Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2020-8945 (GCVE-0-2020-8945)
Vulnerability from cvelistv5 – Published: 2020-02-12 17:20 – Updated: 2024-08-04 10:12
VLAI
EPSS
Summary
The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
11 references
| URL | Tags |
|---|---|
| https://github.com/proglottis/gpgme/pull/23 | x_refsource_MISC |
| https://bugzilla.redhat.com/show_bug.cgi?id=1795838 | x_refsource_MISC |
| https://github.com/proglottis/gpgme/compare/v0.1.… | x_refsource_MISC |
| https://github.com/containers/image/commit/4c7a23… | x_refsource_MISC |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://access.redhat.com/errata/RHSA-2020:0679 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2020:0689 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2020:0697 | vendor-advisoryx_refsource_REDHAT |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:12:10.975Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/proglottis/gpgme/pull/23"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1795838"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/proglottis/gpgme/compare/v0.1.0...v0.1.1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/containers/image/commit/4c7a23f82ef09127b0ff28366d1cf31316dd6cc1"
},
{
"name": "FEDORA-2020-f317e13ecf",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H6P6SSNKN4H6GSEVROHBDXA64PX7EOED/"
},
{
"name": "FEDORA-2020-2a0aac3502",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KDBT77KV3U7BESJX3P4S4MPVDGRTAQA2/"
},
{
"name": "FEDORA-2020-ccc3e64ea5",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXV7NZELYWRRCXATXU3FYD3G3WJT3WYM/"
},
{
"name": "RHSA-2020:0679",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0679"
},
{
"name": "RHSA-2020:0689",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0689"
},
{
"name": "RHSA-2020:0697",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0697"
},
{
"name": "FEDORA-2020-aeea04cd13",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-24T02:06:18.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/proglottis/gpgme/pull/23"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1795838"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/proglottis/gpgme/compare/v0.1.0...v0.1.1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/containers/image/commit/4c7a23f82ef09127b0ff28366d1cf31316dd6cc1"
},
{
"name": "FEDORA-2020-f317e13ecf",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H6P6SSNKN4H6GSEVROHBDXA64PX7EOED/"
},
{
"name": "FEDORA-2020-2a0aac3502",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KDBT77KV3U7BESJX3P4S4MPVDGRTAQA2/"
},
{
"name": "FEDORA-2020-ccc3e64ea5",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXV7NZELYWRRCXATXU3FYD3G3WJT3WYM/"
},
{
"name": "RHSA-2020:0679",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0679"
},
{
"name": "RHSA-2020:0689",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0689"
},
{
"name": "RHSA-2020:0697",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0697"
},
{
"name": "FEDORA-2020-aeea04cd13",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-8945",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/proglottis/gpgme/pull/23",
"refsource": "MISC",
"url": "https://github.com/proglottis/gpgme/pull/23"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1795838",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1795838"
},
{
"name": "https://github.com/proglottis/gpgme/compare/v0.1.0...v0.1.1",
"refsource": "MISC",
"url": "https://github.com/proglottis/gpgme/compare/v0.1.0...v0.1.1"
},
{
"name": "https://github.com/containers/image/commit/4c7a23f82ef09127b0ff28366d1cf31316dd6cc1",
"refsource": "MISC",
"url": "https://github.com/containers/image/commit/4c7a23f82ef09127b0ff28366d1cf31316dd6cc1"
},
{
"name": "FEDORA-2020-f317e13ecf",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H6P6SSNKN4H6GSEVROHBDXA64PX7EOED/"
},
{
"name": "FEDORA-2020-2a0aac3502",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KDBT77KV3U7BESJX3P4S4MPVDGRTAQA2/"
},
{
"name": "FEDORA-2020-ccc3e64ea5",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WXV7NZELYWRRCXATXU3FYD3G3WJT3WYM/"
},
{
"name": "RHSA-2020:0679",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0679"
},
{
"name": "RHSA-2020:0689",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0689"
},
{
"name": "RHSA-2020:0697",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0697"
},
{
"name": "FEDORA-2020-aeea04cd13",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-8945",
"datePublished": "2020-02-12T17:20:43.000Z",
"dateReserved": "2020-02-12T00:00:00.000Z",
"dateUpdated": "2024-08-04T10:12:10.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2020-8945",
"date": "2026-05-29",
"epss": "0.01939",
