Описание
Security update for podman
This update for podman fixes the following issues:
Updated to version 3.4.7:
- CVE-2022-1227: Fixed an issue that could allow an attacker to publish a malicious image to a public registry and run arbitrary code in the victim's context via the 'podman top' command (bsc#1182428).
- CVE-2022-27191: Fixed a potential crash via SSH under specific configurations (bsc#1197284).
- CVE-2022-21698: Fixed a potential denial of service that affected servers that used Prometheus instrumentation (bsc#1196338).
Список пакетов
SUSE Enterprise Storage 7.1
SUSE Linux Enterprise Micro 5.1
SUSE Linux Enterprise Micro 5.2
SUSE Linux Enterprise Module for Containers 15 SP3
openSUSE Leap 15.3
Ссылки
- Link for SUSE-SU-2022:2839-1
- E-Mail link for SUSE-SU-2022:2839-1
- SUSE Security Ratings
- SUSE Bug 1182428
- SUSE Bug 1196338
- SUSE Bug 1197284
- SUSE CVE CVE-2022-1227 page
- SUSE CVE CVE-2022-21698 page
- SUSE CVE CVE-2022-27191 page
Описание
A privilege escalation flaw was found in Podman. This flaw allows an attacker to publish a malicious image to a public registry. Once this image is downloaded by a potential victim, the vulnerability is triggered after a user runs the 'podman top' command. This action gives the attacker access to the host filesystem, leading to information disclosure or denial of service.
Затронутые продукты
Ссылки
- CVE-2022-1227
- SUSE Bug 1182428
Описание
client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g GET) before middleware; pass metric with `method` label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods.
Затронутые продукты
Ссылки
- CVE-2022-21698
- SUSE Bug 1196338
Описание
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
Затронутые продукты
Ссылки
- CVE-2022-27191
- SUSE Bug 1197284