A flaw was found in podman before 1.7.0. File permissions for non-root users running in a privileged container are not correctly checked. A low-privileged user inside the container can abuse this flaw to access any other file in the container, even one owned by the root user inside the container. The flaw does not allow a direct escape from the container, although a privileged container already runs with many security features disabled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
{"id": "CVE-2021-20188", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-20188", "description": "A flaw was found in podman before 1.7.0. File permissions for non-root users running in a privileged container are not correctly checked. This flaw can be abused by a low-privileged user inside the container to access any other file in the container, even if owned by the root user inside the container. It does not allow to directly escape the container, though being a privileged container means that a lot of security features are disabled when running the container. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "published": "2021-02-11T18:15:00", "modified": "2021-02-17T20:12:00", "epss": [{"cve": "CVE-2021-20188", "epss": 0.00044, "percentile": 0.10285, "modified": "2023-05-27"}], "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "accessVector": "LOCAL", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 6.9}, "severity": "MEDIUM", "exploitabilityScore": 3.4, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20188", "reporter": "secalert@redhat.com", "references": 
["https://bugzilla.redhat.com/show_bug.cgi?id=1915734"], "cvelist": ["CVE-2021-20188"], "immutableFields": [], "lastseen": "2023-05-27T14:17:13", "viewCount": 185, "enchantments": {"dependencies": {"references": [{"type": "almalinux", "idList": ["ALSA-2021:0705", "ALSA-2021:0706"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-20188"]}, {"type": "github", "idList": ["GHSA-9H63-7QF6-MV6R"]}, {"type": "nessus", "idList": ["CENTOS8_RHSA-2021-0705.NASL", "CENTOS8_RHSA-2021-0706.NASL", "ORACLELINUX_ELSA-2021-0705.NASL", "ORACLELINUX_ELSA-2021-0706.NASL", "REDHAT-RHSA-2020-3053.NASL", "REDHAT-RHSA-2021-0681.NASL", "REDHAT-RHSA-2021-0705.NASL", "REDHAT-RHSA-2021-0706.NASL", "REDHAT-RHSA-2021-0710.NASL"]}, {"type": "oraclelinux", "idList": ["ELSA-2021-0705", "ELSA-2021-0706"]}, {"type": "osv", "idList": ["OSV:GHSA-9H63-7QF6-MV6R"]}, {"type": "redhat", "idList": ["RHSA-2020:3053", "RHSA-2021:0681", "RHSA-2021:0705", "RHSA-2021:0706", "RHSA-2021:0710"]}, {"type": "redhatcve", "idList": ["RH:CVE-2021-20188"]}, {"type": "rocky", "idList": ["RLSA-2020:3053", "RLSA-2021:0705", "RLSA-2021:0706"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-20188"]}, {"type": "veracode", "idList": ["VERACODE:29543"]}]}, "score": {"value": 2.2, "vector": "NONE"}, "twitter": {"counter": 5, "modified": "2021-02-18T14:40:58", "tweets": [{"link": "https://twitter.com/vigilance_en/status/1366465530366984194", "text": "Vigil@nce /hashtag/Vulnerability?src=hashtag_click of Podman: file reading via Container Files. https://t.co/nXAf1YzTOs?amp=1 Identifiers: /hashtag/CVE?src=hashtag_click-2021-20188. 
/hashtag/watch?src=hashtag_click"}, {"link": "https://twitter.com/omokazuki/status/1361032461514326022", "text": "SIOS\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30d6\u30ed\u30b0\u3092\u66f4\u65b0\u3057\u307e\u3057\u305f\u3002\n\npodman\u306e\u8106\u5f31\u6027\u60c5\u5831(Important: CVE-2021-20188)\n\n/hashtag/sios_tech?src=hashtag_click /hashtag/security?src=hashtag_click /hashtag/vulnerability?src=hashtag_click /hashtag/\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3?src=hashtag_click /hashtag/\u8106\u5f31\u6027?src=hashtag_click /hashtag/linux?src=hashtag_click /hashtag/podman?src=hashtag_click /hashtag/container?src=hashtag_click /hashtag/\u30b3\u30f3\u30c6\u30ca?src=hashtag_click"}, {"link": "https://twitter.com/omokazuki/status/1361032461514326022", "text": "SIOS\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30d6\u30ed\u30b0\u3092\u66f4\u65b0\u3057\u307e\u3057\u305f\u3002\n\npodman\u306e\u8106\u5f31\u6027\u60c5\u5831(Important: CVE-2021-20188)\n\n/hashtag/sios_tech?src=hashtag_click /hashtag/security?src=hashtag_click /hashtag/vulnerability?src=hashtag_click /hashtag/\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3?src=hashtag_click /hashtag/\u8106\u5f31\u6027?src=hashtag_click /hashtag/linux?src=hashtag_click /hashtag/podman?src=hashtag_click /hashtag/container?src=hashtag_click /hashtag/\u30b3\u30f3\u30c6\u30ca?src=hashtag_click"}, {"link": "https://twitter.com/threatintelctr/status/1362139422796447754", "text": " NEW: CVE-2021-20188 A flaw was found in podman before 1.7.0. File permissions for non-root users running in a privileged container are not correctly checked. This flaw can be abused by a low-privileged user ins... 
(click for more) Severity: HIGH https://t.co/RytJT0sUFp?amp=1"}, {"link": "https://twitter.com/WolfgangSesin/status/1362161301536059392", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (CVE-2021-20188 (enterprise_linux, openshift_container_platform, podman)) has been published on https://t.co/RDvLXSIXW2?amp=1"}]}, "backreferences": {"references": [{"type": "almalinux", "idList": ["ALSA-2021:0705"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-20188"]}, {"type": "github", "idList": ["GHSA-9H63-7QF6-MV6R"]}, {"type": "nessus", "idList": ["CENTOS8_RHSA-2021-0705.NASL", "CENTOS8_RHSA-2021-0706.NASL", "ORACLELINUX_ELSA-2021-0705.NASL", "ORACLELINUX_ELSA-2021-0706.NASL", "REDHAT-RHSA-2021-0681.NASL", "REDHAT-RHSA-2021-0705.NASL", "REDHAT-RHSA-2021-0706.NASL", "REDHAT-RHSA-2021-0710.NASL"]}, {"type": "oraclelinux", "idList": ["ELSA-2021-0705", "ELSA-2021-0706"]}, {"type": "redhat", "idList": ["RHSA-2021:0681", "RHSA-2021:0705"]}, {"type": "redhatcve", "idList": ["RH:CVE-2021-20188"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-20188"]}]}, "exploitation": null, "affected_software": {"major_version": [{"name": "podman project podman", "version": 1}, {"name": "redhat openshift container platform", "version": 3}, {"name": "redhat enterprise linux", "version": 7}, {"name": "redhat enterprise linux", "version": 8}]}, "epss": [{"cve": "CVE-2021-20188", "epss": 0.00044, "percentile": 0.10248, "modified": "2023-05-07"}], "vulnersScore": 2.2}, "_state": {"dependencies": 1685209315, "score": 1685197916, "affected_software_major_version": 0, "epss": 0}, "_internal": {"score_hash": "56ba2037f903cab83a474e1a7ef0321d"}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/a:redhat:openshift_container_platform:3.11", "cpe:/o:redhat:enterprise_linux:7.0", "cpe:/o:redhat:enterprise_linux:8.0"], "cpe23": ["cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*", 
"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*"], "cwe": ["CWE-863"], "affectedSoftware": [{"cpeName": "podman_project:podman", "version": "1.7.0", "operator": "lt", "name": "podman project podman"}, {"cpeName": "redhat:enterprise_linux", "version": "7.0", "operator": "eq", "name": "redhat enterprise linux"}, {"cpeName": "redhat:openshift_container_platform", "version": "3.11", "operator": "eq", "name": "redhat openshift container platform"}, {"cpeName": "redhat:enterprise_linux", "version": "8.0", "operator": "eq", "name": "redhat enterprise linux"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:podman_project:podman:1.7.0:*:*:*:*:*:*:*", "versionEndExcluding": "1.7.0", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1915734", "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1915734", "refsource": "MISC", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"]}], "product_info": [{"vendor": "Podman_project", "product": "Podman"}, {"vendor": "Redhat", "product": "Enterprise_linux"}, {"vendor": "Redhat", "product": "Openshift_container_platform"}], "solutions": [], "workarounds": [], "impacts": [], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863", "lang": "en", "type": "CWE"}]}], "exploits": [], "assigned": "1976-01-01T00:00:00"}
{"redhat": [{"lastseen": "2023-05-27T14:34:27", "description": "The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.\n\nSecurity Fix(es):\n\n* podman: container users permissions are not respected in privileged containers (CVE-2021-20188)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T10:10:22", "type": "redhat", "title": "(RHSA-2021:0710) Important: container-tools:2.0 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20188"], "modified": "2021-03-03T10:20:30", "id": "RHSA-2021:0710", "href": "https://access.redhat.com/errata/RHSA-2021:0710", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:34:27", "description": "The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.\n\nSecurity Fix(es):\n\n* podman: container 
users permissions are not respected in privileged containers (CVE-2021-20188)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-02T18:20:39", "type": "redhat", "title": "(RHSA-2021:0705) Important: container-tools:1.0 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20188"], "modified": "2021-03-02T18:27:30", "id": "RHSA-2021:0705", "href": "https://access.redhat.com/errata/RHSA-2021:0705", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:34:27", "description": "The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.\n\nSecurity Fix(es):\n\n* podman: container users permissions are not respected in privileged containers (CVE-2021-20188)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the 
CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-02T18:48:35", "type": "redhat", "title": "(RHSA-2021:0706) Important: container-tools:2.0 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20188"], "modified": "2021-03-02T18:55:50", "id": "RHSA-2021:0706", "href": "https://access.redhat.com/errata/RHSA-2021:0706", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:34:27", "description": "The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. 
Container pods is a concept in Kubernetes.\n\nSecurity Fix(es):\n\n* podman: container users permissions are not respected in privileged containers (CVE-2021-20188)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-01T14:13:43", "type": "redhat", "title": "(RHSA-2021:0681) Important: podman security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20188"], "modified": "2021-03-01T14:50:03", "id": "RHSA-2021:0681", "href": "https://access.redhat.com/errata/RHSA-2021:0681", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-04T12:27:59", "description": "The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.\n\nSecurity Fix(es):\n\n* QEMU: slirp: use-after-free in ip_reass() function in ip_input.c (CVE-2020-1983)\n\nFor more details about the security issue(s), including the impact, a CVSS score, 
acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 8.2 Release Notes linked from the References section.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-21T15:01:40", "type": "redhat", "title": "(RHSA-2020:3053) Moderate: container-tools:rhel8 security, bug fix, and enhancement update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1983", "CVE-2021-20188"], "modified": "2021-02-11T09:44:09", "id": "RHSA-2020:3053", "href": "https://access.redhat.com/errata/RHSA-2020:3053", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-05-19T15:06:17", "description": "The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2021-0705 advisory.\n\n - A flaw was found in podman before 1.7.0. File permissions for non-root users running in a privileged container are not correctly checked. 
This flaw can be abused by a low-privileged user inside the container to access any other file in the container, even if owned by the root user inside the container. It does not allow to directly escape the container, though being a privileged container means that a lot of security features are disabled when running the container. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-20188)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-03-05T00:00:00", "type": "nessus", "title": "Oracle Linux 8 : container-tools:1.0 (ELSA-2021-0705)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-20188"], "modified": "2021-09-22T00:00:00", "cpe": ["cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:buildah", "p-cpe:/a:oracle:linux:container-selinux", "p-cpe:/a:oracle:linux:containernetworking-plugins", "p-cpe:/a:oracle:linux:containers-common", "p-cpe:/a:oracle:linux:runc", "p-cpe:/a:oracle:linux:skopeo", "p-cpe:/a:oracle:linux:slirp4netns", "p-cpe:/a:oracle:linux:crit", "p-cpe:/a:oracle:linux:criu", "p-cpe:/a:oracle:linux:fuse-overlayfs", "p-cpe:/a:oracle:linux:oci-systemd-hook", "p-cpe:/a:oracle:linux:oci-umount", "p-cpe:/a:oracle:linux:podman", "p-cpe:/a:oracle:linux:podman-docker", "p-cpe:/a:oracle:linux:python3-criu"], "id": "ORACLELINUX_ELSA-2021-0705.NASL", "href": "https://www.tenable.com/plugins/nessus/147166", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2021-0705.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147166);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/09/22\");\n\n script_cve_id(\"CVE-2021-20188\");\n\n script_name(english:\"Oracle Linux 8 : 
container-tools:1.0 (ELSA-2021-0705)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the\nELSA-2021-0705 advisory.\n\n - A flaw was found in podman before 1.7.0. File permissions for non-root users running in a privileged\n container are not correctly checked. This flaw can be abused by a low-privileged user inside the container\n to access any other file in the container, even if owned by the root user inside the container. It does\n not allow to directly escape the container, though being a privileged container means that a lot of\n security features are disabled when running the container. The highest threat from this vulnerability is\n to data confidentiality and integrity as well as system availability. (CVE-2021-20188)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2021-0705.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-20188\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/11\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2021/03/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:buildah\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:container-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:containernetworking-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:containers-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:crit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:criu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:fuse-overlayfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:oci-systemd-hook\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:oci-umount\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:podman\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:podman-docker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python3-criu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:runc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:skopeo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:slirp4netns\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 8', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\nmodule_ver = get_kb_item('Host/RedHat/appstream/container-tools');\nif (isnull(module_ver)) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module container-tools:1.0');\nif ('1.0' >!< module_ver) audit(AUDIT_PACKAGE_NOT_AFFECTED, 'Module container-tools:' + module_ver);\n\nappstreams = {\n 'container-tools:1.0': [\n {'reference':'buildah-1.5-8.gite94b4f9.0.1.module+el8.3.0+9668+293abd4d', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'buildah-1.5-8.gite94b4f9.0.1.module+el8.3.0+9668+293abd4d', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'container-selinux-2.124.0-1.gitf958d0c.module+el8.3.0+9668+293abd4d', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 
'epoch':'2'},\n {'reference':'containernetworking-plugins-0.7.4-4.git9ebe139.module+el8.3.0+9668+293abd4d', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'containernetworking-plugins-0.7.4-4.git9ebe139.module+el8.3.0+9668+293abd4d', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'containers-common-0.1.32-6.git1715c90.0.1.module+el8.3.0+9668+293abd4d', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'containers-common-0.1.32-6.git1715c90.0.1.module+el8.3.0+9668+293abd4d', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'crit-3.12-9.module+el8.3.0+9668+293abd4d', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'crit-3.12-9.module+el8.3.0+9668+293abd4d', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'criu-3.12-9.module+el8.3.0+9668+293abd4d', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'criu-3.12-9.module+el8.3.0+9668+293abd4d', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'fuse-overlayfs-0.3-5.module+el8.3.0+9668+293abd4d', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'fuse-overlayfs-0.3-5.module+el8.3.0+9668+293abd4d', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'oci-systemd-hook-0.1.15-2.git2d0b8a3.module+el8.3.0+9668+293abd4d', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'oci-systemd-hook-0.1.15-2.git2d0b8a3.module+el8.3.0+9668+293abd4d', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'oci-umount-2.3.4-2.git87f9237.module+el8.3.0+9668+293abd4d', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},\n {'reference':'oci-umount-2.3.4-2.git87f9237.module+el8.3.0+9668+293abd4d', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},\n 
{'reference':'podman-1.0.0-8.git921f98f.module+el8.3.0+9668+293abd4d', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-1.0.0-8.git921f98f.module+el8.3.0+9668+293abd4d', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-docker-1.0.0-8.git921f98f.module+el8.3.0+9668+293abd4d', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-criu-3.12-9.module+el8.3.0+9668+293abd4d', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-criu-3.12-9.module+el8.3.0+9668+293abd4d', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'runc-1.0.0-56.rc5.dev.git2abd837.module+el8.3.0+9668+293abd4d', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'rc_precedence':TRUE},\n {'reference':'runc-1.0.0-56.rc5.dev.git2abd837.module+el8.3.0+9668+293abd4d', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'rc_precedence':TRUE},\n {'reference':'skopeo-0.1.32-6.git1715c90.0.1.module+el8.3.0+9668+293abd4d', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'skopeo-0.1.32-6.git1715c90.0.1.module+el8.3.0+9668+293abd4d', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'slirp4netns-0.1-5.dev.gitc4e1bc5.module+el8.3.0+9668+293abd4d', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'slirp4netns-0.1-5.dev.gitc4e1bc5.module+el8.3.0+9668+293abd4d', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n};\n\nflag = 0;\nappstreams_found = 0;\nforeach module (keys(appstreams)) {\n appstream = NULL;\n appstream_name = NULL;\n appstream_version = NULL;\n appstream_split = split(module, sep:':', keep:FALSE);\n if (!empty_or_null(appstream_split)) {\n appstream_name = appstream_split[0];\n appstream_version = appstream_split[1];\n if (!empty_or_null(appstream_name)) appstream = get_one_kb_item('Host/RedHat/appstream/' + appstream_name);\n }\n if 
(!empty_or_null(appstream) && appstream_version == appstream || appstream_name == 'all') {\n appstreams_found++;\n foreach package_array ( appstreams[module] ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['rc_precedence'])) rc_precedence = package_array['rc_precedence'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, rc_precedence:rc_precedence)) flag++;\n }\n }\n }\n}\n\nif (!appstreams_found) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module container-tools:1.0');\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'buildah / container-selinux / containernetworking-plugins / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:26:08", "description": "The remote CentOS Linux 8 host has packages installed that are affected by a vulnerability as referenced in the CESA-2021:0706 
advisory.\n\n - podman: container users permissions are not respected in privileged containers (CVE-2021-20188)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-03-03T00:00:00", "type": "nessus", "title": "CentOS 8 : container-tools:2.0 (CESA-2021:0706)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-20188"], "modified": "2023-02-08T00:00:00", "cpe": ["cpe:/o:centos:centos:8", "p-cpe:/a:centos:centos:buildah", "p-cpe:/a:centos:centos:buildah-tests", "p-cpe:/a:centos:centos:cockpit-podman", "p-cpe:/a:centos:centos:conmon", "p-cpe:/a:centos:centos:container-selinux", "p-cpe:/a:centos:centos:containernetworking-plugins", "p-cpe:/a:centos:centos:containers-common", "p-cpe:/a:centos:centos:crit", "p-cpe:/a:centos:centos:criu", "p-cpe:/a:centos:centos:fuse-overlayfs", "p-cpe:/a:centos:centos:python-podman-api", "p-cpe:/a:centos:centos:python3-criu", "p-cpe:/a:centos:centos:runc", "p-cpe:/a:centos:centos:skopeo", "p-cpe:/a:centos:centos:skopeo-tests", "p-cpe:/a:centos:centos:slirp4netns", "p-cpe:/a:centos:centos:toolbox", "p-cpe:/a:centos:centos:udica"], "id": "CENTOS8_RHSA-2021-0706.NASL", "href": "https://www.tenable.com/plugins/nessus/146963", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# Red Hat Security Advisory RHSA-2021:0706. 
The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146963);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/08\");\n\n script_cve_id(\"CVE-2021-20188\");\n script_xref(name:\"RHSA\", value:\"2021:0706\");\n\n script_name(english:\"CentOS 8 : container-tools:2.0 (CESA-2021:0706)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote CentOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote CentOS Linux 8 host has packages installed that are affected by a vulnerability as referenced in the\nCESA-2021:0706 advisory.\n\n - podman: container users permissions are not respected in privileged containers (CVE-2021-20188)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0706\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-20188\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/03\");\n\n script_set_attribute(attribute:\"plugin_type\", 
value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:buildah\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:buildah-tests\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cockpit-podman\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:conmon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:container-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:containernetworking-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:containers-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:crit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:criu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:fuse-overlayfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python-podman-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python3-criu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:runc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:skopeo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:skopeo-tests\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:slirp4netns\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:toolbox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:udica\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CentOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/CentOS/release');\nif (isnull(os_release) || 'CentOS' >!< os_release) audit(AUDIT_OS_NOT, 'CentOS');\nvar os_ver = pregmatch(pattern: \"CentOS(?: Stream)?(?: Linux)? release ([0-9]+)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CentOS');\nos_ver = os_ver[1];\nif ('CentOS Stream' >< os_release) audit(AUDIT_OS_NOT, 'CentOS 8.x', 'CentOS Stream ' + os_ver);\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'CentOS 8.x', 'CentOS ' + os_ver);\n\nif (!get_kb_item('Host/CentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CentOS', cpu);\n\nvar module_ver = get_kb_item('Host/RedHat/appstream/container-tools');\nif (isnull(module_ver)) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module container-tools:2.0');\nif ('2.0' >!< module_ver) audit(AUDIT_PACKAGE_NOT_AFFECTED, 'Module container-tools:' + module_ver);\n\nvar appstreams = {\n 'container-tools:2.0': [\n {'reference':'buildah-1.11.6-8.module_el8.3.0+479+69e2ae26', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'buildah-1.11.6-8.module_el8.3.0+479+69e2ae26', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'buildah-tests-1.11.6-8.module_el8.3.0+479+69e2ae26', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'buildah-tests-1.11.6-8.module_el8.3.0+479+69e2ae26', 'cpu':'x86_64', 
'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'cockpit-podman-11-1.module_el8.3.0+479+69e2ae26', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE},\n {'reference':'cockpit-podman-11-1.module_el8.3.0+479+69e2ae26', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE},\n {'reference':'conmon-2.0.15-1.module_el8.3.0+479+69e2ae26', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'conmon-2.0.15-1.module_el8.3.0+479+69e2ae26', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'container-selinux-2.130.0-1.module_el8.3.0+479+69e2ae26', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'container-selinux-2.130.0-1.module_el8.3.0+479+69e2ae26', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'containernetworking-plugins-0.8.3-4.module_el8.3.0+479+69e2ae26', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'containernetworking-plugins-0.8.3-4.module_el8.3.0+479+69e2ae26', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'containers-common-0.1.41-4.module_el8.3.0+566+4759265c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'containers-common-0.1.41-4.module_el8.3.0+566+4759265c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'crit-3.12-9.module_el8.3.0+569+1bada2e4', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'crit-3.12-9.module_el8.3.0+569+1bada2e4', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'criu-3.12-9.module_el8.3.0+569+1bada2e4', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'criu-3.12-9.module_el8.3.0+569+1bada2e4', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'fuse-overlayfs-0.7.8-1.module_el8.3.0+479+69e2ae26', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n 
{'reference':'fuse-overlayfs-0.7.8-1.module_el8.3.0+479+69e2ae26', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python-podman-api-1.2.0-0.2.gitd0a45fe.module_el8.3.0+479+69e2ae26', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python-podman-api-1.2.0-0.2.gitd0a45fe.module_el8.3.0+479+69e2ae26', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-criu-3.12-9.module_el8.3.0+569+1bada2e4', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-criu-3.12-9.module_el8.3.0+569+1bada2e4', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'runc-1.0.0-64.rc10.module_el8.3.0+479+69e2ae26', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'runc-1.0.0-64.rc10.module_el8.3.0+479+69e2ae26', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'skopeo-0.1.41-4.module_el8.3.0+566+4759265c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'skopeo-0.1.41-4.module_el8.3.0+566+4759265c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'skopeo-tests-0.1.41-4.module_el8.3.0+566+4759265c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'skopeo-tests-0.1.41-4.module_el8.3.0+566+4759265c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'slirp4netns-0.4.2-3.git21fdece.module_el8.3.0+479+69e2ae26', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'slirp4netns-0.4.2-3.git21fdece.module_el8.3.0+479+69e2ae26', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'toolbox-0.0.7-1.module_el8.3.0+479+69e2ae26', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'toolbox-0.0.7-1.module_el8.3.0+479+69e2ae26', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n 
{'reference':'udica-0.2.1-2.module_el8.3.0+479+69e2ae26', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'udica-0.2.1-2.module_el8.3.0+479+69e2ae26', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n};\n\nvar flag = 0;\nappstreams_found = 0;\nforeach module (keys(appstreams)) {\n var appstream = NULL;\n var appstream_name = NULL;\n var appstream_version = NULL;\n var appstream_split = split(module, sep:':', keep:FALSE);\n if (!empty_or_null(appstream_split)) {\n appstream_name = appstream_split[0];\n appstream_version = appstream_split[1];\n if (!empty_or_null(appstream_name)) appstream = get_one_kb_item('Host/RedHat/appstream/' + appstream_name);\n }\n if (!empty_or_null(appstream) && appstream_version == appstream || appstream_name == 'all') {\n appstreams_found++;\n foreach package_array ( appstreams[module] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = 'CentOS-' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && _release) {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n }\n}\n\nif (!appstreams_found) 
audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module container-tools:2.0');\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'buildah / buildah-tests / cockpit-podman / conmon / container-selinux / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T14:15:11", "description": "The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2021:0710 advisory.\n\n - podman: container users permissions are not respected in privileged containers (CVE-2021-20188)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-03-03T00:00:00", "type": "nessus", "title": "RHEL 8 : container-tools:2.0 (RHSA-2021:0710)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-20188"], "modified": "2023-05-24T00:00:00", "cpe": ["cpe:/o:redhat:rhel_aus:8.2", "cpe:/o:redhat:rhel_e4s:8.2", "cpe:/o:redhat:rhel_eus:8.2", "cpe:/o:redhat:rhel_tus:8.2", "p-cpe:/a:redhat:enterprise_linux:buildah", "p-cpe:/a:redhat:enterprise_linux:buildah-tests", "p-cpe:/a:redhat:enterprise_linux:cockpit-podman", "p-cpe:/a:redhat:enterprise_linux:conmon", "p-cpe:/a:redhat:enterprise_linux:container-selinux", "p-cpe:/a:redhat:enterprise_linux:containernetworking-plugins", "p-cpe:/a:redhat:enterprise_linux:containers-common", "p-cpe:/a:redhat:enterprise_linux:crit", "p-cpe:/a:redhat:enterprise_linux:criu", "p-cpe:/a:redhat:enterprise_linux:fuse-overlayfs", "p-cpe:/a:redhat:enterprise_linux:podman", "p-cpe:/a:redhat:enterprise_linux:podman-docker", "p-cpe:/a:redhat:enterprise_linux:podman-remote", "p-cpe:/a:redhat:enterprise_linux:podman-tests", "p-cpe:/a:redhat:enterprise_linux:python-podman-api", 
"p-cpe:/a:redhat:enterprise_linux:python3-criu", "p-cpe:/a:redhat:enterprise_linux:runc", "p-cpe:/a:redhat:enterprise_linux:skopeo", "p-cpe:/a:redhat:enterprise_linux:skopeo-tests", "p-cpe:/a:redhat:enterprise_linux:slirp4netns", "p-cpe:/a:redhat:enterprise_linux:toolbox", "p-cpe:/a:redhat:enterprise_linux:udica"], "id": "REDHAT-RHSA-2021-0710.NASL", "href": "https://www.tenable.com/plugins/nessus/147009", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:0710. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147009);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/24\");\n\n script_cve_id(\"CVE-2021-20188\");\n script_xref(name:\"RHSA\", value:\"2021:0710\");\n\n script_name(english:\"RHEL 8 : container-tools:2.0 (RHSA-2021:0710)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2021:0710 advisory.\n\n - podman: container users permissions are not respected in privileged containers (CVE-2021-20188)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-20188\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0710\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1915734\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n 
script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-20188\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(863);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:buildah\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:buildah-tests\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cockpit-podman\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:conmon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:container-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:containernetworking-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:containers-common\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:crit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:criu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:fuse-overlayfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:podman\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:podman-docker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:podman-remote\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:podman-tests\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-podman-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-criu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:runc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:skopeo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:skopeo-tests\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:slirp4netns\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:toolbox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:udica\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'eq', os_version: os_ver, rhel_version: '8.2')) audit(AUDIT_OS_NOT, 'Red Hat 8.2', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar appstreams = {\n 'container-tools:2.0': [\n {\n 'repo_relative_urls': [\n 'content/aus/rhel8/8.2/x86_64/appstream/debug',\n 'content/aus/rhel8/8.2/x86_64/appstream/os',\n 'content/aus/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/aus/rhel8/8.2/x86_64/baseos/debug',\n 'content/aus/rhel8/8.2/x86_64/baseos/os',\n 'content/aus/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.2/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.2/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.2/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.2/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.2/ppc64le/highavailability/os',\n 
'content/e4s/rhel8/8.2/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.2/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.2/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.2/ppc64le/sap/os',\n 'content/e4s/rhel8/8.2/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.2/x86_64/appstream/os',\n 'content/e4s/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.2/x86_64/baseos/os',\n 'content/e4s/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.2/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.2/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.2/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.2/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/sap/debug',\n 'content/e4s/rhel8/8.2/x86_64/sap/os',\n 'content/e4s/rhel8/8.2/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/appstream/debug',\n 'content/eus/rhel8/8.2/aarch64/appstream/os',\n 'content/eus/rhel8/8.2/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/baseos/debug',\n 'content/eus/rhel8/8.2/aarch64/baseos/os',\n 'content/eus/rhel8/8.2/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/codeready-builder/debug',\n 'content/eus/rhel8/8.2/aarch64/codeready-builder/os',\n 'content/eus/rhel8/8.2/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/highavailability/debug',\n 'content/eus/rhel8/8.2/aarch64/highavailability/os',\n 'content/eus/rhel8/8.2/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/supplementary/debug',\n 'content/eus/rhel8/8.2/aarch64/supplementary/os',\n 'content/eus/rhel8/8.2/aarch64/supplementary/source/SRPMS',\n 
'content/eus/rhel8/8.2/ppc64le/appstream/debug',\n 'content/eus/rhel8/8.2/ppc64le/appstream/os',\n 'content/eus/rhel8/8.2/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/baseos/debug',\n 'content/eus/rhel8/8.2/ppc64le/baseos/os',\n 'content/eus/rhel8/8.2/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/codeready-builder/debug',\n 'content/eus/rhel8/8.2/ppc64le/codeready-builder/os',\n 'content/eus/rhel8/8.2/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/highavailability/debug',\n 'content/eus/rhel8/8.2/ppc64le/highavailability/os',\n 'content/eus/rhel8/8.2/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/resilientstorage/debug',\n 'content/eus/rhel8/8.2/ppc64le/resilientstorage/os',\n 'content/eus/rhel8/8.2/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/sap-solutions/debug',\n 'content/eus/rhel8/8.2/ppc64le/sap-solutions/os',\n 'content/eus/rhel8/8.2/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/sap/debug',\n 'content/eus/rhel8/8.2/ppc64le/sap/os',\n 'content/eus/rhel8/8.2/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/supplementary/debug',\n 'content/eus/rhel8/8.2/ppc64le/supplementary/os',\n 'content/eus/rhel8/8.2/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/appstream/debug',\n 'content/eus/rhel8/8.2/s390x/appstream/os',\n 'content/eus/rhel8/8.2/s390x/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/baseos/debug',\n 'content/eus/rhel8/8.2/s390x/baseos/os',\n 'content/eus/rhel8/8.2/s390x/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/codeready-builder/debug',\n 'content/eus/rhel8/8.2/s390x/codeready-builder/os',\n 'content/eus/rhel8/8.2/s390x/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/highavailability/debug',\n 'content/eus/rhel8/8.2/s390x/highavailability/os',\n 'content/eus/rhel8/8.2/s390x/highavailability/source/SRPMS',\n 
