podman-4.9.4-0.1.el9

エラータID: AXSA:2024-7787:03

Release date: 
Wednesday, May 29, 2024 - 19:59
Subject: 
podman-4.9.4-0.1.el9
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
Moderate
Description: 

The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods is a concept in Kubernetes.

Security Fix(es):

* golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)
* golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges. (CVE-2023-45287)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the MIRACLE LINUX 9.4 Release Notes linked from the References section.

CVE-2023-39326
A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.
CVE-2023-45287
Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels.

Solution: 

Update packages.

CVEs: 
CVE-2023-39326
A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.
CVE-2023-45287
Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels.
Additional Info: 

N/A

Download: 

SRPMS
  1. podman-4.9.4-0.1.el9.src.rpm
    MD5: 329076186138b530869ca63a2059751c
    SHA-256: 80af074596a620ddef0a732f2718dd1994499372d663785d08a831cdeefd4ff2
    Size: 22.70 MB

Asianux Server 9 for x86_64
  1. podman-4.9.4-0.1.el9.x86_64.rpm
    MD5: 7e6ed51b9e9adc10f7de370d5e105c52
    SHA-256: 7434deb457d7bf7b7260b345746eaa86eb3975a681b564ef2c9ad50fe05d8a21
    Size: 15.55 MB
  2. podman-docker-4.9.4-0.1.el9.noarch.rpm
    MD5: f7b4f9c9d3479dc24f82c9dbd8ebbcda
    SHA-256: 1f5e811441163a6cee6526cfd5d5f39059d13d5c9bd34fe43d933bf00f7491d8
    Size: 106.09 kB
  3. podman-plugins-4.9.4-0.1.el9.x86_64.rpm
    MD5: 53993363d6d2399bf2924910e76dcea5
    SHA-256: f936fd7992a179c96d7e5a07f1f4e1466cc36e6c253d3363acf42ce5148b238c
    Size: 1.28 MB
  4. podman-remote-4.9.4-0.1.el9.x86_64.rpm
    MD5: 793a5daa1e156ec605f1ac3821cf1eb9
    SHA-256: eb42de5c5a15fe71aed4561bed36dc93f6ca6b8a40e6cbb8d70c4771f1ab9614
    Size: 10.23 MB
  5. podman-tests-4.9.4-0.1.el9.x86_64.rpm
    MD5: 808828d3d8ced17858feba5b4708bd6a
    SHA-256: e5de0db51e79bca986cb3c55bd2bf860253e6157ed4c9fe19b9b2327dc8fbc07
    Size: 209.37 kB