podman-3.3.1-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11177-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z podman-3.3.1-2.1 on GA media These are all security issues fixed in the podman-3.3.1-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11177 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2018-10856/ SUSE CVE CVE-2018-10856 page https://www.suse.com/security/cve/CVE-2019-10152/ SUSE CVE CVE-2019-10152 page https://www.suse.com/security/cve/CVE-2019-10214/ SUSE CVE CVE-2019-10214 page https://www.suse.com/security/cve/CVE-2020-14370/ SUSE CVE CVE-2020-14370 page https://www.suse.com/security/cve/CVE-2020-1726/ SUSE CVE CVE-2020-1726 page https://www.suse.com/security/cve/CVE-2021-20199/ SUSE CVE CVE-2021-20199 page openSUSE Tumbleweed podman-3.3.1-2.1 podman-cni-config-3.3.1-2.1 podman-docker-3.3.1-2.1 podman-remote-3.3.1-2.1 podman-3.3.1-2.1 as a component of openSUSE Tumbleweed podman-cni-config-3.3.1-2.1 as a component of openSUSE Tumbleweed podman-docker-3.3.1-2.1 as a component of openSUSE Tumbleweed podman-remote-3.3.1-2.1 as a component of openSUSE Tumbleweed It has been discovered that podman before version 0.6.1 does not drop capabilities when executing a container as a non-root user. This results in unnecessary privileges being granted to the container. CVE-2018-10856 openSUSE Tumbleweed:podman-3.3.1-2.1 openSUSE Tumbleweed:podman-cni-config-3.3.1-2.1 openSUSE Tumbleweed:podman-docker-3.3.1-2.1 openSUSE Tumbleweed:podman-remote-3.3.1-2.1 moderate 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-10856.html CVE-2018-10856 https://bugzilla.suse.com/1097970 SUSE Bug 1097970 A path traversal vulnerability has been discovered in podman before version 1.4.0 in the way it handles symlinks inside containers. An attacker who has compromised an existing container can cause arbitrary files on the host filesystem to be read/written when an administrator tries to copy a file from/to the container. CVE-2019-10152 openSUSE Tumbleweed:podman-3.3.1-2.1 openSUSE Tumbleweed:podman-cni-config-3.3.1-2.1 openSUSE Tumbleweed:podman-docker-3.3.1-2.1 openSUSE Tumbleweed:podman-remote-3.3.1-2.1 important 2.6 AV:L/AC:H/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-10152.html CVE-2019-10152 https://bugzilla.suse.com/1136974 SUSE Bug 1136974 The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launch a MiTM attack and steal login credentials or bearer tokens. CVE-2019-10214 openSUSE Tumbleweed:podman-3.3.1-2.1 openSUSE Tumbleweed:podman-cni-config-3.3.1-2.1 openSUSE Tumbleweed:podman-docker-3.3.1-2.1 openSUSE Tumbleweed:podman-remote-3.3.1-2.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-10214.html CVE-2019-10214 https://bugzilla.suse.com/1144065 SUSE Bug 1144065 An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container will get leaked into subsequent containers. An attacker who has control over the subsequent containers could use this flaw to gain access to sensitive information stored in such variables. CVE-2020-14370 openSUSE Tumbleweed:podman-3.3.1-2.1 openSUSE Tumbleweed:podman-cni-config-3.3.1-2.1 openSUSE Tumbleweed:podman-docker-3.3.1-2.1 openSUSE Tumbleweed:podman-remote-3.3.1-2.1 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-14370.html CVE-2020-14370 https://bugzilla.suse.com/1176804 SUSE Bug 1176804 A flaw was discovered in Podman where it incorrectly allows containers when created to overwrite existing files in volumes, even if they are mounted as read-only. When a user runs a malicious container or a container based on a malicious image with an attached volume that is used for the first time, it is possible to trigger the flaw and overwrite files in the volume.This issue was introduced in version 1.6.0. CVE-2020-1726 openSUSE Tumbleweed:podman-3.3.1-2.1 openSUSE Tumbleweed:podman-cni-config-3.3.1-2.1 openSUSE Tumbleweed:podman-docker-3.3.1-2.1 openSUSE Tumbleweed:podman-remote-3.3.1-2.1 moderate 5.8 AV:N/AC:M/Au:N/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-1726.html CVE-2020-1726 https://bugzilla.suse.com/1164090 SUSE Bug 1164090 Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 (including from remote hosts). This impacts containerized applications that trust localhost (127.0.01) connections by default and do not require authentication. This issue affects Podman 1.8.0 onwards. CVE-2021-20199 openSUSE Tumbleweed:podman-3.3.1-2.1 openSUSE Tumbleweed:podman-cni-config-3.3.1-2.1 openSUSE Tumbleweed:podman-docker-3.3.1-2.1 openSUSE Tumbleweed:podman-remote-3.3.1-2.1 low 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-20199.html CVE-2021-20199 https://bugzilla.suse.com/1181640 SUSE Bug 1181640