SUSE-SU-2022:3655-1

Опубликовано: 19 окт. 2022

Источник: suse-cvrf

Описание

Security update for buildah

This update for buildah fixes the following issues:

Buildah was updated to version 1.27.1:

CVE-2021-20206: Fixed an issue in libcni that could allow an attacker to execute arbitrary binaries on the host (bsc#1181961).
CVE-2020-10696: Fixed an issue that could lead to files being overwritten during the image building process (bsc#1167864).
CVE-2022-2990: Fixed a possible information disclosure and modification (bsc#1202812).

Список пакетов

SUSE Linux Enterprise Module for Containers 15 SP4

buildah-1.27.1-150400.3.8.1

openSUSE Leap 15.4

buildah-1.27.1-150400.3.8.1

Ссылки

https://www.suse.com/support/update/announcement/2022/suse-su-20223655-1/
Link for SUSE-SU-2022:3655-1
https://lists.suse.com/pipermail/sle-security-updates/2022-October/012578.html
E-Mail link for SUSE-SU-2022:3655-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1167864
SUSE Bug 1167864
https://bugzilla.suse.com/1181961
SUSE Bug 1181961
https://bugzilla.suse.com/1202812
SUSE Bug 1202812
https://www.suse.com/security/cve/CVE-2020-10696/
SUSE CVE CVE-2020-10696 page
https://www.suse.com/security/cve/CVE-2021-20206/
SUSE CVE CVE-2021-20206 page
https://www.suse.com/security/cve/CVE-2022-2990/
SUSE CVE CVE-2022-2990 page

Описание

A path traversal flaw was found in Buildah in versions before 1.14.5. This flaw allows an attacker to trick a user into building a malicious container image hosted on an HTTP(s) server and then write files to the user's system anywhere that the user has permissions.

Затронутые продукты

SUSE Linux Enterprise Module for Containers 15 SP4:buildah-1.27.1-150400.3.8.1

openSUSE Leap 15.4:buildah-1.27.1-150400.3.8.1

Ссылки

https://www.suse.com/security/cve/CVE-2020-10696.html
CVE-2020-10696
https://bugzilla.suse.com/1167864
SUSE Bug 1167864

Описание

An improper limitation of path name flaw was found in containernetworking/cni in versions before 0.8.1. When specifying the plugin to load in the 'type' field in the network configuration, it is possible to use special elements such as "../" separators to reference binaries elsewhere on the system. This flaw allows an attacker to execute other existing binaries other than the cni plugins/types, such as 'reboot'. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Затронутые продукты

SUSE Linux Enterprise Module for Containers 15 SP4:buildah-1.27.1-150400.3.8.1

openSUSE Leap 15.4:buildah-1.27.1-150400.3.8.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-20206.html
CVE-2021-20206
https://bugzilla.suse.com/1181961
SUSE Bug 1181961

Описание

An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.

Затронутые продукты

SUSE Linux Enterprise Module for Containers 15 SP4:buildah-1.27.1-150400.3.8.1

openSUSE Leap 15.4:buildah-1.27.1-150400.3.8.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-2990.html
CVE-2022-2990
https://bugzilla.suse.com/1202812
SUSE Bug 1202812

SUSE-SU-2022:3655-1

Описание

Список пакетов

SUSE Linux Enterprise Module for Containers 15 SP4

openSUSE Leap 15.4

Ссылки

Уязвимость: CVE-2020-10696

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2021-20206

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2022-2990

Описание

Затронутые продукты

Ссылки