container-tools security and bug fix update, python-podman-4.2.0-1.el9, toolbox-0.0.99.3-5.el9

Errata ID: AXSA:2023-5056:01

Release date: 
Friday, February 10, 2023 - 09:38
Subject: 
container-tools security and bug fix update, python-podman-4.2.0-1.el9, toolbox-0.0.99.3-5.el9
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
Moderate
Description: 

aardvark-dns:
Authoritative DNS server for A/AAAA container records

Forwards other requests to configured resolvers.
Read more about configuration in `src/backend/mod.rs`.

buildah:
The buildah package provides a command line tool which can be used to
* create a working container from scratch
or
* create a working container from an image as a starting point
* mount/umount a working container's root file system for manipulation
* save container's root file system layer to create a new image
* delete a working container or an image

cockpit-podman:
The Cockpit user interface for Podman containers.

container-selinux:
SELinux policy modules for use with container runtimes.

container-tools:
Latest versions of podman, buildah, skopeo, runc, conmon, CRIU, Udica, etc as
well as dependencies such as container-selinux built and tested together, and
updated.

containernetworking-plugins:
The CNI (Container Network Interface) project consists of a specification
and libraries for writing plugins to configure network interfaces in Linux
containers, along with a number of supported plugins. CNI concerns itself
only with network connectivity of containers and removing allocated resources
when the container is deleted.

containers-common:
This package contains common configuration files and documentation for container
tools ecosystem, such as Podman, Buildah and Skopeo.

It is required because most of the configuration files and docs come from projects
which are vendored into Podman, Buildah, Skopeo, etc. but they are not packaged
separately.

netavark:
OCI network stack

Netavark is a Rust-based network stack for containers. It is being
designed to work with Podman but is also applicable for other OCI
container management applications.

Netavark is a tool for configuring networking for Linux containers.
Its features include:
* Configuration of container networks via JSON configuration file
* Creation and management of required network interfaces, including MACVLAN networks
* All required firewall configuration to perform NAT and port forwarding as required for containers
* Support for iptables and firewalld at present, with support for nftables planned in a future release
* Support for rootless containers
* Support for IPv4 and IPv6
* Support for container DNS resolution via aardvark-dns.

oci-seccomp-bpf-hook:
OCI Hook to generate seccomp json files based on eBPF syscalls used by container
oci-seccomp-bpf-hook provides a library for applications looking to use
the Container Pod concept popularized by Kubernetes.

podman:
podman (Pod Manager) is a fully featured container engine that is a simple
daemonless tool. podman provides a Docker-CLI comparable command line that
eases the transition from other container engines and allows the management of
pods, containers and images. Simply put: alias docker=podman.
Most podman commands can be run as a regular user, without requiring
additional privileges.

podman uses Buildah(1) internally to create container images.
Both tools share image (not container) storage, hence each can use or
manipulate images (but not containers) created by the other.

Manage Pods, Containers and Container Images
podman Simple management tool for pods, containers and images

python-podman:
python-podman is a library of bindings to use the RESTful API for Podman.

toolbox:
Toolbox is a tool for Linux operating systems, which allows the use of
containerized command line environments. It is built on top of Podman and
other standard container technologies from OCI.

Security Fix(es):
* golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u-
extension (CVE-2020-28851)
* golang.org/x/text: Panic in language.ParseAcceptLanguage while processing
bcp47 tag (CVE-2020-28852)
* podman: podman machine spawns gvproxy with port bound to all IPs
(CVE-2021-4024)
* podman: Remote traffic to rootless containers is seen as originating from
localhost (CVE-2021-20199)
* containers/storage: DoS via malicious image (CVE-2021-20291)
* golang: net/http/httputil: ReverseProxy forwards connection headers if first
one is empty (CVE-2021-33197)
* golang: crypto/tls: certificate of wrong type is causing TLS client to panic
(CVE-2021-34558)
* golang: net: lookup functions may return invalid host names (CVE-2021-33195)
* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if
passed inputs with very large exponents (CVE-2021-33198)
* golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191)
* podman: possible information disclosure and modification (CVE-2022-2989)
* buildah: possible information disclosure and modification (CVE-2022-2990)
* golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)
* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

