摘要:
podman security update
安全等级: High
公告ID: KylinSec-SA-2025-1606
发布日期: 2025年3月18日
关联CVE: CVE-2024-9341 CVE-2024-6104 CVE-2022-32189 CVE-2024-24791 CVE-2022-41715 CVE-2019-9514 CVE-2022-2880 CVE-2024-9676 CVE-2024-9675 CVE-2024-37298 CVE-2024-9355 CVE-2024-9407 CVE-2022-1962
Podman manages the entire container ecosystem which includes pods, containers, container images, and container volumes using the libpod library.
Security Fix(es):
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.(CVE-2019-9514)
Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.(CVE-2022-1962)
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.(CVE-2022-2880)
A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service.(CVE-2022-32189)
Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.(CVE-2022-41715)
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.(CVE-2024-24791)
gorilla/schema converts structs to and from form values. Prior to version 1.4.1 Running `schema.Decoder.Decode()` on a struct that has a field of type `[]struct{...}` opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality. Any use of `schema.Decoder.Decode()` on a struct with arrays of other structs could be vulnerable to this memory exhaustion vulnerability. Version 1.4.1 contains a patch for the issue.(CVE-2024-37298)
go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.(CVE-2024-6104)
A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.(CVE-2024-9341)
A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.(CVE-2024-9355)
A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories from the host into a container during the build process and, in some cases, modify the contents of those mounted files. Even if SELinux is used, this vulnerability can bypass its protection by allowing the source directory to be relabeled to give the container access to host files.(CVE-2024-9407)
A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a `RUN` instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as long as those files can be accessed by the user running Buildah.(CVE-2024-9675)
A vulnerability was found in Podman, Buildah, and CRI-O. A symlink traversal vulnerability in the containers/storage library can cause Podman, Buildah, and CRI-O to hang and result in a denial of service via OOM kill when running a malicious image using an automatically assigned user namespace (`--userns=auto` in Podman and Buildah). The containers/storage library will read /etc/passwd inside the container, but does not properly validate if that file is a symlink, which can be used to cause the library to read an arbitrary file on the host.(CVE-2024-9676)
| cve名称 | 产品 | 组件 | 是否受影响 |
|---|---|---|---|
| CVE-2024-9341 | V6 | podman | Fixed |
| CVE-2024-6104 | V6 | podman | Fixed |
| CVE-2022-32189 | V6 | golang | Fixed |
| CVE-2024-24791 | V6 | golang | Fixed |
| CVE-2022-41715 | V6 | golang | Fixed |
| CVE-2019-9514 | V6 | podman | Fixed |
| CVE-2022-2880 | V6 | golang | Fixed |
| CVE-2024-9676 | V6 | podman | Fixed |
| CVE-2024-9675 | V6 | podman | Fixed |
| CVE-2024-37298 | V6 | podman | Fixed |
| CVE-2024-9355 | V6 | podman | Fixed |
| CVE-2024-9407 | V6 | podman | Fixed |
| CVE-2022-1962 | V6 | golang | Fixed |
| 软件名称 | 架构 | 版本号 |
|---|---|---|
| podman-docker | noarch | 4.9.4-14.ks6 |
| podman-help | noarch | 4.9.4-14.ks6 |
| podman | x86_64 | 4.9.4-14.ks6 |
| podman-gvproxy | x86_64 | 4.9.4-14.ks6 |
| podman-plugins | x86_64 | 4.9.4-14.ks6 |
| podman-remote | x86_64 | 4.9.4-14.ks6 |
| podman-tests | x86_64 | 4.9.4-14.ks6 |
| podmansh | x86_64 | 4.9.4-14.ks6 |
| podman | aarch64 | 4.9.4-14.ks6 |
| podman-gvproxy | aarch64 | 4.9.4-14.ks6 |
| podman-plugins | aarch64 | 4.9.4-14.ks6 |
| podman-remote | aarch64 | 4.9.4-14.ks6 |
| podman-tests | aarch64 | 4.9.4-14.ks6 |
| podmansh | aarch64 | 4.9.4-14.ks6 |
方法一:下载安装包进行升级安装
1、通过下载链接下载需要升级的升级包保存,如 xxx.rpm
2、通过rpm命令升级,如 rpm -Uvh xxx.rpm
方法二:通过软件源进行升级安装
1、保持能够连接上互联网
2、通过yum命令升级指定的包,如 yum install 包名
