Description
ELSA-2021-2370: container-tools:3.0 security update (IMPORTANT)
buildah [1.19.7-1.0.1]
- Handling redirect from the docker registry [Orabug: 29874238] (Nikita Gerasimov)
[1.19.7-1]
- update to the latest content of https://github.com/containers/buildah/tree/release-1.19 (https://github.com/containers/buildah/commit/a2854ed)
- Resolves: #1935376
cockpit-podman [29-2]
- fix gating test failure for cockpit-podman
- Related: #1914884
[29-1]
- update to https://github.com/cockpit-project/cockpit-podman/releases/tag/29
- Related: #1883490
conmon [2:2.0.26-1]
- update to https://github.com/containers/conmon/releases/tag/v2.0.26
- Related: #1883490
containernetworking-plugins [0.9.1-1]
- update to https://github.com/containernetworking/plugins/releases/tag/v0.9.1
- Related: #1883490
container-selinux [2:2.158.0-1]
- update to https://github.com/containers/container-selinux/releases/tag/v2.158.0
- Related: #1883490
criu [3.15-1]
- update to https://github.com/checkpoint-restore/criu/releases/tag/v3.15
- Related: #1883490
crun [0.18-2]
- allow to build without glibc-static (thanks to Giuseppe Scrivano)
- Related: #1883490
fuse-overlayfs [1.4.0-2]
- disable openat2 syscall again - still unsupported in current RHEL8 kernel
- Related: #1883490
[1.4.0-1]
- update to https://github.com/containers/fuse-overlayfs/releases/tag/v1.4.0
- Related: #1883490
oci-seccomp-bpf-hook [1.2.0-1]
- revert back to 1.2.0 - build issues
- Related: #1883490
[1.2.1-1]
- update to https://github.com/containers/oci-seccomp-bpf-hook/releases/tag/v1.2.1
- require crun >= 0.17
- Related: #1883490
podman [3.0.1-6.0.1]
- Handling redirect from the docker registry [Orabug: 29874238] (Nikita Gerasimov)
[3.0.1-6]
- update to the latest content of https://github.com/containers/podman/tree/v3.0.1-rhel (https://github.com/containers/podman/commit/ad1aaba)
- Resolves: #1921128
- Resolves: #1936927
- Resolves: #1938234
runc [1.0.0-71.rc92]
- fix CVE-2021-30465
- Related: #1955655
[1.0.0-70.rc92]
- add missing Provides: oci-runtime = 1
- Related: #1883490
[1.0.0-69.rc92]
- still use ExcludeArch as go_arches macro is broken for 8.4
- Related: #1883490
[1.0.0-68.rc92]
- update to https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc92
- propagate proper CFLAGS to CGO_CFLAGS to assure code hardening and optimization
- Related: #1821193
skopeo [1.2.2-7.0.1]
- Ignore rhel-shortnames.conf [JIRA: OLDIS-3902]
- Temporarily update shortnames.conf for oraclelinux to point to docker [JIRA: OLDIS-3902]
- Handling redirect from the docker registry [Orabug: 29874238] (Nikita Gerasimov)
- Add oracle registry into the conf file [Orabug: 29845934 31306708]
[1:1.2.2-7]
- use runc as default OCI runtime in RHEL8
- Resolves: #1940854
slirp4netns [1.1.8-1]
- update to https://github.com/rootless-containers/slirp4netns/releases/tag/v1.1.8
- Related: #1883490
udica [0.2.4-1]
- update to https://github.com/containers/udica/releases/tag/v0.2.4
- Related: #1883490
Updated packages
Oracle Linux 8
Oracle Linux aarch64
Module container-tools:3.0 is enabled