'content/eus/rhel8/8.2/s390x/resilientstorage/debug',\n 'content/eus/rhel8/8.2/s390x/resilientstorage/os',\n 'content/eus/rhel8/8.2/s390x/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/sap/debug',\n 'content/eus/rhel8/8.2/s390x/sap/os',\n 'content/eus/rhel8/8.2/s390x/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/supplementary/debug',\n 'content/eus/rhel8/8.2/s390x/supplementary/os',\n 'content/eus/rhel8/8.2/s390x/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/appstream/debug',\n 'content/eus/rhel8/8.2/x86_64/appstream/os',\n 'content/eus/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/baseos/debug',\n 'content/eus/rhel8/8.2/x86_64/baseos/os',\n 'content/eus/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.2/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.2/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.2/x86_64/highavailability/os',\n 'content/eus/rhel8/8.2/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.2/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.2/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.2/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.2/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/sap/debug',\n 'content/eus/rhel8/8.2/x86_64/sap/os',\n 'content/eus/rhel8/8.2/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.2/x86_64/supplementary/os',\n 'content/eus/rhel8/8.2/x86_64/supplementary/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/appstream/debug',\n 'content/tus/rhel8/8.2/x86_64/appstream/os',\n 'content/tus/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/baseos/debug',\n 
'content/tus/rhel8/8.2/x86_64/baseos/os',\n 'content/tus/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/highavailability/debug',\n 'content/tus/rhel8/8.2/x86_64/highavailability/os',\n 'content/tus/rhel8/8.2/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/nfv/debug',\n 'content/tus/rhel8/8.2/x86_64/nfv/os',\n 'content/tus/rhel8/8.2/x86_64/nfv/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/rt/debug',\n 'content/tus/rhel8/8.2/x86_64/rt/os',\n 'content/tus/rhel8/8.2/x86_64/rt/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'buildah-1.11.6-7.module+el8.2.0+9938+46853747', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'buildah-tests-1.11.6-7.module+el8.2.0+9938+46853747', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'cockpit-podman-11-1.module+el8.2.0+9938+46853747', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE},\n {'reference':'conmon-2.0.6-1.module+el8.2.0+9938+46853747', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},\n {'reference':'container-selinux-2.124.0-1.module+el8.2.0+9938+46853747', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},\n {'reference':'containernetworking-plugins-0.8.3-4.module+el8.2.0+9938+46853747', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'containers-common-0.1.40-9.module+el8.2.0+9938+46853747', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'crit-3.12-9.module+el8.2.0+9938+46853747', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'criu-3.12-9.module+el8.2.0+9938+46853747', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'fuse-overlayfs-0.7.2-5.module+el8.2.0+9938+46853747', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-1.6.4-19.module+el8.2.0+10175+e12b0910', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n 
{'reference':'podman-docker-1.6.4-19.module+el8.2.0+10175+e12b0910', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-remote-1.6.4-19.module+el8.2.0+10175+e12b0910', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-tests-1.6.4-19.module+el8.2.0+10175+e12b0910', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python-podman-api-1.2.0-0.2.gitd0a45fe.module+el8.2.0+9938+46853747', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-criu-3.12-9.module+el8.2.0+9938+46853747', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'runc-1.0.0-64.rc10.module+el8.2.0+9938+46853747', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'skopeo-0.1.40-9.module+el8.2.0+9938+46853747', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'skopeo-tests-0.1.40-9.module+el8.2.0+9938+46853747', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'slirp4netns-0.4.2-3.git21fdece.module+el8.2.0+9938+46853747', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'toolbox-0.0.7-1.module+el8.2.0+9938+46853747', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'udica-0.2.1-2.module+el8.2.0+9938+46853747', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n ]\n};\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:appstreams, appstreams:TRUE);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar module_ver = get_kb_item('Host/RedHat/appstream/container-tools');\nif (isnull(module_ver)) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module container-tools:2.0');\nif ('2.0' >!< module_ver) audit(AUDIT_PACKAGE_NOT_AFFECTED, 'Module container-tools:' + module_ver);\n\nvar flag = 0;\nvar appstreams_found = 0;\nforeach var module (keys(appstreams)) {\n var appstream = NULL;\n var appstream_name = NULL;\n var 
appstream_version = NULL;\n var appstream_split = split(module, sep:':', keep:FALSE);\n if (!empty_or_null(appstream_split)) {\n appstream_name = appstream_split[0];\n appstream_version = appstream_split[1];\n if (!empty_or_null(appstream_name)) appstream = get_one_kb_item('Host/RedHat/appstream/' + appstream_name);\n }\n if (!empty_or_null(appstream) && appstream_version == appstream || appstream_name == 'all') {\n appstreams_found++;\n foreach var module_array ( appstreams[module] ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(module_array['repo_relative_urls'])) repo_relative_urls = module_array['repo_relative_urls'];\n foreach var package_array ( module_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, 
el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n }\n}\n\nif (!appstreams_found) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module container-tools:2.0');\n\nif (flag)\n{\n var subscription_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in the Red Hat Enterprise Linux\\n' +\n 'Advanced Update Support, Extended Update Support, Telco Extended Update Support or Update Services for SAP Solutions repositories.\\n' +\n 'Access to these repositories requires a paid RHEL subscription.\\n';\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = subscription_caveat + rpm_report_get() + redhat_report_repo_caveat();\n else extra = subscription_caveat + rpm_report_get();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'buildah / buildah-tests / cockpit-podman / conmon / container-selinux / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T14:13:12", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2021:0681 advisory.\n\n - podman: container users permissions are not respected in privileged containers (CVE-2021-20188)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-03-01T00:00:00", "type": "nessus", "title": "RHEL 7 : podman (RHSA-2021:0681)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-20188"], "modified": "2023-05-24T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:podman", "p-cpe:/a:redhat:enterprise_linux:podman-docker"], "id": "REDHAT-RHSA-2021-0681.NASL", "href": 
"https://www.tenable.com/plugins/nessus/146932", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:0681. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146932);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/24\");\n\n script_cve_id(\"CVE-2021-20188\");\n script_xref(name:\"RHSA\", value:\"2021:0681\");\n\n script_name(english:\"RHEL 7 : podman (RHSA-2021:0681)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2021:0681 advisory.\n\n - podman: container users permissions are not respected in privileged containers (CVE-2021-20188)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-20188\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0681\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1915734\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected podman and / or podman-docker packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-20188\");\n\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(863);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:podman\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:podman-docker\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/extras/debug',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/extras/os',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/extras/source/SRPMS',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/extras/debug',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/extras/os',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/extras/source/SRPMS',\n 'content/dist/rhel/client/7/7Client/x86_64/extras/debug',\n 'content/dist/rhel/client/7/7Client/x86_64/extras/os',\n 'content/dist/rhel/client/7/7Client/x86_64/extras/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/extras/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/extras/os',\n 
'content/dist/rhel/power-le/7/7Server/ppc64le/extras/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/extras/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/extras/os',\n 'content/dist/rhel/server/7/7Server/x86_64/extras/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/extras/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/extras/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/extras/source/SRPMS',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/extras/debug',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/extras/os',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/extras/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'podman-1.6.4-29.el7_9', 'cpu':'ppc64le', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-1.6.4-29.el7_9', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-1.6.4-29.el7_9', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-docker-1.6.4-29.el7_9', 'release':'7', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if 
(!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'podman / podman-docker');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T14:14:45", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2021:0705 advisory.\n\n - podman: container users permissions are not respected in privileged containers (CVE-2021-20188)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-03-02T00:00:00", "type": "nessus", "title": "RHEL 8 : container-tools:1.0 (RHSA-2021:0705)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-20188"], "modified": "2023-05-24T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:8", 
"cpe:/o:redhat:rhel_aus:8.4", "cpe:/o:redhat:rhel_aus:8.6", "cpe:/o:redhat:rhel_e4s:8.4", "cpe:/o:redhat:rhel_e4s:8.6", "cpe:/o:redhat:rhel_eus:8.4", "cpe:/o:redhat:rhel_eus:8.6", "cpe:/o:redhat:rhel_tus:8.4", "cpe:/o:redhat:rhel_tus:8.6", "p-cpe:/a:redhat:enterprise_linux:buildah", "p-cpe:/a:redhat:enterprise_linux:container-selinux", "p-cpe:/a:redhat:enterprise_linux:containernetworking-plugins", "p-cpe:/a:redhat:enterprise_linux:containers-common", "p-cpe:/a:redhat:enterprise_linux:crit", "p-cpe:/a:redhat:enterprise_linux:criu", "p-cpe:/a:redhat:enterprise_linux:podman", "p-cpe:/a:redhat:enterprise_linux:podman-docker", "p-cpe:/a:redhat:enterprise_linux:python3-criu", "p-cpe:/a:redhat:enterprise_linux:fuse-overlayfs", "p-cpe:/a:redhat:enterprise_linux:oci-systemd-hook", "p-cpe:/a:redhat:enterprise_linux:oci-umount", "p-cpe:/a:redhat:enterprise_linux:runc", "p-cpe:/a:redhat:enterprise_linux:skopeo", "p-cpe:/a:redhat:enterprise_linux:slirp4netns"], "id": "REDHAT-RHSA-2021-0705.NASL", "href": "https://www.tenable.com/plugins/nessus/146956", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:0705. 
The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146956);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/24\");\n\n script_cve_id(\"CVE-2021-20188\");\n script_xref(name:\"RHSA\", value:\"2021:0705\");\n\n script_name(english:\"RHEL 8 : container-tools:1.0 (RHSA-2021:0705)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2021:0705 advisory.\n\n - podman: container users permissions are not respected in privileged containers (CVE-2021-20188)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-20188\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0705\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1915734\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-20188\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(863);\n\n script_set_attribute(attribute:\"vuln_publication_date\", 
value:\"2021/02/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:buildah\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:container-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:containernetworking-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:containers-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:crit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:criu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:fuse-overlayfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:oci-systemd-hook\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:oci-umount\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:podman\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:podman-docker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-criu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:runc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:skopeo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:slirp4netns\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red 
Hat', cpu);\n\nvar appstreams = {\n 'container-tools:1.0': [\n {\n 'repo_relative_urls': [\n 'content/aus/rhel8/8.4/x86_64/appstream/debug',\n 'content/aus/rhel8/8.4/x86_64/appstream/os',\n 'content/aus/rhel8/8.4/x86_64/appstream/source/SRPMS',\n 'content/aus/rhel8/8.4/x86_64/baseos/debug',\n 'content/aus/rhel8/8.4/x86_64/baseos/os',\n 'content/aus/rhel8/8.4/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/aarch64/appstream/debug',\n 'content/e4s/rhel8/8.4/aarch64/appstream/os',\n 'content/e4s/rhel8/8.4/aarch64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.4/aarch64/baseos/debug',\n 'content/e4s/rhel8/8.4/aarch64/baseos/os',\n 'content/e4s/rhel8/8.4/aarch64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.4/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.4/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.4/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.4/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.4/ppc64le/highavailability/os',\n 'content/e4s/rhel8/8.4/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.4/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.4/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.4/ppc64le/sap/os',\n 'content/e4s/rhel8/8.4/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.4/s390x/appstream/debug',\n 'content/e4s/rhel8/8.4/s390x/appstream/os',\n 'content/e4s/rhel8/8.4/s390x/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.4/s390x/baseos/debug',\n 'content/e4s/rhel8/8.4/s390x/baseos/os',\n 'content/e4s/rhel8/8.4/s390x/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.4/x86_64/appstream/os',\n 'content/e4s/rhel8/8.4/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/baseos/debug',\n 
'content/e4s/rhel8/8.4/x86_64/baseos/os',\n 'content/e4s/rhel8/8.4/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.4/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.4/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/nfv/debug',\n 'content/e4s/rhel8/8.4/x86_64/nfv/os',\n 'content/e4s/rhel8/8.4/x86_64/nfv/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.4/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.4/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/sap/debug',\n 'content/e4s/rhel8/8.4/x86_64/sap/os',\n 'content/e4s/rhel8/8.4/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/appstream/debug',\n 'content/eus/rhel8/8.4/aarch64/appstream/os',\n 'content/eus/rhel8/8.4/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/baseos/debug',\n 'content/eus/rhel8/8.4/aarch64/baseos/os',\n 'content/eus/rhel8/8.4/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/codeready-builder/debug',\n 'content/eus/rhel8/8.4/aarch64/codeready-builder/os',\n 'content/eus/rhel8/8.4/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/highavailability/debug',\n 'content/eus/rhel8/8.4/aarch64/highavailability/os',\n 'content/eus/rhel8/8.4/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/supplementary/debug',\n 'content/eus/rhel8/8.4/aarch64/supplementary/os',\n 'content/eus/rhel8/8.4/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/appstream/debug',\n 'content/eus/rhel8/8.4/ppc64le/appstream/os',\n 'content/eus/rhel8/8.4/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/baseos/debug',\n 'content/eus/rhel8/8.4/ppc64le/baseos/os',\n 'content/eus/rhel8/8.4/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/codeready-builder/debug',\n 'content/eus/rhel8/8.4/ppc64le/codeready-builder/os',\n 
'content/eus/rhel8/8.4/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/highavailability/debug',\n 'content/eus/rhel8/8.4/ppc64le/highavailability/os',\n 'content/eus/rhel8/8.4/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/resilientstorage/debug',\n 'content/eus/rhel8/8.4/ppc64le/resilientstorage/os',\n 'content/eus/rhel8/8.4/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/sap-solutions/debug',\n 'content/eus/rhel8/8.4/ppc64le/sap-solutions/os',\n 'content/eus/rhel8/8.4/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/sap/debug',\n 'content/eus/rhel8/8.4/ppc64le/sap/os',\n 'content/eus/rhel8/8.4/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/supplementary/debug',\n 'content/eus/rhel8/8.4/ppc64le/supplementary/os',\n 'content/eus/rhel8/8.4/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/appstream/debug',\n 'content/eus/rhel8/8.4/s390x/appstream/os',\n 'content/eus/rhel8/8.4/s390x/appstream/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/baseos/debug',\n 'content/eus/rhel8/8.4/s390x/baseos/os',\n 'content/eus/rhel8/8.4/s390x/baseos/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/codeready-builder/debug',\n 'content/eus/rhel8/8.4/s390x/codeready-builder/os',\n 'content/eus/rhel8/8.4/s390x/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/highavailability/debug',\n 'content/eus/rhel8/8.4/s390x/highavailability/os',\n 'content/eus/rhel8/8.4/s390x/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/resilientstorage/debug',\n 'content/eus/rhel8/8.4/s390x/resilientstorage/os',\n 'content/eus/rhel8/8.4/s390x/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/sap/debug',\n 'content/eus/rhel8/8.4/s390x/sap/os',\n 'content/eus/rhel8/8.4/s390x/sap/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/supplementary/debug',\n 'content/eus/rhel8/8.4/s390x/supplementary/os',\n 
'content/eus/rhel8/8.4/s390x/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/appstream/debug',\n 'content/eus/rhel8/8.4/x86_64/appstream/os',\n 'content/eus/rhel8/8.4/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/baseos/debug',\n 'content/eus/rhel8/8.4/x86_64/baseos/os',\n 'content/eus/rhel8/8.4/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.4/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.4/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.4/x86_64/highavailability/os',\n 'content/eus/rhel8/8.4/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.4/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.4/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.4/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.4/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/sap/debug',\n 'content/eus/rhel8/8.4/x86_64/sap/os',\n 'content/eus/rhel8/8.4/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.4/x86_64/supplementary/os',\n 'content/eus/rhel8/8.4/x86_64/supplementary/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/appstream/debug',\n 'content/tus/rhel8/8.4/x86_64/appstream/os',\n 'content/tus/rhel8/8.4/x86_64/appstream/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/baseos/debug',\n 'content/tus/rhel8/8.4/x86_64/baseos/os',\n 'content/tus/rhel8/8.4/x86_64/baseos/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/highavailability/debug',\n 'content/tus/rhel8/8.4/x86_64/highavailability/os',\n 'content/tus/rhel8/8.4/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/nfv/debug',\n 'content/tus/rhel8/8.4/x86_64/nfv/os',\n 'content/tus/rhel8/8.4/x86_64/nfv/source/SRPMS',\n 
'content/tus/rhel8/8.4/x86_64/rt/debug',\n 'content/tus/rhel8/8.4/x86_64/rt/os',\n 'content/tus/rhel8/8.4/x86_64/rt/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'buildah-1.5-8.gite94b4f9.module+el8.3.0+10171+12421f43', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'container-selinux-2.124.0-1.gitf958d0c.module+el8.3.0+10171+12421f43', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},\n {'reference':'containernetworking-plugins-0.7.4-4.git9ebe139.module+el8.3.0+10171+12421f43', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'containers-common-0.1.32-6.git1715c90.module+el8.3.0+10171+12421f43', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'crit-3.12-9.module+el8.3.0+10171+12421f43', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'criu-3.12-9.module+el8.3.0+10171+12421f43', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'fuse-overlayfs-0.3-5.module+el8.3.0+10171+12421f43', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'oci-systemd-hook-0.1.15-2.git2d0b8a3.module+el8.3.0+10171+12421f43', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'oci-umount-2.3.4-2.git87f9237.module+el8.3.0+10171+12421f43', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},\n {'reference':'podman-1.0.0-8.git921f98f.module+el8.3.0+10171+12421f43', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-docker-1.0.0-8.git921f98f.module+el8.3.0+10171+12421f43', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-criu-3.12-9.module+el8.3.0+10171+12421f43', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 
'rpm_spec_vers_cmp':TRUE},\n {'reference':'runc-1.0.0-56.rc5.dev.git2abd837.module+el8.3.0+10171+12421f43', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'skopeo-0.1.32-6.git1715c90.module+el8.3.0+10171+12421f43', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'slirp4netns-0.1-5.dev.gitc4e1bc5.module+el8.3.0+10171+12421f43', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/aus/rhel8/8.6/x86_64/appstream/debug',\n 'content/aus/rhel8/8.6/x86_64/appstream/os',\n 'content/aus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/aus/rhel8/8.6/x86_64/baseos/debug',\n 'content/aus/rhel8/8.6/x86_64/baseos/os',\n 'content/aus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/os',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.6/ppc64le/sap/os',\n 'content/e4s/rhel8/8.6/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.6/x86_64/appstream/os',\n 'content/e4s/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.6/x86_64/baseos/os',\n 'content/e4s/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/debug',\n 
'content/e4s/rhel8/8.6/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/sap/debug',\n 'content/e4s/rhel8/8.6/x86_64/sap/os',\n 'content/e4s/rhel8/8.6/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/appstream/debug',\n 'content/eus/rhel8/8.6/aarch64/appstream/os',\n 'content/eus/rhel8/8.6/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/baseos/debug',\n 'content/eus/rhel8/8.6/aarch64/baseos/os',\n 'content/eus/rhel8/8.6/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/debug',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/os',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/highavailability/debug',\n 'content/eus/rhel8/8.6/aarch64/highavailability/os',\n 'content/eus/rhel8/8.6/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/supplementary/debug',\n 'content/eus/rhel8/8.6/aarch64/supplementary/os',\n 'content/eus/rhel8/8.6/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/appstream/debug',\n 'content/eus/rhel8/8.6/ppc64le/appstream/os',\n 'content/eus/rhel8/8.6/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/baseos/debug',\n 'content/eus/rhel8/8.6/ppc64le/baseos/os',\n 'content/eus/rhel8/8.6/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/debug',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/os',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/debug',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/os',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/debug',\n 
'content/eus/rhel8/8.6/ppc64le/resilientstorage/os',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/debug',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/os',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/sap/debug',\n 'content/eus/rhel8/8.6/ppc64le/sap/os',\n 'content/eus/rhel8/8.6/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/debug',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/os',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/appstream/debug',\n 'content/eus/rhel8/8.6/s390x/appstream/os',\n 'content/eus/rhel8/8.6/s390x/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/baseos/debug',\n 'content/eus/rhel8/8.6/s390x/baseos/os',\n 'content/eus/rhel8/8.6/s390x/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/codeready-builder/debug',\n 'content/eus/rhel8/8.6/s390x/codeready-builder/os',\n 'content/eus/rhel8/8.6/s390x/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/highavailability/debug',\n 'content/eus/rhel8/8.6/s390x/highavailability/os',\n 'content/eus/rhel8/8.6/s390x/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/resilientstorage/debug',\n 'content/eus/rhel8/8.6/s390x/resilientstorage/os',\n 'content/eus/rhel8/8.6/s390x/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/sap/debug',\n 'content/eus/rhel8/8.6/s390x/sap/os',\n 'content/eus/rhel8/8.6/s390x/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/supplementary/debug',\n 'content/eus/rhel8/8.6/s390x/supplementary/os',\n 'content/eus/rhel8/8.6/s390x/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/appstream/debug',\n 'content/eus/rhel8/8.6/x86_64/appstream/os',\n 'content/eus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/baseos/debug',\n 'content/eus/rhel8/8.6/x86_64/baseos/os',\n 
'content/eus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.6/x86_64/highavailability/os',\n 'content/eus/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/sap/debug',\n 'content/eus/rhel8/8.6/x86_64/sap/os',\n 'content/eus/rhel8/8.6/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.6/x86_64/supplementary/os',\n 'content/eus/rhel8/8.6/x86_64/supplementary/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/appstream/debug',\n 'content/tus/rhel8/8.6/x86_64/appstream/os',\n 'content/tus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/baseos/debug',\n 'content/tus/rhel8/8.6/x86_64/baseos/os',\n 'content/tus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/highavailability/debug',\n 'content/tus/rhel8/8.6/x86_64/highavailability/os',\n 'content/tus/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/rt/os',\n 'content/tus/rhel8/8.6/x86_64/rt/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'buildah-1.5-8.gite94b4f9.module+el8.3.0+10171+12421f43', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'container-selinux-2.124.0-1.gitf958d0c.module+el8.3.0+10171+12421f43', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},\n 
{'reference':'containernetworking-plugins-0.7.4-4.git9ebe139.module+el8.3.0+10171+12421f43', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'containers-common-0.1.32-6.git1715c90.module+el8.3.0+10171+12421f43', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'crit-3.12-9.module+el8.3.0+10171+12421f43', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'criu-3.12-9.module+el8.3.0+10171+12421f43', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'fuse-overlayfs-0.3-5.module+el8.3.0+10171+12421f43', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'oci-systemd-hook-0.1.15-2.git2d0b8a3.module+el8.3.0+10171+12421f43', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'oci-umount-2.3.4-2.git87f9237.module+el8.3.0+10171+12421f43', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},\n {'reference':'podman-1.0.0-8.git921f98f.module+el8.3.0+10171+12421f43', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-docker-1.0.0-8.git921f98f.module+el8.3.0+10171+12421f43', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-criu-3.12-9.module+el8.3.0+10171+12421f43', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'runc-1.0.0-56.rc5.dev.git2abd837.module+el8.3.0+10171+12421f43', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'skopeo-0.1.32-6.git1715c90.module+el8.3.0+10171+12421f43', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'slirp4netns-0.1-5.dev.gitc4e1bc5.module+el8.3.0+10171+12421f43', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 
'rpm_spec_vers_cmp':TRUE}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/dist/rhel8/8/aarch64/appstream/debug',\n 'content/dist/rhel8/8/aarch64/appstream/os',\n 'content/dist/rhel8/8/aarch64/appstream/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/baseos/debug',\n 'content/dist/rhel8/8/aarch64/baseos/os',\n 'content/dist/rhel8/8/aarch64/baseos/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/codeready-builder/debug',\n 'content/dist/rhel8/8/aarch64/codeready-builder/os',\n 'content/dist/rhel8/8/aarch64/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/highavailability/debug',\n 'content/dist/rhel8/8/aarch64/highavailability/os',\n 'content/dist/rhel8/8/aarch64/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/supplementary/debug',\n 'content/dist/rhel8/8/aarch64/supplementary/os',\n 'content/dist/rhel8/8/aarch64/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/appstream/debug',\n 'content/dist/rhel8/8/ppc64le/appstream/os',\n 'content/dist/rhel8/8/ppc64le/appstream/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/baseos/debug',\n 'content/dist/rhel8/8/ppc64le/baseos/os',\n 'content/dist/rhel8/8/ppc64le/baseos/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/debug',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/os',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/highavailability/debug',\n 'content/dist/rhel8/8/ppc64le/highavailability/os',\n 'content/dist/rhel8/8/ppc64le/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/debug',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/os',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/debug',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/os',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/sap/debug',\n 'content/dist/rhel8/8/ppc64le/sap/os',\n 
'content/dist/rhel8/8/ppc64le/sap/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/supplementary/debug',\n 'content/dist/rhel8/8/ppc64le/supplementary/os',\n 'content/dist/rhel8/8/ppc64le/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/s390x/appstream/debug',\n 'content/dist/rhel8/8/s390x/appstream/os',\n 'content/dist/rhel8/8/s390x/appstream/source/SRPMS',\n 'content/dist/rhel8/8/s390x/baseos/debug',\n 'content/dist/rhel8/8/s390x/baseos/os',\n 'content/dist/rhel8/8/s390x/baseos/source/SRPMS',\n 'content/dist/rhel8/8/s390x/codeready-builder/debug',\n 'content/dist/rhel8/8/s390x/codeready-builder/os',\n 'content/dist/rhel8/8/s390x/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/s390x/highavailability/debug',\n 'content/dist/rhel8/8/s390x/highavailability/os',\n 'content/dist/rhel8/8/s390x/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/s390x/resilientstorage/debug',\n 'content/dist/rhel8/8/s390x/resilientstorage/os',\n 'content/dist/rhel8/8/s390x/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/s390x/sap/debug',\n 'content/dist/rhel8/8/s390x/sap/os',\n 'content/dist/rhel8/8/s390x/sap/source/SRPMS',\n 'content/dist/rhel8/8/s390x/supplementary/debug',\n 'content/dist/rhel8/8/s390x/supplementary/os',\n 'content/dist/rhel8/8/s390x/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/appstream/debug',\n 'content/dist/rhel8/8/x86_64/appstream/os',\n 'content/dist/rhel8/8/x86_64/appstream/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/baseos/debug',\n 'content/dist/rhel8/8/x86_64/baseos/os',\n 'content/dist/rhel8/8/x86_64/baseos/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/codeready-builder/debug',\n 'content/dist/rhel8/8/x86_64/codeready-builder/os',\n 'content/dist/rhel8/8/x86_64/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/highavailability/debug',\n 'content/dist/rhel8/8/x86_64/highavailability/os',\n 'content/dist/rhel8/8/x86_64/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/nfv/debug',\n 
'content/dist/rhel8/8/x86_64/nfv/os',\n 'content/dist/rhel8/8/x86_64/nfv/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/resilientstorage/debug',\n 'content/dist/rhel8/8/x86_64/resilientstorage/os',\n 'content/dist/rhel8/8/x86_64/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/rt/debug',\n 'content/dist/rhel8/8/x86_64/rt/os',\n 'content/dist/rhel8/8/x86_64/rt/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/sap-solutions/debug',\n 'content/dist/rhel8/8/x86_64/sap-solutions/os',\n 'content/dist/rhel8/8/x86_64/sap-solutions/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/sap/debug',\n 'content/dist/rhel8/8/x86_64/sap/os',\n 'content/dist/rhel8/8/x86_64/sap/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/supplementary/debug',\n 'content/dist/rhel8/8/x86_64/supplementary/os',\n 'content/dist/rhel8/8/x86_64/supplementary/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'buildah-1.5-8.gite94b4f9.module+el8.3.0+10171+12421f43', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'container-selinux-2.124.0-1.gitf958d0c.module+el8.3.0+10171+12421f43', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},\n {'reference':'containernetworking-plugins-0.7.4-4.git9ebe139.module+el8.3.0+10171+12421f43', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'containers-common-0.1.32-6.git1715c90.module+el8.3.0+10171+12421f43', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'crit-3.12-9.module+el8.3.0+10171+12421f43', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'criu-3.12-9.module+el8.3.0+10171+12421f43', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'fuse-overlayfs-0.3-5.module+el8.3.0+10171+12421f43', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'oci-systemd-hook-0.1.15-2.git2d0b8a3.module+el8.3.0+10171+12421f43', 'release':'8', 'el_string':'el8.3.0', 
'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'oci-umount-2.3.4-2.git87f9237.module+el8.3.0+10171+12421f43', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},\n {'reference':'podman-1.0.0-8.git921f98f.module+el8.3.0+10171+12421f43', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-docker-1.0.0-8.git921f98f.module+el8.3.0+10171+12421f43', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-criu-3.12-9.module+el8.3.0+10171+12421f43', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'runc-1.0.0-56.rc5.dev.git2abd837.module+el8.3.0+10171+12421f43', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'skopeo-0.1.32-6.git1715c90.module+el8.3.0+10171+12421f43', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'slirp4netns-0.1-5.dev.gitc4e1bc5.module+el8.3.0+10171+12421f43', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n ]\n};\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:appstreams, appstreams:TRUE);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar module_ver = get_kb_item('Host/RedHat/appstream/container-tools');\nif (isnull(module_ver)) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module container-tools:1.0');\nif ('1.0' >!< module_ver) audit(AUDIT_PACKAGE_NOT_AFFECTED, 'Module container-tools:' + module_ver);\n\nvar flag = 0;\nvar appstreams_found = 0;\nforeach var module (keys(appstreams)) {\n var appstream = NULL;\n var appstream_name = NULL;\n var appstream_version = NULL;\n var appstream_split = split(module, sep:':', keep:FALSE);\n if (!empty_or_null(appstream_split)) {\n appstream_name = appstream_split[0];\n appstream_version = appstream_split[1];\n if (!empty_or_null(appstream_name)) appstream = get_one_kb_item('Host/RedHat/appstream/' + 
appstream_name);\n }\n if (!empty_or_null(appstream) && appstream_version == appstream || appstream_name == 'all') {\n appstreams_found++;\n foreach var module_array ( appstreams[module] ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(module_array['repo_relative_urls'])) repo_relative_urls = module_array['repo_relative_urls'];\n var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);\n foreach var package_array ( module_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp']) && !enterprise_linux_flag) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n }\n}\n\nif (!appstreams_found) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module 
container-tools:1.0');\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'buildah / container-selinux / containernetworking-plugins / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:26:43", "description": "The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2021-0706 advisory.\n\n - A flaw was found in podman before 1.7.0. File permissions for non-root users running in a privileged container are not correctly checked. This flaw can be abused by a low-privileged user inside the container to access any other file in the container, even if owned by the root user inside the container. It does not allow to directly escape the container, though being a privileged container means that a lot of security features are disabled when running the container. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. 
