Moderate: runc security update

2024-04-3000:00:00

errata.almalinux.org

runc

security update

stack exhaustion

timing side channel

golang

cve-2022-30630

cve-2022-30631

cve-2022-30632

cve-2023-45287

container runtime

open container format

cvss score

almalinux release notes

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.8 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.9%

JSON

The runC tool is a lightweight, portable implementation of the Open Container Format (OCF) that provides container runtime.

Security Fix(es):

golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges. (CVE-2023-45287)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.

OSVersionArchitecturePackageVersionFilename
almalinux9x86_64runc< 1.1.12-2.el9runc-1.1.12-2.el9.x86_64.rpm
almalinux9ppc64lerunc< 1.1.12-2.el9runc-1.1.12-2.el9.ppc64le.rpm
almalinux9aarch64runc< 1.1.12-2.el9runc-1.1.12-2.el9.aarch64.rpm
almalinux9s390xrunc< 1.1.12-2.el9runc-1.1.12-2.el9.s390x.rpm

OS	Version	Architecture	Package	Version	Filename
almalinux	9	x86_64	runc	< 1.1.12-2.el9	runc-1.1.12-2.el9.x86_64.rpm
almalinux	9	ppc64le	runc	< 1.1.12-2.el9	runc-1.1.12-2.el9.ppc64le.rpm
almalinux	9	aarch64	runc	< 1.1.12-2.el9	runc-1.1.12-2.el9.aarch64.rpm
almalinux	9	s390x	runc	< 1.1.12-2.el9	runc-1.1.12-2.el9.s390x.rpm