"percentile": "0.83719"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2020-8945\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2020-02-12T18:15:10.470\",\"lastModified\":\"2024-11-21T05:39:42.933\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification.\"},{\"lang\":\"es\",\"value\":\"El contenedor Proglottis Go versiones anteriores a 0.1.1 para la biblioteca GPGME, presenta un uso de la memoria previamente liberada, como es demostrado por el uso para las extracciones de im\u00e1genes de contenedores para Docker o CRI-O. Esto conlleva a un bloqueo o posible ejecuci\u00f3n de c\u00f3digo durante una comprobaci\u00f3n de la firma GPG.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:H/Au:N/C:P/I:P/A:P\",\"baseScore\":5.1,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"HIGH\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":4.9,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gpgme_project:gpgme:*:*:*:*:*:go:*:*\",\"versionEndExcluding\":\"0.1.1\",\"matchCriteriaId\":\"D6AF4CA3-6FB7-4184-B62B-5CC4389C7B01\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2F87326E-0B56-4356-A889-73D026DB1D4B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"064E7BDD-4EF0-4A0D-A38D-8C75BAFEDCEF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:4.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4C85A84D-A70F-4B02-9E5D-CD9660ABF048\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:4.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6E57E25E-342F-411A-8840-6AF01078D09F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:4.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"44C5E433-229C-4BB9-8481-8A74AFA8DB8E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:4.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D432C063-0805-4151-A819-508FE8954101\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9D9E8067-7EEF-4D59-B55D-6C2B33405963\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"23F02265-FA70-4FE1-8EE1-F30C61E11F94\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3AD34820-B5A7-470F-B290-E4C7C8BFAF80\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6D0C69D6-E171-4750-8676-5F16DB88A197\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"142AD0DD-4CF3-4D74-9442-459CE3347E3A\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F4CFF558-3C47-480D-A2F0-BABF26042943\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"97A4B8DF-58DA-4AB6-A1F9-331B36409BA3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80F0FA5D-8D3B-4C0E-81E2-87998286AF33\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"36D96259-24BD-44E2-96D9-78CE1D41F956\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"566507B6-AC95-47F7-A3FB-C6F414E45F51\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B4A684C7-88FD-43C4-9BDB-AE337FCBD0AB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"51EF4996-72F4-4FA4-814F-F5991E7A8318\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"825ECE2D-E232-46E0-A047-074B34DB1E97\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2F87326E-0B56-4356-A889-73D026DB1D4B\"}]}]}],\"references\":[{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0679\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0689\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0697\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1795838\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/containers/image/commit/4c7a23f82ef09127b0ff28366d1cf31316dd6cc1\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/proglottis/gpgme/compare/v0.1.0...v0.1.1\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/proglottis/gpgme/pull/23\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H6P6SSNKN4H6GSEVROHBDXA64PX7EOED/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KDBT77KV3U7BESJX3P4S4MPVDGRTAQA2/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXV7NZELYWRRCXATXU3FYD3G3WJT3WYM/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0679\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0689\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0697\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1795838\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/containers/image/commit/4c7a23f82ef09127b0ff28366d1cf31316dd6cc1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/proglottis/gpgme/compare/v0.1.0...v0.1.1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/proglottis/gpgme/pull/23\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H6P6SSNKN4H6GSEVROHBDXA64PX7EOED/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KDBT77KV3U7BESJX3P4S4MPVDGRTAQA2/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXV7NZELYWRRCXATXU3FYD3G3WJT3WYM/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
RHSA-2020:1230
Vulnerability from csaf_redhat - Published: 2020-04-01 00:26 - Updated: 2026-02-27 06:51Summary
Red Hat Security Advisory: skopeo security and bug fix update
Severity
Moderate
Notes
Topic: An update for skopeo is now available for Red Hat Enterprise Linux 7 Extras.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: The skopeo command lets you inspect images from container image registries, get images and image layers, and use signatures to create and verify files.
Security Fix(es):
* proglottis/gpgme: Use-after-free in GPGME bindings during container image pull (CVE-2020-8945)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* Skopeo doesn't handle HTTP 429 errors properly (BZ#1752775)
* skopeo does not show manifest manifest.list.v2 for special cases (BZ#1754905)
* skopeo inspect results in panic: runtime error: invalid memory address or nil pointer dereference (BZ#1769575)
* skopeo should be linked against gpgme-pthread (BZ#1793080)
* docker won't start because registries service won't start (BZ#1812505)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. An attacker could use this flaw to crash or cause potential code execution in Go applications that use this library, under certain conditions, during GPG signature verification.