(CVE-2021-20188)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-03-05T00:00:00", "type": "nessus", "title": "Oracle Linux 8 : container-tools:2.0 (ELSA-2021-0706)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-20188"], "modified": "2021-09-22T00:00:00", "cpe": ["cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:buildah", "p-cpe:/a:oracle:linux:buildah-tests", "p-cpe:/a:oracle:linux:cockpit-podman", "p-cpe:/a:oracle:linux:conmon", "p-cpe:/a:oracle:linux:container-selinux", "p-cpe:/a:oracle:linux:containernetworking-plugins", "p-cpe:/a:oracle:linux:containers-common", "p-cpe:/a:oracle:linux:crit", "p-cpe:/a:oracle:linux:criu", "p-cpe:/a:oracle:linux:fuse-overlayfs", "p-cpe:/a:oracle:linux:podman", "p-cpe:/a:oracle:linux:podman-docker", "p-cpe:/a:oracle:linux:podman-remote", "p-cpe:/a:oracle:linux:podman-tests", "p-cpe:/a:oracle:linux:python-podman-api", "p-cpe:/a:oracle:linux:python3-criu", "p-cpe:/a:oracle:linux:runc", "p-cpe:/a:oracle:linux:skopeo", "p-cpe:/a:oracle:linux:skopeo-tests", "p-cpe:/a:oracle:linux:slirp4netns", "p-cpe:/a:oracle:linux:udica"], "id": "ORACLELINUX_ELSA-2021-0706.NASL", "href": "https://www.tenable.com/plugins/nessus/147170", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2021-0706.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147170);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/09/22\");\n\n script_cve_id(\"CVE-2021-20188\");\n\n script_name(english:\"Oracle Linux 8 : container-tools:2.0 (ELSA-2021-0706)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle 
Linux 8 host has packages installed that are affected by a vulnerability as referenced in the\nELSA-2021-0706 advisory.\n\n - A flaw was found in podman before 1.7.0. File permissions for non-root users running in a privileged\n container are not correctly checked. This flaw can be abused by a low-privileged user inside the container\n to access any other file in the container, even if owned by the root user inside the container. It does\n not allow to directly escape the container, though being a privileged container means that a lot of\n security features are disabled when running the container. The highest threat from this vulnerability is\n to data confidentiality and integrity as well as system availability. (CVE-2021-20188)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2021-0706.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-20188\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:oracle:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:buildah\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:buildah-tests\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:cockpit-podman\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:conmon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:container-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:containernetworking-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:containers-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:crit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:criu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:fuse-overlayfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:podman\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:podman-docker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:podman-remote\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:podman-tests\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-podman-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python3-criu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:runc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:skopeo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:skopeo-tests\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:slirp4netns\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:udica\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local 
Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 8', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\nmodule_ver = get_kb_item('Host/RedHat/appstream/container-tools');\nif (isnull(module_ver)) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module container-tools:2.0');\nif ('2.0' >!< module_ver) audit(AUDIT_PACKAGE_NOT_AFFECTED, 'Module container-tools:' + module_ver);\n\nappstreams = {\n 'container-tools:2.0': [\n {'reference':'buildah-1.11.6-8.0.1.module+el8.3.0+9670+b9fad87d', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'buildah-1.11.6-8.0.1.module+el8.3.0+9670+b9fad87d', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n 
{'reference':'buildah-tests-1.11.6-8.0.1.module+el8.3.0+9670+b9fad87d', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'buildah-tests-1.11.6-8.0.1.module+el8.3.0+9670+b9fad87d', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'cockpit-podman-11-1.module+el8.3.0+9670+b9fad87d', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'conmon-2.0.15-1.module+el8.3.0+9670+b9fad87d', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},\n {'reference':'conmon-2.0.15-1.module+el8.3.0+9670+b9fad87d', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},\n {'reference':'container-selinux-2.130.0-1.module+el8.3.0+9670+b9fad87d', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},\n {'reference':'containernetworking-plugins-0.8.3-4.0.1.module+el8.3.0+9670+b9fad87d', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'containernetworking-plugins-0.8.3-4.0.1.module+el8.3.0+9670+b9fad87d', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'containers-common-0.1.41-4.0.1.module+el8.3.0+9670+b9fad87d', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'containers-common-0.1.41-4.0.1.module+el8.3.0+9670+b9fad87d', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'crit-3.12-9.module+el8.3.0+9670+b9fad87d', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'crit-3.12-9.module+el8.3.0+9670+b9fad87d', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'criu-3.12-9.module+el8.3.0+9670+b9fad87d', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'criu-3.12-9.module+el8.3.0+9670+b9fad87d', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'fuse-overlayfs-0.7.8-1.module+el8.3.0+9670+b9fad87d', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n 
{'reference':'fuse-overlayfs-0.7.8-1.module+el8.3.0+9670+b9fad87d', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-1.6.4-26.0.1.module+el8.3.0+9670+b9fad87d', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-1.6.4-26.0.1.module+el8.3.0+9670+b9fad87d', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-docker-1.6.4-26.0.1.module+el8.3.0+9670+b9fad87d', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-remote-1.6.4-26.0.1.module+el8.3.0+9670+b9fad87d', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-remote-1.6.4-26.0.1.module+el8.3.0+9670+b9fad87d', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-tests-1.6.4-26.0.1.module+el8.3.0+9670+b9fad87d', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-tests-1.6.4-26.0.1.module+el8.3.0+9670+b9fad87d', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python-podman-api-1.2.0-0.2.gitd0a45fe.module+el8.3.0+9670+b9fad87d', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-criu-3.12-9.module+el8.3.0+9670+b9fad87d', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-criu-3.12-9.module+el8.3.0+9670+b9fad87d', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'runc-1.0.0-64.rc10.module+el8.3.0+9670+b9fad87d', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'rc_precedence':TRUE},\n {'reference':'runc-1.0.0-64.rc10.module+el8.3.0+9670+b9fad87d', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'rc_precedence':TRUE},\n {'reference':'skopeo-0.1.41-4.0.1.module+el8.3.0+9670+b9fad87d', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'skopeo-0.1.41-4.0.1.module+el8.3.0+9670+b9fad87d', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n 
{'reference':'skopeo-tests-0.1.41-4.0.1.module+el8.3.0+9670+b9fad87d', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'skopeo-tests-0.1.41-4.0.1.module+el8.3.0+9670+b9fad87d', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'slirp4netns-0.4.2-3.git21fdece.module+el8.3.0+9670+b9fad87d', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'slirp4netns-0.4.2-3.git21fdece.module+el8.3.0+9670+b9fad87d', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'udica-0.2.1-2.module+el8.3.0+9670+b9fad87d', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n};\n\nflag = 0;\nappstreams_found = 0;\nforeach module (keys(appstreams)) {\n appstream = NULL;\n appstream_name = NULL;\n appstream_version = NULL;\n appstream_split = split(module, sep:':', keep:FALSE);\n if (!empty_or_null(appstream_split)) {\n appstream_name = appstream_split[0];\n appstream_version = appstream_split[1];\n if (!empty_or_null(appstream_name)) appstream = get_one_kb_item('Host/RedHat/appstream/' + appstream_name);\n }\n if (!empty_or_null(appstream) && appstream_version == appstream || appstream_name == 'all') {\n appstreams_found++;\n foreach package_array ( appstreams[module] ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) 
epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['rc_precedence'])) rc_precedence = package_array['rc_precedence'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, rc_precedence:rc_precedence)) flag++;\n }\n }\n }\n}\n\nif (!appstreams_found) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module container-tools:2.0');\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'buildah / buildah-tests / cockpit-podman / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T14:14:25", "description": "The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2021:0706 advisory.\n\n - podman: container users permissions are not respected in privileged containers (CVE-2021-20188)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-03-02T00:00:00", "type": "nessus", "title": "RHEL 8 : container-tools:2.0 (RHSA-2021:0706)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-20188"], "modified": "2023-05-24T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:8", "cpe:/o:redhat:rhel_aus:8.4", "cpe:/o:redhat:rhel_aus:8.6", "cpe:/o:redhat:rhel_e4s:8.4", "cpe:/o:redhat:rhel_e4s:8.6", "cpe:/o:redhat:rhel_eus:8.4", "cpe:/o:redhat:rhel_eus:8.6", "cpe:/o:redhat:rhel_tus:8.4", "cpe:/o:redhat:rhel_tus:8.6", "p-cpe:/a:redhat:enterprise_linux:buildah", "p-cpe:/a:redhat:enterprise_linux:buildah-tests", 
"p-cpe:/a:redhat:enterprise_linux:cockpit-podman", "p-cpe:/a:redhat:enterprise_linux:conmon", "p-cpe:/a:redhat:enterprise_linux:container-selinux", "p-cpe:/a:redhat:enterprise_linux:containernetworking-plugins", "p-cpe:/a:redhat:enterprise_linux:containers-common", "p-cpe:/a:redhat:enterprise_linux:crit", "p-cpe:/a:redhat:enterprise_linux:criu", "p-cpe:/a:redhat:enterprise_linux:fuse-overlayfs", "p-cpe:/a:redhat:enterprise_linux:podman", "p-cpe:/a:redhat:enterprise_linux:podman-docker", "p-cpe:/a:redhat:enterprise_linux:podman-remote", "p-cpe:/a:redhat:enterprise_linux:podman-tests", "p-cpe:/a:redhat:enterprise_linux:python-podman-api", "p-cpe:/a:redhat:enterprise_linux:python3-criu", "p-cpe:/a:redhat:enterprise_linux:runc", "p-cpe:/a:redhat:enterprise_linux:skopeo", "p-cpe:/a:redhat:enterprise_linux:skopeo-tests", "p-cpe:/a:redhat:enterprise_linux:slirp4netns", "p-cpe:/a:redhat:enterprise_linux:toolbox", "p-cpe:/a:redhat:enterprise_linux:udica"], "id": "REDHAT-RHSA-2021-0706.NASL", "href": "https://www.tenable.com/plugins/nessus/146950", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:0706. 
The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146950);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/24\");\n\n script_cve_id(\"CVE-2021-20188\");\n script_xref(name:\"RHSA\", value:\"2021:0706\");\n\n script_name(english:\"RHEL 8 : container-tools:2.0 (RHSA-2021:0706)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2021:0706 advisory.\n\n - podman: container users permissions are not respected in privileged containers (CVE-2021-20188)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-20188\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0706\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1915734\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-20188\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(863);\n\n script_set_attribute(attribute:\"vuln_publication_date\", 
value:\"2021/02/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:buildah\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:buildah-tests\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cockpit-podman\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:conmon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:container-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:containernetworking-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:containers-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:crit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:criu\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:fuse-overlayfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:podman\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:podman-docker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:podman-remote\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:podman-tests\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-podman-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-criu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:runc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:skopeo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:skopeo-tests\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:slirp4netns\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:toolbox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:udica\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar appstreams = {\n 'container-tools:2.0': [\n {\n 'repo_relative_urls': [\n 'content/aus/rhel8/8.4/x86_64/appstream/debug',\n 'content/aus/rhel8/8.4/x86_64/appstream/os',\n 'content/aus/rhel8/8.4/x86_64/appstream/source/SRPMS',\n 'content/aus/rhel8/8.4/x86_64/baseos/debug',\n 'content/aus/rhel8/8.4/x86_64/baseos/os',\n 'content/aus/rhel8/8.4/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/aarch64/appstream/debug',\n 'content/e4s/rhel8/8.4/aarch64/appstream/os',\n 'content/e4s/rhel8/8.4/aarch64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.4/aarch64/baseos/debug',\n 'content/e4s/rhel8/8.4/aarch64/baseos/os',\n 'content/e4s/rhel8/8.4/aarch64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.4/ppc64le/appstream/os',\n 
'content/e4s/rhel8/8.4/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.4/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.4/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.4/ppc64le/highavailability/os',\n 'content/e4s/rhel8/8.4/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.4/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.4/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.4/ppc64le/sap/os',\n 'content/e4s/rhel8/8.4/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.4/s390x/appstream/debug',\n 'content/e4s/rhel8/8.4/s390x/appstream/os',\n 'content/e4s/rhel8/8.4/s390x/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.4/s390x/baseos/debug',\n 'content/e4s/rhel8/8.4/s390x/baseos/os',\n 'content/e4s/rhel8/8.4/s390x/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.4/x86_64/appstream/os',\n 'content/e4s/rhel8/8.4/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.4/x86_64/baseos/os',\n 'content/e4s/rhel8/8.4/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.4/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.4/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/nfv/debug',\n 'content/e4s/rhel8/8.4/x86_64/nfv/os',\n 'content/e4s/rhel8/8.4/x86_64/nfv/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.4/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.4/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/sap/debug',\n 'content/e4s/rhel8/8.4/x86_64/sap/os',\n 'content/e4s/rhel8/8.4/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/appstream/debug',\n 'content/eus/rhel8/8.4/aarch64/appstream/os',\n 
'content/eus/rhel8/8.4/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/baseos/debug',\n 'content/eus/rhel8/8.4/aarch64/baseos/os',\n 'content/eus/rhel8/8.4/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/codeready-builder/debug',\n 'content/eus/rhel8/8.4/aarch64/codeready-builder/os',\n 'content/eus/rhel8/8.4/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/highavailability/debug',\n 'content/eus/rhel8/8.4/aarch64/highavailability/os',\n 'content/eus/rhel8/8.4/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/supplementary/debug',\n 'content/eus/rhel8/8.4/aarch64/supplementary/os',\n 'content/eus/rhel8/8.4/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/appstream/debug',\n 'content/eus/rhel8/8.4/ppc64le/appstream/os',\n 'content/eus/rhel8/8.4/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/baseos/debug',\n 'content/eus/rhel8/8.4/ppc64le/baseos/os',\n 'content/eus/rhel8/8.4/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/codeready-builder/debug',\n 'content/eus/rhel8/8.4/ppc64le/codeready-builder/os',\n 'content/eus/rhel8/8.4/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/highavailability/debug',\n 'content/eus/rhel8/8.4/ppc64le/highavailability/os',\n 'content/eus/rhel8/8.4/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/resilientstorage/debug',\n 'content/eus/rhel8/8.4/ppc64le/resilientstorage/os',\n 'content/eus/rhel8/8.4/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/sap-solutions/debug',\n 'content/eus/rhel8/8.4/ppc64le/sap-solutions/os',\n 'content/eus/rhel8/8.4/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/sap/debug',\n 'content/eus/rhel8/8.4/ppc64le/sap/os',\n 'content/eus/rhel8/8.4/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/supplementary/debug',\n 'content/eus/rhel8/8.4/ppc64le/supplementary/os',\n 
'content/eus/rhel8/8.4/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/appstream/debug',\n 'content/eus/rhel8/8.4/s390x/appstream/os',\n 'content/eus/rhel8/8.4/s390x/appstream/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/baseos/debug',\n 'content/eus/rhel8/8.4/s390x/baseos/os',\n 'content/eus/rhel8/8.4/s390x/baseos/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/codeready-builder/debug',\n 'content/eus/rhel8/8.4/s390x/codeready-builder/os',\n 'content/eus/rhel8/8.4/s390x/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/highavailability/debug',\n 'content/eus/rhel8/8.4/s390x/highavailability/os',\n 'content/eus/rhel8/8.4/s390x/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/resilientstorage/debug',\n 'content/eus/rhel8/8.4/s390x/resilientstorage/os',\n 'content/eus/rhel8/8.4/s390x/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/sap/debug',\n 'content/eus/rhel8/8.4/s390x/sap/os',\n 'content/eus/rhel8/8.4/s390x/sap/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/supplementary/debug',\n 'content/eus/rhel8/8.4/s390x/supplementary/os',\n 'content/eus/rhel8/8.4/s390x/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/appstream/debug',\n 'content/eus/rhel8/8.4/x86_64/appstream/os',\n 'content/eus/rhel8/8.4/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/baseos/debug',\n 'content/eus/rhel8/8.4/x86_64/baseos/os',\n 'content/eus/rhel8/8.4/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.4/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.4/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.4/x86_64/highavailability/os',\n 'content/eus/rhel8/8.4/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.4/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.4/x86_64/resilientstorage/source/SRPMS',\n 
'content/eus/rhel8/8.4/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.4/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.4/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/sap/debug',\n 'content/eus/rhel8/8.4/x86_64/sap/os',\n 'content/eus/rhel8/8.4/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.4/x86_64/supplementary/os',\n 'content/eus/rhel8/8.4/x86_64/supplementary/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/appstream/debug',\n 'content/tus/rhel8/8.4/x86_64/appstream/os',\n 'content/tus/rhel8/8.4/x86_64/appstream/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/baseos/debug',\n 'content/tus/rhel8/8.4/x86_64/baseos/os',\n 'content/tus/rhel8/8.4/x86_64/baseos/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/highavailability/debug',\n 'content/tus/rhel8/8.4/x86_64/highavailability/os',\n 'content/tus/rhel8/8.4/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/nfv/debug',\n 'content/tus/rhel8/8.4/x86_64/nfv/os',\n 'content/tus/rhel8/8.4/x86_64/nfv/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/rt/debug',\n 'content/tus/rhel8/8.4/x86_64/rt/os',\n 'content/tus/rhel8/8.4/x86_64/rt/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'buildah-1.11.6-8.module+el8.3.0+10188+4c10031c', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'buildah-tests-1.11.6-8.module+el8.3.0+10188+4c10031c', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'cockpit-podman-11-1.module+el8.3.0+10188+4c10031c', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE},\n {'reference':'conmon-2.0.15-1.module+el8.3.0+10188+4c10031c', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},\n {'reference':'container-selinux-2.130.0-1.module+el8.3.0+10188+4c10031c', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},\n 
{'reference':'containernetworking-plugins-0.8.3-4.module+el8.3.0+10188+4c10031c', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'containers-common-0.1.41-4.module+el8.3.0+10188+4c10031c', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'crit-3.12-9.module+el8.3.0+10188+4c10031c', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'criu-3.12-9.module+el8.3.0+10188+4c10031c', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'fuse-overlayfs-0.7.8-1.module+el8.3.0+10188+4c10031c', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-1.6.4-26.module+el8.3.0+10188+4c10031c', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-docker-1.6.4-26.module+el8.3.0+10188+4c10031c', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-remote-1.6.4-26.module+el8.3.0+10188+4c10031c', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-tests-1.6.4-26.module+el8.3.0+10188+4c10031c', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python-podman-api-1.2.0-0.2.gitd0a45fe.module+el8.3.0+10188+4c10031c', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-criu-3.12-9.module+el8.3.0+10188+4c10031c', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'runc-1.0.0-64.rc10.module+el8.3.0+10188+4c10031c', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'skopeo-0.1.41-4.module+el8.3.0+10188+4c10031c', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'skopeo-tests-0.1.41-4.module+el8.3.0+10188+4c10031c', 'sp':'4', 
'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'slirp4netns-0.4.2-3.git21fdece.module+el8.3.0+10188+4c10031c', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'toolbox-0.0.7-1.module+el8.3.0+10188+4c10031c', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'udica-0.2.1-2.module+el8.3.0+10188+4c10031c', 'sp':'4', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/aus/rhel8/8.6/x86_64/appstream/debug',\n 'content/aus/rhel8/8.6/x86_64/appstream/os',\n 'content/aus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/aus/rhel8/8.6/x86_64/baseos/debug',\n 'content/aus/rhel8/8.6/x86_64/baseos/os',\n 'content/aus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/os',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.6/ppc64le/sap/os',\n 'content/e4s/rhel8/8.6/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.6/x86_64/appstream/os',\n 'content/e4s/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.6/x86_64/baseos/os',\n 'content/e4s/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/debug',\n 
'content/e4s/rhel8/8.6/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/sap/debug',\n 'content/e4s/rhel8/8.6/x86_64/sap/os',\n 'content/e4s/rhel8/8.6/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/appstream/debug',\n 'content/eus/rhel8/8.6/aarch64/appstream/os',\n 'content/eus/rhel8/8.6/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/baseos/debug',\n 'content/eus/rhel8/8.6/aarch64/baseos/os',\n 'content/eus/rhel8/8.6/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/debug',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/os',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/highavailability/debug',\n 'content/eus/rhel8/8.6/aarch64/highavailability/os',\n 'content/eus/rhel8/8.6/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/supplementary/debug',\n 'content/eus/rhel8/8.6/aarch64/supplementary/os',\n 'content/eus/rhel8/8.6/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/appstream/debug',\n 'content/eus/rhel8/8.6/ppc64le/appstream/os',\n 'content/eus/rhel8/8.6/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/baseos/debug',\n 'content/eus/rhel8/8.6/ppc64le/baseos/os',\n 'content/eus/rhel8/8.6/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/debug',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/os',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/debug',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/os',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/debug',\n 
'content/eus/rhel8/8.6/ppc64le/resilientstorage/os',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/debug',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/os',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/sap/debug',\n 'content/eus/rhel8/8.6/ppc64le/sap/os',\n 'content/eus/rhel8/8.6/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/debug',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/os',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/appstream/debug',\n 'content/eus/rhel8/8.6/s390x/appstream/os',\n 'content/eus/rhel8/8.6/s390x/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/baseos/debug',\n 'content/eus/rhel8/8.6/s390x/baseos/os',\n 'content/eus/rhel8/8.6/s390x/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/codeready-builder/debug',\n 'content/eus/rhel8/8.6/s390x/codeready-builder/os',\n 'content/eus/rhel8/8.6/s390x/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/highavailability/debug',\n 'content/eus/rhel8/8.6/s390x/highavailability/os',\n 'content/eus/rhel8/8.6/s390x/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/resilientstorage/debug',\n 'content/eus/rhel8/8.6/s390x/resilientstorage/os',\n 'content/eus/rhel8/8.6/s390x/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/sap/debug',\n 'content/eus/rhel8/8.6/s390x/sap/os',\n 'content/eus/rhel8/8.6/s390x/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/supplementary/debug',\n 'content/eus/rhel8/8.6/s390x/supplementary/os',\n 'content/eus/rhel8/8.6/s390x/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/appstream/debug',\n 'content/eus/rhel8/8.6/x86_64/appstream/os',\n 'content/eus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/baseos/debug',\n 'content/eus/rhel8/8.6/x86_64/baseos/os',\n 
'content/eus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.6/x86_64/highavailability/os',\n 'content/eus/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/sap/debug',\n 'content/eus/rhel8/8.6/x86_64/sap/os',\n 'content/eus/rhel8/8.6/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.6/x86_64/supplementary/os',\n 'content/eus/rhel8/8.6/x86_64/supplementary/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/appstream/debug',\n 'content/tus/rhel8/8.6/x86_64/appstream/os',\n 'content/tus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/baseos/debug',\n 'content/tus/rhel8/8.6/x86_64/baseos/os',\n 'content/tus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/highavailability/debug',\n 'content/tus/rhel8/8.6/x86_64/highavailability/os',\n 'content/tus/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/rt/os',\n 'content/tus/rhel8/8.6/x86_64/rt/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'buildah-1.11.6-8.module+el8.3.0+10188+4c10031c', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'buildah-tests-1.11.6-8.module+el8.3.0+10188+4c10031c', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'cockpit-podman-11-1.module+el8.3.0+10188+4c10031c', 'sp':'6', 
'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE},\n {'reference':'conmon-2.0.15-1.module+el8.3.0+10188+4c10031c', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},\n {'reference':'container-selinux-2.130.0-1.module+el8.3.0+10188+4c10031c', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},\n {'reference':'containernetworking-plugins-0.8.3-4.module+el8.3.0+10188+4c10031c', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'containers-common-0.1.41-4.module+el8.3.0+10188+4c10031c', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'crit-3.12-9.module+el8.3.0+10188+4c10031c', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'criu-3.12-9.module+el8.3.0+10188+4c10031c', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'fuse-overlayfs-0.7.8-1.module+el8.3.0+10188+4c10031c', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-1.6.4-26.module+el8.3.0+10188+4c10031c', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-docker-1.6.4-26.module+el8.3.0+10188+4c10031c', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-remote-1.6.4-26.module+el8.3.0+10188+4c10031c', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-tests-1.6.4-26.module+el8.3.0+10188+4c10031c', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python-podman-api-1.2.0-0.2.gitd0a45fe.module+el8.3.0+10188+4c10031c', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-criu-3.12-9.module+el8.3.0+10188+4c10031c', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 
