RHSA-2024:9454 Podman/Buildah Security Advisory: Arbitrary Mount & Symlink Traversal CVEs

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability ID: RHSA-2024:9454 2. Release Date: November 12, 2024 3. Update Date: November 12, 2024 4. Type/Severity: Security Advisory, Important 5. Subject: Podman Security Update 6. Description: - Podman is a tool for managing pods, container images, and containers. - Podman is part of the libpod library, used by applications that manage container pods. - Podman is a concept in Kubernetes. 7. Security Fixes: - go/parser: golang: Calling Parse functions containing deeply nested literals can cause panic/stack exhaustion (CVE-2024-34155) - encoding/gob: golang: Calling Decoder.Decode on a message containing deeply nested structures can cause panic due to stack exhaustion (CVE-2024-34156) - go/build/constraint: golang: Calling Parse on a "// +build" build tag line with deeply nested expressions can cause panic due to stack exhaustion (CVE-2024-34158) - Podman: Buildah: cri-o: FIPS Crypto-Policy Directory Mounting Issue in containers/common Go Library (CVE-2024-9341) - Buildah: Podman: Improper Input Validation in bind-propagation Option of Dockerfile RUN --mount Instruction (CVE-2024-9407) - buildah: Buildah allows arbitrary directory mount (CVE-2024-9675) - Podman: Buildah: CRI-O: symlink traversal vulnerability in the containers/storage library can cause Denial of Service (DoS) (CVE-2024-9676) 8. Affected Products: - Red Hat Enterprise Linux for x86_64 9 x86_64 - Red Hat Enterprise Linux for IBM z Systems 9 s390x - Red Hat Enterprise Linux for Power, little endian 9 ppc64le - Red Hat Enterprise Linux for ARM 64 9 aarch64 9. Fixes: - BZ-2310527 - CVE-2024-34155 go/parser: golang: Calling any of the Parse functions containing deeply nested literals can cause a panic/stack exhaustion - BZ-2310528 - CVE-2024-34156 encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion - BZ-2310529 - CVE-2024-34158 go/build/constraint: golang: Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion - BZ-2315691 - CVE-2024-9341 Podman: Buildah: cri-o: FIPS Crypto-Policy Directory Mounting Issue in containers/common Go Library - BZ-2315887 - CVE-2024-9407 Buildah: Podman: Improper Input Validation in bind-propagation Option of Dockerfile RUN --mount Instruction - BZ-2317458 - CVE-2024-9675 buildah: Buildah allows arbitrary directory mount - BZ-2317467 - CVE-2024-9676 Podman: Buildah: CRI-O: symlink traversal vulnerability in the containers/storage library can cause Denial of Service (DoS) - RHEL-61249 - podman gating: test CNI - RHEL-60263 - [podman] can't upgrade podman-4.9.4-10.el9_4 to podman-5.2.2-3.el9_5 10. CVEs: - CVE-2024-9341 - CVE-2024-9407 - CVE-2024-9675 - CVE-2024-9676 - CVE-2024-34155 - CVE-2024-34156 - CVE-2024-34158 This information provides a detailed description of the Podman security update, including known vulnerabilities, affected products, remediation measures, and associated CVE numbers.

Goal Reached Thanks to every supporter — we hit 100%!

RHSA-2024:9454 Podman/Buildah Security Advisory: Arbitrary Mount & Symlink Traversal CVEs

More from this source