{"type":"TYPE_SECURITY","shortCode":"RL","name":"RLSA-2022:7457","synopsis":"Moderate: container-tools:rhel8 security, bug fix, and enhancement update","severity":"SEVERITY_MODERATE","topic":"An update for the container-tools:rhel8 module is now available for Rocky Linux 8.\nRocky Enterprise Software Foundation Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.","description":"The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\nAdditional Changes:\nFor detailed information on changes in this release, see the Rocky Linux 8.7 Release Notes linked from the References section.","solution":null,"affectedProducts":["Rocky Linux 8"],"fixes":[{"ticket":"1820551","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=1820551","description":"Automatically starting a container on boot is not possible through cockpit WebUI"},{"ticket":"1941727","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=1941727","description":"Module meta data is wrong"},{"ticket":"1945929","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=1945929","description":"Every podman run invocation generates two \"Couldn't stat device \/dev\/char\/10:200: No such file or directory\" lines in the journal"},{"ticket":"1974423","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=1974423","description":"No equivalent buildah bud argument to docker build --ssh"},{"ticket":"1995656","sourceBy":"Red 
Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=1995656","description":"CVE-2021-36221 golang: net\/http\/httputil: panic due to racy read of persistConn after handler panic"},{"ticket":"1996050","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=1996050","description":"[RFE] podman to create a rootless container that attempts to publish ports from a host with static IPv6 address."},{"ticket":"2005866","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2005866","description":"Udica was rebased prematurely"},{"ticket":"2009264","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2009264","description":"Cannot get logs with --follow"},{"ticket":"2009346","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2009346","description":"Podman name resolution not working as expected"},{"ticket":"2024938","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2024938","description":"CVE-2021-41190 opencontainers: OCI manifest and index parsing confusion"},{"ticket":"2027662","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2027662","description":"Udica crashes when processing inspect file without capabilities"},{"ticket":"2028408","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2028408","description":"Podman healthcheck fails if the command contains unicode characters."},{"ticket":"2030195","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2030195","description":"Add restart-sec option to systemd generate"},{"ticket":"2039045","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2039045","description":"\/etc\/containers\/registries.conf missing registry.redhat.io terms-based registry definition"},{"ticket":"2052697","sourceBy":"Red 
Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2052697","description":"Inconsistency in how the podman service behaves depending on whether it is providing API via UNIX or TCP socket."},{"ticket":"2053990","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2053990","description":"runc has unversioned dependency on libseccomp"},{"ticket":"2055313","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2055313","description":"Creating a pod uses bad infra_image registry in podman"},{"ticket":"2059666","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2059666","description":"There is no man page for Containerfile provided by containers-common"},{"ticket":"2062697","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2062697","description":"[cockpit-podman] RHEL 8.7 Tier 0 Localization"},{"ticket":"2064702","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2064702","description":"CVE-2022-27191 golang: crash in a golang.org\/x\/crypto\/ssh server"},{"ticket":"2066145","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2066145","description":"The results showed significant difference between with and without --no-stream option for podman stats"},{"ticket":"2068006","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2068006","description":"CentOS Stream 8 podman: symbol lookup error: podman: undefined symbol: seccomp_notify_fd [rhel-8.7.0]"},{"ticket":"2072452","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2072452","description":"error during chown: storage-chown-by-maps: lgetxattr usr\/bin\/ping: value too large for defined data type"},{"ticket":"2073958","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2073958","description":"Podman v3.4.2 regression with hosts file breaks 