'rpm_spec_vers_cmp':TRUE},\n {'reference':'runc-1.0.0-64.rc10.module+el8.3.0+10188+4c10031c', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'skopeo-0.1.41-4.module+el8.3.0+10188+4c10031c', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'skopeo-tests-0.1.41-4.module+el8.3.0+10188+4c10031c', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'slirp4netns-0.4.2-3.git21fdece.module+el8.3.0+10188+4c10031c', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'toolbox-0.0.7-1.module+el8.3.0+10188+4c10031c', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'udica-0.2.1-2.module+el8.3.0+10188+4c10031c', 'sp':'6', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/dist/rhel8/8/aarch64/appstream/debug',\n 'content/dist/rhel8/8/aarch64/appstream/os',\n 'content/dist/rhel8/8/aarch64/appstream/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/baseos/debug',\n 'content/dist/rhel8/8/aarch64/baseos/os',\n 'content/dist/rhel8/8/aarch64/baseos/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/codeready-builder/debug',\n 'content/dist/rhel8/8/aarch64/codeready-builder/os',\n 'content/dist/rhel8/8/aarch64/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/highavailability/debug',\n 'content/dist/rhel8/8/aarch64/highavailability/os',\n 'content/dist/rhel8/8/aarch64/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/supplementary/debug',\n 'content/dist/rhel8/8/aarch64/supplementary/os',\n 'content/dist/rhel8/8/aarch64/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/appstream/debug',\n 'content/dist/rhel8/8/ppc64le/appstream/os',\n 'content/dist/rhel8/8/ppc64le/appstream/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/baseos/debug',\n 
'content/dist/rhel8/8/ppc64le/baseos/os',\n 'content/dist/rhel8/8/ppc64le/baseos/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/debug',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/os',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/highavailability/debug',\n 'content/dist/rhel8/8/ppc64le/highavailability/os',\n 'content/dist/rhel8/8/ppc64le/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/debug',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/os',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/debug',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/os',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/sap/debug',\n 'content/dist/rhel8/8/ppc64le/sap/os',\n 'content/dist/rhel8/8/ppc64le/sap/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/supplementary/debug',\n 'content/dist/rhel8/8/ppc64le/supplementary/os',\n 'content/dist/rhel8/8/ppc64le/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/s390x/appstream/debug',\n 'content/dist/rhel8/8/s390x/appstream/os',\n 'content/dist/rhel8/8/s390x/appstream/source/SRPMS',\n 'content/dist/rhel8/8/s390x/baseos/debug',\n 'content/dist/rhel8/8/s390x/baseos/os',\n 'content/dist/rhel8/8/s390x/baseos/source/SRPMS',\n 'content/dist/rhel8/8/s390x/codeready-builder/debug',\n 'content/dist/rhel8/8/s390x/codeready-builder/os',\n 'content/dist/rhel8/8/s390x/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/s390x/highavailability/debug',\n 'content/dist/rhel8/8/s390x/highavailability/os',\n 'content/dist/rhel8/8/s390x/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/s390x/resilientstorage/debug',\n 'content/dist/rhel8/8/s390x/resilientstorage/os',\n 'content/dist/rhel8/8/s390x/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/s390x/sap/debug',\n 'content/dist/rhel8/8/s390x/sap/os',\n 
'content/dist/rhel8/8/s390x/sap/source/SRPMS',\n 'content/dist/rhel8/8/s390x/supplementary/debug',\n 'content/dist/rhel8/8/s390x/supplementary/os',\n 'content/dist/rhel8/8/s390x/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/appstream/debug',\n 'content/dist/rhel8/8/x86_64/appstream/os',\n 'content/dist/rhel8/8/x86_64/appstream/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/baseos/debug',\n 'content/dist/rhel8/8/x86_64/baseos/os',\n 'content/dist/rhel8/8/x86_64/baseos/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/codeready-builder/debug',\n 'content/dist/rhel8/8/x86_64/codeready-builder/os',\n 'content/dist/rhel8/8/x86_64/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/highavailability/debug',\n 'content/dist/rhel8/8/x86_64/highavailability/os',\n 'content/dist/rhel8/8/x86_64/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/nfv/debug',\n 'content/dist/rhel8/8/x86_64/nfv/os',\n 'content/dist/rhel8/8/x86_64/nfv/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/resilientstorage/debug',\n 'content/dist/rhel8/8/x86_64/resilientstorage/os',\n 'content/dist/rhel8/8/x86_64/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/rt/debug',\n 'content/dist/rhel8/8/x86_64/rt/os',\n 'content/dist/rhel8/8/x86_64/rt/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/sap-solutions/debug',\n 'content/dist/rhel8/8/x86_64/sap-solutions/os',\n 'content/dist/rhel8/8/x86_64/sap-solutions/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/sap/debug',\n 'content/dist/rhel8/8/x86_64/sap/os',\n 'content/dist/rhel8/8/x86_64/sap/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/supplementary/debug',\n 'content/dist/rhel8/8/x86_64/supplementary/os',\n 'content/dist/rhel8/8/x86_64/supplementary/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'buildah-1.11.6-8.module+el8.3.0+10188+4c10031c', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'buildah-tests-1.11.6-8.module+el8.3.0+10188+4c10031c', 'release':'8', 'el_string':'el8.3.0', 
'rpm_spec_vers_cmp':TRUE},\n {'reference':'cockpit-podman-11-1.module+el8.3.0+10188+4c10031c', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE},\n {'reference':'conmon-2.0.15-1.module+el8.3.0+10188+4c10031c', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},\n {'reference':'container-selinux-2.130.0-1.module+el8.3.0+10188+4c10031c', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},\n {'reference':'containernetworking-plugins-0.8.3-4.module+el8.3.0+10188+4c10031c', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'containers-common-0.1.41-4.module+el8.3.0+10188+4c10031c', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'crit-3.12-9.module+el8.3.0+10188+4c10031c', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'criu-3.12-9.module+el8.3.0+10188+4c10031c', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'fuse-overlayfs-0.7.8-1.module+el8.3.0+10188+4c10031c', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-1.6.4-26.module+el8.3.0+10188+4c10031c', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-docker-1.6.4-26.module+el8.3.0+10188+4c10031c', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-remote-1.6.4-26.module+el8.3.0+10188+4c10031c', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-tests-1.6.4-26.module+el8.3.0+10188+4c10031c', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python-podman-api-1.2.0-0.2.gitd0a45fe.module+el8.3.0+10188+4c10031c', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-criu-3.12-9.module+el8.3.0+10188+4c10031c', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n 
{'reference':'runc-1.0.0-64.rc10.module+el8.3.0+10188+4c10031c', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'skopeo-0.1.41-4.module+el8.3.0+10188+4c10031c', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'skopeo-tests-0.1.41-4.module+el8.3.0+10188+4c10031c', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'slirp4netns-0.4.2-3.git21fdece.module+el8.3.0+10188+4c10031c', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'toolbox-0.0.7-1.module+el8.3.0+10188+4c10031c', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'udica-0.2.1-2.module+el8.3.0+10188+4c10031c', 'release':'8', 'el_string':'el8.3.0', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n ]\n};\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:appstreams, appstreams:TRUE);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar module_ver = get_kb_item('Host/RedHat/appstream/container-tools');\nif (isnull(module_ver)) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module container-tools:2.0');\nif ('2.0' >!< module_ver) audit(AUDIT_PACKAGE_NOT_AFFECTED, 'Module container-tools:' + module_ver);\n\nvar flag = 0;\nvar appstreams_found = 0;\nforeach var module (keys(appstreams)) {\n var appstream = NULL;\n var appstream_name = NULL;\n var appstream_version = NULL;\n var appstream_split = split(module, sep:':', keep:FALSE);\n if (!empty_or_null(appstream_split)) {\n appstream_name = appstream_split[0];\n appstream_version = appstream_split[1];\n if (!empty_or_null(appstream_name)) appstream = get_one_kb_item('Host/RedHat/appstream/' + appstream_name);\n }\n if (!empty_or_null(appstream) && appstream_version == appstream || appstream_name == 'all') {\n appstreams_found++;\n foreach var module_array ( appstreams[module] ) {\n var repo_relative_urls = NULL;\n if 
(!empty_or_null(module_array['repo_relative_urls'])) repo_relative_urls = module_array['repo_relative_urls'];\n var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);\n foreach var package_array ( module_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp']) && !enterprise_linux_flag) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n }\n}\n\nif (!appstreams_found) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module container-tools:2.0');\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get();\n security_report_v4(\n port : 0,\n severity : 
SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'buildah / buildah-tests / cockpit-podman / conmon / container-selinux / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:25:25", "description": "The remote CentOS Linux 8 host has packages installed that are affected by a vulnerability as referenced in the CESA-2021:0705 advisory.\n\n - podman: container users permissions are not respected in privileged containers (CVE-2021-20188)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-03-03T00:00:00", "type": "nessus", "title": "CentOS 8 : container-tools:1.0 (CESA-2021:0705)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-20188"], "modified": "2023-02-08T00:00:00", "cpe": ["cpe:/o:centos:centos:8", "p-cpe:/a:centos:centos:buildah", "p-cpe:/a:centos:centos:container-selinux", "p-cpe:/a:centos:centos:containernetworking-plugins", "p-cpe:/a:centos:centos:containers-common", "p-cpe:/a:centos:centos:crit", "p-cpe:/a:centos:centos:criu", "p-cpe:/a:centos:centos:fuse-overlayfs", "p-cpe:/a:centos:centos:oci-systemd-hook", "p-cpe:/a:centos:centos:oci-umount", "p-cpe:/a:centos:centos:podman", "p-cpe:/a:centos:centos:podman-docker", "p-cpe:/a:centos:centos:python3-criu", "p-cpe:/a:centos:centos:runc", "p-cpe:/a:centos:centos:skopeo", "p-cpe:/a:centos:centos:slirp4netns"], "id": "CENTOS8_RHSA-2021-0705.NASL", "href": "https://www.tenable.com/plugins/nessus/146964", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# Red Hat Security Advisory RHSA-2021:0705. 
The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146964);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/08\");\n\n script_cve_id(\"CVE-2021-20188\");\n script_xref(name:\"RHSA\", value:\"2021:0705\");\n\n script_name(english:\"CentOS 8 : container-tools:1.0 (CESA-2021:0705)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote CentOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote CentOS Linux 8 host has packages installed that are affected by a vulnerability as referenced in the\nCESA-2021:0705 advisory.\n\n - podman: container users permissions are not respected in privileged containers (CVE-2021-20188)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0705\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-20188\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/03\");\n\n script_set_attribute(attribute:\"plugin_type\", 
value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:buildah\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:container-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:containernetworking-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:containers-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:crit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:criu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:fuse-overlayfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:oci-systemd-hook\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:oci-umount\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:podman\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:podman-docker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python3-criu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:runc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:skopeo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:slirp4netns\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CentOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/CentOS/release');\nif (isnull(os_release) || 'CentOS' >!< os_release) audit(AUDIT_OS_NOT, 'CentOS');\nvar os_ver = pregmatch(pattern: \"CentOS(?: Stream)?(?: Linux)? release ([0-9]+)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CentOS');\nos_ver = os_ver[1];\nif ('CentOS Stream' >< os_release) audit(AUDIT_OS_NOT, 'CentOS 8.x', 'CentOS Stream ' + os_ver);\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'CentOS 8.x', 'CentOS ' + os_ver);\n\nif (!get_kb_item('Host/CentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CentOS', cpu);\n\nvar module_ver = get_kb_item('Host/RedHat/appstream/container-tools');\nif (isnull(module_ver)) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module container-tools:1.0');\nif ('1.0' >!< module_ver) audit(AUDIT_PACKAGE_NOT_AFFECTED, 'Module container-tools:' + module_ver);\n\nvar appstreams = {\n 'container-tools:1.0': [\n {'reference':'buildah-1.5-8.gite94b4f9.module_el8.3.0+569+1bada2e4', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'buildah-1.5-8.gite94b4f9.module_el8.3.0+569+1bada2e4', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'container-selinux-2.124.0-1.gitf958d0c.module_el8.3.0+569+1bada2e4', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n 
{'reference':'container-selinux-2.124.0-1.gitf958d0c.module_el8.3.0+569+1bada2e4', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'containernetworking-plugins-0.7.4-4.git9ebe139.module_el8.3.0+569+1bada2e4', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'containernetworking-plugins-0.7.4-4.git9ebe139.module_el8.3.0+569+1bada2e4', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'containers-common-0.1.32-6.git1715c90.module_el8.3.0+569+1bada2e4', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'containers-common-0.1.32-6.git1715c90.module_el8.3.0+569+1bada2e4', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'crit-3.12-9.module_el8.3.0+569+1bada2e4', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'crit-3.12-9.module_el8.3.0+569+1bada2e4', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'criu-3.12-9.module_el8.3.0+569+1bada2e4', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'criu-3.12-9.module_el8.3.0+569+1bada2e4', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'fuse-overlayfs-0.3-5.module_el8.3.0+569+1bada2e4', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'fuse-overlayfs-0.3-5.module_el8.3.0+569+1bada2e4', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'oci-systemd-hook-0.1.15-2.git2d0b8a3.module_el8.3.0+569+1bada2e4', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'oci-systemd-hook-0.1.15-2.git2d0b8a3.module_el8.3.0+569+1bada2e4', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'oci-umount-2.3.4-2.git87f9237.module_el8.3.0+569+1bada2e4', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'oci-umount-2.3.4-2.git87f9237.module_el8.3.0+569+1bada2e4', 
'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-1.0.0-8.git921f98f.module_el8.3.0+712+3299ffc8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-1.0.0-8.git921f98f.module_el8.3.0+712+3299ffc8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-docker-1.0.0-8.git921f98f.module_el8.3.0+712+3299ffc8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-docker-1.0.0-8.git921f98f.module_el8.3.0+712+3299ffc8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-criu-3.12-9.module_el8.3.0+569+1bada2e4', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-criu-3.12-9.module_el8.3.0+569+1bada2e4', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'runc-1.0.0-56.rc5.dev.git2abd837.module_el8.3.0+569+1bada2e4', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'runc-1.0.0-56.rc5.dev.git2abd837.module_el8.3.0+569+1bada2e4', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'skopeo-0.1.32-6.git1715c90.module_el8.3.0+569+1bada2e4', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'skopeo-0.1.32-6.git1715c90.module_el8.3.0+569+1bada2e4', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'slirp4netns-0.1-5.dev.gitc4e1bc5.module_el8.3.0+569+1bada2e4', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'slirp4netns-0.1-5.dev.gitc4e1bc5.module_el8.3.0+569+1bada2e4', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n};\n\nvar flag = 0;\nappstreams_found = 0;\nforeach module (keys(appstreams)) {\n var appstream = NULL;\n var appstream_name = NULL;\n var appstream_version = NULL;\n var appstream_split = split(module, sep:':', keep:FALSE);\n if (!empty_or_null(appstream_split)) {\n appstream_name = appstream_split[0];\n 
appstream_version = appstream_split[1];\n if (!empty_or_null(appstream_name)) appstream = get_one_kb_item('Host/RedHat/appstream/' + appstream_name);\n }\n if (!empty_or_null(appstream) && appstream_version == appstream || appstream_name == 'all') {\n appstreams_found++;\n foreach package_array ( appstreams[module] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = 'CentOS-' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && _release) {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n }\n}\n\nif (!appstreams_found) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module container-tools:1.0');\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'buildah / container-selinux / containernetworking-plugins / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-27T14:21:44", "description": "The remote Redhat Enterprise Linux 8 host has 
packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3053 advisory.\n\n - QEMU: slirp: use-after-free in ip_reass() function in ip_input.c (CVE-2020-1983)\n\n - podman: container users permissions are not respected in privileged containers (CVE-2021-20188)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-07-21T00:00:00", "type": "nessus", "title": "RHEL 8 : container-tools:rhel8 (RHSA-2020:3053)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1983", "CVE-2021-20188"], "modified": "2023-05-25T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:8", "cpe:/o:redhat:rhel_aus:8.4", "cpe:/o:redhat:rhel_aus:8.6", "cpe:/o:redhat:rhel_e4s:8.4", "cpe:/o:redhat:rhel_e4s:8.6", "cpe:/o:redhat:rhel_eus:8.4", "cpe:/o:redhat:rhel_eus:8.6", "cpe:/o:redhat:rhel_tus:8.4", "cpe:/o:redhat:rhel_tus:8.6", "p-cpe:/a:redhat:enterprise_linux:buildah", "p-cpe:/a:redhat:enterprise_linux:buildah-tests", "p-cpe:/a:redhat:enterprise_linux:cockpit-podman", "p-cpe:/a:redhat:enterprise_linux:conmon", "p-cpe:/a:redhat:enterprise_linux:container-selinux", "p-cpe:/a:redhat:enterprise_linux:containernetworking-plugins", "p-cpe:/a:redhat:enterprise_linux:containers-common", "p-cpe:/a:redhat:enterprise_linux:crit", "p-cpe:/a:redhat:enterprise_linux:criu", "p-cpe:/a:redhat:enterprise_linux:fuse-overlayfs", "p-cpe:/a:redhat:enterprise_linux:libslirp", "p-cpe:/a:redhat:enterprise_linux:libslirp-devel", "p-cpe:/a:redhat:enterprise_linux:podman", "p-cpe:/a:redhat:enterprise_linux:podman-docker", "p-cpe:/a:redhat:enterprise_linux:podman-remote", "p-cpe:/a:redhat:enterprise_linux:podman-tests", "p-cpe:/a:redhat:enterprise_linux:python-podman-api", "p-cpe:/a:redhat:enterprise_linux:python3-criu", "p-cpe:/a:redhat:enterprise_linux:runc", "p-cpe:/a:redhat:enterprise_linux:skopeo", "p-cpe:/a:redhat:enterprise_linux:skopeo-tests", 
"p-cpe:/a:redhat:enterprise_linux:slirp4netns", "p-cpe:/a:redhat:enterprise_linux:toolbox", "p-cpe:/a:redhat:enterprise_linux:udica"], "id": "REDHAT-RHSA-2020-3053.NASL", "href": "https://www.tenable.com/plugins/nessus/138804", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:3053. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138804);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/25\");\n\n script_cve_id(\"CVE-2020-1983\", \"CVE-2021-20188\");\n script_xref(name:\"RHSA\", value:\"2020:3053\");\n\n script_name(english:\"RHEL 8 : container-tools:rhel8 (RHSA-2020:3053)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2020:3053 advisory.\n\n - QEMU: slirp: use-after-free in ip_reass() function in ip_input.c (CVE-2020-1983)\n\n - podman: container users permissions are not respected in privileged containers (CVE-2021-20188)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-1983\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-20188\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:3053\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1829825\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.redhat.com/1915734\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1983\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-20188\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(416, 863);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:buildah\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:buildah-tests\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cockpit-podman\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:conmon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:container-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:containernetworking-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:containers-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:crit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:criu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:fuse-overlayfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libslirp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libslirp-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:podman\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:podman-docker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:podman-remote\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:podman-tests\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-podman-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-criu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:runc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:skopeo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:skopeo-tests\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:slirp4netns\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:toolbox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:udica\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar appstreams = {\n 'container-tools:rhel8': [\n {\n 'repo_relative_urls': [\n 'content/aus/rhel8/8.4/x86_64/appstream/debug',\n 'content/aus/rhel8/8.4/x86_64/appstream/os',\n 'content/aus/rhel8/8.4/x86_64/appstream/source/SRPMS',\n 'content/aus/rhel8/8.4/x86_64/baseos/debug',\n 
'content/aus/rhel8/8.4/x86_64/baseos/os',\n 'content/aus/rhel8/8.4/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/aarch64/appstream/debug',\n 'content/e4s/rhel8/8.4/aarch64/appstream/os',\n 'content/e4s/rhel8/8.4/aarch64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.4/aarch64/baseos/debug',\n 'content/e4s/rhel8/8.4/aarch64/baseos/os',\n 'content/e4s/rhel8/8.4/aarch64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.4/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.4/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.4/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.4/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.4/ppc64le/highavailability/os',\n 'content/e4s/rhel8/8.4/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.4/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.4/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.4/ppc64le/sap/os',\n 'content/e4s/rhel8/8.4/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.4/s390x/appstream/debug',\n 'content/e4s/rhel8/8.4/s390x/appstream/os',\n 'content/e4s/rhel8/8.4/s390x/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.4/s390x/baseos/debug',\n 'content/e4s/rhel8/8.4/s390x/baseos/os',\n 'content/e4s/rhel8/8.4/s390x/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.4/x86_64/appstream/os',\n 'content/e4s/rhel8/8.4/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.4/x86_64/baseos/os',\n 'content/e4s/rhel8/8.4/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.4/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.4/x86_64/highavailability/source/SRPMS',\n 
'content/e4s/rhel8/8.4/x86_64/nfv/debug',\n 'content/e4s/rhel8/8.4/x86_64/nfv/os',\n 'content/e4s/rhel8/8.4/x86_64/nfv/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.4/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.4/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/sap/debug',\n 'content/e4s/rhel8/8.4/x86_64/sap/os',\n 'content/e4s/rhel8/8.4/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/appstream/debug',\n 'content/eus/rhel8/8.4/aarch64/appstream/os',\n 'content/eus/rhel8/8.4/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/baseos/debug',\n 'content/eus/rhel8/8.4/aarch64/baseos/os',\n 'content/eus/rhel8/8.4/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/codeready-builder/debug',\n 'content/eus/rhel8/8.4/aarch64/codeready-builder/os',\n 'content/eus/rhel8/8.4/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/highavailability/debug',\n 'content/eus/rhel8/8.4/aarch64/highavailability/os',\n 'content/eus/rhel8/8.4/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/supplementary/debug',\n 'content/eus/rhel8/8.4/aarch64/supplementary/os',\n 'content/eus/rhel8/8.4/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/appstream/debug',\n 'content/eus/rhel8/8.4/ppc64le/appstream/os',\n 'content/eus/rhel8/8.4/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/baseos/debug',\n 'content/eus/rhel8/8.4/ppc64le/baseos/os',\n 'content/eus/rhel8/8.4/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/codeready-builder/debug',\n 'content/eus/rhel8/8.4/ppc64le/codeready-builder/os',\n 'content/eus/rhel8/8.4/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/highavailability/debug',\n 'content/eus/rhel8/8.4/ppc64le/highavailability/os',\n 'content/eus/rhel8/8.4/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/resilientstorage/debug',\n 
'content/eus/rhel8/8.4/ppc64le/resilientstorage/os',\n 'content/eus/rhel8/8.4/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/sap-solutions/debug',\n 'content/eus/rhel8/8.4/ppc64le/sap-solutions/os',\n 'content/eus/rhel8/8.4/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/sap/debug',\n 'content/eus/rhel8/8.4/ppc64le/sap/os',\n 'content/eus/rhel8/8.4/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/supplementary/debug',\n 'content/eus/rhel8/8.4/ppc64le/supplementary/os',\n 'content/eus/rhel8/8.4/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/appstream/debug',\n 'content/eus/rhel8/8.4/s390x/appstream/os',\n 'content/eus/rhel8/8.4/s390x/appstream/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/baseos/debug',\n 'content/eus/rhel8/8.4/s390x/baseos/os',\n 'content/eus/rhel8/8.4/s390x/baseos/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/codeready-builder/debug',\n 'content/eus/rhel8/8.4/s390x/codeready-builder/os',\n 'content/eus/rhel8/8.4/s390x/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/highavailability/debug',\n 'content/eus/rhel8/8.4/s390x/highavailability/os',\n 'content/eus/rhel8/8.4/s390x/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/resilientstorage/debug',\n 'content/eus/rhel8/8.4/s390x/resilientstorage/os',\n 'content/eus/rhel8/8.4/s390x/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/sap/debug',\n 'content/eus/rhel8/8.4/s390x/sap/os',\n 'content/eus/rhel8/8.4/s390x/sap/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/supplementary/debug',\n 'content/eus/rhel8/8.4/s390x/supplementary/os',\n 'content/eus/rhel8/8.4/s390x/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/appstream/debug',\n 'content/eus/rhel8/8.4/x86_64/appstream/os',\n 'content/eus/rhel8/8.4/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/baseos/debug',\n 'content/eus/rhel8/8.4/x86_64/baseos/os',\n 
'content/eus/rhel8/8.4/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.4/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.4/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.4/x86_64/highavailability/os',\n 'content/eus/rhel8/8.4/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.4/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.4/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.4/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.4/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/sap/debug',\n 'content/eus/rhel8/8.4/x86_64/sap/os',\n 'content/eus/rhel8/8.4/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.4/x86_64/supplementary/os',\n 'content/eus/rhel8/8.4/x86_64/supplementary/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/appstream/debug',\n 'content/tus/rhel8/8.4/x86_64/appstream/os',\n 'content/tus/rhel8/8.4/x86_64/appstream/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/baseos/debug',\n 'content/tus/rhel8/8.4/x86_64/baseos/os',\n 'content/tus/rhel8/8.4/x86_64/baseos/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/highavailability/debug',\n 'content/tus/rhel8/8.4/x86_64/highavailability/os',\n 'content/tus/rhel8/8.4/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/nfv/debug',\n 'content/tus/rhel8/8.4/x86_64/nfv/os',\n 'content/tus/rhel8/8.4/x86_64/nfv/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/rt/debug',\n 'content/tus/rhel8/8.4/x86_64/rt/os',\n 'content/tus/rhel8/8.4/x86_64/rt/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'buildah-1.14.9-1.module+el8.2.1+6689+748e6520', 'sp':'4', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n 
