Description
Podman Improper Certificate Validation; machine missing TLS verification
Impact
The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry (which it does by default since 5.0.0), allowing a possible man-in-the-middle attack.
Patches
Fixed in v5.5.2: https://github.com/containers/podman/commit/726b506acc8a00d99f1a3a1357ecf619a1f798c3
Workarounds
Download the disk image manually with some other tool that verifies the TLS connection, then pass the local image as a file path (podman machine init --image ./somepath).
References
- https://github.com/containers/podman/security/advisories/GHSA-65gg-3w2w-hr4h
- https://nvd.nist.gov/vuln/detail/CVE-2025-6032
- https://github.com/containers/podman/commit/726b506acc8a00d99f1a3a1357ecf619a1f798c3
- https://access.redhat.com/errata/RHSA-2025:10295
- https://access.redhat.com/errata/RHSA-2025:10549
- https://access.redhat.com/errata/RHSA-2025:10550
- https://access.redhat.com/errata/RHSA-2025:10551
- https://access.redhat.com/errata/RHSA-2025:10668
- https://access.redhat.com/errata/RHSA-2025:9726
- https://access.redhat.com/errata/RHSA-2025:9751
- https://access.redhat.com/errata/RHSA-2025:9766
- https://access.redhat.com/security/cve/CVE-2025-6032
- https://bugzilla.redhat.com/show_bug.cgi?id=2372501
Packages
github.com/containers/podman/v4
Affected versions: >= 4.8.0, <= 4.9.5
Fixed version: none
github.com/containers/podman/v5
Affected versions: < 5.5.2
Fixed version: 5.5.2
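To check a host against the ranges above, the following added example (not code from the Podman project or this advisory) classifies a Podman version string. The function names `ver_num` and `classify_podman` are hypothetical, and dropping pre-release or vendor suffixes before comparing is an assumption.

```shell
#!/bin/sh
# Added example (not Podman project code). Function names are hypothetical.
# Affected ranges are the ones listed on this page:
#   podman/v4: >= 4.8.0, <= 4.9.5 (no fixed release listed)
#   podman/v5: < 5.5.2            (fixed in 5.5.2)

# ver_num X.Y.Z -> one integer, so versions compare numerically.
ver_num() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# classify_podman VERSION -> prints a verdict; returns 2 on unparsable input.
classify_podman() {
    base=${1%%[-+]*}          # assumption: drop suffixes such as -dev or -rc1
    case $base in
        ''|*[!0-9.]*|*.*.*.*) echo unknown; return 2 ;;
        *.*.*) ;;
        *) echo unknown; return 2 ;;
    esac
    n=$(ver_num "$base")
    if [ "$n" -ge "$(ver_num 4.8.0)" ] && [ "$n" -le "$(ver_num 4.9.5)" ]; then
        echo affected-no-fix
    elif [ "$n" -ge "$(ver_num 5.0.0)" ] && [ "$n" -lt "$(ver_num 5.5.2)" ]; then
        echo affected-upgrade-to-5.5.2
    else
        echo not-listed
    fi
}

# Check the local install, if any ("podman --version" prints "podman version X.Y.Z").
if command -v podman >/dev/null 2>&1; then
    installed=$(podman --version | awk '{print $NF}')
    echo "podman $installed: $(classify_podman "$installed" || true)"
fi
```

Distribution packages patched through the errata listed under References may keep an older upstream version number, so the verdict applies to upstream release numbers only. For an affected version with no fixed release, the workaround above (a manually downloaded image passed with --image) is the remaining option.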
Related vulnerabilities
A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.
ELSA-2025-10551: container-tools:rhel8 security update (IMPORTANT)