podman-5.6.0-7.el9_7
Errata ID: AXSA:2025-11510:12
The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods are a concept in Kubernetes.
Security Fix(es):
* runc: container escape and denial of service due to arbitrary write gadgets and procfs write redirects (CVE-2025-52881)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2025-52881
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.
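The CVE text above names the exact runc versions it covers (affected: 1.2.7, 1.3.2, 1.4.0-rc.2; fixed: 1.2.8, 1.3.3, 1.4.0-rc.3). The following is an added example, not part of this advisory or the runc project, that reads the locally installed runc version and classifies it against those lists. It assumes that `runc --version` prints a first line of the form `runc version X.Y.Z`, and that later patch releases within a fixed series (for example 1.2.9 after 1.2.8) carry the fix; any version outside the listed series is reported as "not listed" so it can be checked against the CVE page rather than silently assumed safe.

```python
"""Classify an installed runc version against the versions this advisory
lists for CVE-2025-52881 (added example, not the advisory's own tooling)."""
import re
import shutil
import subprocess

# Versions exactly as written in the advisory text.
AFFECTED = {"1.2.7", "1.3.2", "1.4.0-rc.2"}
FIXED = {"1.2.8", "1.3.3", "1.4.0-rc.3"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-rc\.(\d+))?$")


def parse_version(text):
    """Turn '1.4.0-rc.3' into a comparable tuple.

    A release candidate must sort before the final release of the same
    number, so an rc gets the key (0, n) and a final release gets (1, 0).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised runc version: {text!r}")
    major, minor, patch, rc = m.groups()
    rc_key = (0, int(rc)) if rc is not None else (1, 0)
    return (int(major), int(minor), int(patch), rc_key)


def classify(version):
    """Return 'affected', 'fixed' or 'not listed' for a runc version string.

    Assumption (not stated on the page): patch releases after a fixed
    version in the same major.minor series also contain the fix.
    """
    if version in AFFECTED:
        return "affected"
    if version in FIXED:
        return "fixed"
    v = parse_version(version)
    for fixed in FIXED:
        f = parse_version(fixed)
        if v[:2] == f[:2] and v >= f:
            return "fixed"
    return "not listed"


def installed_runc_version():
    """Return the version string reported by the local runc binary, or None
    if runc is not installed or its output cannot be parsed."""
    runc = shutil.which("runc")
    if runc is None:
        return None
    out = subprocess.run([runc, "--version"], capture_output=True, text=True)
    # Assumed output shape: first line 'runc version 1.2.8'.
    m = re.search(r"runc version (\S+)", out.stdout)
    return m.group(1) if m else None


if __name__ == "__main__":
    ver = installed_runc_version()
    if ver is None:
        print("runc not found or version unparseable; check manually")
    else:
        try:
            print(f"runc {ver}: {classify(ver)} (per this advisory's lists)")
        except ValueError as exc:
            print(f"runc {ver}: {exc}")
```

Run it on a host after applying the update; a result of "not listed" is a prompt to consult the CVE page, not a clean bill of health.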
Update packages.
N/A
SRPMS
- podman-5.6.0-7.el9_7.src.rpm
MD5: 4144bcc3a4c8fa3ed65dc86f6acb988a
SHA-256: 4400da21895677d4ee3171b992381a6569fc0927f32d480bf46ef42169878ac9
Size: 21.96 MB
Asianux Server 9 for x86_64
- podman-5.6.0-7.el9_7.x86_64.rpm
MD5: 3f49b45d59e04e67cbb7718f57f7ece2
SHA-256: a50f08f9816be892a04e5bbdb3af1162f0aa3c5ee54ab58dfc11bdb2f1721a4a
Size: 16.02 MB
- podman-docker-5.6.0-7.el9_7.noarch.rpm
MD5: 1dfbad51559351f1b759926bb5644550
SHA-256: d502de5f5a7a95ac53b5b8a2e89694229bf6dbdf97f8145525e7f79a7047830b
Size: 109.36 kB
- podman-plugins-5.6.0-7.el9_7.x86_64.rpm
MD5: 9324e0bf6849f2ee49aebf980122d815
SHA-256: 475e5e9834decc9a97b8de17b3146bc46d024e63aa4f2345eb25e69370f2f14f
Size: 1.46 MB
- podman-remote-5.6.0-7.el9_7.x86_64.rpm
MD5: b3c241c19908de186e5ed27d701976e6
SHA-256: 0dc9de473365082dc76a35b2c13467eb0a44edfcfd1d1444e2b2a330291649ed
Size: 9.90 MB
- podman-tests-5.6.0-7.el9_7.x86_64.rpm
MD5: eb8a8c0bfbf61adae648a5c001406e88
SHA-256: 3aa5b6a37c91bc1e93317b803ea8ad08fe99b7a658a4598533a1b49889cbc3d6
Size: 11.42 MB