An update for podman is now available for openEuler-22.03-LTS-SP4 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1074 Final 1.0 1.0 2025-01-24 Initial 2025-01-24 2025-01-24 openEuler SA Tool V1.0 2025-01-24 podman security update An update for podman is now available for openEuler-22.03-LTS-SP4 Podman manages the entire container ecosystem which includes pods, containers, container images, and container volumes using the libpod library. Security Fix(es): A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions. A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.(CVE-2022-27649) An incorrect handling of the supplementary groups in the Podman container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.(CVE-2022-2989) A Time-of-check Time-of-use (TOCTOU) flaw was found in podman. This issue may allow a malicious user to replace a normal file in a volume with a symlink while exporting the volume, allowing for access to arbitrary files on the host file system.(CVE-2023-0778) If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.(CVE-2024-24785) An update for podman is now available for openEuler-22.03-LTS-SP4. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High podman https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1074 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2022-27649 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2022-2989 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2023-0778 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-24785 https://nvd.nist.gov/vuln/detail/CVE-2022-27649 https://nvd.nist.gov/vuln/detail/CVE-2022-2989 https://nvd.nist.gov/vuln/detail/CVE-2023-0778 https://nvd.nist.gov/vuln/detail/CVE-2024-24785 openEuler-22.03-LTS-SP4 podman-3.4.4-8.oe2203sp4.aarch64.rpm podman-debuginfo-3.4.4-8.oe2203sp4.aarch64.rpm podman-debugsource-3.4.4-8.oe2203sp4.aarch64.rpm podman-gvproxy-3.4.4-8.oe2203sp4.aarch64.rpm podman-plugins-3.4.4-8.oe2203sp4.aarch64.rpm podman-remote-3.4.4-8.oe2203sp4.aarch64.rpm podman-3.4.4-8.oe2203sp4.src.rpm podman-3.4.4-8.oe2203sp4.x86_64.rpm podman-debuginfo-3.4.4-8.oe2203sp4.x86_64.rpm podman-debugsource-3.4.4-8.oe2203sp4.x86_64.rpm podman-gvproxy-3.4.4-8.oe2203sp4.x86_64.rpm podman-plugins-3.4.4-8.oe2203sp4.x86_64.rpm podman-remote-3.4.4-8.oe2203sp4.x86_64.rpm podman-docker-3.4.4-8.oe2203sp4.noarch.rpm podman-help-3.4.4-8.oe2203sp4.noarch.rpm A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions. A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. 2025-01-24 CVE-2022-27649 openEuler-22.03-LTS-SP4 High 7.5 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H podman security update 2025-01-24 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1074 An incorrect handling of the supplementary groups in the Podman container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container. 2025-01-24 CVE-2022-2989 openEuler-22.03-LTS-SP4 High 7.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N podman security update 2025-01-24 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1074 A Time-of-check Time-of-use (TOCTOU) flaw was found in podman. This issue may allow a malicious user to replace a normal file in a volume with a symlink while exporting the volume, allowing for access to arbitrary files on the host file system. 2025-01-24 CVE-2023-0778 openEuler-22.03-LTS-SP4 Medium 6.8 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N podman security update 2025-01-24 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1074 If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates. 2025-01-24 CVE-2024-24785 openEuler-22.03-LTS-SP4 Medium 6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N podman security update 2025-01-24 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1074