{'reference':'buildah-tests-1.14.9-1.module+el8.2.1+6689+748e6520', 'sp':'4', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'cockpit-podman-17-1.module+el8.2.1+6636+bf4db4ab', 'sp':'4', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE},\n {'reference':'conmon-2.0.17-1.module+el8.2.1+6771+3533eb4c', 'sp':'4', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},\n {'reference':'container-selinux-2.135.0-1.module+el8.2.1+6849+893e4f4a', 'sp':'4', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},\n {'reference':'containernetworking-plugins-0.8.6-1.module+el8.2.1+6626+598993b4', 'sp':'4', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'containers-common-1.0.0-1.module+el8.2.1+6676+604e1b26', 'sp':'4', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'crit-3.14-2.module+el8.2.1+6750+e53a300c', 'sp':'4', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'criu-3.14-2.module+el8.2.1+6750+e53a300c', 'sp':'4', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'fuse-overlayfs-1.0.0-2.module+el8.2.1+6465+1a51e8b6', 'sp':'4', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libslirp-4.3.0-3.module+el8.2.1+6816+bedf4f91', 'sp':'4', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libslirp-devel-4.3.0-3.module+el8.2.1+6816+bedf4f91', 'sp':'4', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-1.9.3-2.module+el8.2.1+6867+366c07d6', 'sp':'4', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-docker-1.9.3-2.module+el8.2.1+6867+366c07d6', 'sp':'4', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-remote-1.9.3-2.module+el8.2.1+6867+366c07d6', 'sp':'4', 
'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-tests-1.9.3-2.module+el8.2.1+6867+366c07d6', 'sp':'4', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python-podman-api-1.2.0-0.2.gitd0a45fe.module+el8.2.1+6465+1a51e8b6', 'sp':'4', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-criu-3.14-2.module+el8.2.1+6750+e53a300c', 'sp':'4', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'runc-1.0.0-66.rc10.module+el8.2.1+6465+1a51e8b6', 'sp':'4', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'skopeo-1.0.0-1.module+el8.2.1+6676+604e1b26', 'sp':'4', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'skopeo-tests-1.0.0-1.module+el8.2.1+6676+604e1b26', 'sp':'4', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'slirp4netns-1.0.1-1.module+el8.2.1+6595+03641d72', 'sp':'4', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'toolbox-0.0.7-1.module+el8.2.1+6465+1a51e8b6', 'sp':'4', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'udica-0.2.1-2.module+el8.2.1+6465+1a51e8b6', 'sp':'4', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/aus/rhel8/8.6/x86_64/appstream/debug',\n 'content/aus/rhel8/8.6/x86_64/appstream/os',\n 'content/aus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/aus/rhel8/8.6/x86_64/baseos/debug',\n 'content/aus/rhel8/8.6/x86_64/baseos/os',\n 'content/aus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/os',\n 
'content/e4s/rhel8/8.6/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/os',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.6/ppc64le/sap/os',\n 'content/e4s/rhel8/8.6/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.6/x86_64/appstream/os',\n 'content/e4s/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.6/x86_64/baseos/os',\n 'content/e4s/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/sap/debug',\n 'content/e4s/rhel8/8.6/x86_64/sap/os',\n 'content/e4s/rhel8/8.6/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/appstream/debug',\n 'content/eus/rhel8/8.6/aarch64/appstream/os',\n 'content/eus/rhel8/8.6/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/baseos/debug',\n 'content/eus/rhel8/8.6/aarch64/baseos/os',\n 'content/eus/rhel8/8.6/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/debug',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/os',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/highavailability/debug',\n 'content/eus/rhel8/8.6/aarch64/highavailability/os',\n 'content/eus/rhel8/8.6/aarch64/highavailability/source/SRPMS',\n 
'content/eus/rhel8/8.6/aarch64/supplementary/debug',\n 'content/eus/rhel8/8.6/aarch64/supplementary/os',\n 'content/eus/rhel8/8.6/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/appstream/debug',\n 'content/eus/rhel8/8.6/ppc64le/appstream/os',\n 'content/eus/rhel8/8.6/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/baseos/debug',\n 'content/eus/rhel8/8.6/ppc64le/baseos/os',\n 'content/eus/rhel8/8.6/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/debug',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/os',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/debug',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/os',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/debug',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/os',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/debug',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/os',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/sap/debug',\n 'content/eus/rhel8/8.6/ppc64le/sap/os',\n 'content/eus/rhel8/8.6/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/debug',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/os',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/appstream/debug',\n 'content/eus/rhel8/8.6/s390x/appstream/os',\n 'content/eus/rhel8/8.6/s390x/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/baseos/debug',\n 'content/eus/rhel8/8.6/s390x/baseos/os',\n 'content/eus/rhel8/8.6/s390x/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/codeready-builder/debug',\n 'content/eus/rhel8/8.6/s390x/codeready-builder/os',\n 'content/eus/rhel8/8.6/s390x/codeready-builder/source/SRPMS',\n 
'content/eus/rhel8/8.6/s390x/highavailability/debug',\n 'content/eus/rhel8/8.6/s390x/highavailability/os',\n 'content/eus/rhel8/8.6/s390x/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/resilientstorage/debug',\n 'content/eus/rhel8/8.6/s390x/resilientstorage/os',\n 'content/eus/rhel8/8.6/s390x/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/sap/debug',\n 'content/eus/rhel8/8.6/s390x/sap/os',\n 'content/eus/rhel8/8.6/s390x/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/supplementary/debug',\n 'content/eus/rhel8/8.6/s390x/supplementary/os',\n 'content/eus/rhel8/8.6/s390x/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/appstream/debug',\n 'content/eus/rhel8/8.6/x86_64/appstream/os',\n 'content/eus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/baseos/debug',\n 'content/eus/rhel8/8.6/x86_64/baseos/os',\n 'content/eus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.6/x86_64/highavailability/os',\n 'content/eus/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/sap/debug',\n 'content/eus/rhel8/8.6/x86_64/sap/os',\n 'content/eus/rhel8/8.6/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.6/x86_64/supplementary/os',\n 'content/eus/rhel8/8.6/x86_64/supplementary/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/appstream/debug',\n 
'content/tus/rhel8/8.6/x86_64/appstream/os',\n 'content/tus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/baseos/debug',\n 'content/tus/rhel8/8.6/x86_64/baseos/os',\n 'content/tus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/highavailability/debug',\n 'content/tus/rhel8/8.6/x86_64/highavailability/os',\n 'content/tus/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/rt/os',\n 'content/tus/rhel8/8.6/x86_64/rt/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'buildah-1.14.9-1.module+el8.2.1+6689+748e6520', 'sp':'6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'buildah-tests-1.14.9-1.module+el8.2.1+6689+748e6520', 'sp':'6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'cockpit-podman-17-1.module+el8.2.1+6636+bf4db4ab', 'sp':'6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE},\n {'reference':'conmon-2.0.17-1.module+el8.2.1+6771+3533eb4c', 'sp':'6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},\n {'reference':'container-selinux-2.135.0-1.module+el8.2.1+6849+893e4f4a', 'sp':'6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},\n {'reference':'containernetworking-plugins-0.8.6-1.module+el8.2.1+6626+598993b4', 'sp':'6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'containers-common-1.0.0-1.module+el8.2.1+6676+604e1b26', 'sp':'6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'crit-3.14-2.module+el8.2.1+6750+e53a300c', 'sp':'6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'criu-3.14-2.module+el8.2.1+6750+e53a300c', 'sp':'6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'fuse-overlayfs-1.0.0-2.module+el8.2.1+6465+1a51e8b6', 'sp':'6', 'release':'8', 'el_string':'el8.2.1', 
'rpm_spec_vers_cmp':TRUE},\n {'reference':'libslirp-4.3.0-3.module+el8.2.1+6816+bedf4f91', 'sp':'6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libslirp-devel-4.3.0-3.module+el8.2.1+6816+bedf4f91', 'sp':'6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-1.9.3-2.module+el8.2.1+6867+366c07d6', 'sp':'6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-docker-1.9.3-2.module+el8.2.1+6867+366c07d6', 'sp':'6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-remote-1.9.3-2.module+el8.2.1+6867+366c07d6', 'sp':'6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-tests-1.9.3-2.module+el8.2.1+6867+366c07d6', 'sp':'6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python-podman-api-1.2.0-0.2.gitd0a45fe.module+el8.2.1+6465+1a51e8b6', 'sp':'6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-criu-3.14-2.module+el8.2.1+6750+e53a300c', 'sp':'6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'runc-1.0.0-66.rc10.module+el8.2.1+6465+1a51e8b6', 'sp':'6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'skopeo-1.0.0-1.module+el8.2.1+6676+604e1b26', 'sp':'6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'skopeo-tests-1.0.0-1.module+el8.2.1+6676+604e1b26', 'sp':'6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'slirp4netns-1.0.1-1.module+el8.2.1+6595+03641d72', 'sp':'6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'toolbox-0.0.7-1.module+el8.2.1+6465+1a51e8b6', 'sp':'6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'udica-0.2.1-2.module+el8.2.1+6465+1a51e8b6', 'sp':'6', 'release':'8', 
'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/dist/rhel8/8/aarch64/appstream/debug',\n 'content/dist/rhel8/8/aarch64/appstream/os',\n 'content/dist/rhel8/8/aarch64/appstream/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/baseos/debug',\n 'content/dist/rhel8/8/aarch64/baseos/os',\n 'content/dist/rhel8/8/aarch64/baseos/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/codeready-builder/debug',\n 'content/dist/rhel8/8/aarch64/codeready-builder/os',\n 'content/dist/rhel8/8/aarch64/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/highavailability/debug',\n 'content/dist/rhel8/8/aarch64/highavailability/os',\n 'content/dist/rhel8/8/aarch64/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/supplementary/debug',\n 'content/dist/rhel8/8/aarch64/supplementary/os',\n 'content/dist/rhel8/8/aarch64/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/appstream/debug',\n 'content/dist/rhel8/8/ppc64le/appstream/os',\n 'content/dist/rhel8/8/ppc64le/appstream/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/baseos/debug',\n 'content/dist/rhel8/8/ppc64le/baseos/os',\n 'content/dist/rhel8/8/ppc64le/baseos/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/debug',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/os',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/highavailability/debug',\n 'content/dist/rhel8/8/ppc64le/highavailability/os',\n 'content/dist/rhel8/8/ppc64le/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/debug',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/os',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/debug',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/os',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/sap/debug',\n 'content/dist/rhel8/8/ppc64le/sap/os',\n 
'content/dist/rhel8/8/ppc64le/sap/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/supplementary/debug',\n 'content/dist/rhel8/8/ppc64le/supplementary/os',\n 'content/dist/rhel8/8/ppc64le/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/s390x/appstream/debug',\n 'content/dist/rhel8/8/s390x/appstream/os',\n 'content/dist/rhel8/8/s390x/appstream/source/SRPMS',\n 'content/dist/rhel8/8/s390x/baseos/debug',\n 'content/dist/rhel8/8/s390x/baseos/os',\n 'content/dist/rhel8/8/s390x/baseos/source/SRPMS',\n 'content/dist/rhel8/8/s390x/codeready-builder/debug',\n 'content/dist/rhel8/8/s390x/codeready-builder/os',\n 'content/dist/rhel8/8/s390x/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/s390x/highavailability/debug',\n 'content/dist/rhel8/8/s390x/highavailability/os',\n 'content/dist/rhel8/8/s390x/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/s390x/resilientstorage/debug',\n 'content/dist/rhel8/8/s390x/resilientstorage/os',\n 'content/dist/rhel8/8/s390x/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/s390x/sap/debug',\n 'content/dist/rhel8/8/s390x/sap/os',\n 'content/dist/rhel8/8/s390x/sap/source/SRPMS',\n 'content/dist/rhel8/8/s390x/supplementary/debug',\n 'content/dist/rhel8/8/s390x/supplementary/os',\n 'content/dist/rhel8/8/s390x/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/appstream/debug',\n 'content/dist/rhel8/8/x86_64/appstream/os',\n 'content/dist/rhel8/8/x86_64/appstream/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/baseos/debug',\n 'content/dist/rhel8/8/x86_64/baseos/os',\n 'content/dist/rhel8/8/x86_64/baseos/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/codeready-builder/debug',\n 'content/dist/rhel8/8/x86_64/codeready-builder/os',\n 'content/dist/rhel8/8/x86_64/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/highavailability/debug',\n 'content/dist/rhel8/8/x86_64/highavailability/os',\n 'content/dist/rhel8/8/x86_64/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/nfv/debug',\n 
'content/dist/rhel8/8/x86_64/nfv/os',\n 'content/dist/rhel8/8/x86_64/nfv/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/resilientstorage/debug',\n 'content/dist/rhel8/8/x86_64/resilientstorage/os',\n 'content/dist/rhel8/8/x86_64/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/rt/debug',\n 'content/dist/rhel8/8/x86_64/rt/os',\n 'content/dist/rhel8/8/x86_64/rt/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/sap-solutions/debug',\n 'content/dist/rhel8/8/x86_64/sap-solutions/os',\n 'content/dist/rhel8/8/x86_64/sap-solutions/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/sap/debug',\n 'content/dist/rhel8/8/x86_64/sap/os',\n 'content/dist/rhel8/8/x86_64/sap/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/supplementary/debug',\n 'content/dist/rhel8/8/x86_64/supplementary/os',\n 'content/dist/rhel8/8/x86_64/supplementary/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'buildah-1.14.9-1.module+el8.2.1+6689+748e6520', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'buildah-tests-1.14.9-1.module+el8.2.1+6689+748e6520', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'cockpit-podman-17-1.module+el8.2.1+6636+bf4db4ab', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE},\n {'reference':'conmon-2.0.17-1.module+el8.2.1+6771+3533eb4c', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},\n {'reference':'container-selinux-2.135.0-1.module+el8.2.1+6849+893e4f4a', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},\n {'reference':'containernetworking-plugins-0.8.6-1.module+el8.2.1+6626+598993b4', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'containers-common-1.0.0-1.module+el8.2.1+6676+604e1b26', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'crit-3.14-2.module+el8.2.1+6750+e53a300c', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n 
{'reference':'criu-3.14-2.module+el8.2.1+6750+e53a300c', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'fuse-overlayfs-1.0.0-2.module+el8.2.1+6465+1a51e8b6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libslirp-4.3.0-3.module+el8.2.1+6816+bedf4f91', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libslirp-devel-4.3.0-3.module+el8.2.1+6816+bedf4f91', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-1.9.3-2.module+el8.2.1+6867+366c07d6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-docker-1.9.3-2.module+el8.2.1+6867+366c07d6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-remote-1.9.3-2.module+el8.2.1+6867+366c07d6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-tests-1.9.3-2.module+el8.2.1+6867+366c07d6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python-podman-api-1.2.0-0.2.gitd0a45fe.module+el8.2.1+6465+1a51e8b6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-criu-3.14-2.module+el8.2.1+6750+e53a300c', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'runc-1.0.0-66.rc10.module+el8.2.1+6465+1a51e8b6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'skopeo-1.0.0-1.module+el8.2.1+6676+604e1b26', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'skopeo-tests-1.0.0-1.module+el8.2.1+6676+604e1b26', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'slirp4netns-1.0.1-1.module+el8.2.1+6595+03641d72', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'toolbox-0.0.7-1.module+el8.2.1+6465+1a51e8b6', 'release':'8', 'el_string':'el8.2.1', 
'rpm_spec_vers_cmp':TRUE},\n {'reference':'udica-0.2.1-2.module+el8.2.1+6465+1a51e8b6', 'release':'8', 'el_string':'el8.2.1', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n ]\n};\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:appstreams, appstreams:TRUE);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar module_ver = get_kb_item('Host/RedHat/appstream/container-tools');\nif (isnull(module_ver)) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module container-tools:rhel8');\nif ('rhel8' >!< module_ver) audit(AUDIT_PACKAGE_NOT_AFFECTED, 'Module container-tools:' + module_ver);\n\nvar flag = 0;\nvar appstreams_found = 0;\nforeach var module (keys(appstreams)) {\n var appstream = NULL;\n var appstream_name = NULL;\n var appstream_version = NULL;\n var appstream_split = split(module, sep:':', keep:FALSE);\n if (!empty_or_null(appstream_split)) {\n appstream_name = appstream_split[0];\n appstream_version = appstream_split[1];\n if (!empty_or_null(appstream_name)) appstream = get_one_kb_item('Host/RedHat/appstream/' + appstream_name);\n }\n if (!empty_or_null(appstream) && appstream_version == appstream || appstream_name == 'all') {\n appstreams_found++;\n foreach var module_array ( appstreams[module] ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(module_array['repo_relative_urls'])) repo_relative_urls = module_array['repo_relative_urls'];\n var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);\n foreach var package_array ( module_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = 'RHEL' + package_array['release'];\n if 
(!empty_or_null(package_array['sp']) && !enterprise_linux_flag) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n }\n}\n\nif (!appstreams_found) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module container-tools:rhel8');\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get();\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'buildah / buildah-tests / cockpit-podman / conmon / container-selinux / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "redhatcve": [{"lastseen": "2023-05-27T14:33:54", "description": "A flaw was found in podman. File permissions for non-root users running in a privileged container are not correctly checked. 
This flaw can be abused by a low-privileged user inside the container to access any other file in the container, even if owned by the root user inside the container. It does not allow a direct escape from the container, although a privileged container runs with a lot of security features disabled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\n", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-10T15:42:00", "type": "redhatcve", "title": "CVE-2021-20188", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20188"], "modified": "2023-04-06T07:59:49", "id": "RH:CVE-2021-20188", "href": "https://access.redhat.com/security/cve/cve-2021-20188", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "debiancve": [{"lastseen": "2023-05-27T15:14:05", "description": "A flaw was found in podman before 1.7.0. File permissions for non-root users running in a privileged container are not correctly checked. 
This flaw can be abused by a low-privileged user inside the container to access any other file in the container, even if owned by the root user inside the container. It does not allow a direct escape from the container, although a privileged container runs with a lot of security features disabled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-11T18:15:00", "type": "debiancve", "title": "CVE-2021-20188", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20188"], "modified": "2021-02-11T18:15:00", "id": "DEBIANCVE:CVE-2021-20188", "href": "https://security-tracker.debian.org/tracker/CVE-2021-20188", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "almalinux": [{"lastseen": "2023-08-02T11:17:03", "description": "The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.\n\nSecurity Fix(es):\n\n* podman: container users permissions are not respected in privileged 
containers (CVE-2021-20188)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-02T18:20:39", "type": "almalinux", "title": "Important: container-tools:1.0 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20188"], "modified": "2021-03-02T18:20:39", "id": "ALSA-2021:0705", "href": "https://errata.almalinux.org/8/ALSA-2021-0705.html", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-02T11:17:03", "description": "The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.\n\nSecurity Fix(es):\n\n* podman: container users permissions are not respected in privileged containers (CVE-2021-20188)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": 
{"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-02T18:48:35", "type": "almalinux", "title": "Important: container-tools:2.0 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20188"], "modified": "2021-03-02T18:48:35", "id": "ALSA-2021:0706", "href": "https://errata.almalinux.org/8/ALSA-2021-0706.html", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "github": [{"lastseen": "2023-05-27T15:15:55", "description": "A flaw was found in podman before 1.7.0. File permissions for non-root users running in a privileged container are not correctly checked. This flaw can be abused by a low-privileged user inside the container to access any other file in the container, even if owned by the root user inside the container. It does not allow to directly escape the container, though being a privileged container means that a lot of security features are disabled when running the container. 
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-18T18:33:12", "type": "github", "title": "Improper Authorization in github.com/containers/libpod", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20188"], "modified": "2023-01-09T05:05:09", "id": "GHSA-9H63-7QF6-MV6R", "href": "https://github.com/advisories/GHSA-9h63-7qf6-mv6r", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "rocky": [{"lastseen": "2023-07-24T17:29:39", "description": "An update is available for fuse-overlayfs, container-selinux, udica, toolbox, podman, conmon, skopeo, python-podman-api, slirp4netns, containernetworking-plugins, buildah, criu, cockpit-podman.\nThis update affects Rocky Linux 8.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list\nThe container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.\n\nSecurity Fix(es):\n\n* 
podman: container users permissions are not respected in privileged containers (CVE-2021-20188)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-02T18:48:35", "type": "rocky", "title": "container-tools:2.0 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20188"], "modified": "2021-03-02T18:48:35", "id": "RLSA-2021:0706", "href": "https://errata.rockylinux.org/RLSA-2021:0706", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-07-24T17:29:39", "description": "An update is available for fuse-overlayfs, container-selinux, oci-umount, runc, podman, skopeo, slirp4netns, oci-systemd-hook, containernetworking-plugins, buildah, criu.\nThis update affects Rocky Linux 8.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list\nThe container-tools module contains 
tools for working with containers, notably podman, buildah, skopeo, and runc.\n\nSecurity Fix(es):\n\n* podman: container users permissions are not respected in privileged containers (CVE-2021-20188)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-02T18:20:39", "type": "rocky", "title": "container-tools:1.0 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20188"], "modified": "2021-03-02T18:20:39", "id": "RLSA-2021:0705", "href": "https://errata.rockylinux.org/RLSA-2021:0705", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-07-24T17:30:17", "description": "An update is available for python-podman-api, udica, toolbox, runc.\nThis update affects Rocky Linux 8.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list\nThe container-tools module contains 
tools for working with containers, notably podman, buildah, skopeo, and runc.\n\nSecurity Fix(es):\n\n* QEMU: slirp: use-after-free in ip_reass() function in ip_input.c (CVE-2020-1983)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Rocky Linux 8.2 Release Notes linked from the References section.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-21T15:01:40", "type": "rocky", "title": "container-tools:rhel8 security, bug fix, and enhancement update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1983", "CVE-2021-20188"], "modified": "2020-07-21T15:01:40", "id": "RLSA-2020:3053", "href": "https://errata.rockylinux.org/RLSA-2020:3053", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "veracode": [{"lastseen": "2022-07-26T13:50:21", "description": "podman is vulnerable to privilege escalation. 
File permissions for non-root users running in a privileged container are not properly validated and the vulnerability can be abused by a low-privileged user inside the container to access any other file in the container, even if owned by the root user inside the container. \n", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-02T20:57:36", "type": "veracode", "title": "Privilege Escalation", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20188"], "modified": "2022-04-19T18:44:49", "id": "VERACODE:29543", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-29543/summary", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "osv": [{"lastseen": "2022-05-12T01:15:35", "description": "A flaw was found in podman before 1.7.0. File permissions for non-root users running in a privileged container are not correctly checked. This flaw can be abused by a low-privileged user inside the container to access any other file in the container, even if owned by the root user inside the container. 
It does not allow a direct escape from the container, although a privileged container runs with a lot of security features disabled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.0, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-18T18:33:12", "type": "osv", "title": "Improper Authorization in github.com/containers/libpod", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20188"], "modified": "2021-05-07T22:01:02", "id": "OSV:GHSA-9H63-7QF6-MV6R", "href": "https://osv.dev/vulnerability/GHSA-9h63-7qf6-mv6r", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "ubuntucve": [{"lastseen": "2023-07-28T01:06:27", "description": "A flaw was found in podman before 1.7.0. File permissions for non-root\nusers running in a privileged container are not correctly checked. This\nflaw can be abused by a low-privileged user inside the container to access\nany other file in the container, even if owned by the root user inside the\ncontainer. 
It does not allow a direct escape from the container, although a\nprivileged container runs with a lot of security features disabled. The highest threat from this vulnerability is\nto data confidentiality and integrity as well as system availability.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-11T00:00:00", "type": "ubuntucve", "title": "CVE-2021-20188", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20188"], "modified": "2021-02-11T00:00:00", "id": "UB:CVE-2021-20188", "href": "https://ubuntu.com/security/CVE-2021-20188", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "prion": [{"lastseen": "2023-08-16T00:55:27", "description": "A flaw was found in podman before 1.7.0. File permissions for non-root users running in a privileged container are not correctly checked. This flaw can be abused by a low-privileged user inside the container to access any other file in the container, even if owned by the root user inside the container. 