getHostAddress() call"},{"ticket":"2078925","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2078925","description":"podman command crash with segment fault in rootless user mode"},{"ticket":"2079759","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2079759","description":"skopeo segfaults after rebuild with golang-1.18"},{"ticket":"2079761","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2079761","description":"podman fails to build with golang-1.18"},{"ticket":"2081836","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2081836","description":"networking is broken when building containers due to missing container networking package dependencies"},{"ticket":"2083570","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2083570","description":"symlinks doesn't work on volumes under podman when SELINUX is enabled"},{"ticket":"2083997","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2083997","description":"catatonit not found when starting pod (podman 4.0 under RHEL 8.6)"},{"ticket":"2085361","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2085361","description":"CVE-2022-1708 cri-o: memory exhaustion on the node when access to the kube api"},{"ticket":"2086398","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2086398","description":"CVE-2022-29162 runc: incorrect handling of inheritable capabilities"},{"ticket":"2086757","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2086757","description":"Error: plugin type=\"bridge\" failed (add): failed to find plugin \"bridge\" in path"},{"ticket":"2090609","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2090609","description":"ERRO[0009] Error forwarding signal 18 to container using rootless user with 
timeout+sleep in the podman run command"},{"ticket":"2090920","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2090920","description":"Podman load keeps stale files in TMPDIR"},{"ticket":"2093079","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2093079","description":"Podman does not detect volume from the volume plugin, unlike docker"},{"ticket":"2094610","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2094610","description":"Healthcheck does not get executed if --interval not specified in Dockerfile"},{"ticket":"2094875","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2094875","description":"podman not being able to mount devices during podman build"},{"ticket":"2095097","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2095097","description":"[RFE] Podman copying the entries of \/etc\/hosts in the container"},{"ticket":"2096264","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2096264","description":"podman images --format incompatibility with docker"},{"ticket":"2097865","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2097865","description":"Removing podman-2:4.0.2-6.module+el8.6.0+14877+f643d2d6.x86_64 does not remove podman socket if sudo systemctl enable podman.socket has been run prior to yum remove podman"},{"ticket":"2100740","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2100740","description":"podman can not force remove paused container"},{"ticket":"2102140","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2102140","description":"ADD Dockerfile reference is not validating HTTP status code [rhel8]"},{"ticket":"2102361","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2102361","description":"Mostly-confined containers which 
create their own user and mount namespaces can't mount overlay filesystems"},{"ticket":"2102381","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2102381","description":"podman image failed with ERRO[0000] Unmounting \/home\/maor\/.local\/share\/containers\/storage\/overlay\/XX\/merged: invalid argument"},{"ticket":"2113941","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2113941","description":"podman did not set selinux labels to symbolic links"},{"ticket":"2117699","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2117699","description":"podman 4.2 version bump"},{"ticket":"2117928","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2117928","description":"Error: runc: exec failed: unable to start container process: open \/dev\/pts\/0: operation not permitted: OCI permission denied"},{"ticket":"2118231","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2118231","description":"mount through procfd: operation not permitted: OCI permission denied"},{"ticket":"2119072","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2119072","description":"podman gating test issues in RHEL8.7"},{"ticket":"2120651","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2120651","description":"Add beta keys to default-policy.json"},{"ticket":"2121453","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2121453","description":"CVE-2022-2990 buildah: possible information disclosure and modification"}],"cves":[{"name":"CVE-2021-41190","sourceBy":"Red Hat","sourceLink":"https:\/\/access.redhat.com\/hydra\/rest\/securitydata\/cve\/CVE-2021-41190.json","cvss3ScoringVector":"CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:C\/C:N\/I:L\/A:N","cvss3BaseScore":"5.0","cwe":"CWE-843"},{"name":"CVE-2022-1708","sourceBy":"Red 
Hat","sourceLink":"https:\/\/access.redhat.com\/hydra\/rest\/securitydata\/cve\/CVE-2022-1708.json","cvss3ScoringVector":"CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:R\/S:C\/C:N\/I:N\/A:H","cvss3BaseScore":"6.8","cwe":"CWE-400->CWE-770"},{"name":"CVE-2022-27191","sourceBy":"Red Hat","sourceLink":"https:\/\/access.redhat.com\/hydra\/rest\/securitydata\/cve\/CVE-2022-27191.json","cvss3ScoringVector":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:N\/A:H","cvss3BaseScore":"7.5","cwe":"CWE-327"},{"name":"CVE-2022-29162","sourceBy":"Red Hat","sourceLink":"https:\/\/access.redhat.com\/hydra\/rest\/securitydata\/cve\/CVE-2022-29162.json","cvss3ScoringVector":"CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:N\/S:U\/C:L\/I:L\/A:L","cvss3BaseScore":"5.6","cwe":"CWE-276"},{"name":"CVE-2022-2990","sourceBy":"Red Hat","sourceLink":"https:\/\/access.redhat.com\/hydra\/rest\/securitydata\/cve\/CVE-2022-2990.json","cvss3ScoringVector":"CVSS:3.1\/AV:L\/AC:H\/PR:L\/UI:N\/S:U\/C:L\/I:L\/A:N","cvss3BaseScore":"3.6","cwe":"CWE-842"}],"references":[],"publishedAt":"2022-11-13T07:55:49.626183Z","rpms":{},"rebootSuggested":false,"buildReferences":[]}