buildah 1.19.7-1.0.1.module+el8.4.0+20196+91e9c2ae
buildah-tests 1.19.7-1.0.1.module+el8.4.0+20196+91e9c2ae
cockpit-podman 29-2.module+el8.4.0+20196+91e9c2ae
conmon 2.0.26-1.module+el8.4.0+20196+91e9c2ae
container-selinux 2.158.0-1.module+el8.4.0+20196+91e9c2ae
containernetworking-plugins 0.9.1-1.module+el8.4.0+20196+91e9c2ae
containers-common 1.2.2-7.0.1.module+el8.4.0+20196+91e9c2ae
crit 3.15-1.module+el8.4.0+20196+91e9c2ae
criu 3.15-1.module+el8.4.0+20196+91e9c2ae
crun 0.18-2.module+el8.4.0+20196+91e9c2ae
fuse-overlayfs 1.4.0-2.module+el8.4.0+20196+91e9c2ae
libslirp 4.3.1-1.module+el8.4.0+20196+91e9c2ae
libslirp-devel 4.3.1-1.module+el8.4.0+20196+91e9c2ae
oci-seccomp-bpf-hook 1.2.0-1.module+el8.4.0+20196+91e9c2ae
podman 3.0.1-6.0.1.module+el8.4.0+20196+91e9c2ae
podman-catatonit 3.0.1-6.0.1.module+el8.4.0+20196+91e9c2ae
podman-docker 3.0.1-6.0.1.module+el8.4.0+20196+91e9c2ae
podman-plugins 3.0.1-6.0.1.module+el8.4.0+20196+91e9c2ae
podman-remote 3.0.1-6.0.1.module+el8.4.0+20196+91e9c2ae
podman-tests 3.0.1-6.0.1.module+el8.4.0+20196+91e9c2ae
python3-criu 3.15-1.module+el8.4.0+20196+91e9c2ae
runc 1.0.0-71.rc92.module+el8.4.0+20196+91e9c2ae
skopeo 1.2.2-7.0.1.module+el8.4.0+20196+91e9c2ae
skopeo-tests 1.2.2-7.0.1.module+el8.4.0+20196+91e9c2ae
slirp4netns 1.1.8-1.module+el8.4.0+20196+91e9c2ae
udica 0.2.4-1.module+el8.4.0+20196+91e9c2ae
Oracle Linux x86_64
Module container-tools:3.0 is enabled
buildah 1.19.7-1.0.1.module+el8.4.0+20196+91e9c2ae
buildah-tests 1.19.7-1.0.1.module+el8.4.0+20196+91e9c2ae
cockpit-podman 29-2.module+el8.4.0+20196+91e9c2ae
conmon 2.0.26-1.module+el8.4.0+20196+91e9c2ae
container-selinux 2.158.0-1.module+el8.4.0+20196+91e9c2ae
containernetworking-plugins 0.9.1-1.module+el8.4.0+20196+91e9c2ae
containers-common 1.2.2-7.0.1.module+el8.4.0+20196+91e9c2ae
crit 3.15-1.module+el8.4.0+20196+91e9c2ae
criu 3.15-1.module+el8.4.0+20196+91e9c2ae
crun 0.18-2.module+el8.4.0+20196+91e9c2ae
fuse-overlayfs 1.4.0-2.module+el8.4.0+20196+91e9c2ae
libslirp 4.3.1-1.module+el8.4.0+20196+91e9c2ae
libslirp-devel 4.3.1-1.module+el8.4.0+20196+91e9c2ae
oci-seccomp-bpf-hook 1.2.0-1.module+el8.4.0+20196+91e9c2ae
podman 3.0.1-6.0.1.module+el8.4.0+20196+91e9c2ae
podman-catatonit 3.0.1-6.0.1.module+el8.4.0+20196+91e9c2ae
podman-docker 3.0.1-6.0.1.module+el8.4.0+20196+91e9c2ae
podman-plugins 3.0.1-6.0.1.module+el8.4.0+20196+91e9c2ae
podman-remote 3.0.1-6.0.1.module+el8.4.0+20196+91e9c2ae
podman-tests 3.0.1-6.0.1.module+el8.4.0+20196+91e9c2ae
python3-criu 3.15-1.module+el8.4.0+20196+91e9c2ae
runc 1.0.0-71.rc92.module+el8.4.0+20196+91e9c2ae
skopeo 1.2.2-7.0.1.module+el8.4.0+20196+91e9c2ae
skopeo-tests 1.2.2-7.0.1.module+el8.4.0+20196+91e9c2ae
slirp4netns 1.1.8-1.module+el8.4.0+20196+91e9c2ae
udica 0.2.4-1.module+el8.4.0+20196+91e9c2ae
Related CVEs
Related vulnerabilities
runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal. To exploit the vulnerability, an attacker must be able to create multiple containers with a fairly specific mount configuration. The problem occurs via a symlink-exchange attack that relies on a race condition.