It does not allow a direct escape from the container, although a privileged container runs with a lot of security features disabled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-11T18:15:00", "type": "prion", "title": "CVE-2021-20188", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20188"], "modified": "2021-02-17T20:12:00", "id": "PRION:CVE-2021-20188", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-20188", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2021-07-28T14:24:40", "description": "buildah\n[1.11.6-8.0.1]\n- Reduce unnecessary writable mounts in NaiveDiffDriver [Orabug: 31025483]\n- Fixes troubles with oracle registry login [Orabug: 29937283]\n[1.11.6-8]\n- exclude i686 arch\n- Related: #1821193\n[1.11.6-7]\n- fix 'CVE-2020-10696 buildah: crafted input tar file may lead to local file overwriting during image build process'\n- Resolves: #1819393\n[1.11.6-6]\n- fix 'COPY 
command takes long time with buildah'\n- Resolves: #1806118\n[1.11.6-5]\n- fix CVE-2020-1702\n- Resolves: #1801930\n- adding the first phase of FIPS fix\n- Related: #1784952\n[1.11.6-4]\n- compile in FIPS mode\n- Related: RHELPLAN-25139\n[1.11.6-3]\n- be sure to use golang >= 1.12.12-4\n- Related: RHELPLAN-25139\n[1.11.6-2]\n- fix chroot: unmount with MNT_DETACH instead of UnmountMountpoints()\n- bug reference 1772179\n- Related: RHELPLAN-25139\n[1.11.6-1]\n- update to buildah 1.11.6\n- Related: RHELPLAN-25139\n[1.11.5-1]\n- update to buildah 1.11.5\n- Related: RHELPLAN-25139\n[1.11.4-2]\n- fix %gobuild macro to not to ignore BUILDTAGS\n- Related: RHELPLAN-25139\n[1.11.4-1]\n- update to 1.11.4\n- Related: RHELPLAN-25139\n[1.9.0-5]\n- Use autosetup macro again.\n[1.9.0-4]\n- Fix CVE-2019-10214 (#1734653).\n[1.9.0-3]\n- Resolves: #1721247 - enable fips mode\n[1.9.0-2]\n- Resolves: #1720654 - tests subpackage depends on golang explicitly\n[1.9.0-1]\n- Resolves: #1720654 - rebase to v1.9.0\n[1.8.3-1]\n- Resolves: #1720654 - rebase to v1.8.3\n[1.8-0.git021d607]\n- package system tests\n[1.5-3.gite94b4f9]\n- re-enable debuginfo\n[1.5-2.gite94b4f9]\n- go toolset not in scl anymore\n[1.5-1.gite94b4f9]\n- rebase\n[1.4-3.git608fa84]\n- fedora-like go compiler macro in buildrequires is enough\n[1.4-2.git608fa84]\n- rebase\n[1.3-3.git4888163]\n- Resolves: #1615611 - rebuild with gobuild tag 'no_openssl'\n[1.3-2.git4888163]\n- Resolves: #1614009 - built with updated scl-ized go-toolset dep\n- build with %gobuild\n[1.3-1]\n- Bump to v1.3\n- Vendor in lates containers/image\n- build-using-dockerfile: let -t include transports again\n- Block use of /proc/acpi and /proc/keys from inside containers\n- Fix handling of --registries-conf\n- Fix becoming a maintainer link\n- add optional CI test fo darwin\n- Don't pass a nil error to errors.Wrapf()\n- image filter test: use kubernetes/pause as a 'since'\n- Add --cidfile option to from\n- vendor: update containers/storage\n- Contributors 
need to find the CONTRIBUTOR.md file easier\n- Add a --loglevel option to build-with-dockerfile\n- Create Development plan\n- cmd: Code improvement\n- allow buildah cross compile for a darwin target\n- Add unused function param lint check\n- docs: Follow man-pages(7) suggestions for SYNOPSIS\n- Start using github.com/seccomp/containers-golang\n- umount: add all option to umount all mounted containers\n- runConfigureNetwork(): remove an unused parameter\n- Update github.com/opencontainers/selinux\n- Fix buildah bud --layers\n- Force ownership of /etc/hosts and /etc/resolv.conf to 0:0\n- main: if unprivileged, reexec in a user namespace\n- Vendor in latest imagebuilder\n- Reduce the complexity of the buildah.Run function\n- mount: output it before replacing lastError\n- Vendor in latest selinux-go code\n- Implement basic recognition of the '--isolation' option\n- Run(): try to resolve non-absolute paths using /usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/opc/.local/bin:/home/opc/bin\n- Run(): don't include any default environment variables\n- build without seccomp\n- vendor in latest runtime-tools\n- bind/mount_unsupported.go: remove import errors\n- Update github.com/opencontainers/runc\n- Add Capabilities lists to BuilderInfo\n- Tweaks for commit tests\n- commit: recognize committing to second storage locations\n- Fix ARGS parsing for run commands\n- Add info on registries.conf to from manpage\n- Switch from using docker to podman for testing in .papr\n- buildah: set the HTTP User-Agent\n- ONBUILD tutorial\n- Add information about the configuration files to the install docs\n- Makefile: add uninstall\n- Add tilde info for push to troubleshooting\n- mount: support multiple inputs\n- Use the right formatting when adding entries to /etc/hosts\n- Vendor in latest go-selinux bindings\n- Allow --userns-uid-map/--userns-gid-map to be global options\n- bind: factor out UnmountMountpoints\n- Run(): simplify runCopyStdio()\n- Run(): handle POLLNVAL results\n- 
Run(): tweak terminal mode handling\n- Run(): rename 'copyStdio' to 'copyPipes'\n- Run(): don't set a Pdeathsig for the runtime\n- Run(): add options for adding and removing capabilities\n- Run(): don't use a callback when a slice will do\n- setupSeccomp(): refactor\n- Change RunOptions.Stdin/Stdout/Stderr to just be Reader/Writers\n- Escape use of '_' in .md docs\n- Break out getProcIDMappings()\n- Break out SetupIntermediateMountNamespace()\n- Add Multi From Demo\n- Use the c/image conversion code instead of converting configs manually\n- Don't throw away the manifest MIME type and guess again\n- Consolidate loading manifest and config in initConfig\n- Pass a types.Image to Builder.initConfig\n- Require an image ID in importBuilderDataFromImage\n- Use c/image/manifest.GuessMIMEType instead of a custom heuristic\n- Do not ignore any parsing errors in initConfig\n- Explicitly handle 'from scratch' images in Builder.initConfig\n- Fix parsing of OCI images\n- Simplify dead but dangerous-looking error handling\n- Don't ignore v2s1 history if docker_version is not set\n- Add --rm and --force-rm to buildah bud\n- Add --all,-a flag to buildah images\n- Separate stdio buffering from writing\n- Remove tty check from images --format\n- Add environment variable BUILDAH_RUNTIME\n- Add --layers and --no-cache to buildah bud\n- Touch up images man\n- version.md: fix DESCRIPTION\n- tests: add containers test\n- tests: add images test\n- images: fix usage\n- fix make clean error\n- Change 'registries' to 'container registries' in man\n- add commit test\n- Add(): learn to record hashes of what we add\n- Minor update to buildah config documentation for entrypoint\n- Bump to v1.2-dev\n- Add registries.conf link to a few man pages\n[1.2-3]\n- do not depend on btrfs-progs for rhel8\n[1.2-2]\n- buildah does not require ostree\n[1.2-1]\n- Vendor in latest containers/image\n- build-using-dockerfile: let -t include transports again\n- Block use of /proc/acpi and /proc/keys from inside 
containers\n- Fix handling of --registries-conf\n- Fix becoming a maintainer link\n- add optional CI test fo darwin\n- Don't pass a nil error to errors.Wrapf()\n- image filter test: use kubernetes/pause as a 'since'\n- Add --cidfile option to from\n- vendor: update containers/storage\n- Contributors need to find the CONTRIBUTOR.md file easier\n- Add a --loglevel option to build-with-dockerfile\n- Create Development plan\n- cmd: Code improvement\n- allow buildah cross compile for a darwin target\n- Add unused function param lint check\n- docs: Follow man-pages(7) suggestions for SYNOPSIS\n- Start using github.com/seccomp/containers-golang\n- umount: add all option to umount all mounted containers\n- runConfigureNetwork(): remove an unused parameter\n- Update github.com/opencontainers/selinux\n- Fix buildah bud --layers\n- Force ownership of /etc/hosts and /etc/resolv.conf to 0:0\n- main: if unprivileged, reexec in a user namespace\n- Vendor in latest imagebuilder\n- Reduce the complexity of the buildah.Run function\n- mount: output it before replacing lastError\n- Vendor in latest selinux-go code\n- Implement basic recognition of the '--isolation' option\n- Run(): try to resolve non-absolute paths using /usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/opc/.local/bin:/home/opc/bin\n- Run(): don't include any default environment variables\n- build without seccomp\n- vendor in latest runtime-tools\n- bind/mount_unsupported.go: remove import errors\n- Update github.com/opencontainers/runc\n- Add Capabilities lists to BuilderInfo\n- Tweaks for commit tests\n- commit: recognize committing to second storage locations\n- Fix ARGS parsing for run commands\n- Add info on registries.conf to from manpage\n- Switch from using docker to podman for testing in .papr\n- buildah: set the HTTP User-Agent\n- ONBUILD tutorial\n- Add information about the configuration files to the install docs\n- Makefile: add uninstall\n- Add tilde info for push to troubleshooting\n- mount: 
support multiple inputs\n- Use the right formatting when adding entries to /etc/hosts\n- Vendor in latest go-selinux bindings\n- Allow --userns-uid-map/--userns-gid-map to be global options\n- bind: factor out UnmountMountpoints\n- Run(): simplify runCopyStdio()\n- Run(): handle POLLNVAL results\n- Run(): tweak terminal mode handling\n- Run(): rename 'copyStdio' to 'copyPipes'\n- Run(): don't set a Pdeathsig for the runtime\n- Run(): add options for adding and removing capabilities\n- Run(): don't use a callback when a slice will do\n- setupSeccomp(): refactor\n- Change RunOptions.Stdin/Stdout/Stderr to just be Reader/Writers\n- Escape use of '_' in .md docs\n- Break out getProcIDMappings()\n- Break out SetupIntermediateMountNamespace()\n- Add Multi From Demo\n- Use the c/image conversion code instead of converting configs manually\n- Don't throw away the manifest MIME type and guess again\n- Consolidate loading manifest and config in initConfig\n- Pass a types.Image to Builder.initConfig\n- Require an image ID in importBuilderDataFromImage\n- Use c/image/manifest.GuessMIMEType instead of a custom heuristic\n- Do not ignore any parsing errors in initConfig\n- Explicitly handle 'from scratch' images in Builder.initConfig\n- Fix parsing of OCI images\n- Simplify dead but dangerous-looking error handling\n- Don't ignore v2s1 history if docker_version is not set\n- Add --rm and --force-rm to buildah bud\n- Add --all,-a flag to buildah images\n- Separate stdio buffering from writing\n- Remove tty check from images --format\n- Add environment variable BUILDAH_RUNTIME\n- Add --layers and --no-cache to buildah bud\n- Touch up images man\n- version.md: fix DESCRIPTION\n- tests: add containers test\n- tests: add images test\n- images: fix usage\n- fix make clean error\n- Change 'registries' to 'container registries' in man\n- add commit test\n- Add(): learn to record hashes of what we add\n- Minor update to buildah config documentation for entrypoint\n- Add registries.conf 
link to a few man pages\n[1.1-1]\n- Drop capabilities if running container processes as non root\n- Print Warning message if cmd will not be used based on entrypoint\n- Update 01-intro.md\n- Shouldn't add insecure registries to list of search registries\n- Report errors on bad transports specification when pushing images\n- Move parsing code out of common for namespaces and into pkg/parse.go\n- Add disable-content-trust noop flag to bud\n- Change freenode chan to buildah\n- runCopyStdio(): don't close stdin unless we saw POLLHUP\n- Add registry errors for pull\n- runCollectOutput(): just read until the pipes are closed on us\n- Run(): provide redirection for stdio\n- rmi, rm: add test\n- add mount test\n- Add parameter judgment for commands that do not require parameters\n- Add context dir to bud command in baseline test\n- run.bats: check that we can run with symlinks in the bundle path\n- Give better messages to users when image can not be found\n- use absolute path for bundlePath\n- Add environment variable to buildah --format\n- rm: add validation to args and all option\n- Accept json array input for config entrypoint\n- Run(): process RunOptions.Mounts, and its flags\n- Run(): only collect error output from stdio pipes if we created some\n- Add OnBuild support for Dockerfiles\n- Quick fix on demo readme\n- run: fix validate flags\n- buildah bud should require a context directory or URL\n- Touchup tutorial for run changes\n- Validate common bud and from flags\n- images: Error if the specified imagename does not exist\n- inspect: Increase err judgments to avoid panic\n- add test to inspect\n- buildah bud picks up ENV from base image\n- Extend the amount of time travis_wait should wait\n- Add a make target for Installing CNI plugins\n- Add tests for namespace control flags\n- copy.bats: check ownerships in the container\n- Fix SELinux test errors when SELinux is enabled\n- Add example CNI configurations\n- Run: set supplemental group IDs\n- Run: use a temporary 
mount namespace\n- Use CNI to configure container networks\n- add/secrets/commit: Use mappings when setting permissions on added content\n- Add CLI options for specifying namespace and cgroup setup\n- Always set mappings when using user namespaces\n- Run(): break out creation of stdio pipe descriptors\n- Read UID/GID mapping information from containers and images\n- Additional bud CI tests\n- Run integration tests under travis_wait in Travis\n- build-using-dockerfile: add --annotation\n- Implement --squash for build-using-dockerfile and commit\n- Vendor in latest container/storage for devicemapper support\n- add test to inspect\n- Vendor github.com/onsi/ginkgo and github.com/onsi/gomega\n- Test with Go 1.10, too\n- Add console syntax highlighting to troubleshooting page\n- bud.bats: print '' before checking its contents\n- Manage 'Run' containers more closely\n- Break Builder.Run()'s 'run runc' bits out\n- util.ResolveName(): handle completion for tagged/digested image names\n- Handle /etc/hosts and /etc/resolv.conf properly in container\n- Documentation fixes\n- Make it easier to parse our temporary directory as an image name\n- Makefile: list new pkg/ subdirectoris as dependencies for buildah\n- containerImageSource: return more-correct errors\n- API cleanup: PullPolicy and TerminalPolicy should be types\n- Make 'run --terminal' and 'run -t' aliases for 'run --tty'\n- Vendor github.com/containernetworking/cni v0.6.0\n- Update github.com/containers/storage\n- Update github.com/projectatomic/libpod\n- Add support for buildah bud --label\n- buildah push/from can push and pull images with no reference\n- Vendor in latest containers/image\n- Update gometalinter to fix install.tools error\n- Update troubleshooting with new run workaround\n- Added a bud demo and tidied up\n- Attempt to download file from url, if fails assume Dockerfile\n- Add buildah bud CI tests for ENV variables\n- Re-enable rpm .spec version check and new commit test\n- Update buildah scratch demo to 
support el7\n- Added Docker compatibility demo\n- Update to F28 and new run format in baseline test\n- Touchup man page short options across man pages\n- Added demo dir and a demo. chged distrorlease\n- builder-inspect: fix format option\n- Add cpu-shares short flag (-c) and cpu-shares CI tests\n- Minor fixes to formatting in rpm spec changelog\n- Fix rpm .spec changelog formatting\n- CI tests and minor fix for cache related noop flags\n- buildah-from: add effective value to mount propagation\n[1.0-1]\n- Remove buildah run cmd and entrypoint execution\n- Add Files section with registries.conf to pertinent man pages\n- Force 'localhost' as a default registry\n- Add --compress, --rm, --squash flags as a noop for bud\n- Add FIPS mode secret to buildah run and bud\n- Add config --comment/--domainname/--history-comment/--hostname\n- Add support for --iidfile to bud and commit\n- Add /bin/sh -c to entrypoint in config\n- buildah images and podman images are listing different sizes\n- Remove tarball as an option from buildah push --help\n- Update entrypoint behaviour to match docker\n- Display imageId after commit\n- config: add support for StopSignal\n- Allow referencing stages as index and names\n- Add multi-stage builds support\n- Vendor in latest imagebuilder, to get mixed case AS support\n- Allow umount to have multi-containers\n- Update buildah push doc\n- buildah bud walks symlinks\n- Imagename is required for commit atm, update manpage\n[0.16-3.git532e267]\n- Resolves: #1573681\n- built commit 532e267\n[0.16.0-2.git6f7d05b]\n- built commit 6f7d05b\n[0.16-1]\n- Add support for shell\n- Vendor in latest containers/image\n- \t docker-archive generates docker legacy compatible images\n-\t Do not create subdirectories for layers with no configs\n- \t Ensure the layer IDs in legacy docker/tarfile metadata are unique\n-\t docker-archive: repeated layers are symlinked in the tar file\n-\t sysregistries: remove all trailing slashes\n-\t Improve docker/* error messages\n-\t 
Fix failure to make auth directory\n-\t Create a new slice in Schema1.UpdateLayerInfos\n-\t Drop unused storageImageDestination.{image,systemContext}\n-\t Load a *storage.Image only once in storageImageSource\n-\t Support gzip for docker-archive files\n-\t Remove .tar extension from blob and config file names\n-\t ostree, src: support copy of compressed layers\n-\t ostree: re-pull layer if it misses uncompressed_digest|uncompressed_size\n-\t image: fix docker schema v1 -> OCI conversion\n-\t Add /etc/containers/certs.d as default certs directory\n- Change image time to locale, add troubleshooting.md, add logo to other mds\n- Allow --cmd parameter to have commands as values\n- Document the mounts.conf file\n- Fix man pages to format correctly\n- buildah from now supports pulling images using the following transports:\n- docker-archive, oci-archive, and dir.\n- If the user overrides the storage driver, the options should be dropped\n- Show Config/Manifest as JSON string in inspect when format is not set\n- Adds feature to pull compressed docker-archive files\n[0.15-1]\n- Fix handling of buildah run command options\n[0.14-1]\n- If commonOpts do not exist, we should return rather then segfault\n- Display full error string instead of just status\n- Implement --volume and --shm-size for bud and from\n- Fix secrets patch for buildah bud\n- Fixes the naming issue of blobs and config for the dir transport by removing the .tar extension\n[0.13-1.git99066e0]\n- use correct version\n[0.12-4.git99066e0]\n- enable debuginfo\n[0.12-3.git99066e0]\n- BR: libseccomp-devel\n[0.12-2.git99066e0]\n- Resolves: #1548535\n- built commit 99066e0\n[0.12-1]\n- Added handing for simpler error message for Unknown Dockerfile instructions.\n- Change default certs directory to /etc/containers/certs.dir\n- Vendor in latest containers/image\n- Vendor in latest containers/storage\n- build-using-dockerfile: set the 'author' field for MAINTAINER\n- Return exit code 1 when buildah-rmi fails\n- Trim the 
image reference to just its name before calling getImageName\n- Touch up rmi -f usage statement\n- Add --format and --filter to buildah containers\n- Add --prune,-p option to rmi command\n- Add authfile param to commit\n- Fix --runtime-flag for buildah run and bud\n- format should override quiet for images\n- Allow all auth params to work with bud\n- Do not overwrite directory permissions on --chown\n- Unescape HTML characters output into the terminal\n- Fix: setting the container name to the image\n- Prompt for un/pwd if not supplied with --creds\n- Make bud be really quiet\n- Return a better error message when failed to resolve an image\n- Update auth tests and fix bud man page\n[0.11-3.git49095a8]\n- Resolves: #1542236 - add ostree and bump runc dep\n[0.11-2.git49095a8]\n- rebased to 49095a83f8622cf69532352d183337635562e261\n[0.11-1]\n- Add --all to remove containers\n- Add --all functionality to rmi\n- Show ctrid when doing rm -all\n- Ignore sequential duplicate layers when reading v2s1\n- Lots of minor bug fixes\n- Vendor in latest containers/image and containers/storage\n[0.10-2]\n- Fix checkin\n[0.10-1]\n- Display Config and Manifest as strings\n- Bump containers/image\n- Use configured registries to resolve image names\n- Update to work with newer image library\n- Add --chown option to add/copy commands\n[0.9-2.git04ea079]\n- build for all arches\n[0.9-1]\n- Allow push to use the image id\n- Make sure builtin volumes have the correct label\n[0.8-1]\n- Buildah bud was failing on SELinux machines, this fixes this\n- Block access to certain kernel file systems inside of the container\n[0.7-1]\n- Ignore errors when trying to read containers buildah.json for loading SELinux reservations\n- Use credentials from kpod login for buildah\n- Adds support for converting manifest types when using the dir transport\n- Rework how we do UID resolution in images\n- Bump github.com/vbatts/tar-split\n- Set option.terminal appropriately in run\n[0.5-5.gitf7dc659]\n- revert 
building for s390x, it is intended for rhel 7.5\n[0.5-4]\n- Add requires for container-selinux\n[0.5-3.gitf7dc659]\n- build for s390x, https://bugzilla.redhat.com/show_bug.cgi?id=1482234\n[0.5-2]\n- Bump github.com/vbatts/tar-split\n- Fixes CVE That could allow a container image to cause a DOS\n[0.5-1]\n- Add secrets patch to buildah\n- Add proper SELinux labeling to buildah run\n- Add tls-verify to bud command\n- Make filtering by date use the image's date\n- images: don't list unnamed images twice\n- Fix timeout issue\n- Add further tty verbiage to buildah run\n- Make inspect try an image on failure if type not specified\n- Add support for \n- Tons of bug fixes and code cleanup\n[0.4-2.git01db066]\n- bump to latest version\n- set GIT_COMMIT at build-time\n[0.4-1.git9cbccf88c]\n- Add default transport to push if not provided\n- Avoid trying to print a nil ImageReference\n- Add authentication to commit and push\n- Add information on buildah from man page on transports\n- Remove --transport flag\n- Run: do not complain about missing volume locations\n- Add credentials to buildah from\n- Remove export command\n- Run(): create the right working directory\n- Improve 'from' behavior with unnamed references\n- Avoid parsing image metadata for dates and layers\n- Read the image's creation date from public API\n- Bump containers/storage and containers/image\n- Don't panic if an image's ID can't be parsed\n- Turn on --enable-gc when running gometalinter\n- rmi: handle truncated image IDs\n[0.4-1.git9cbccf8]\n- bump to v0.4\n[0.3-4.gitb9b2a8a]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild\n[0.3-3.gitb9b2a8a]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild\n[0.3-2.gitb9b2a8a7e]\n- Bump for inclusion of OCI 1.0 Runtime and Image Spec\n[0.2.0-1.gitac2aad6]\n- buildah run: Add support for -- ending options parsing\n- buildah Add/Copy support for glob syntax\n- buildah commit: Add flag to remove containers on commit\n- buildah 
push: Improve man page and help information\n- buildah run: add a way to disable PTY allocation\n- Buildah docs: clarify --runtime-flag of run command\n- Update to match newer storage and image-spec APIs\n- Update containers/storage and containers/image versions\n- buildah export: add support\n- buildah images: update commands\n- buildah images: Add JSON output option\n- buildah rmi: update commands\n- buildah containers: Add JSON output option\n- buildah version: add command\n- buildah run: Handle run without an explicit command correctly\n- Ensure volume points get created, and with perms\n- buildah containers: Add a -a/--all option\n[0.1.0-2.git597d2ab9]\n- Release Candidate 1\n- All features have now been implemented.\n[0.0.1-1.git7a0a5333]\n- First package for Fedora\ncockpit-podman\nconmon\ncontainernetworking-plugins\n[0.8.3-4.0.1]\n- Disable debuginfo\n[0.8.3-4]\n- compile with no_openssl\n- Related: RHELPLAN-25139\n[0.8.3-3]\n- compile in FIPS mode\n- Related: RHELPLAN-25139\n[0.8.3-2]\n- be sure to use golang >= 1.12.12-4\n- Related: RHELPLAN-25139\n[0.8.3-1]\n- update to 0.8.3\n- Related: RHELPLAN-25139\n[0.8.1-2]\n- backport https://github.com/coreos/go-iptables/pull/62\n from Michael Cambria\n- Resolves: #1627561\n[0.8.1-1]\n- Resolves: #1720319 - bump to v0.8.1\n[0.7.5-1]\n- Resolves: #1616063\n- bump to v0.7.5\n[0.7.4-3.git9ebe139]\n- re-enable debuginfo\n[0.7.4-2.git9ebe139]\n- rebase, removed patch that is already upstream\n[0.7.3-7.git19f2f28]\n- go tools not in scl anymore\n[0.7.3-6.git19f2f28]\n- correct tag specification format in %gobuild macro\n[0.7.3-5.git19f2f28]\n- Resolves: #1616062 - patch to revert coreos/go-iptables bump\n[0.7.3-4.git19f2f28]\n- Resolves:#1603012\n- fix versioning, upstream got it wrong at 7.2\n[0.7.2-3.git19f2f28]\n- disable i686 temporarily for appstream builds\n- update golang deps and gobuild definition\n[0.7.2-2.git19f2f28]\n- rebase\n[0.7.0-103.gitdd8ff8a]\n- enable scl with the toolset\n[0.7.0-102.gitdd8ff8a]\n- 
remove devel and unittest subpackages\n- use new go-toolset deps\n[0.7.0-101]\n- rebase\n- patches already upstream, removed\n[0.6.0-6]\n- Imported from Fedora\n- Renamed CNI -> plugins\n[0.6.0-4]\n- Own the libexec cni directory\n[0.6.0-3]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild\n[0.6.0-2]\n- skip settling IPv4 addresses\n[0.6.0-1]\n- rebased to 7480240de9749f9a0a5c8614b17f1f03e0c06ab9\n[0.5.2-7]\n- do not install to /opt (against Fedora Guidelines)\n[0.5.2-6]\n- Enable devel subpackage\n[0.5.2-5]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild\n[0.5.2-4]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild\n[0.5.2-3]\n- excludearch: ppc64 as it's not in goarches anymore\n- re-enable s390x\n[0.5.2-2]\n- upstream moved to github.com/containernetworking/plugins\n- built commit dcf7368\n- provides: containernetworking-plugins\n- use vendored deps because they're a lot less of a PITA\n- excludearch: s390x for now (rhbz#1466865)\n[0.5.2-1]\n- Update to 0.5.2\n- Softlink to default /opt/cni/bin directories\n[0.5.1-1]\n- Initial package\ncontainer-selinux\ncriu\nfuse-overlayfs\npodman\n[1.6.4-26.0.1]\n- Reduce unnecessary writable mounts in NaiveDiffDriver [Orabug: 31025483]\n- delivering fix for [Orabug: 29874238] by Nikita Gerasimov \n[1.6.4-26]\n- update to the latest content of https://github.com/containers/podman/tree/v1.6.4-rhel\n (https://github.com/containers/podman/commit/bcbbbc4)\n- Related: #1920382\n[1.6.4-25]\n- fix CVE-2021-20188\n- update to the latest content of https://github.com/containers/podman/tree/v1.6.4-rhel\n (https://github.com/containers/podman/commit/2c7b579)\n- Related: #1920382\npython-podman-api\n[1.2.0-0.2.gitd0a45fe]\n- revert update to 1.6.0 due to new python3-pbr dependency which\n is not in RHEL\n- Related: RHELPLAN-25139\n[1.2.0-0.1.gitd0a45fe]\n- Initial package\nrunc\nskopeo\n[1:0.1.41-4.0.1]\n- Reduce unnecessary writable mounts in NaiveDiffDriver [Orabug: 
31025483]\n- Add oracle registry into the conf file [Orabug: 29845934 31306708]\n- Fix oracle registry login issues [Orabug: 29937192]\n[1:0.1.41-4]\n- add docker.io into the default registry list\n- Resolves: #1886443\n[1:0.1.41-3]\n- patch broken gating tests: improper 'jq' usage, and use 'registry:2.6'\n (instead of :2) to work around broken image pushed by docker\n[1:0.1.41-2]\n- exclude i686 arch\n- Related: #1821193\n[1:0.1.41-1]\n- update to 0.1.41\n- Related: #1821193\n[1:0.1.40-8]\n- modify registries.conf default configuration to be more secure by default\n- Resolves: #1810056\n[1:0.1.40-7]\n- Fix CVE-2020-1702.\n- Resolves: #1801928\n[1:0.1.40-6]\n- change the search order of registries and remove quay.io (#1784267)\n[1:0.1.40-5]\n- compile in FIPS mode\n- Related: RHELPLAN-25139\n[1:0.1.40-4]\n- be sure to use golang >= 1.12.12-4\n- Related: RHELPLAN-25139\n[1:0.1.40-3]\n- fix file list\n- Related: RHELPLAN-25139\n[1:0.1.40-2]\n- comment out mountopt option in order to fix gating tests\n see bug 1769769\n- Related: RHELPLAN-25139\n[1:0.1.40-1]\n- update to 0.1.40\n- Related: RHELPLAN-25139\n[1:0.1.37-5]\n- Fix CVE-2019-10214 (#1734651).\n[1:0.1.37-4]\n- fix permissions of rhel/secrets\n Resolves: #1691543\n[1:0.1.37-3]\n- Resolves: #1719994 - add registry.access.redhat.com to registries.conf\n[1:0.1.37-2]\n- Resolves: #1721247 - enable fips mode\n[1:0.1.37-1]\n- Resolves: #1720654 - rebase to v0.1.37\n[1:0.1.36-1.git6307635]\n- built upstream tag v0.1.36, including system tests\n[1:0.1.32-4.git1715c90]\n- Fixes @openshift/machine-config-operator#669\n- install /etc/containers/oci/hooks.d and /etc/containers/certs.d\n[1:0.1.32-3.git1715c90]\n- rebase\n[1:0.1.32-2.git1715c90]\n- re-enable debuginfo\n[1:0.1.31-12.gitb0b750d]\n- go tools not in scl anymore\n[1:0.1.31-11.gitb0b750d]\n- Resolves: #1615609\n- built upstream tag v0.1.31\n[1:0.1.31-10.git0144aa8]\n- Resolves: #1616069 - correct order of registries\n[1:0.1.31-9.git0144aa8]\n- Resolves: #1615609 - 
rebuild with gobuild tag 'no_openssl'\n[1:0.1.31-8.git0144aa8]\n- Resolves: #1614934 - containers-common soft dep on slirp4netns and\nfuse-overlayfs\n[1:0.1.31-7.git0144aa8]\n- build with %gobuild\n- use scl-ized go-toolset as dep\n- disable i686 builds temporarily because of go-toolset issues\n[1:0.1.31-6.git0144aa8]\n- add statx to seccomp.json to containers-config\n- add seccomp.json to containers-config\n[1:0.1.31-4.git0144aa8]\n- Resolves: #1597629 - handle dependency issue for skopeo-containers\n- rename skopeo-containers to containers-common as in Fedora\n[1:0.1.31-3.git0144aa8]\n- Resolves: #1583762 - btrfs dep removal needs exclude_graphdriver_btrfs\nbuildtag\n[1:0.1.31-2.git0144aa8]\n- correct bz in previous changelog\n[1:0.1.31-1.git0144aa8]\n- Resolves: #1580938 - resolve FTBFS\n- Resolves: #1583762 - remove dependency on btrfs-progs-devel\n- bump to v0.1.31 (from master)\n- built commit ca3bff6\n- use go-toolset deps for rhel8\n[0.1.29-5.git7add6fc]\n- Fix small typo in registries.conf\n[0.1.29-4.git]\n- Add policy.json.5\n[0.1.29-3.git]\n- Add registries.conf\n[0.1.29-2.git]\n- Add registries.conf man page\n[0.1.29-1.git]\n- bump to 0.1.29-1\n- Updated containers/image\n docker-archive generates docker legacy compatible images\n Do not create subdirectories for layers with no configs\n Ensure the layer IDs in legacy docker/tarfile metadata are unique\n docker-archive: repeated layers are symlinked in the tar file\n sysregistries: remove all trailing slashes\n Improve docker/* error messages\n Fix failure to make auth directory\n Create a new slice in Schema1.UpdateLayerInfos\n Drop unused storageImageDestination.{image,systemContext}\n Load a *storage.Image only once in storageImageSource\n Support gzip for docker-archive files\n Remove .tar extension from blob and config file names\n ostree, src: support copy of compressed layers\n ostree: re-pull layer if it misses uncompressed_digest|uncompressed_size\n image: fix docker schema v1 -> OCI 
conversion\n Add /etc/containers/certs.d as default certs directory\n[0.1.28-2.git0270e56]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild\n[0.1.28-1.git]\n- Vendor in fixed libraries in containers/image and containers/storage\n[0.1.27-1.git]\n- Fix Conflicts to Obsoletes\n- Add better docs to man pages.\n- Use credentials from authfile for skopeo commands\n- Support storage='' in /etc/containers/storage.conf\n- Add global --override-arch and --override-os options\n[0.1.25-2.git2e8377a7]\n- Add manifest type conversion to skopeo copy\n- User can select from 3 manifest types: oci, v2s1, or v2s2\n- e.g skopeo copy --format v2s1 --compress-blobs docker-archive:alp.tar dir:my-directory\n[0.1.25-2.git7fd6f66b]\n- Force storage.conf to default to overlay\n[0.1.25-1.git7fd6f66b]\n- Fix CVE in tar-split\n- copy: add shared blob directory support for OCI sources/destinations\n- Aligning Docker version between containers/image and skopeo\n- Update image-tools, and remove the duplicate Sirupsen/logrus vendor\n- makefile: use -buildmode=pie\n[0.1.24-8.git28d4e08a]\n- Add /usr/share/containers/mounts.conf\n[0.1.24-7.git28d4e08a]\n- Bug fixes\n- Update to release\n[0.1.24-6.dev.git28d4e08]\n- skopeo-containers conflicts with docker-rhsubscription <= 2:1.13.1-31\n[0.1.24-5.dev.git28d4e08]\n- Add rhel subscription secrets data to skopeo-containers\n[0.1.24-4.dev.git28d4e08]\n- Update container/storage.conf and containers-storage.conf man page\n- Default override to true so it is consistent with RHEL.\n[0.1.24-3.dev.git28d4e08]\n- built commit 28d4e08\n[0.1.24-2.dev.git875dd2e]\n- built commit 875dd2e\n- Resolves: gh#416\n[0.1.24-1.dev.gita41cd0]\n- bump to 0.1.24-dev\n- correct a prior bogus date\n- fix macro in comment warning\n[0.1.23-6.dev.git1bbd87]\n- Change name of storage.conf.5 man page to containers-storage.conf.5, since\nit conflicts with inn package\n- Also remove default to 'overalay' in the configuration, since we should\n- allow containers 
storage to pick the best default for the platform.\n[0.1.23-5.git1bbd87f]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild\n[0.1.23-4.git1bbd87f]\n- Rebuild with binutils fix for ppc64le (#1475636)\n[0.1.23-3.git1bbd87f]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild\n[0.1.23-2.dev.git1bbd87]\n- Fix storage.conf man page to be storage.conf.5.gz so that it works.\n[0.1.23-1.dev.git1bbd87]\n- Support for OCI V1.0 Images\n- Update to image-spec v1.0.0 and revendor\n- Fixes for authentication\n[0.1.22-2.dev.git5d24b67]\n- Epoch: 1 for CentOS as CentOS Extras' build already has epoch set to 1\n[0.1.22-1.dev.git5d24b67]\n- Give more useful help when explaining usage\n- Also specify container-storage as a valid transport\n- Remove docker reference wherever possible\n- vendor in ostree fixes\n[0.1.21-1.dev.git0b73154]\n- Add support for storage.conf and storage-config.5.md from github container storage package\n- Bump to the latest version of skopeo\n- vendor.conf: add ostree-go\n- it is used by containers/image for pulling images to the OSTree storage.\n- fail early when image os does not match host os\n- Improve documentation on what to do with containers/image failures in test-skopeo\n- We now have the docker-archive: transport\n- Integration tests with built registries also exist\n- Support /etc/docker/certs.d\n- update image-spec to v1.0.0-rc6\n[0.1.20-1.dev.git0224d8c]\n- BZ #1380078 - New release\n[0.1.19-2.dev.git0224d8c]\n- No golang support for ppc64. Adding exclude arch. 
