ELSA-2024-0748

Published: 14 Feb 2024
Source: oracle-oval
Platform: Oracle Linux 8

Description

ELSA-2024-0748: container-tools:4.0 security update (IMPORTANT)

buildah cockpit-podman conmon containernetworking-plugins containers-common container-selinux criu crun fuse-overlayfs libslirp oci-seccomp-bpf-hook podman [2:4.0.2-25.0.1]

running containers python-podman runc [1:1.1.12-1]

skopeo slirp4netns udica

Updated packages

Oracle Linux 8

Oracle Linux aarch64

Module container-tools:4.0 is enabled

aardvark-dns 1.0.1-38.0.1.module+el8.9.0+90148+6046e3c3
buildah 1.24.6-7.module+el8.9.0+90148+6046e3c3
buildah-tests 1.24.6-7.module+el8.9.0+90148+6046e3c3
cockpit-podman 46-1.module+el8.9.0+90148+6046e3c3
conmon 2.1.4-2.module+el8.9.0+90148+6046e3c3
container-selinux 2.205.0-3.module+el8.9.0+90148+6046e3c3
containernetworking-plugins 1.1.1-6.module+el8.9.0+90148+6046e3c3
containers-common 1-38.0.1.module+el8.9.0+90148+6046e3c3
crit 3.15-3.module+el8.9.0+90148+6046e3c3
criu 3.15-3.module+el8.9.0+90148+6046e3c3
criu-devel 3.15-3.module+el8.9.0+90148+6046e3c3
criu-libs 3.15-3.module+el8.9.0+90148+6046e3c3
crun 1.8.7-1.module+el8.9.0+90148+6046e3c3
fuse-overlayfs 1.9-2.module+el8.9.0+90148+6046e3c3
libslirp 4.4.0-1.module+el8.9.0+90148+6046e3c3
libslirp-devel 4.4.0-1.module+el8.9.0+90148+6046e3c3
netavark 1.0.1-38.0.1.module+el8.9.0+90148+6046e3c3
oci-seccomp-bpf-hook 1.2.5-2.module+el8.9.0+90148+6046e3c3
podman 4.0.2-25.0.1.module+el8.9.0+90148+6046e3c3
podman-catatonit 4.0.2-25.0.1.module+el8.9.0+90148+6046e3c3
podman-docker 4.0.2-25.0.1.module+el8.9.0+90148+6046e3c3
podman-gvproxy 4.0.2-25.0.1.module+el8.9.0+90148+6046e3c3
podman-plugins 4.0.2-25.0.1.module+el8.9.0+90148+6046e3c3
podman-remote 4.0.2-25.0.1.module+el8.9.0+90148+6046e3c3
podman-tests 4.0.2-25.0.1.module+el8.9.0+90148+6046e3c3
python3-criu 3.15-3.module+el8.9.0+90148+6046e3c3
python3-podman 4.0.0-2.module+el8.9.0+90148+6046e3c3
runc 1.1.12-1.module+el8.9.0+90148+6046e3c3
skopeo 1.6.2-9.module+el8.9.0+90148+6046e3c3
skopeo-tests 1.6.2-9.module+el8.9.0+90148+6046e3c3
slirp4netns 1.1.8-3.module+el8.9.0+90148+6046e3c3
udica 0.2.6-4.module+el8.9.0+90148+6046e3c3

Oracle Linux x86_64

Module container-tools:4.0 is enabled

aardvark-dns 1.0.1-38.0.1.module+el8.9.0+90148+6046e3c3
buildah 1.24.6-7.module+el8.9.0+90148+6046e3c3
buildah-tests 1.24.6-7.module+el8.9.0+90148+6046e3c3
cockpit-podman 46-1.module+el8.9.0+90148+6046e3c3
conmon 2.1.4-2.module+el8.9.0+90148+6046e3c3
container-selinux 2.205.0-3.module+el8.9.0+90148+6046e3c3
containernetworking-plugins 1.1.1-6.module+el8.9.0+90148+6046e3c3
containers-common 1-38.0.1.module+el8.9.0+90148+6046e3c3
crit 3.15-3.module+el8.9.0+90148+6046e3c3
criu 3.15-3.module+el8.9.0+90148+6046e3c3
criu-devel 3.15-3.module+el8.9.0+90148+6046e3c3
criu-libs 3.15-3.module+el8.9.0+90148+6046e3c3
crun 1.8.7-1.module+el8.9.0+90148+6046e3c3
fuse-overlayfs 1.9-2.module+el8.9.0+90148+6046e3c3
libslirp 4.4.0-1.module+el8.9.0+90148+6046e3c3
libslirp-devel 4.4.0-1.module+el8.9.0+90148+6046e3c3
netavark 1.0.1-38.0.1.module+el8.9.0+90148+6046e3c3
oci-seccomp-bpf-hook 1.2.5-2.module+el8.9.0+90148+6046e3c3
podman 4.0.2-25.0.1.module+el8.9.0+90148+6046e3c3
podman-catatonit 4.0.2-25.0.1.module+el8.9.0+90148+6046e3c3
podman-docker 4.0.2-25.0.1.module+el8.9.0+90148+6046e3c3
podman-gvproxy 4.0.2-25.0.1.module+el8.9.0+90148+6046e3c3
podman-plugins 4.0.2-25.0.1.module+el8.9.0+90148+6046e3c3
podman-remote 4.0.2-25.0.1.module+el8.9.0+90148+6046e3c3
podman-tests 4.0.2-25.0.1.module+el8.9.0+90148+6046e3c3
python3-criu 3.15-3.module+el8.9.0+90148+6046e3c3
python3-podman 4.0.0-2.module+el8.9.0+90148+6046e3c3
runc 1.1.12-1.module+el8.9.0+90148+6046e3c3
skopeo 1.6.2-9.module+el8.9.0+90148+6046e3c3
skopeo-tests 1.6.2-9.module+el8.9.0+90148+6046e3c3
slirp4netns 1.1.8-3.module+el8.9.0+90148+6046e3c3
udica 0.2.6-4.module+el8.9.0+90148+6046e3c3

Related CVEs

Related vulnerabilities

rocky
7 months ago

Important: container-tools:4.0 security update

CVSS3: 7.5
ubuntu
about 2 years ago

Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels.

CVSS3: 7.5
redhat
about 2 years ago

Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels.

CVSS3: 7.5
nvd
about 2 years ago

Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels.

CVSS3: 7.5
msrc
3 months ago

Before Go 1.20, the RSA based key exchange methods in crypto/tls may exhibit a timing side channel