Rocky Linux: RLSA-2022:7457 container-tools

November 13, 2022

Summary

An update for the container-tools:rhel8 module is now available for Rocky Linux 8. Rocky Enterprise Software Foundation Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.


The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Rocky Linux 8.7 Release Notes linked from the References section.

RPMs

References

No References

CVEs

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-41190.json

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-1708.json

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-27191.json

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-29162.json

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-2990.json

Severity: Moderate
Name: RLSA-2022:7457
Affected Products: Rocky Linux 8

Fixes

https://bugzilla.redhat.com/show_bug.cgi?id=1820551

https://bugzilla.redhat.com/show_bug.cgi?id=1941727

https://bugzilla.redhat.com/show_bug.cgi?id=1945929

https://bugzilla.redhat.com/show_bug.cgi?id=1974423

https://bugzilla.redhat.com/show_bug.cgi?id=1995656

https://bugzilla.redhat.com/show_bug.cgi?id=1996050

https://bugzilla.redhat.com/show_bug.cgi?id=2005866

https://bugzilla.redhat.com/show_bug.cgi?id=2009264

https://bugzilla.redhat.com/show_bug.cgi?id=2009346

https://bugzilla.redhat.com/show_bug.cgi?id=2024938

https://bugzilla.redhat.com/show_bug.cgi?id=2027662

https://bugzilla.redhat.com/show_bug.cgi?id=2028408

https://bugzilla.redhat.com/show_bug.cgi?id=2030195

https://bugzilla.redhat.com/show_bug.cgi?id=2039045

https://bugzilla.redhat.com/show_bug.cgi?id=2052697

https://bugzilla.redhat.com/show_bug.cgi?id=2053990

https://bugzilla.redhat.com/show_bug.cgi?id=2055313

https://bugzilla.redhat.com/show_bug.cgi?id=2059666

https://bugzilla.redhat.com/show_bug.cgi?id=2062697

https://bugzilla.redhat.com/show_bug.cgi?id=2064702

https://bugzilla.redhat.com/show_bug.cgi?id=2066145

https://bugzilla.redhat.com/show_bug.cgi?id=2068006

https://bugzilla.redhat.com/show_bug.cgi?id=2072452

https://bugzilla.redhat.com/show_bug.cgi?id=2073958

https://bugzilla.redhat.com/show_bug.cgi?id=2078925

https://bugzilla.redhat.com/show_bug.cgi?id=2079759

https://bugzilla.redhat.com/show_bug.cgi?id=2079761

https://bugzilla.redhat.com/show_bug.cgi?id=2081836

https://bugzilla.redhat.com/show_bug.cgi?id=2083570

https://bugzilla.redhat.com/show_bug.cgi?id=2083997

https://bugzilla.redhat.com/show_bug.cgi?id=2085361

https://bugzilla.redhat.com/show_bug.cgi?id=2086398

https://bugzilla.redhat.com/show_bug.cgi?id=2086757

https://bugzilla.redhat.com/show_bug.cgi?id=2090609

https://bugzilla.redhat.com/show_bug.cgi?id=2090920

https://bugzilla.redhat.com/show_bug.cgi?id=2093079

https://bugzilla.redhat.com/show_bug.cgi?id=2094610

https://bugzilla.redhat.com/show_bug.cgi?id=2094875

https://bugzilla.redhat.com/show_bug.cgi?id=2095097

https://bugzilla.redhat.com/show_bug.cgi?id=2096264

https://bugzilla.redhat.com/show_bug.cgi?id=2097865

https://bugzilla.redhat.com/show_bug.cgi?id=2100740

https://bugzilla.redhat.com/show_bug.cgi?id=2102140

https://bugzilla.redhat.com/show_bug.cgi?id=2102361

https://bugzilla.redhat.com/show_bug.cgi?id=2102381

https://bugzilla.redhat.com/show_bug.cgi?id=2113941

https://bugzilla.redhat.com/show_bug.cgi?id=2117699

https://bugzilla.redhat.com/show_bug.cgi?id=2117928

https://bugzilla.redhat.com/show_bug.cgi?id=2118231

https://bugzilla.redhat.com/show_bug.cgi?id=2119072

https://bugzilla.redhat.com/show_bug.cgi?id=2120651

https://bugzilla.redhat.com/show_bug.cgi?id=2121453

