 

The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.

Security Fix(es):

* psgo: Privilege escalation in 'podman top' (CVE-2022-1227)
* prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698)
* podman: Default inheritable capabilities for linux container should be empty (CVE-2022-27649)
* crun: Default inheritable capabilities for linux container should be empty (CVE-2022-27650)
* buildah: Default inheritable capabilities for linux container should be empty (CVE-2022-27651)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

CVE-2022-1227
A privilege escalation flaw was found in Podman. This flaw allows an attacker to publish a malicious image to a public registry. Once this image is downloaded by a potential victim, the vulnerability is triggered after a user runs the 'podman top' command. This action gives the attacker access to the host filesystem, leading to information disclosure or denial of service.
CVE-2022-21698
client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, the HTTP server is susceptible to a denial of service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. To be affected, instrumented software must use any of the `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g. GET) before the middleware; pass a metric with the `method` label name to the middleware; and not have any firewall/LB/proxy that filters away requests with an unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from the counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before the promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall configured to only allow a limited set of methods.
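The "custom middleware that sanitizes the request method" workaround can be sketched as follows. This is an added example, not code from the advisory or from client_golang; `SanitizeMethod`, the `UNKNOWN` value and `labelRecorder` (a standard-library stand-in for a handler instrumented with a `method` label) are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// knownMethods is the allow-list; any other method collapses to one label value.
var knownMethods = map[string]bool{
	http.MethodGet: true, http.MethodHead: true, http.MethodPost: true,
	http.MethodPut: true, http.MethodPatch: true, http.MethodDelete: true,
	http.MethodConnect: true, http.MethodOptions: true, http.MethodTrace: true,
}

// SanitizeMethod (hypothetical name) rewrites any method outside the allow-list
// to "UNKNOWN" before the wrapped, instrumented handler reads r.Method.
func SanitizeMethod(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !knownMethods[r.Method] {
			r = r.Clone(r.Context()) // leave the caller's request untouched
			r.Method = "UNKNOWN"
		}
		next.ServeHTTP(w, r)
	})
}

// labelRecorder stands in for an instrumented handler: one entry per `method` label value.
type labelRecorder struct{ series map[string]int }

func (l *labelRecorder) ServeHTTP(_ http.ResponseWriter, r *http.Request) { l.series[r.Method]++ }

// DistinctLabels sends n requests with unique, constructed method names and
// returns how many distinct `method` label values the recorder ended up holding.
func DistinctLabels(n int, sanitize bool) int {
	rec := &labelRecorder{series: map[string]int{}}
	var h http.Handler = rec
	if sanitize {
		h = SanitizeMethod(rec)
	}
	for i := 0; i < n; i++ {
		req := httptest.NewRequest(fmt.Sprintf("FUZZ%d", i), "/", nil) // constructed input
		h.ServeHTTP(httptest.NewRecorder(), req)
	}
	return len(rec.series)
}

func main() {
	fmt.Println(DistinctLabels(1000, false), DistinctLabels(1000, true))
}
```

Without the wrapper the number of label values grows with every new method string; with it the count stays bounded by the allow-list plus one.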
CVE-2022-27649
A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions. A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.
CVE-2022-27650
A flaw was found in crun where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.
CVE-2022-27651
A flaw was found in buildah where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, enabling an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. This has the potential to impact confidentiality and integrity.
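A host-side check for the condition behind CVE-2022-27649, CVE-2022-27650 and CVE-2022-27651 is to read the `CapInh` line of a container process's `/proc/<pid>/status` and confirm the mask is zero. The parser below is an added example, not code from the advisory or from podman, crun or buildah; `InheritableCaps` is a hypothetical name and both status excerpts are constructed samples.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Capability names indexed by bit number (order of linux/capability.h, bits 0-40).
var capNames = strings.Fields(`CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER
CAP_FSETID CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE
CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK
CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_PACCT
CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME
CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_SETFCAP
CAP_MAC_OVERRIDE CAP_MAC_ADMIN CAP_SYSLOG CAP_WAKE_ALARM CAP_BLOCK_SUSPEND
CAP_AUDIT_READ CAP_PERFMON CAP_BPF CAP_CHECKPOINT_RESTORE`)

// Constructed /proc/<pid>/status excerpts (sample values, not taken from the advisory).
const sampleNonEmpty = "Name:\tsleep\nCapInh:\t00000000a80425fb\nCapPrm:\t00000000a80425fb\n"
const sampleEmpty = "Name:\tsleep\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"

// InheritableCaps (hypothetical name) returns the raw CapInh mask and the names of the
// known capabilities set in it; a non-zero mask is the condition the advisory describes.
func InheritableCaps(status string) (uint64, []string, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 || fields[0] != "CapInh:" {
			continue
		}
		mask, err := strconv.ParseUint(fields[1], 16, 64)
		if err != nil {
			return 0, nil, fmt.Errorf("bad CapInh value %q: %w", fields[1], err)
		}
		var names []string
		for bit, name := range capNames {
			if mask>>uint(bit)&1 == 1 {
				names = append(names, name)
			}
		}
		return mask, names, nil
	}
	return 0, nil, fmt.Errorf("no CapInh line found")
}

func main() {
	fmt.Println(InheritableCaps(sampleNonEmpty))
}
```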

Modularity name: container-tools
Stream name: rhel8

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. buildah-1.24.2-4.module+el8+1442+7dde0cd6.src.rpm
    MD5: 889199112afe4ca7053232ff3ac7971a
    SHA-256: 5a973007f65234d3daba84554a6f371287aabbc748fa205c60442456bf87934b
    Size: 13.30 MB
  2. cockpit-podman-43-1.module+el8+1442+7dde0cd6.src.rpm
    MD5: d28864ced983195748d8d6021a25eaa5
    SHA-256: 6f5459b129c15c42db08e18d9c7ae1ee7fe54d5f8c39b5da9711e505f94b7f1a
    Size: 728.17 kB
  3. conmon-2.1.0-1.module+el8+1442+7dde0cd6.src.rpm
    MD5: d669fc31b2389420af248b5d547bbd58
    SHA-256: f722fe365644b3c53ea84cde073fb9c50d7e8bd6bbf4b84d248626fd8643a347
    Size: 168.63 kB
  4. containernetworking-plugins-1.0.1-2.module+el8+1442+7dde0cd6.src.rpm
    MD5: f942dc31f5426431ebd282c0970a8d4e
    SHA-256: fa6d40f7d12a3fb1fec615bd3802d857c3972fcc435511e1f7454c1a85fe8534
    Size: 2.84 MB
  5. containers-common-1-27.module+el8+1442+7dde0cd6.src.rpm
    MD5: 2c8f547fb4090779d51448d17ef4f96b
    SHA-256: 73b11e2c3886c446e16ee1c5f062495f0fc35e417dcdec604770c7c0b52f6267
    Size: 35.42 MB
  6. container-selinux-2.179.1-1.module+el8+1442+7dde0cd6.src.rpm
    MD5: 771b3c6b1389bd754c29f6353e2c6e39
    SHA-256: 73d81fa2ed2e061c0fde369820497c71cc558c35af7f48c8f6476bd442150f68
    Size: 55.28 kB
  7. criu-3.15-3.module+el8+1442+7dde0cd6.src.rpm
    MD5: de37027dc7ec12aed452bfddf1fab4fa
    SHA-256: 18f2648bbf6bbb63f2795e122982365aa54e575fcdb12c9a5ca44d66cbbf6d62
    Size: 914.17 kB
  8. crun-1.4.4-1.module+el8+1442+7dde0cd6.src.rpm
    MD5: 6d046f66fb86197c6e9092b424f905a8
    SHA-256: 42d54c93ee829264787907d4d915a9bb75a926148ff9f98398f6ca4d30e1e6f9
    Size: 1.88 MB
  9. fuse-overlayfs-1.8.2-1.module+el8+1442+7dde0cd6.src.rpm
    MD5: 05149a0ffe7ff172e7dee21b4c65ad60
    SHA-256: c9bdda67caf52c6504d38ce50e810a0f1c971f49f8c6b6bf7bed2d937db83219
    Size: 115.17 kB
  10. libslirp-4.4.0-1.module+el8+1442+7dde0cd6.src.rpm
    MD5: 5940145841e9fce939e3a8c25c54d913
    SHA-256: 014300b1d2c6f36905715ed27e0c5b61c9cf16b22741202ec28f42e23cff1ed0
    Size: 114.78 kB
  11. oci-seccomp-bpf-hook-1.2.3-3.module+el8+1442+7dde0cd6.src.rpm
    MD5: 0fe28122dcd0b544c0abe867b969c2e7
    SHA-256: 40552e5644c9b4d9c77fc3441b8f602b1830a1d00a6a3a253a01ac0ffe365a77
    Size: 1.08 MB
  12. podman-4.0.2-6.module+el8+1442+7dde0cd6.src.rpm
    MD5: 36a041f9d992d56b5116168fdd495ed8
    SHA-256: 046de21a8e78b8e61a8b196b176a3b8737ec27aadbcec097a6bf64a25244ca37
    Size: 16.37 MB
  13. python-podman-4.0.0-1.module+el8+1442+7dde0cd6.src.rpm
    MD5: 5000265e8df567b2c849cdd842abe123
    SHA-256: 373aab5187b524e1bfebecdccdf5c24098ad8bee48c7bda05d204c08e114b64e
    Size: 79.35 kB
  14. runc-1.0.3-2.module+el8+1442+7dde0cd6.src.rpm
    MD5: 43bb9f5eccbb30efef8b33af47cbd48b
    SHA-256: 4044b7aeb2d73ce968d5bf3ea9cabde1f4cf81314b761ba53eff4b7e5a73b0fe
    Size: 2.26 MB
  15. skopeo-1.6.1-2.module+el8+1442+7dde0cd6.src.rpm
    MD5: b3732878a1511d691189ceda2ff49d19
    SHA-256: 058f9aa28cfd4df8e7d5705f5d4eaf3e326cf145759a9dcc791c089bbcc75837
    Size: 6.19 MB
  16. slirp4netns-1.1.8-2.module+el8+1442+7dde0cd6.src.rpm
    MD5: fee31f000070bcefbb74bb582bc775d5
    SHA-256: 06b7ff8aaa740b5199ed5f5a15405889cae4cf28b7964192fa013b3e26d6b8c9
    Size: 69.39 kB
  17. toolbox-0.0.99.3-0.4.module+el8+1442+7dde0cd6.src.rpm
    MD5: 08e0e21e8f014497fea0a3a2a0146610
    SHA-256: 0695b496573b310288f2984df2c0c2f6cc8400274a3223f5ea06781909f5159d
    Size: 5.88 MB
  18. udica-0.2.6-2.module+el8+1442+7dde0cd6.src.rpm
    MD5: 1a1d7d515f1967c3981efe3657c80fb5
    SHA-256: c7e70d8f1ee0d15616226f6f49eee339d3f9bd64075d95a34cb3b14be3093ced
    Size: 131.77 kB

Asianux Server 8 for x86_64
  1. buildah-tests-1.24.2-4.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: 4adcdd6035deb4fbbbac4bdf17ad49b8
    SHA-256: cf5f31389cdaca75e7369f6a9e2b6bfbd3164076c070197fabd6c907252ff517
    Size: 18.08 MB
  2. buildah-1.24.2-4.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: 6890ff08a23ca0cb91d5e65a0e02bf72
    SHA-256: af6300a3613c67cefc7b10694b050a9e195c4723281c5cb3cce55f279b296ea3
    Size: 8.05 MB
  3. buildah-debugsource-1.24.2-4.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: f9381cc82c0028e5915250c992b420bd
    SHA-256: b3765754ddab9653f0adffdd73d56c3f498091bcc48354d284fbf3d339605bcd
    Size: 3.33 MB
  4. cockpit-podman-43-1.module+el8+1442+7dde0cd6.noarch.rpm
    MD5: df9adbf7ec0c17f3f79ba303fd91db99
    SHA-256: 5f3771dc03dff36b879e40e97587361f37cab18dea35be71c3fab0588f9ca959
    Size: 492.33 kB
  5. conmon-debugsource-2.1.0-1.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: 187682bfeb7810256da1e275bba43d20
    SHA-256: 54de26386ba8de8abda06429768f9ebf805beca89ea3198950e3efc29840a3e1
    Size: 46.62 kB
  6. conmon-2.1.0-1.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: 11d05dc9b0746ec87e47e0722c088e84
    SHA-256: b217b3785fecc01294d3d2282b7832dc961a59acaf313dcccc5efb38bb4aa928
    Size: 53.94 kB
  7. containernetworking-plugins-debugsource-1.0.1-2.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: 7f46daa96e236303ec177b1ad687f08e
    SHA-256: e0a5609b4bf118b85ceb34be80d8ae89180dbccfcf2cbfee34e0d217e36c4010
    Size: 367.07 kB
  8. containernetworking-plugins-1.0.1-2.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: 4c5007321d54ff63fc5d6b071e8e5a28
    SHA-256: c9bdb7c56796e420978e3c8c6dc0d28d1e032984098e688ff2fffe0f44bdc638
    Size: 18.34 MB
  9. aardvark-dns-1.0.1-27.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: fbb8501890e9f253f33e819ca5384853
    SHA-256: 28e2fba0e937a51fd0ff832318d27c6ee9c115a257080eec6df7c1d3a3634a75
    Size: 0.99 MB
  10. containers-common-1-27.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: fa514330c7f661d0d62fad55de8b9c7f
    SHA-256: aa00c9273aaccb8dd87577c5d161b08fd2eb62feced1ef9f9a273c08f58125b2
    Size: 93.49 kB
  11. netavark-1.0.1-27.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: 74ff79c4e35f221df2b675dab470f498
    SHA-256: ff55f43fbe4130f653ab85b00ba08e204d1c564b51e6c1b39ad0d17993cedc53
    Size: 1.98 MB
  12. container-selinux-2.179.1-1.module+el8+1442+7dde0cd6.noarch.rpm
    MD5: f7a35a9780f96c32f4283969f5a46e8b
    SHA-256: 0dbbd715847e1ec091316e9bcd64ab075b5098a56e92369ccb9ba8364089466e
    Size: 57.51 kB
  13. criu-3.15-3.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: 5770ed4b97a18dcc833b03cdfa4ebc74
    SHA-256: f1fcaf212a61a60c03e730fd1a94c76618cd225da571eff428293539bf084a65
    Size: 516.57 kB
  14. criu-devel-3.15-3.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: 45de6d5940724c35a703e7b9228aade5
    SHA-256: efe6bf8347f010bf9194a7436dc7b6984e69c3b63bb3d82400f7b4abd7333f1c
    Size: 23.81 kB
  15. python3-criu-3.15-3.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: e545dc4857fa276e61866cc0a2c64a3e
    SHA-256: bd537a6bf3303059a9d1dd7cc2c71bfb6db685ed50ce3ff0a4dbab320e9d876d
    Size: 168.78 kB
  16. criu-libs-3.15-3.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: 9577de26b8cf7697b724fa14a831b3e5
    SHA-256: 0a893417141822a97e27c1e8b87edba328e52ecffd2b950e88c68769c30fcb59
    Size: 36.66 kB
  17. criu-debugsource-3.15-3.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: 63611f5c50eb72937ed0bf7a60fb9229
    SHA-256: 09cba237a04bfdcd453738c2431b7c36ec3fe3363e202bff86ce1ebe65b4cb02
    Size: 675.33 kB
  18. crit-3.15-3.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: 499521045b361ba1c6af0ad98315fcfe
    SHA-256: c685b4218e527520dd3074f4a8a8a7a7d4879f758d1095f8ea9883293bc34753
    Size: 18.60 kB
  19. crun-1.4.4-1.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: 3ec206e78ae186675ab68e137c25f412
    SHA-256: 449dbf323e758089e7b4ff394ca60fb28058c4049e83f9f1ca492b81277138fb
    Size: 207.71 kB
  20. crun-debugsource-1.4.4-1.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: 10caf575cc59da45e689ba91ea8882fe
    SHA-256: c7ef966737f7e3f0623accaedd17baa92b0b9ed30a0fd6749610c82a977bb0d0
    Size: 156.29 kB
  21. fuse-overlayfs-debugsource-1.8.2-1.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: 570fb9f532aa2afc93201d13497d5d35
    SHA-256: b553f60123d98f4b9c1fbeb6a4f7746547462e82e55401c0772085b70b7dd219
    Size: 53.81 kB
  22. fuse-overlayfs-1.8.2-1.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: 6366e90cd77985834db13aa3a3c577c9
    SHA-256: 0db117a4ce843d697b17f9e1716cafe22e60cf016541c03a15bbe9c4480f167a
    Size: 71.95 kB
  23. libslirp-4.4.0-1.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: 255fe8145b44999d4b6907b67d962897
    SHA-256: c43eaf37cf916b0e757a4b00a9650f592a05969d58e0aa03fdc7bc98dee4785f
    Size: 69.13 kB
  24. libslirp-debugsource-4.4.0-1.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: bb0bac0c184aec1019f3996743c4f248
    SHA-256: 7c6ccdba53145cd9e3cd4ffbd71bd4e41032322bf68da300c71212f3961317a8
    Size: 114.43 kB
  25. libslirp-devel-4.4.0-1.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: d520e5562fee673e1723fced357d3843
    SHA-256: c0b73bc76ee708da3a738e550f309bfa40f5077bc853e74646b31596970fc69e
    Size: 11.29 kB
  26. oci-seccomp-bpf-hook-debugsource-1.2.3-3.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: f9eabbb6159583f7d10b75c821b68cdf
    SHA-256: 7bd683cd0be305a5962334fe163e6708651e568031af2d80255904d3b0fa4f97
    Size: 158.05 kB
  27. oci-seccomp-bpf-hook-1.2.3-3.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: 856a37c0c9d2ccabeed94c2b68a3478b
    SHA-256: db7b0298bb68ab1908eba7d86394d38d90fdf50cc1b1e00a8a8e4f49a0b88580
    Size: 1.03 MB
  28. podman-gvproxy-4.0.2-6.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: f5dd1368b65465cecbd3163b3b1ba031
    SHA-256: 564bc9ec6cfa1ff4fecf3e1eb93ec273d840340c8d41c5b027dd407a1d8ed168
    Size: 3.31 MB
  29. podman-plugins-4.0.2-6.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: 731e3190ce1df65516dd2d52917e850c
    SHA-256: 7ad3b703462217916c489bf9c2aab8e70976081b12634187029b232663d3ad92
    Size: 3.11 MB
  30. podman-catatonit-4.0.2-6.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: 5d168dc2ffe390232d1f1aa8de31b34e
    SHA-256: 101739dd47b2fc202e90ba70a5544fca6d9a647fb8bb2f89e96f33f13959871f
    Size: 352.81 kB
  31. podman-remote-4.0.2-6.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: 7728fbb00cd06c4215ed8a95a1e51335
    SHA-256: c2ce09defb717de3383266431a1bb1da7a447744009e3be7d1810c8dc20fd3c4
    Size: 8.16 MB
  32. podman-4.0.2-6.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: fba3a2efcd19ea66c909d725ee4fdda3
    SHA-256: 90d12119a3795bf4f57b9a898f04adacf2c2aacc96b886f10b741a8b9c1cf4df
    Size: 13.26 MB
  33. podman-docker-4.0.2-6.module+el8+1442+7dde0cd6.noarch.rpm
    MD5: 79f01409204dd35808f8ab07e4b63edc
    SHA-256: c1745b1cbc3a054d096409b9a91fc2598de783e21220f8640190d6392231e93a
    Size: 66.51 kB
  34. podman-tests-4.0.2-6.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: de09ccb20ccddaacc72e4649ab397ab8
    SHA-256: a025fea57a6882d633a8a6124f36ce80d16c72fd3e626f7cfc23faa014d76803
    Size: 173.93 kB
  35. podman-debugsource-4.0.2-6.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: 7ec70a0269a37509a5f86b18886bd56e
    SHA-256: 5af57659b11e940a4b60b471215913617af37f50d61bd4c17ca78771f19e36c6
    Size: 5.90 MB
  36. python3-podman-4.0.0-1.module+el8+1442+7dde0cd6.noarch.rpm
    MD5: a26dbab49bd652abb9aca7f84b6fcad8
    SHA-256: 439ae4eb00ca98495e4f03ecd4340ff6ecd3d1054d748d4269466593186be2d0
    Size: 148.03 kB
  37. runc-1.0.3-2.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: 051e43d9c80a54f0f01edb2d0562c29d
    SHA-256: add60b40cdaadb2af370c6fdbfae3060a52ff51f3ce5155ea4b3ba7e1c901b3b
    Size: 2.98 MB
  38. runc-debugsource-1.0.3-2.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: a2b7d7778d1520bd64334c6536957c91
    SHA-256: b0dc97e7b47fa1752be11fe3b99543f35108a03a7a657080fecc6f8494fff54d
    Size: 916.51 kB
  39. skopeo-debugsource-1.6.1-2.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: b85afc87dad6865c23e9a05eea1a4b4a
    SHA-256: fd811fecf22211cdc1a4ea6fe441e2aac4a49835ec530eb7be82432584fd251d
    Size: 2.52 MB
  40. skopeo-tests-1.6.1-2.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: 5736f01b9b3d89b43586cac06a6a290d
    SHA-256: 3ef253a83e00d21300db97d82c7956abf57d3e3cf003b898c69e3cf005d2303c
    Size: 778.24 kB
  41. skopeo-1.6.1-2.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: f111cde6802275394ce7ab6c22d90367
    SHA-256: 5c1536f6e8c35a8fbda6a79347bb9f9f01205c2aed10abd9d5a8136bfe423a44
    Size: 6.65 MB
  42. slirp4netns-debugsource-1.1.8-2.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: 344ef3f8720bd367e80c92b48d349e23
    SHA-256: 947c91e19fe119105f7a8992c7c9ab1838fafdf5833908502ed50030dfaf6d4d
    Size: 38.75 kB
  43. slirp4netns-1.1.8-2.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: 4417ee6bef8db842571ba762307ef979
    SHA-256: 9327f190fffd6862adabe5d9a64d452166157111c10a1260fcea329c4bed29cc
    Size: 50.17 kB
  44. toolbox-debugsource-0.0.99.3-0.4.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: 7d7a221fbce2c7be6fc46b9379966a45
    SHA-256: ffdf667963dbb69c0de0009f7c6a3e236428ac6c410b0629cb420a446b971f62
    Size: 449.73 kB
  45. toolbox-tests-0.0.99.3-0.4.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: 49131138cc912d07a3bd5ba3c1f278dc
    SHA-256: 9fe81d251d2d1c7bf02a311f074327f30a29c67c453a609dfaccd580a0ca5bee
    Size: 30.17 kB
  46. toolbox-0.0.99.3-0.4.module+el8+1442+7dde0cd6.x86_64.rpm
    MD5: 9b03834349dbb8e9723e8208e07c5de1
    SHA-256: dbacb7e702a06f3733c7f07e2f78d93eb99a997d87ce68f2546a059e293ba9c0
    Size: 2.19 MB
  47. udica-0.2.6-2.module+el8+1442+7dde0cd6.noarch.rpm
    MD5: c4a661075baf5ef526340bd4b2fb98dc
    SHA-256: 8efc95cb8c2c4f49da4019dc84fb65f06695e5a76572039c0e7695ed66978060
    Size: 47.24 kB