ELSA-2025-23543

Опубликовано: 22 дек. 2025

Источник: oracle-oval

Платформа: Oracle Linux 8

Описание

ELSA-2025-23543: container-tools:rhel8 security update (IMPORTANT)

aardvark-dns buildah [2:1.33.13-1]

update to the latest content of https://github.com/containers/buildah/tree/release-1.33 (https://github.com/containers/buildah/commit/65707d0)
fixes '[Minor Incident] CVE-2025-52881 container-tools:rhel8/buildah: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [rhel-8.10.z]'
Resolves: RHEL-126916

[2:1.33.12-3]

rebuild for CVE-2025-58183
Resolves: RHEL-125644

cockpit-podman conmon containernetworking-plugins containers-common container-selinux criu crun fuse-overlayfs libslirp netavark oci-seccomp-bpf-hook podman [4.9.4-25.0.1]

Fixes issue of container created in cgroupv2 not start in cgroupv1 [Orabug: 36136813]
Fixes container memory limit not set after host is rebooted with cgroupv2 [Orabug: 36136802]
Fixes issue of podman execvp error while using podmansh [Orabug: 36756665]

[4:4.9.4-25]

update to the latest content of https://github.com/containers/podman/tree/v4.9-rhel (https://github.com/containers/podman/commit/638f1d2)
fixes '[Minor Incident] CVE-2025-52881 container-tools:rhel8/podman: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [rhel-8.10.z]'
Resolves: RHEL-126904

python-podman runc skopeo slirp4netns udica

Обновленные пакеты

Oracle Linux 8

Oracle Linux aarch64

Module container-tools:ol8 is enabled

aardvark-dns

1.10.1-2.module+el8.10.0+90735+426876b9

buildah

1.33.13-1.module+el8.10.0+90735+426876b9

buildah-tests

1.33.13-1.module+el8.10.0+90735+426876b9

cockpit-podman

84.1-1.module+el8.10.0+90735+426876b9

conmon

2.1.10-1.module+el8.10.0+90735+426876b9

container-selinux

2.229.0-2.module+el8.10.0+90735+426876b9

containernetworking-plugins

1.4.0-6.module+el8.10.0+90735+426876b9

containers-common

1-82.0.1.module+el8.10.0+90735+426876b9

crit

3.18-5.module+el8.10.0+90735+426876b9

criu

3.18-5.module+el8.10.0+90735+426876b9

criu-devel

3.18-5.module+el8.10.0+90735+426876b9

criu-libs

3.18-5.module+el8.10.0+90735+426876b9

crun

1.14.3-2.module+el8.10.0+90735+426876b9

fuse-overlayfs

1.13-1.module+el8.10.0+90735+426876b9

libslirp

4.4.0-2.module+el8.10.0+90735+426876b9

libslirp-devel

4.4.0-2.module+el8.10.0+90735+426876b9

netavark

1.10.3-1.module+el8.10.0+90735+426876b9

oci-seccomp-bpf-hook

1.2.10-1.module+el8.10.0+90735+426876b9

podman

4.9.4-25.0.1.module+el8.10.0+90735+426876b9

podman-catatonit

4.9.4-25.0.1.module+el8.10.0+90735+426876b9

podman-docker

4.9.4-25.0.1.module+el8.10.0+90735+426876b9

podman-gvproxy

4.9.4-25.0.1.module+el8.10.0+90735+426876b9

podman-plugins

4.9.4-25.0.1.module+el8.10.0+90735+426876b9

podman-remote

4.9.4-25.0.1.module+el8.10.0+90735+426876b9

podman-tests

4.9.4-25.0.1.module+el8.10.0+90735+426876b9

python3-criu

3.18-5.module+el8.10.0+90735+426876b9

python3-podman

4.9.0-3.module+el8.10.0+90735+426876b9

runc

1.2.9-2.module+el8.10.0+90735+426876b9

skopeo

1.14.5-5.module+el8.10.0+90735+426876b9

skopeo-tests

1.14.5-5.module+el8.10.0+90735+426876b9

slirp4netns

1.2.3-1.module+el8.10.0+90735+426876b9

udica

0.2.6-21.module+el8.10.0+90735+426876b9

Oracle Linux x86_64

Module container-tools:ol8 is enabled

aardvark-dns

1.10.1-2.module+el8.10.0+90735+426876b9

buildah

1.33.13-1.module+el8.10.0+90735+426876b9

buildah-tests

1.33.13-1.module+el8.10.0+90735+426876b9

cockpit-podman

84.1-1.module+el8.10.0+90735+426876b9

conmon

2.1.10-1.module+el8.10.0+90735+426876b9

container-selinux

2.229.0-2.module+el8.10.0+90735+426876b9

containernetworking-plugins

1.4.0-6.module+el8.10.0+90735+426876b9

containers-common

1-82.0.1.module+el8.10.0+90735+426876b9

crit

3.18-5.module+el8.10.0+90735+426876b9

criu

3.18-5.module+el8.10.0+90735+426876b9

criu-devel

3.18-5.module+el8.10.0+90735+426876b9

criu-libs

3.18-5.module+el8.10.0+90735+426876b9

crun

1.14.3-2.module+el8.10.0+90735+426876b9

fuse-overlayfs

1.13-1.module+el8.10.0+90735+426876b9

libslirp

4.4.0-2.module+el8.10.0+90735+426876b9

libslirp-devel

4.4.0-2.module+el8.10.0+90735+426876b9

netavark

1.10.3-1.module+el8.10.0+90735+426876b9

oci-seccomp-bpf-hook

1.2.10-1.module+el8.10.0+90735+426876b9

podman

4.9.4-25.0.1.module+el8.10.0+90735+426876b9

podman-catatonit

4.9.4-25.0.1.module+el8.10.0+90735+426876b9

podman-docker

4.9.4-25.0.1.module+el8.10.0+90735+426876b9

podman-gvproxy

4.9.4-25.0.1.module+el8.10.0+90735+426876b9

podman-plugins

4.9.4-25.0.1.module+el8.10.0+90735+426876b9

podman-remote

4.9.4-25.0.1.module+el8.10.0+90735+426876b9

podman-tests

4.9.4-25.0.1.module+el8.10.0+90735+426876b9

python3-criu

3.18-5.module+el8.10.0+90735+426876b9

python3-podman

4.9.0-3.module+el8.10.0+90735+426876b9

runc

1.2.9-2.module+el8.10.0+90735+426876b9

skopeo

1.14.5-5.module+el8.10.0+90735+426876b9

skopeo-tests

1.14.5-5.module+el8.10.0+90735+426876b9

slirp4netns

1.2.3-1.module+el8.10.0+90735+426876b9

udica

0.2.6-21.module+el8.10.0+90735+426876b9

Связанные CVE

CVE-2025-52881

Ссылки на источники

Связанные уязвимости

CVE-2025-52881

CVSS3: 7.5

ubuntu

2 месяца назад

runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.