(RHSA-2023:6474) Moderate: podman security, bug fix, and enhancement update

The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods is a concept in Kubernetes.

Security Fix(es):

• golang: html/template: improper handling of JavaScript whitespace (CVE-2023-24540)

• net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)

• golang: crypto/tls: large handshake records may cause panics (CVE-2022-41724)

• golang: net/http, mime/multipart: denial of service from excessive resource consumption (CVE-2022-41725)

• golang.org/x/net/html: Cross site scripting (CVE-2023-3978)

• golang: net/http, net/textproto: denial of service from excessive memory allocation (CVE-2023-24534)

• golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (CVE-2023-24536)

• golang: go/parser: Infinite loop in parsing (CVE-2023-24537)

• golang: html/template: backticks not treated as string delimiters (CVE-2023-24538)

• golang: html/template: improper sanitization of CSS values (CVE-2023-24539)

• containerd: Supplementary groups are not set up properly (CVE-2023-25173)

• golang: html/template: improper handling of empty HTML attributes (CVE-2023-29400)

• golang: net/http: insufficient sanitization of Host header (CVE-2023-29406)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.3 Release Notes linked from the References section.