Lucene search

K
redhatRedHatRHSA-2024:2988
HistoryMay 22, 2024 - 6:35 a.m.

(RHSA-2024:2988) Moderate: container-tools:rhel8 security update

2024-05-2206:35:17
access.redhat.com
17
container-tools rhel8 security urllib3 golang crypto/tls podman buildah skopeo runc cvss red hat enterprise linux 8.10 release notes references unix

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

6.7

Confidence

High

EPSS

0.965

Percentile

99.6%

The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.

Security Fix(es):

  • urllib3: urllib3 does not remove the authorization HTTP header when following a cross-origin redirect (CVE-2018-25091)

  • golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198)

  • golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)

  • golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)

  • golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)

  • golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)

  • golang: crypto/tls: slow verification of certificate chains containing large RSA keys (CVE-2023-29409)

  • golang: html/template: improper handling of HTML-like comments within script contexts (CVE-2023-39318)

  • golang: html/template: improper handling of special tags within script contexts (CVE-2023-39319)

  • golang: crypto/tls: panic when processing post-handshake message on QUIC connections (CVE-2023-39321)

  • golang: crypto/tls: lack of a limit on buffered post-handshake (CVE-2023-39322)

  • golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)

  • golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges. (CVE-2023-45287)

  • urllib3: Request body not stripped after redirect from 303 status changes request method to GET (CVE-2023-45803)

  • ssh: Prefix truncation attack on Binary Packet Protocol (BPP) (CVE-2023-48795)

  • moby/buildkit: Possible race condition with accessing subpaths from cache mounts (CVE-2024-23650)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.10 Release Notes linked from the References section.

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

6.7

Confidence

High

EPSS

0.965

Percentile

99.6%