BZ #1445490\n[0.1.19-1.dev.git0224d8c]\n- bump to v0.1.19-dev\n- built commit 0224d8c\n[0.1.17-3.dev.git2b3af4a]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild\n[0.1.17-2.dev.git2b3af4a]\n- Rebuild for gpgme 1.18\n[0.1.17-1.dev.git2b3af4a]\n- bump to 0.1.17-dev\n[0.1.14-6.git550a480]\n- Fix BZ#1391932\n[0.1.14-5.git550a480]\n- Conflicts with atomic in skopeo-containers\n[0.1.14-4.git550a480]\n- built skopeo-containers\n[0.1.14-3.gitd830391]\n- built mtrmac/integrate-all-the-things commit d830391\n[0.1.14-2.git362bfc5]\n- built commit 362bfc5\n[0.1.14-1.gitffe92ed]\n- build origin/master commit ffe92ed\n[0.1.13-6]\n- https://fedoraproject.org/wiki/Changes/golang1.7\n[0.1.13-5]\n- include go-srpm-macros and compiler(go-compiler) in fedora conditionals\n- define %gobuild if not already\n- add patch to build with older version of golang\n[0.1.13-4]\n- update to v0.1.12\n[0.1.12-3]\n- fix go build source path\n[0.1.12-2]\n- update to v0.1.12\n[0.1.11-1]\n- update to v0.1.11\n[0.1.10-1]\n- update to v0.1.10\n- change runcom -> projectatomic\n[0.1.9-1]\n- update to v0.1.9\n[0.1.8-1]\n- update to v0.1.8\n[0.1.4-2]\n- https://fedoraproject.org/wiki/Changes/golang1.6\n[0.1.4]\n- First package for Fedora\nslirp4netns\nudica", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-05T00:00:00", "type": "oraclelinux", "title": "container-tools:2.0 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": 
"MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10214", "CVE-2020-10696", "CVE-2020-1702", "CVE-2021-20188"], "modified": "2021-03-05T00:00:00", "id": "ELSA-2021-0706", "href": "http://linux.oracle.com/errata/ELSA-2021-0706.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-30T06:24:23", "description": "buildah\n[1.5-8.gite94b4f9.0.1]\n- Fixes troubles with oracle registry login [Orabug: 29937283]\n[1.5-8.gite94b4f9]\n- bump release to preserve upgrade path\n- Related: #1821193\n[1.5-4.gite94b4f9]\n- fix 'CVE-2020-10696 buildah: crafted input tar file may lead to local file overwriting during image build process'\n- Resolves: #1818127\n[1.5-3.gite94b4f9]\n- re-enable debuginfo\n[1.5-2.gite94b4f9]\n- go toolset not in scl anymore\n[1.5-1.gite94b4f9]\n- rebase\n[1.4-3.git608fa84]\n- fedora-like go compiler macro in buildrequires is enough\n[1.4-2.git608fa84]\n- rebase\n[1.3-3.git4888163]\n- Resolves: #1615611 - rebuild with gobuild tag 'no_openssl'\n[1.3-2.git4888163]\n- Resolves: #1614009 - built with updated scl-ized go-toolset dep\n- build with %gobuild\n[1.3-1]\n- Bump to v1.3\n- Vendor in lates containers/image\n- build-using-dockerfile: let -t include transports again\n- Block use of /proc/acpi and /proc/keys from inside containers\n- Fix handling of --registries-conf\n- Fix becoming a maintainer link\n- add optional CI test fo darwin\n- Don't pass a nil error to errors.Wrapf()\n- image filter test: use kubernetes/pause as a 'since'\n- Add --cidfile option to from\n- vendor: update containers/storage\n- Contributors need to find the CONTRIBUTOR.md file easier\n- Add a --loglevel option to build-with-dockerfile\n- Create 
Development plan\n- cmd: Code improvement\n- allow buildah cross compile for a darwin target\n- Add unused function param lint check\n- docs: Follow man-pages(7) suggestions for SYNOPSIS\n- Start using github.com/seccomp/containers-golang\n- umount: add all option to umount all mounted containers\n- runConfigureNetwork(): remove an unused parameter\n- Update github.com/opencontainers/selinux\n- Fix buildah bud --layers\n- Force ownership of /etc/hosts and /etc/resolv.conf to 0:0\n- main: if unprivileged, reexec in a user namespace\n- Vendor in latest imagebuilder\n- Reduce the complexity of the buildah.Run function\n- mount: output it before replacing lastError\n- Vendor in latest selinux-go code\n- Implement basic recognition of the '--isolation' option\n- Run(): try to resolve non-absolute paths using /usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/opc/.local/bin:/home/opc/bin\n- Run(): don't include any default environment variables\n- build without seccomp\n- vendor in latest runtime-tools\n- bind/mount_unsupported.go: remove import errors\n- Update github.com/opencontainers/runc\n- Add Capabilities lists to BuilderInfo\n- Tweaks for commit tests\n- commit: recognize committing to second storage locations\n- Fix ARGS parsing for run commands\n- Add info on registries.conf to from manpage\n- Switch from using docker to podman for testing in .papr\n- buildah: set the HTTP User-Agent\n- ONBUILD tutorial\n- Add information about the configuration files to the install docs\n- Makefile: add uninstall\n- Add tilde info for push to troubleshooting\n- mount: support multiple inputs\n- Use the right formatting when adding entries to /etc/hosts\n- Vendor in latest go-selinux bindings\n- Allow --userns-uid-map/--userns-gid-map to be global options\n- bind: factor out UnmountMountpoints\n- Run(): simplify runCopyStdio()\n- Run(): handle POLLNVAL results\n- Run(): tweak terminal mode handling\n- Run(): rename 'copyStdio' to 'copyPipes'\n- Run(): don't set a Pdeathsig 
for the runtime\n- Run(): add options for adding and removing capabilities\n- Run(): don't use a callback when a slice will do\n- setupSeccomp(): refactor\n- Change RunOptions.Stdin/Stdout/Stderr to just be Reader/Writers\n- Escape use of '_' in .md docs\n- Break out getProcIDMappings()\n- Break out SetupIntermediateMountNamespace()\n- Add Multi From Demo\n- Use the c/image conversion code instead of converting configs manually\n- Don't throw away the manifest MIME type and guess again\n- Consolidate loading manifest and config in initConfig\n- Pass a types.Image to Builder.initConfig\n- Require an image ID in importBuilderDataFromImage\n- Use c/image/manifest.GuessMIMEType instead of a custom heuristic\n- Do not ignore any parsing errors in initConfig\n- Explicitly handle 'from scratch' images in Builder.initConfig\n- Fix parsing of OCI images\n- Simplify dead but dangerous-looking error handling\n- Don't ignore v2s1 history if docker_version is not set\n- Add --rm and --force-rm to buildah bud\n- Add --all,-a flag to buildah images\n- Separate stdio buffering from writing\n- Remove tty check from images --format\n- Add environment variable BUILDAH_RUNTIME\n- Add --layers and --no-cache to buildah bud\n- Touch up images man\n- version.md: fix DESCRIPTION\n- tests: add containers test\n- tests: add images test\n- images: fix usage\n- fix make clean error\n- Change 'registries' to 'container registries' in man\n- add commit test\n- Add(): learn to record hashes of what we add\n- Minor update to buildah config documentation for entrypoint\n- Bump to v1.2-dev\n- Add registries.conf link to a few man pages\n[1.2-3]\n- do not depend on btrfs-progs for rhel8\n[1.2-2]\n- buildah does not require ostree\n[1.2-1]\n- Vendor in latest containers/image\n- build-using-dockerfile: let -t include transports again\n- Block use of /proc/acpi and /proc/keys from inside containers\n- Fix handling of --registries-conf\n- Fix becoming a maintainer link\n- add optional CI test fo 
darwin\n- Don't pass a nil error to errors.Wrapf()\n- image filter test: use kubernetes/pause as a 'since'\n- Add --cidfile option to from\n- vendor: update containers/storage\n- Contributors need to find the CONTRIBUTOR.md file easier\n- Add a --loglevel option to build-with-dockerfile\n- Create Development plan\n- cmd: Code improvement\n- allow buildah cross compile for a darwin target\n- Add unused function param lint check\n- docs: Follow man-pages(7) suggestions for SYNOPSIS\n- Start using github.com/seccomp/containers-golang\n- umount: add all option to umount all mounted containers\n- runConfigureNetwork(): remove an unused parameter\n- Update github.com/opencontainers/selinux\n- Fix buildah bud --layers\n- Force ownership of /etc/hosts and /etc/resolv.conf to 0:0\n- main: if unprivileged, reexec in a user namespace\n- Vendor in latest imagebuilder\n- Reduce the complexity of the buildah.Run function\n- mount: output it before replacing lastError\n- Vendor in latest selinux-go code\n- Implement basic recognition of the '--isolation' option\n- Run(): try to resolve non-absolute paths using /usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/opc/.local/bin:/home/opc/bin\n- Run(): don't include any default environment variables\n- build without seccomp\n- vendor in latest runtime-tools\n- bind/mount_unsupported.go: remove import errors\n- Update github.com/opencontainers/runc\n- Add Capabilities lists to BuilderInfo\n- Tweaks for commit tests\n- commit: recognize committing to second storage locations\n- Fix ARGS parsing for run commands\n- Add info on registries.conf to from manpage\n- Switch from using docker to podman for testing in .papr\n- buildah: set the HTTP User-Agent\n- ONBUILD tutorial\n- Add information about the configuration files to the install docs\n- Makefile: add uninstall\n- Add tilde info for push to troubleshooting\n- mount: support multiple inputs\n- Use the right formatting when adding entries to /etc/hosts\n- Vendor in latest 
go-selinux bindings\n- Allow --userns-uid-map/--userns-gid-map to be global options\n- bind: factor out UnmountMountpoints\n- Run(): simplify runCopyStdio()\n- Run(): handle POLLNVAL results\n- Run(): tweak terminal mode handling\n- Run(): rename 'copyStdio' to 'copyPipes'\n- Run(): don't set a Pdeathsig for the runtime\n- Run(): add options for adding and removing capabilities\n- Run(): don't use a callback when a slice will do\n- setupSeccomp(): refactor\n- Change RunOptions.Stdin/Stdout/Stderr to just be Reader/Writers\n- Escape use of '_' in .md docs\n- Break out getProcIDMappings()\n- Break out SetupIntermediateMountNamespace()\n- Add Multi From Demo\n- Use the c/image conversion code instead of converting configs manually\n- Don't throw away the manifest MIME type and guess again\n- Consolidate loading manifest and config in initConfig\n- Pass a types.Image to Builder.initConfig\n- Require an image ID in importBuilderDataFromImage\n- Use c/image/manifest.GuessMIMEType instead of a custom heuristic\n- Do not ignore any parsing errors in initConfig\n- Explicitly handle 'from scratch' images in Builder.initConfig\n- Fix parsing of OCI images\n- Simplify dead but dangerous-looking error handling\n- Don't ignore v2s1 history if docker_version is not set\n- Add --rm and --force-rm to buildah bud\n- Add --all,-a flag to buildah images\n- Separate stdio buffering from writing\n- Remove tty check from images --format\n- Add environment variable BUILDAH_RUNTIME\n- Add --layers and --no-cache to buildah bud\n- Touch up images man\n- version.md: fix DESCRIPTION\n- tests: add containers test\n- tests: add images test\n- images: fix usage\n- fix make clean error\n- Change 'registries' to 'container registries' in man\n- add commit test\n- Add(): learn to record hashes of what we add\n- Minor update to buildah config documentation for entrypoint\n- Add registries.conf link to a few man pages\n[1.1-1]\n- Drop capabilities if running container processes as non root\n- Print 
Warning message if cmd will not be used based on entrypoint\n- Update 01-intro.md\n- Shouldn't add insecure registries to list of search registries\n- Report errors on bad transports specification when pushing images\n- Move parsing code out of common for namespaces and into pkg/parse.go\n- Add disable-content-trust noop flag to bud\n- Change freenode chan to buildah\n- runCopyStdio(): don't close stdin unless we saw POLLHUP\n- Add registry errors for pull\n- runCollectOutput(): just read until the pipes are closed on us\n- Run(): provide redirection for stdio\n- rmi, rm: add test\n- add mount test\n- Add parameter judgment for commands that do not require parameters\n- Add context dir to bud command in baseline test\n- run.bats: check that we can run with symlinks in the bundle path\n- Give better messages to users when image can not be found\n- use absolute path for bundlePath\n- Add environment variable to buildah --format\n- rm: add validation to args and all option\n- Accept json array input for config entrypoint\n- Run(): process RunOptions.Mounts, and its flags\n- Run(): only collect error output from stdio pipes if we created some\n- Add OnBuild support for Dockerfiles\n- Quick fix on demo readme\n- run: fix validate flags\n- buildah bud should require a context directory or URL\n- Touchup tutorial for run changes\n- Validate common bud and from flags\n- images: Error if the specified imagename does not exist\n- inspect: Increase err judgments to avoid panic\n- add test to inspect\n- buildah bud picks up ENV from base image\n- Extend the amount of time travis_wait should wait\n- Add a make target for Installing CNI plugins\n- Add tests for namespace control flags\n- copy.bats: check ownerships in the container\n- Fix SELinux test errors when SELinux is enabled\n- Add example CNI configurations\n- Run: set supplemental group IDs\n- Run: use a temporary mount namespace\n- Use CNI to configure container networks\n- add/secrets/commit: Use mappings when setting 
permissions on added content\n- Add CLI options for specifying namespace and cgroup setup\n- Always set mappings when using user namespaces\n- Run(): break out creation of stdio pipe descriptors\n- Read UID/GID mapping information from containers and images\n- Additional bud CI tests\n- Run integration tests under travis_wait in Travis\n- build-using-dockerfile: add --annotation\n- Implement --squash for build-using-dockerfile and commit\n- Vendor in latest container/storage for devicemapper support\n- add test to inspect\n- Vendor github.com/onsi/ginkgo and github.com/onsi/gomega\n- Test with Go 1.10, too\n- Add console syntax highlighting to troubleshooting page\n- bud.bats: print '' before checking its contents\n- Manage 'Run' containers more closely\n- Break Builder.Run()'s 'run runc' bits out\n- util.ResolveName(): handle completion for tagged/digested image names\n- Handle /etc/hosts and /etc/resolv.conf properly in container\n- Documentation fixes\n- Make it easier to parse our temporary directory as an image name\n- Makefile: list new pkg/ subdirectoris as dependencies for buildah\n- containerImageSource: return more-correct errors\n- API cleanup: PullPolicy and TerminalPolicy should be types\n- Make 'run --terminal' and 'run -t' aliases for 'run --tty'\n- Vendor github.com/containernetworking/cni v0.6.0\n- Update github.com/containers/storage\n- Update github.com/projectatomic/libpod\n- Add support for buildah bud --label\n- buildah push/from can push and pull images with no reference\n- Vendor in latest containers/image\n- Update gometalinter to fix install.tools error\n- Update troubleshooting with new run workaround\n- Added a bud demo and tidied up\n- Attempt to download file from url, if fails assume Dockerfile\n- Add buildah bud CI tests for ENV variables\n- Re-enable rpm .spec version check and new commit test\n- Update buildah scratch demo to support el7\n- Added Docker compatibility demo\n- Update to F28 and new run format in baseline test\n- 
Touchup man page short options across man pages\n- Added demo dir and a demo. chged distrorlease\n- builder-inspect: fix format option\n- Add cpu-shares short flag (-c) and cpu-shares CI tests\n- Minor fixes to formatting in rpm spec changelog\n- Fix rpm .spec changelog formatting\n- CI tests and minor fix for cache related noop flags\n- buildah-from: add effective value to mount propagation\n[1.0-1]\n- Remove buildah run cmd and entrypoint execution\n- Add Files section with registries.conf to pertinent man pages\n- Force 'localhost' as a default registry\n- Add --compress, --rm, --squash flags as a noop for bud\n- Add FIPS mode secret to buildah run and bud\n- Add config --comment/--domainname/--history-comment/--hostname\n- Add support for --iidfile to bud and commit\n- Add /bin/sh -c to entrypoint in config\n- buildah images and podman images are listing different sizes\n- Remove tarball as an option from buildah push --help\n- Update entrypoint behaviour to match docker\n- Display imageId after commit\n- config: add support for StopSignal\n- Allow referencing stages as index and names\n- Add multi-stage builds support\n- Vendor in latest imagebuilder, to get mixed case AS support\n- Allow umount to have multi-containers\n- Update buildah push doc\n- buildah bud walks symlinks\n- Imagename is required for commit atm, update manpage\n[0.16-3.git532e267]\n- Resolves: #1573681\n- built commit 532e267\n[0.16.0-2.git6f7d05b]\n- built commit 6f7d05b\n[0.16-1]\n- Add support for shell\n- Vendor in latest containers/image\n- \t docker-archive generates docker legacy compatible images\n-\t Do not create subdirectories for layers with no configs\n- \t Ensure the layer IDs in legacy docker/tarfile metadata are unique\n-\t docker-archive: repeated layers are symlinked in the tar file\n-\t sysregistries: remove all trailing slashes\n-\t Improve docker/* error messages\n-\t Fix failure to make auth directory\n-\t Create a new slice in Schema1.UpdateLayerInfos\n-\t Drop 
unused storageImageDestination.{image,systemContext}\n-\t Load a *storage.Image only once in storageImageSource\n-\t Support gzip for docker-archive files\n-\t Remove .tar extension from blob and config file names\n-\t ostree, src: support copy of compressed layers\n-\t ostree: re-pull layer if it misses uncompressed_digest|uncompressed_size\n-\t image: fix docker schema v1 -> OCI conversion\n-\t Add /etc/containers/certs.d as default certs directory\n- Change image time to locale, add troubleshooting.md, add logo to other mds\n- Allow --cmd parameter to have commands as values\n- Document the mounts.conf file\n- Fix man pages to format correctly\n- buildah from now supports pulling images using the following transports:\n- docker-archive, oci-archive, and dir.\n- If the user overrides the storage driver, the options should be dropped\n- Show Config/Manifest as JSON string in inspect when format is not set\n- Adds feature to pull compressed docker-archive files\n[0.15-1]\n- Fix handling of buildah run command options\n[0.14-1]\n- If commonOpts do not exist, we should return rather then segfault\n- Display full error string instead of just status\n- Implement --volume and --shm-size for bud and from\n- Fix secrets patch for buildah bud\n- Fixes the naming issue of blobs and config for the dir transport by removing the .tar extension\n[0.13-1.git99066e0]\n- use correct version\n[0.12-4.git99066e0]\n- enable debuginfo\n[0.12-3.git99066e0]\n- BR: libseccomp-devel\n[0.12-2.git99066e0]\n- Resolves: #1548535\n- built commit 99066e0\n[0.12-1]\n- Added handing for simpler error message for Unknown Dockerfile instructions.\n- Change default certs directory to /etc/containers/certs.dir\n- Vendor in latest containers/image\n- Vendor in latest containers/storage\n- build-using-dockerfile: set the 'author' field for MAINTAINER\n- Return exit code 1 when buildah-rmi fails\n- Trim the image reference to just its name before calling getImageName\n- Touch up rmi -f usage 
statement\n- Add --format and --filter to buildah containers\n- Add --prune,-p option to rmi command\n- Add authfile param to commit\n- Fix --runtime-flag for buildah run and bud\n- format should override quiet for images\n- Allow all auth params to work with bud\n- Do not overwrite directory permissions on --chown\n- Unescape HTML characters output into the terminal\n- Fix: setting the container name to the image\n- Prompt for un/pwd if not supplied with --creds\n- Make bud be really quiet\n- Return a better error message when failed to resolve an image\n- Update auth tests and fix bud man page\n[0.11-3.git49095a8]\n- Resolves: #1542236 - add ostree and bump runc dep\n[0.11-2.git49095a8]\n- rebased to 49095a83f8622cf69532352d183337635562e261\n[0.11-1]\n- Add --all to remove containers\n- Add --all functionality to rmi\n- Show ctrid when doing rm -all\n- Ignore sequential duplicate layers when reading v2s1\n- Lots of minor bug fixes\n- Vendor in latest containers/image and containers/storage\n[0.10-2]\n- Fix checkin\n[0.10-1]\n- Display Config and Manifest as strings\n- Bump containers/image\n- Use configured registries to resolve image names\n- Update to work with newer image library\n- Add --chown option to add/copy commands\n[0.9-2.git04ea079]\n- build for all arches\n[0.9-1]\n- Allow push to use the image id\n- Make sure builtin volumes have the correct label\n[0.8-1]\n- Buildah bud was failing on SELinux machines, this fixes this\n- Block access to certain kernel file systems inside of the container\n[0.7-1]\n- Ignore errors when trying to read containers buildah.json for loading SELinux reservations\n- Use credentials from kpod login for buildah\n- Adds support for converting manifest types when using the dir transport\n- Rework how we do UID resolution in images\n- Bump github.com/vbatts/tar-split\n- Set option.terminal appropriately in run\n[0.5-5.gitf7dc659]\n- revert building for s390x, it is intended for rhel 7.5\n[0.5-4]\n- Add requires for 
container-selinux\n[0.5-3.gitf7dc659]\n- build for s390x, https://bugzilla.redhat.com/show_bug.cgi?id=1482234\n[0.5-2]\n- Bump github.com/vbatts/tar-split\n- Fixes CVE That could allow a container image to cause a DOS\n[0.5-1]\n- Add secrets patch to buildah\n- Add proper SELinux labeling to buildah run\n- Add tls-verify to bud command\n- Make filtering by date use the image's date\n- images: don't list unnamed images twice\n- Fix timeout issue\n- Add further tty verbiage to buildah run\n- Make inspect try an image on failure if type not specified\n- Add support for \n- Tons of bug fixes and code cleanup\n[0.4-2.git01db066]\n- bump to latest version\n- set GIT_COMMIT at build-time\n[0.4-1.git9cbccf88c]\n- Add default transport to push if not provided\n- Avoid trying to print a nil ImageReference\n- Add authentication to commit and push\n- Add information on buildah from man page on transports\n- Remove --transport flag\n- Run: do not complain about missing volume locations\n- Add credentials to buildah from\n- Remove export command\n- Run(): create the right working directory\n- Improve 'from' behavior with unnamed references\n- Avoid parsing image metadata for dates and layers\n- Read the image's creation date from public API\n- Bump containers/storage and containers/image\n- Don't panic if an image's ID can't be parsed\n- Turn on --enable-gc when running gometalinter\n- rmi: handle truncated image IDs\n[0.4-1.git9cbccf8]\n- bump to v0.4\n[0.3-4.gitb9b2a8a]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild\n[0.3-3.gitb9b2a8a]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild\n[0.3-2.gitb9b2a8a7e]\n- Bump for inclusion of OCI 1.0 Runtime and Image Spec\n[0.2.0-1.gitac2aad6]\n- buildah run: Add support for -- ending options parsing\n- buildah Add/Copy support for glob syntax\n- buildah commit: Add flag to remove containers on commit\n- buildah push: Improve man page and help information\n- buildah run: add a way to 
disable PTY allocation\n- Buildah docs: clarify --runtime-flag of run command\n- Update to match newer storage and image-spec APIs\n- Update containers/storage and containers/image versions\n- buildah export: add support\n- buildah images: update commands\n- buildah images: Add JSON output option\n- buildah rmi: update commands\n- buildah containers: Add JSON output option\n- buildah version: add command\n- buildah run: Handle run without an explicit command correctly\n- Ensure volume points get created, and with perms\n- buildah containers: Add a -a/--all option\n[0.1.0-2.git597d2ab9]\n- Release Candidate 1\n- All features have now been implemented.\n[0.0.1-1.git7a0a5333]\n- First package for Fedora\ncontainernetworking-plugins\n[0.7.4-4.git9ebe139]\n- bump release to preserve upgrade path\n- Related: #1821193\n[0.7.4-3.git9ebe139]\n- re-enable debuginfo\n[0.7.4-2.git9ebe139]\n- rebase, removed patch that is already upstream\n[0.7.3-7.git19f2f28]\n- go tools not in scl anymore\n[0.7.3-6.git19f2f28]\n- correct tag specification format in %gobuild macro\n[0.7.3-5.git19f2f28]\n- Resolves: #1616062 - patch to revert coreos/go-iptables bump\n[0.7.3-4.git19f2f28]\n- Resolves:#1603012\n- fix versioning, upstream got it wrong at 7.2\n[0.7.2-3.git19f2f28]\n- disable i686 temporarily for appstream builds\n- update golang deps and gobuild definition\n[0.7.2-2.git19f2f28]\n- rebase\n[0.7.0-103.gitdd8ff8a]\n- enable scl with the toolset\n[0.7.0-102.gitdd8ff8a]\n- remove devel and unittest subpackages\n- use new go-toolset deps\n[0.7.0-101]\n- rebase\n- patches already upstream, removed\n[0.6.0-6]\n- Imported from Fedora\n- Renamed CNI -> plugins\n[0.6.0-4]\n- Own the libexec cni directory\n[0.6.0-3]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild\n[0.6.0-2]\n- skip settling IPv4 addresses\n[0.6.0-1]\n- rebased to 7480240de9749f9a0a5c8614b17f1f03e0c06ab9\n[0.5.2-7]\n- do not install to /opt (against Fedora Guidelines)\n[0.5.2-6]\n- Enable devel 
subpackage\n[0.5.2-5]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild\n[0.5.2-4]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild\n[0.5.2-3]\n- excludearch: ppc64 as it's not in goarches anymore\n- re-enable s390x\n[0.5.2-2]\n- upstream moved to github.com/containernetworking/plugins\n- built commit dcf7368\n- provides: containernetworking-plugins\n- use vendored deps because they're a lot less of a PITA\n- excludearch: s390x for now (rhbz#1466865)\n[0.5.2-1]\n- Update to 0.5.2\n- Softlink to default /opt/cni/bin directories\n[0.5.1-1]\n- Initial package\ncontainer-selinux\n[2:2.124.0-1.gitf958d0c]\n- update to 2.124.0\n- Resolves: #1816541\n[2:2.94-2.git1e99f1d]\n- rebuild because of CVE-2019-9512 and CVE-2019-9514\n- Resolves: #1766316, #1766215\n[2:2.94-1.git1e99f1d]\n- Resolves: #1690286 - bump to v2.94\n- Resolves: #1693806, #1689255\n[2:2.89-1.git2521d0d]\n- bump to v2.89\n[2:2.75-1.git99e2cfd]\n- bump to v2.75\n- built commit 99e2cfd\n[2:2.74-1]\n- Resolves: #1641655 - bump to v2.74\n- built commit a62c2db\n[2:2.73-3]\n- tweak macro for fedora - applies to rhel8 as well\n[2:2.73-2]\n- moved changelog entries:\n- Define spc_t as a container_domain, so that container_runtime will transition\nto spc_t even when setup with nosuid.\n- Allow container_runtimes to setattr on callers fifo_files\n- Fix restorecon to not error on missing directory\n[2.69-3]\n- Make sure we pull in the latest selinux-policy\n[2.69-2]\n- Add map support to container-selinux for RHEL 7.5\n- Dontudit attempts to write to kernel_sysctl_t\n[2.68-1]\n- Add label for /var/lib/origin\n- Add customizable_file_t to customizable_types\n[2.67-1]\n- Add policy for container_logreader_t\n[2.66-1]\n- Allow dnsmasq to dbus chat with spc_t\n[2.64-1]\n- Allow containers to create all socket classes\n[2.62-1]\n- Label overlay directories under /var/lib/containers/ correctly\n[2.61-1]\n- Allow spc_t to load kernel modules from inside of 
container\n[2.60-1]\n- Allow containers to list cgroup directories\n- Transition for unconfined_service_t to container_runtime_t when executing container_runtime_exec_t.\n[2.58-2]\n- Run restorecon /usr/bin/podman in postinstall\n[2.58-1]\n- Add labels to allow podman to be run from a systemd unit file\n[2.57-1]\n- Set the version of SELinux policy required to the latest to fix build issues.\n[2.56-1]\n- Allow container_runtime_t to transition to spc_t over unlabeled files\n[2.55-1]\nAllow iptables to read container state\n Dontaudit attempts from containers to write to /proc/self\n Allow spc_t to change attributes on container_runtime_t fifo files\n[2.52-1]\n- Add better support for writing custom selinux policy for customer container domains.\n[2.51-1]\n- Allow shell_exec_t as a container_runtime_t entrypoint\n[2.50-1]\n- Allow bin_t as a container_runtime_t entrypoint\n[2.49-1]\n- Add support for MLS running container runtimes\n- Add missing allow rules for running systemd in a container\n[2.48-1]\n- Update policy to match master branch\n- Remove typebounds and replace with nnp_transition and nosuid_transition calls\n[2.41-1]\n- Add support to nnp_transition for container domains\n- Eliminates need for typebounds.\n[2.40-1]\n- Allow container_runtime_t to use user ttys\n- Fixes bounds check for container_t\n[2.39-1]\n- Allow container runtimes to use interited terminals. 
