Description
ELSA-2022-7469: container-tools:4.0 security and bug fix update (MODERATE)
buildah [1:1.24.5-2]
- update to the latest content of https://github.com/containers/buildah/tree/release-1.24 (https://github.com/containers/buildah/commit/8cc4586)
- Related: #2061390
[1:1.24.5-1]
- update to the latest content of https://github.com/containers/buildah/tree/release-1.24 (https://github.com/containers/buildah/commit/83c5f26)
- Related: #2061390
cockpit-podman [46-1]
- update to https://github.com/cockpit-project/cockpit-podman/releases/tag/46
- Related: #2061390
conmon [2:2.1.4-1]
- update to https://github.com/containers/conmon/releases/tag/v2.1.4
- Related: #2061390
containernetworking-plugins [1:1.1.1-2]
- bump golang BR to 1.17.7
- Related: #2061390
[1:1.1.1-1]
- update to https://github.com/containernetworking/plugins/releases/tag/v1.1.1
- Related: #2061390
containers-common [2:1-35.0.1]
- Updated removed references [Orabug: 33473101] (Alex Burmashev)
- Adjust registries.conf (Nikita Gerasimov)
- remove references to RedHat registry (Nikita Gerasimov)
[2:1-35]
- update vendored components and configuration files
- Related: #2061390
[2:1-34]
- update shortnames and be sure to remove rhel-els
- Related: #2061390
[2:1-33]
- additional fix for unqualified registries
- Related: #2061390
oci-seccomp-bpf-hook [1.2.5-1]
- update to https://github.com/containers/oci-seccomp-bpf-hook/releases/tag/v1.2.5
- Related: #2061390
podman [2:4.0.2-8]
- update to the latest content of https://github.com/containers/podman/tree/v4.0-rhel (https://github.com/containers/podman/commit/33084eb)
- Related: #2061390
[2:4.0.2-7]
- update to the latest content of https://github.com/containers/podman/tree/v4.0-rhel (https://github.com/containers/podman/commit/3efe4c2)
- Related: #2061390
[2:4.0.2-6]
- update to the latest content of https://github.com/containers/podman/tree/v4.0-rhel (https://github.com/containers/podman/commit/bfc8b36)
- Related: #2061390
[2:4.0.2-5]
- update to the latest content of https://github.com/containers/podman/tree/v4.0-rhel (https://github.com/containers/podman/commit/2e12f02)
- Related: #2061390
[2:4.0.2-4]
- update gvisor-tap-vsock to 0.2.0 to fix compilation with golang 1.18
- Related: #2061390
[2:4.0.2-3]
- update to the latest content of https://github.com/containers/podman/tree/v4.0-rhel (https://github.com/containers/podman/commit/6cb5039)
- Related: #2061390
[2:4.0.2-2]
- update to the latest content of https://github.com/containers/podman/tree/v4.0-rhel (https://github.com/containers/podman/commit/ce91610)
- Related: #2061390
[2:4.0.2-1]
- update to the latest content of https://github.com/containers/podman/tree/v4.0-rhel (https://github.com/containers/podman/commit/94aa329)
- Related: #2061390
python-podman [4.0.0-1]
- bump to v4.0.0
- Related: #2001445
runc [1:1.1.4-1]
- update to https://github.com/opencontainers/runc/releases/tag/v1.1.4
- Related: #2061390
skopeo [2:1.6.2-5]
- update to the latest content of https://github.com/containers/skopeo/tree/release-1.6 (https://github.com/containers/skopeo/commit/c20c32d)
- Related: #2061390
[2:1.6.2-4]
- update to the latest content of https://github.com/containers/skopeo/tree/release-1.6 (https://github.com/containers/skopeo/commit/f952195)
- Related: #2061390
[2:1.6.2-3]
- update to the latest content of https://github.com/containers/skopeo/tree/release-1.6 (https://github.com/containers/skopeo/commit/4414e52)
- Related: #2061390
[2:1.6.2-2]
- update to the latest content of https://github.com/containers/skopeo/tree/release-1.6 (https://github.com/containers/skopeo/commit/4336972)
- Related: #2061390
[2:1.6.2-1]
- update to the latest content of https://github.com/containers/skopeo/tree/release-1.6 (https://github.com/containers/skopeo/commit/540efb3)
- Related: #2061390
slirp4netns [1.1.8-2]
- fix gating - don't use insecure functions - thanks to Marc-Andre Lureau
- Related: #2001445
[1.1.8-1]
- update to https://github.com/rootless-containers/slirp4netns/releases/tag/v1.1.8
- Related: #1883490
udica [0.2.6-3]
- Make sure each section of the inspect exists before accessing (#2027662)
[0.2.6-2]
- Require container-selinux shipping policy templates (#2005866)
[0.2.6-1]
- update to https://github.com/containers/udica/releases/tag/v0.2.6
- Related: #2001445
Updated packages
Oracle Linux 8
Oracle Linux aarch64
Module container-tools:4.0 is enabled
aardvark-dns 1.0.1-35.module+el8.7.0+20872+81cbf159
buildah 1.24.5-2.module+el8.7.0+20872+81cbf159
buildah-tests 1.24.5-2.module+el8.7.0+20872+81cbf159
cockpit-podman 46-1.module+el8.7.0+20872+81cbf159
conmon 2.1.4-1.module+el8.7.0+20872+81cbf159
container-selinux 2.189.0-1.module+el8.7.0+20872+81cbf159
containernetworking-plugins 1.1.1-2.module+el8.7.0+20872+81cbf159
containers-common 1-35.0.1.module+el8.7.0+20872+81cbf159
crit 3.15-3.module+el8.7.0+20872+81cbf159
criu 3.15-3.module+el8.7.0+20872+81cbf159
criu-devel 3.15-3.module+el8.7.0+20872+81cbf159
criu-libs 3.15-3.module+el8.7.0+20872+81cbf159
crun 1.5-1.module+el8.7.0+20872+81cbf159
fuse-overlayfs 1.9-1.module+el8.7.0+20872+81cbf159
libslirp 4.4.0-1.module+el8.7.0+20872+81cbf159
libslirp-devel 4.4.0-1.module+el8.7.0+20872+81cbf159
netavark 1.0.1-35.module+el8.7.0+20872+81cbf159
oci-seccomp-bpf-hook 1.2.5-1.module+el8.7.0+20872+81cbf159
podman 4.0.2-8.module+el8.7.0+20872+81cbf159
podman-catatonit 4.0.2-8.module+el8.7.0+20872+81cbf159
podman-docker 4.0.2-8.module+el8.7.0+20872+81cbf159
podman-gvproxy 4.0.2-8.module+el8.7.0+20872+81cbf159
podman-plugins 4.0.2-8.module+el8.7.0+20872+81cbf159
podman-remote 4.0.2-8.module+el8.7.0+20872+81cbf159
podman-tests 4.0.2-8.module+el8.7.0+20872+81cbf159
python3-criu 3.15-3.module+el8.7.0+20872+81cbf159
python3-podman 4.0.0-1.module+el8.7.0+20872+81cbf159
runc 1.1.4-1.module+el8.7.0+20872+81cbf159
skopeo 1.6.2-5.module+el8.7.0+20872+81cbf159
skopeo-tests 1.6.2-5.module+el8.7.0+20872+81cbf159
slirp4netns 1.1.8-2.module+el8.7.0+20872+81cbf159
udica 0.2.6-3.module+el8.7.0+20872+81cbf159
Oracle Linux x86_64
Module container-tools:4.0 is enabled
aardvark-dns 1.0.1-35.module+el8.7.0+20872+81cbf159
buildah 1.24.5-2.module+el8.7.0+20872+81cbf159
buildah-tests 1.24.5-2.module+el8.7.0+20872+81cbf159
cockpit-podman 46-1.module+el8.7.0+20872+81cbf159
conmon 2.1.4-1.module+el8.7.0+20872+81cbf159
container-selinux 2.189.0-1.module+el8.7.0+20872+81cbf159
containernetworking-plugins 1.1.1-2.module+el8.7.0+20872+81cbf159
containers-common 1-35.0.1.module+el8.7.0+20872+81cbf159
crit 3.15-3.module+el8.7.0+20872+81cbf159
criu 3.15-3.module+el8.7.0+20872+81cbf159
criu-devel 3.15-3.module+el8.7.0+20872+81cbf159
criu-libs 3.15-3.module+el8.7.0+20872+81cbf159
crun 1.5-1.module+el8.7.0+20872+81cbf159
fuse-overlayfs 1.9-1.module+el8.7.0+20872+81cbf159
libslirp 4.4.0-1.module+el8.7.0+20872+81cbf159
libslirp-devel 4.4.0-1.module+el8.7.0+20872+81cbf159
netavark 1.0.1-35.module+el8.7.0+20872+81cbf159
oci-seccomp-bpf-hook 1.2.5-1.module+el8.7.0+20872+81cbf159
podman 4.0.2-8.module+el8.7.0+20872+81cbf159
podman-catatonit 4.0.2-8.module+el8.7.0+20872+81cbf159
podman-docker 4.0.2-8.module+el8.7.0+20872+81cbf159
podman-gvproxy 4.0.2-8.module+el8.7.0+20872+81cbf159
podman-plugins 4.0.2-8.module+el8.7.0+20872+81cbf159
podman-remote 4.0.2-8.module+el8.7.0+20872+81cbf159
podman-tests 4.0.2-8.module+el8.7.0+20872+81cbf159
python3-criu 3.15-3.module+el8.7.0+20872+81cbf159
python3-podman 4.0.0-1.module+el8.7.0+20872+81cbf159
runc 1.1.4-1.module+el8.7.0+20872+81cbf159
skopeo 1.6.2-5.module+el8.7.0+20872+81cbf159
skopeo-tests 1.6.2-5.module+el8.7.0+20872+81cbf159
slirp4netns 1.1.8-2.module+el8.7.0+20872+81cbf159
udica 0.2.6-3.module+el8.7.0+20872+81cbf159
Related CVEs
Related vulnerabilities
Moderate: container-tools:rhel8 security, bug fix, and enhancement update
ELSA-2022-7457: container-tools:ol8 security, bug fix, and enhancement update (MODERATE)
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. In addition, `runc spec` is changed to not set any inheritable capabilities in the created example OCI spec (`config.json`) file.
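To make the runc description above concrete, here is an added illustration (not runc's code, not part of the advisory) that models the execve(2) capability transition from capabilities(7) and lints the process.capabilities block of an OCI config.json. The capability names, the sample configs and the function names are constructed for this example.

```python
"""Model of the execve(2) capability transition from capabilities(7), used to
show why the non-empty inheritable set handed out by pre-1.1.2 `runc exec --cap`
matters, plus a lint for process.capabilities in an OCI config.json.
Added illustration, not runc's code; capability values are constructed samples."""
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcCaps:  # the exec'ing process's sets (P in capabilities(7))
    permitted: frozenset = frozenset()
    inheritable: frozenset = frozenset()
    bounding: frozenset = frozenset()
    ambient: frozenset = frozenset()

@dataclass(frozen=True)
class FileCaps:  # the target binary's file capability sets (F)
    permitted: frozenset = frozenset()
    inheritable: frozenset = frozenset()

def permitted_after_execve(proc: ProcCaps, fcaps: FileCaps) -> frozenset:
    """P'(permitted) = (P(inh) & F(inh)) | (F(perm) & P(bnd)) | P'(ambient).
    A file carrying capabilities is privileged, so P'(ambient) is cleared."""
    ambient_after = frozenset() if (fcaps.permitted or fcaps.inheritable) else proc.ambient
    return (proc.inheritable & fcaps.inheritable) | (fcaps.permitted & proc.bounding) | ambient_after

def lint_oci_caps(config_json: str) -> list:
    """Findings for process.capabilities; the post-fix state is an empty inheritable set."""
    caps = json.loads(config_json).get("process", {}).get("capabilities", {})
    inh, bnd = set(caps.get("inheritable", [])), set(caps.get("bounding", []))
    findings = []
    if inh:
        findings.append("inheritable set is non-empty: " + ",".join(sorted(inh)))
    if not inh <= bnd:
        findings.append("inheritable exceeds bounding: " + ",".join(sorted(inh - bnd)))
    return findings

# Constructed configs: the pattern the fix removed, and the corrected one.
BEFORE_FIX = json.dumps({"process": {"capabilities": {
    "bounding": ["CAP_NET_BIND_SERVICE", "CAP_SYS_ADMIN"],
    "permitted": ["CAP_NET_BIND_SERVICE"], "inheritable": ["CAP_SYS_ADMIN"]}}})
AFTER_FIX = json.dumps({"process": {"capabilities": {
    "bounding": ["CAP_NET_BIND_SERVICE", "CAP_SYS_ADMIN"],
    "permitted": ["CAP_NET_BIND_SERVICE"], "inheritable": []}}})

if __name__ == "__main__":
    binary = FileCaps(inheritable=frozenset({"CAP_SYS_ADMIN"}))  # inheritable file cap only
    bnd = frozenset({"CAP_NET_BIND_SERVICE", "CAP_SYS_ADMIN"})
    print(permitted_after_execve(ProcCaps(inheritable=frozenset({"CAP_SYS_ADMIN"}), bounding=bnd), binary))
    print(permitted_after_execve(ProcCaps(bounding=bnd), binary))
    print(lint_oci_caps(BEFORE_FIX), lint_oci_caps(AFTER_FIX))
```

With the pre-fix inheritable set the binary's inheritable file capability lands in the new permitted set; with the post-fix empty inheritable set it does not, which is the whole effect of the change.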