CVE(s):
CVE-2020-28851
CVE-2020-28852
CVE-2021-20199
CVE-2021-20291
CVE-2021-33195
CVE-2021-33197
CVE-2021-33198
CVE-2021-34558
CVE-2021-4024
CVE-2022-1705
CVE-2022-2989
CVE-2022-2990
CVE-2022-27191
CVE-2022-30630
CVE-2022-30631
CVE-2022-30632

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. aardvark-dns-1.1.0-4.el9.src.rpm
    Size: 11.06 MB
  2. buildah-1.27.0-2.el9.src.rpm
    Size: 13.90 MB
  3. cockpit-podman-53-1.el9.src.rpm
    Size: 1.10 MB
  4. containernetworking-plugins-1.1.1-3.el9.src.rpm
    Size: 2.80 MB
  5. containers-common-1-44.el9.src.rpm
    Size: 108.70 kB
  6. container-selinux-2.189.0-1.el9.src.rpm
    Size: 44.13 kB
  7. container-tools-1-12.el9.src.rpm
    Size: 8.37 kB
  8. netavark-1.1.0-6.el9.src.rpm
    Size: 15.21 MB
  9. oci-seccomp-bpf-hook-1.2.6-1.el9.src.rpm
    Size: 1.27 MB
  10. podman-4.2.0-3.el9.src.rpm
    Size: 17.98 MB
  11. python-podman-4.2.0-1.el9.src.rpm
    Size: 81.16 kB
  12. toolbox-0.0.99.3-5.el9.src.rpm
    Size: 2.19 MB

Asianux Server 9 for x86_64
  1. aardvark-dns-1.1.0-4.el9.x86_64.rpm
    Size: 0.97 MB
  2. buildah-1.27.0-2.el9.x86_64.rpm
    Size: 7.90 MB
  3. buildah-tests-1.27.0-2.el9.x86_64.rpm
    Size: 25.40 MB
  4. cockpit-podman-53-1.el9.noarch.rpm
    Size: 540.78 kB
  5. containernetworking-plugins-1.1.1-3.el9.x86_64.rpm
    Size: 7.56 MB
  6. containers-common-1-44.el9.x86_64.rpm
    Size: 109.48 kB
  7. container-selinux-2.189.0-1.el9.noarch.rpm
    Size: 47.07 kB
  8. container-tools-1-12.el9.noarch.rpm
    Size: 7.88 kB
  9. netavark-1.1.0-6.el9.x86_64.rpm
    Size: 2.07 MB
  10. oci-seccomp-bpf-hook-1.2.6-1.el9.x86_64.rpm
    Size: 1.00 MB
  11. podman-4.2.0-3.el9.x86_64.rpm
    Size: 12.05 MB
  12. podman-catatonit-4.2.0-3.el9.x86_64.rpm
    Size: 352.00 kB
  13. podman-docker-4.2.0-3.el9.noarch.rpm
    Size: 41.68 kB
  14. podman-gvproxy-4.2.0-3.el9.x86_64.rpm
    Size: 3.32 MB
  15. podman-plugins-4.2.0-3.el9.x86_64.rpm
    Size: 2.52 MB
  16. podman-remote-4.2.0-3.el9.x86_64.rpm
    Size: 8.11 MB
  17. podman-tests-4.2.0-3.el9.x86_64.rpm
    Size: 151.71 kB
  18. python3-podman-4.2.0-1.el9.noarch.rpm
    Size: 143.79 kB
  19. toolbox-0.0.99.3-5.el9.x86_64.rpm
    Size: 2.21 MB
  20. toolbox-tests-0.0.99.3-5.el9.x86_64.rpm
    Size: 35.24 kB