This helps\nsatisfy the bounds check of container_t versus container_runtime_t.\n[2.38-1]\n- Allow container runtimes to mmap container_file_t devices\n- Add labeling for rhel push plugin\n[2.37-1]\n- Allow containers to use inherited ttys\n- Allow ostree to handle labels under /var/lib/containers/ostree\n[2.36-1]\n- Allow containers to relabelto/from all file types to container_file_t\n[2.35-1]\n- Allow container to map chr_files labeled container_file_t\n[2.34-1]\n- Dontaudit container processes getattr on kernel file systems\n[2.33-1]\n- Allow containers to read /etc/resolv.conf and /etc/hosts if volume\n- mounted into container.\n[2.32-1]\n- Make sure users creating content in /var/lib with right labels\n[2.31-1]\n- Allow the container runtime to dbus chat with dnsmasq\n- add dontaudit rules for container trying to write to /proc\n[2.29-1]\n- Add support for lxcd\n- Add support for labeling of tmpfs storage created within a container.\n[2.28-1]\n- Allow a container to umount a container_file_t filesystem\n[2.27-1]\n- Allow container runtimes to work with the netfilter sockets\n- Allow container_file_t to be an entrypoint for VM's\n- Allow spc_t domains to transition to svirt_t\n[2.24-1]\n- Make sure container_runtime_t has all access of container_t\n[2.23-1]\n- Allow container runtimes to create sockets in tmp dirs\n[2.22-1]\n- Add additonal support for crio labeling.\n[2.21-3]\n- Fixup spec file conditionals\n[2:2.21-2]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild\n[2.21-1]\n- Allow containers to execmod on container_share_t files.\n[2.20-2]\n- Relabel runc and crio executables\n[2.20-1]\n- Allow container processes to getsession\n[2:2.19-2.1]\n- update release tag to isolate from 7.3\n[2:2.19-1]\n- Fix mcs transition problem on stdin/stdout/stderr\n- Add labels for CRI-O\n- Allow containers to use tunnel sockets\n[2:2.15-1.1]\n- Resolves: #1451289\n- rebase to v2.15\n- built @origin/RHEL-1.12 commit 583ca40\n[2:2.10-2.1]\n- Make sure 
we have a late enough version of policycoreutils\n[2:2.10-1]\n- Update to the latest container-selinux patch from upstream\n- Label files under /usr/libexec/lxc as container_runtime_exec_t\n- Give container_t access to XFRM sockets\n- Allow spc_t to dbus chat with init system\n- Allow containers to read cgroup configuration mounted into a container\n[2:2.9-4]\n- Resolves: #1425574\n- built commit 79a6d70\n[2:2.9-3]\n- Resolves: #1420591\n- built @origin/RHEL-1.12 commit 8f876c4\n[2:2.9-2]\n- built @origin/RHEL-1.12 commit 33cb78b\n[2:2.8-2]\n-\n[2:2.7-1]\n- built origin/RHEL-1.12 commit 21dd37b\n[2:2.4-2]\n- correct version-release in changelog entries\n[2:2.4-1]\n- Add typebounds statement for container_t from container_runtime_t\n- We should only label runc not runc*\n[2:2.3-1]\n- Fix labeling on /usr/bin/runc.*\n- Add sandbox_net_domain access to container.te\n- Remove containers ability to look at /etc content\n[2:2.2-4]\n- use upstream's RHEL-1.12 branch, commit 56c32da for CentOS 7\n[2:2.2-3]\n- properly disable docker module in %post\n[2:2.2-2]\n- depend on selinux-policy-targeted\n- relabel docker-latest* files as well\n[2:2.2-1]\n- bump to v2.2\n- additional labeling for ocid\n[2:2.0-2]\n- install policy at level 200\n- From: Dan Walsh \n[2:2.0-1]\n- Resolves: #1406517 - bump to v2.0 (first upload to Fedora as a\nstandalone package)\n- include projectatomic/RHEL-1.12 branch commit for building on centos/rhel\n[2:1.12.4-29]\n- new package (separated from docker)\ncriu\nfuse-overlayfs\n[0.3-5]\n- revert fuse-overlayfs to commit 6d269aa\n- Resolves: #1720707\n[0.3-4.dev.gitd760789]\n- rebase\n[0.3-2]\n- rebase\n- Resolves:#1666510\n[0.1-7.dev.git50c7a50]\n- Resolves: #1640232\n- built commit 50c7a50\n[0.1-6.dev.git1c72a1a]\n- Resolves: #1614856 - add manpage\n- built commit 1c72a1a\n- add BR: go-md2man\n[0.1-5.dev.gitd40ac75]\n- built commit d40ac75\n- remove fedora bz ids\n- Exclude ix86 and ppc64\n[0.1-4.dev.git79c70fd]\n- Resolves: #1609598 - initial 
upload to Fedora\n- bundled gnulib\n[0.1-3.dev.git79c70fd]\n- correct license field\n[0.1-2.dev.git79c70fd]\n- fix license\n[0.1-1.dev.git13575b6]\n- First package for Fedora\noci-systemd-hook\noci-umount\npodman\n[1.0.0-8.git921f98f]\n- fix 'podman can not create user inside of container' regression introduced by\n patch for CVE-2021-20188\n- Related: #1918285\n[1.0.0-7.git921f98f]\n- fix CVE-2021-20188\n- Resolves: #1918285\n[1.0.0-6.git921f98f]\n- fix 'podman run errors out/segfaults in container-tools-1.0-8.3.0'\n- Resolves: #1882267\n[1.0.0-5.git921f98f]\n- bump release to preserve upgrade path\n- Resolves: #1821193\n[1.0.0-4.git921f98f]\n- fix 'CVE-2020-10696 buildah: crafted input tar file may lead to local file overwriting during image build process'\n- Resolves: #1818122\n[1.0.0-3.git921f98f]\n- rebuild because of CVE-2019-9512 and CVE-2019-9514\n- Resolves: #1766294, #1766322\n[1.0.0-2.git921f98f]\n- rebase\n[1.0.0-1.git82e8011]\n- rebase to v1, yay!\n- rebase conmon to 9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2\n- Resolves:#1623282\n- python interface removed, moved to https://github.com/containers/python-podman/\n[0.12.1.2-4.git9551f6b]\n- re-enable debuginfo\n[0.12.1.2-3.git9551f6b]\n- python libraries added\n- resolves: #1657180\n[0.12.1.2-2.git9551f6b]\n- rebase\n[0.11.1.1-3.git594495d]\n- go tools not in scl anymore\n[0.11.1.1-2.git594495d]\n- fedora-like buildrequires go toolset\n[0.11.1.1-1.git594495d]\n- Resolves: #1636230 - build with FIPS enabled golang toolchain\n- bump to v0.11.1.1\n- built commit 594495d\n[0.11.1-3.gita4adfe5]\n- podman-docker provides docker\n- Resolves: #1650355\n[0.11.1-2.gita4adfe5]\n- Require platform-python-setuptools instead of python3-setuptools\n- Resolves: rhbz#1650144\n[0.11.1-1.gita4adfe5]\n- bump to v0.11.1\n- built libpod commit a4adfe5\n- built conmon from cri-o commit 464dba6\n[0.10.1.3-5.gitdb08685]\n- Resolves: #1625384 - keep BR: device-mapper-devel but don't build with it\n- not having device-mapper-devel 
seems to have brew not recognize %{_unitdir}\n[0.10.1.3-4.gitdb08685]\n- Resolves: #1625384 - correctly add buildtags to remove devmapper\n[0.10.1.3-3.gitdb08685]\n- Resolves: #1625384 - build without device-mapper-devel (no podman support) and lvm2\n[0.10.1.3-2.gitdb08685]\n- Resolves: #1625384 - depend on lvm2\n[0.10.1.3-1.gitdb08685]\n- Resolves: #1640298 - update vendored buildah to allow building when there are\nrunning containers\n- bump to v0.10.1.3\n- built podman commit db08685\n[0.10.1.2-1.git2b4f8d1]\n- Resolves: #1625378\n- bump to v0.10.1.2\n- built podman commit 2b4f8d1\n[0.10.1.1-1.git4bea3e9]\n- bump to v0.10.1.1\n- built podman commit 4bea3e9\n[0.10.1-1.gite4a1553]\n- bump podman to v0.10.1\n- built podman commit e4a1553\n- built conmon from cri-o commit a30f93c\n[0.9.3.1-4.git1cd906d]\n- rebased cri-o to 1.11.6\n[0.9.3.1-3.git1cd906d]\n- rebase\n[0.9.2-2.git37a2afe]\n- rebase to podman 0.9.2\n- rebase to cri-o 0.11.4\n[0.9.1.1-2.git123de30]\n- rebase\n[0.8.4-1.git9f9b8cf]\n- bump to v0.8.4\n- built commit 9f9b8cf\n- upstream username changed from projectatomic to containers\n- use containernetworking-plugins >= 0.7.3-5\n[0.8.2.1-2.git7a526bb]\n- Resolves: #1615607 - rebuild with gobuild tag 'no_openssl'\n[0.8.2.1-1.git7a526bb]\n- Upstream 0.8.2.1 release\n- Add support for podman-docker\nResolves: rhbz#1615104\n[0.8.2-1.dev.git8b2d38e]\n- Resolves: #1614710 - podman search name includes registry\n- bump to v0.8.2-dev\n- built libpod commit 8b2d38e\n- built conmon from cri-o commit acc0ee7\n[0.8.1-2.git6b4ab2a]\n- Add recommends for slirp4netns and container-selinux\n[0.8.1-2.git6b4ab2a]\n- bump to v0.8.1\n- use %go{build,generate} instead of go build and go generate\n- update go deps to use scl-ized builds\n- No need for Makefile patch for python installs\n[0.8.1-1.git6b4ab2a]\n- Bump to v0.8.1\n[0.7.4-2.git079121]\n- podman should not require atomic-registries\n[0.7.4-1.dev.git9a18681]\n- bump to v0.7.4-dev\n- built commit 
9a18681\n[0.7.3-2.git079121]\n- Turn on ostree support\n- Upstream 0.7.3\n[0.7.2-2.git4ca4c5f]\n- Upstream 0.7.2 release\n[0.7.1-3.git84cfdb2]\n- rebuilt\n[0.7.1-2.git84cfdb2]\n- rebase to 84cfdb2\n[0.7.1-1.git802d4f2]\n- Upstream 0.7.1 release\n[0.6.4-2.gitd5beb2f]\n- disable devel and unittest subpackages\n- include conditionals for rhel-8.0\n[0.6.4-1.gitd5beb2f]\n- do not compress debuginfo with dwz to support delve debugger\n[0.6.1-3.git3e0ff12]\n- do not compress debuginfo with dwz to support delve debugger\n[0.6.1-2.git3e0ff12]\n- bash completion shouldn't have shebang\n[0.6.1-1.git3e0ff12]\n- Resolves: #1584429 - drop capabilities when running a container as non-root\n- bump to v0.6.1\n- built podman commit 3e0ff12\n- built conmon from cri-o commit 1c0c3b0\n- drop containernetworking-plugins subpackage, it's now split out into a standalone\npackage\n[0.4.1-4.gitb51d327]\n- Resolves: #1572538 - build host-device and portmap plugins\n[0.4.1-3.gitb51d327]\n- correct dep on containernetworking-plugins\n[0.4.1-2.gitb51d327]\n- add containernetworking-plugins v0.7.0 as a subpackage (podman dep)\n- release tag for the containernetworking-plugins is actually gotten from\npodman release tag.\n[0.4.1-1.gitb51d327]\n- bump to v0.4.1\n- built commit b51d327\n[0.3.3-1.dev.gitbc358eb]\n- built podman commit bc358eb\n- built conmon from cri-o commit 712f3b8\n[0.3.2-1.gitf79a39a]\n- Release 0.3.2-1\n[0.3.1-2.git98b95ff]\n- Correct RPM version\n[0.3.1-1-gitc187538]\n- Release 0.3.1-1\n[0.2.2-2.git525e3b1]\n- Build on ARMv7 too (Fedora supports containers on that arch too)\n[0.2.2-1.git525e3b1]\n- Release 0.2.2\n[0.2.1-1.git3d0100b]\n- Release 0.2.1\n[0.2-3.git3d0100b]\n- Add dep for atomic-registries\n[0.2-2.git3d0100b]\n- Add more 64bit arches\n- Add containernetworking-cni dependancy\n- Add iptables dependancy\n[0-2.1.git3d0100]\n- Release 0.2\n[0-0.3.git367213a]\n- Resolves: #1541554 - first official build\n- built commit 367213a\n[0-0.2.git0387f69]\n- built commit 
0387f69\n[0-0.1.gitc1b2278]\n- First package for Fedora\nrunc\n[1.0.0-56.rc5.dev.git2abd837]\n- rebuild because of CVE-2019-9512 and CVE-2019-9514\n- Resolves: #1766328, #1766300\n[1.0.0-55.rc5.dev.git2abd837]\n- Resolves: #1665770 - rootfs: umount all procfs and sysfs with --no-pivot\n- Resolves: CVE-2019-5736\n[1.0.0-54.rc5.dev.git2abd837]\n- re-enable debuginfo\n[1.0.0-53.rc5.dev.git2abd837]\n- go toolset not in scl anymore\n[1.0.0-52.rc5.dev.git2abd837]\n- rebase\n[2:1.0.0-51.dev.gitfdd8055]\n- Fix handling of tmpcopyup\n[2:1.0.0-49.rc5.dev.gitb4e2ecb]\n- %gobuild uses no_openssl\n- remove unused devel and unit-test subpackages\n[2:1.0.0-48.rc5.dev.gitad0f525]\n- build with %gobuild\n- exlude i686 temporarily because of go-toolset issues\n[1.0.0-47.dev.gitb4e2ecb]\n- Rebuild with fixed binutils\n[2:1.0.0-46.dev.gitb4e2ecb]\n- Add patch https://github.com/opencontainers/runc/pull/1807 to allow\n- runc and podman to work with sd_notify\n[2:1.0.0-40.rc5.dev.gitad0f525]\n- Remove sysclt handling, not needed in RHEL8\n- Make sure package built with seccomp flags\n- Remove rectty\n- Add completions\n[2:1.0.0-36.rc5.dev.gitad0f525]\n- Better handling of user namespace\n[2:1.0.0-31.rc5.git0cbfd83]\n- Fix issues between SELinux and UserNamespace\n[1.0.0-27.rc5.dev.git4bb1fe4]\n- rebuilt, placed missing changelog entry back\n[2:1.0.0-26.rc5.git4bb1fe4]\n- release v1.0.0~rc5\n[1.0.0-26.rc4.git9f9c962]\n- Bump to the latest from upstream\n[1.0.0-25.rc4.gite6516b3]\n- built commit e6516b3\n[1.0.0-24.rc4.dev.gitc6e4a1e.1]\n- rebase to c6e4a1ebeb1a72b529c6f1b6ee2b1ae5b868b14f\n- https://github.com/opencontainers/runc/pull/1651\n[1.0.0-23.rc4.git1d3ab6d]\n- Resolves: #1524654\n[1.0.0-22.rc4.git1d3ab6d]\n- Many Stability fixes\n- Many fixes for rootless containers\n- Many fixes for static builds\n[1.0.0-21.rc4.dev.gitaea4f21]\n- enable debuginfo and include -buildmode=pie for go build\n[1.0.0-20.rc4.dev.gitaea4f21]\n- use Makefile\n[1.0.0-19.rc4.dev.gitaea4f21]\n- disable 
debuginfo temporarily\n[1.0.0-18.rc4.dev.gitaea4f21]\n- enable debuginfo\n[1.0.0-17.rc4.gitaea4f21]\n- Add container-selinux prerequires to make sure runc is labeled correctly\n[1.0.0-16.rc4.dev.gitaea4f21]\n- correct the release tag 'rc4dev' -> 'rc4.dev' cause I'm OCD\n[1.0.0-15.rc4dev.gitaea4f21]\n- Use the same checkout as Fedora for lates CRI-O\n[1.0.0-14.rc4dev.git84a082b]\n- rebase to 84a082bfef6f932de921437815355186db37aeb1\n[1.0.0-13.rc3.gitd40db12]\n- Resolves: #1479489\n- built commit d40db12\n[1.0.0-12.1.gitf8ce01d]\n- disable s390x temporarily because of indefinite wait times on brew\n[1.0.0-11.1.gitf8ce01d]\n- correct previous bogus date :\n[1.0.0-10.1.gitf8ce01d]\n- Resolves: #1441737 - run sysctl_apply for sysctl knob\n[1.0.0-9.1.gitf8ce01d]\n- Resolves: #1447078 - change default root path\n- add commit e800860 from runc @projectatomic/change-root-path\n[1.0.0-8.1.gitf8ce01d]\n- Resolves: #1441737 - enable kernel sysctl knob /proc/sys/fs/may_detach_mounts\n[1.0.0-7.1.gitf8ce01d]\n- Resolves: #1429675\n- built @opencontainers/master commit f8ce01d\n[1.0.0-4.1.gitee992e5]\n- built @projectatomic/master commit ee992e5\n[1.0.0-3.rc2]\n- Resolves: #1426674\n- built projectatomic/runc_rhel_7 commit 5d93f81\n[1.0.0-2.rc2]\n- Resolves: #1419702 - rebase to latest upstream master\n- built commit b263a43\n[1.0.0-1.rc2]\n- Resolves: #1412239 - *CVE-2016-9962* - set init processes as non-dumpable,\nrunc patch from Michael Crosby \n[0.1.1-6]\n- Resolves: #1373980 - rebuild for 7.3.0\n[0.1.1-5]\n- build with golang >= 1.6.2\n[0.1.1-4]\n- release tags were inconsistent in the previous build\n[0.1.1-1]\n- Resolves: #1341267 - rebase runc to v0.1.1\n[0.1.0-3]\n- add selinux build tag\n- add BR: libseccomp-devel\n[0.1.0-2]\n- Resolves: #1328970 - add seccomp buildtag\n[0.1.0-1]\n- Resolves: rhbz#1328616 - rebase to v0.1.0\n[0.0.8-1.git4155b68]\n- Resolves: rhbz#1277245 - bump to 0.0.8\n- Resolves: rhbz#1302363 - criu is a runtime dep\n- Resolves: rhbz#1302348 - 
libseccomp-golang is bundled in Godeps\n- manpages included\n[1:0.0.5-0.1.git97bc9a7]\n- Update to 0.0.5, introduce Epoch for Fedora due to 0.2 version instead of 0.0.2\n[0.2-0.2.git90e6d37]\n- First package for Fedora\n resolves: #1255179\nskopeo\n[1:0.1.32-6.git1715c90.0.1]\n- Update registry conf file [Orabug: 31306708]\n- Add oracle registry into the conf file [Orabug: 29845934]\n- Fix oracle registry login issues [Orabug: 29937192]\n[1:0.1.32-6.git1715c90]\n- bump release to preserve upgrade path\n- Related: #1821193\n[1:0.1.32-4.git1715c90]\n- rebuild because of CVE-2019-9512 and CVE-2019-9514\n- Resolves: #1772130, #1772135\n[1:0.1.32-3.git1715c90]\n- rebase\n[1:0.1.32-2.git1715c90]\n- re-enable debuginfo\n[1:0.1.31-12.gitb0b750d]\n- go tools not in scl anymore\n[1:0.1.31-11.gitb0b750d]\n- Resolves: #1615609\n- built upstream tag v0.1.31\n[1:0.1.31-10.git0144aa8]\n- Resolves: #1616069 - correct order of registries\n[1:0.1.31-9.git0144aa8]\n- Resolves: #1615609 - rebuild with gobuild tag 'no_openssl'\n[1:0.1.31-8.git0144aa8]\n- Resolves: #1614934 - containers-common soft dep on slirp4netns and\nfuse-overlayfs\n[1:0.1.31-7.git0144aa8]\n- build with %gobuild\n- use scl-ized go-toolset as dep\n- disable i686 builds temporarily because of go-toolset issues\n[1:0.1.31-6.git0144aa8]\n- add statx to seccomp.json to containers-config\n- add seccomp.json to containers-config\n[1:0.1.31-4.git0144aa8]\n- Resolves: #1597629 - handle dependency issue for skopeo-containers\n- rename skopeo-containers to containers-common as in Fedora\n[1:0.1.31-3.git0144aa8]\n- Resolves: #1583762 - btrfs dep removal needs exclude_graphdriver_btrfs\nbuildtag\n[1:0.1.31-2.git0144aa8]\n- correct bz in previous changelog\n[1:0.1.31-1.git0144aa8]\n- Resolves: #1580938 - resolve FTBFS\n- Resolves: #1583762 - remove dependency on btrfs-progs-devel\n- bump to v0.1.31 (from master)\n- built commit ca3bff6\n- use go-toolset deps for rhel8\n[0.1.29-5.git7add6fc]\n- Fix small typo in 
registries.conf\n[0.1.29-4.git]\n- Add policy.json.5\n[0.1.29-3.git]\n- Add registries.conf\n[0.1.29-2.git]\n- Add registries.conf man page\n[0.1.29-1.git]\n- bump to 0.1.29-1\n- Updated containers/image\n docker-archive generates docker legacy compatible images\n Do not create subdirectories for layers with no configs\n Ensure the layer IDs in legacy docker/tarfile metadata are unique\n docker-archive: repeated layers are symlinked in the tar file\n sysregistries: remove all trailing slashes\n Improve docker/* error messages\n Fix failure to make auth directory\n Create a new slice in Schema1.UpdateLayerInfos\n Drop unused storageImageDestination.{image,systemContext}\n Load a *storage.Image only once in storageImageSource\n Support gzip for docker-archive files\n Remove .tar extension from blob and config file names\n ostree, src: support copy of compressed layers\n ostree: re-pull layer if it misses uncompressed_digest|uncompressed_size\n image: fix docker schema v1 -> OCI conversion\n Add /etc/containers/certs.d as default certs directory\n[0.1.28-2.git0270e56]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild\n[0.1.28-1.git]\n- Vendor in fixed libraries in containers/image and containers/storage\n[0.1.27-1.git]\n- Fix Conflicts to Obsoletes\n- Add better docs to man pages.\n- Use credentials from authfile for skopeo commands\n- Support storage='' in /etc/containers/storage.conf\n- Add global --override-arch and --override-os options\n[0.1.25-2.git2e8377a7]\n- Add manifest type conversion to skopeo copy\n- User can select from 3 manifest types: oci, v2s1, or v2s2\n- e.g skopeo copy --format v2s1 --compress-blobs docker-archive:alp.tar dir:my-directory\n[0.1.25-2.git7fd6f66b]\n- Force storage.conf to default to overlay\n[0.1.25-1.git7fd6f66b]\n- Fix CVE in tar-split\n- copy: add shared blob directory support for OCI sources/destinations\n- Aligning Docker version between containers/image and skopeo\n- Update image-tools, and remove the 
duplicate Sirupsen/logrus vendor\n- makefile: use -buildmode=pie\n[0.1.24-8.git28d4e08a]\n- Add /usr/share/containers/mounts.conf\n[0.1.24-7.git28d4e08a]\n- Bug fixes\n- Update to release\n[0.1.24-6.dev.git28d4e08]\n- skopeo-containers conflicts with docker-rhsubscription <= 2:1.13.1-31\n[0.1.24-5.dev.git28d4e08]\n- Add rhel subscription secrets data to skopeo-containers\n[0.1.24-4.dev.git28d4e08]\n- Update container/storage.conf and containers-storage.conf man page\n- Default override to true so it is consistent with RHEL.\n[0.1.24-3.dev.git28d4e08]\n- built commit 28d4e08\n[0.1.24-2.dev.git875dd2e]\n- built commit 875dd2e\n- Resolves: gh#416\n[0.1.24-1.dev.gita41cd0]\n- bump to 0.1.24-dev\n- correct a prior bogus date\n- fix macro in comment warning\n[0.1.23-6.dev.git1bbd87]\n- Change name of storage.conf.5 man page to containers-storage.conf.5, since\nit conflicts with inn package\n- Also remove default to 'overalay' in the configuration, since we should\n- allow containers storage to pick the best default for the platform.\n[0.1.23-5.git1bbd87f]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild\n[0.1.23-4.git1bbd87f]\n- Rebuild with binutils fix for ppc64le (#1475636)\n[0.1.23-3.git1bbd87f]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild\n[0.1.23-2.dev.git1bbd87]\n- Fix storage.conf man page to be storage.conf.5.gz so that it works.\n[0.1.23-1.dev.git1bbd87]\n- Support for OCI V1.0 Images\n- Update to image-spec v1.0.0 and revendor\n- Fixes for authentication\n[0.1.22-2.dev.git5d24b67]\n- Epoch: 1 for CentOS as CentOS Extras' build already has epoch set to 1\n[0.1.22-1.dev.git5d24b67]\n- Give more useful help when explaining usage\n- Also specify container-storage as a valid transport\n- Remove docker reference wherever possible\n- vendor in ostree fixes\n[0.1.21-1.dev.git0b73154]\n- Add support for storage.conf and storage-config.5.md from github container storage package\n- Bump to the latest version of 
skopeo\n- vendor.conf: add ostree-go\n- it is used by containers/image for pulling images to the OSTree storage.\n- fail early when image os does not match host os\n- Improve documentation on what to do with containers/image failures in test-skopeo\n- We now have the docker-archive: transport\n- Integration tests with built registries also exist\n- Support /etc/docker/certs.d\n- update image-spec to v1.0.0-rc6\n[0.1.20-1.dev.git0224d8c]\n- BZ #1380078 - New release\n[0.1.19-2.dev.git0224d8c]\n- No golang support for ppc64. Adding exclude arch. BZ #1445490\n[0.1.19-1.dev.git0224d8c]\n- bump to v0.1.19-dev\n- built commit 0224d8c\n[0.1.17-3.dev.git2b3af4a]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild\n[0.1.17-2.dev.git2b3af4a]\n- Rebuild for gpgme 1.18\n[0.1.17-1.dev.git2b3af4a]\n- bump to 0.1.17-dev\n[0.1.14-6.git550a480]\n- Fix BZ#1391932\n[0.1.14-5.git550a480]\n- Conflicts with atomic in skopeo-containers\n[0.1.14-4.git550a480]\n- built skopeo-containers\n[0.1.14-3.gitd830391]\n- built mtrmac/integrate-all-the-things commit d830391\n[0.1.14-2.git362bfc5]\n- built commit 362bfc5\n[0.1.14-1.gitffe92ed]\n- build origin/master commit ffe92ed\n[0.1.13-6]\n- https://fedoraproject.org/wiki/Changes/golang1.7\n[0.1.13-5]\n- include go-srpm-macros and compiler(go-compiler) in fedora conditionals\n- define %gobuild if not already\n- add patch to build with older version of golang\n[0.1.13-4]\n- update to v0.1.12\n[0.1.12-3]\n- fix go build source path\n[0.1.12-2]\n- update to v0.1.12\n[0.1.11-1]\n- update to v0.1.11\n[0.1.10-1]\n- update to v0.1.10\n- change runcom -> projectatomic\n[0.1.9-1]\n- update to v0.1.9\n[0.1.8-1]\n- update to v0.1.8\n[0.1.4-2]\n- https://fedoraproject.org/wiki/Changes/golang1.6\n[0.1.4]\n- First package for Fedora\nslirp4netns\n[0.1-5.dev.gitc4e1bc5]\n- backport fix for CVE-2020-7039\n- Resolves: #1791578\n[0.1-4.dev.gitc4e1bc5]\n- actually add CVE-2019-14378 patch to dist-git\n- Related: 
RHELPLAN-25139\n[0.1-3.dev.gitc4e1bc5]\n- Fix CVE-2019-14378 (#1768394).\n[0.1-2.dev.gitc4e1bc5]\n- changed summary\n[0.1-1.dev.gitc4e1bc5]\n- First package for RHEL 8\n- import from Fedora rawhide\n- Exclude ix86 and ppc64", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2021-03-05T00:00:00", "type": "oraclelinux", "title": "container-tools:1.0 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9962", "CVE-2019-14378", "CVE-2019-5736", "CVE-2019-9512", "CVE-2019-9514", "CVE-2020-10696", "CVE-2020-7039", "CVE-2021-20188"], "modified": "2021-03-05T00:00:00", "id": "ELSA-2021-0705", "href": "http://linux.oracle.com/errata/ELSA-2021-0705.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}