7.5 (High)
Affected products
Fixed
20 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
11 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for skopeo is now available for Red Hat Enterprise Linux 7 Extras.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The skopeo command lets you inspect images from container image registries, get images and image layers, and use signatures to create and verify files.\n\nSecurity Fix(es):\n\n* proglottis/gpgme: Use-after-free in GPGME bindings during container image pull (CVE-2020-8945)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* Skopeo doesn\u0027t handle HTTP 429 errors properly (BZ#1752775)\n\n* skopeo does not show manifest manifest.list.v2 for special cases (BZ#1754905)\n\n* skopeo inspect results in panic: runtime error: invalid memory address or nil pointer dereference (BZ#1769575)\n\n* skopeo should be linked against gpgme-pthread (BZ#1793080)\n\n* docker won\u0027t start because registries service won\u0027t start (BZ#1812505)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:1230",
"url": "https://access.redhat.com/errata/RHSA-2020:1230"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1752775",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1752775"
},
{
"category": "external",
"summary": "1754905",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1754905"
},
{
"category": "external",
"summary": "1795838",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1795838"
},
{
"category": "external",
"summary": "1812505",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1812505"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_1230.json"
}
],
"title": "Red Hat Security Advisory: skopeo security and bug fix update",
"tracking": {
"current_release_date": "2026-02-27T06:51:21+00:00",
"generator": {
"date": "2026-02-27T06:51:21+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.1"
}
},
"id": "RHSA-2020:1230",
"initial_release_date": "2020-04-01T00:26:07+00:00",
"revision_history": [
{
"date": "2020-04-01T00:26:07+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-04-01T00:26:07+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-02-27T06:51:21+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux 7 Extras",
"product": {
"name": "Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_extras_other:7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux 7 Extras",
"product": {
"name": "Red Hat Enterprise Linux 7 Extras",
"product_id": "7Workstation-EXTRAS-7.8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_extras_other:7"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux Extras"
},
{
"branches": [
{
"category": "product_version",
"name": "containers-common-1:0.1.40-7.el7_8.x86_64",
"product": {
"name": "containers-common-1:0.1.40-7.el7_8.x86_64",
"product_id": "containers-common-1:0.1.40-7.el7_8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/containers-common@0.1.40-7.el7_8?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "skopeo-1:0.1.40-7.el7_8.x86_64",
"product": {
"name": "skopeo-1:0.1.40-7.el7_8.x86_64",
"product_id": "skopeo-1:0.1.40-7.el7_8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/skopeo@0.1.40-7.el7_8?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "skopeo-debuginfo-1:0.1.40-7.el7_8.x86_64",
"product": {
"name": "skopeo-debuginfo-1:0.1.40-7.el7_8.x86_64",
"product_id": "skopeo-debuginfo-1:0.1.40-7.el7_8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/skopeo-debuginfo@0.1.40-7.el7_8?arch=x86_64\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "skopeo-1:0.1.40-7.el7_8.src",
"product": {
"name": "skopeo-1:0.1.40-7.el7_8.src",
"product_id": "skopeo-1:0.1.40-7.el7_8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/skopeo@0.1.40-7.el7_8?arch=src\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "containers-common-1:0.1.40-7.el7_8.ppc64le",
"product": {
"name": "containers-common-1:0.1.40-7.el7_8.ppc64le",
"product_id": "containers-common-1:0.1.40-7.el7_8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/containers-common@0.1.40-7.el7_8?arch=ppc64le\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "skopeo-1:0.1.40-7.el7_8.ppc64le",
"product": {
"name": "skopeo-1:0.1.40-7.el7_8.ppc64le",
"product_id": "skopeo-1:0.1.40-7.el7_8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/skopeo@0.1.40-7.el7_8?arch=ppc64le\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "skopeo-debuginfo-1:0.1.40-7.el7_8.ppc64le",
"product": {
"name": "skopeo-debuginfo-1:0.1.40-7.el7_8.ppc64le",
"product_id": "skopeo-debuginfo-1:0.1.40-7.el7_8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/skopeo-debuginfo@0.1.40-7.el7_8?arch=ppc64le\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "containers-common-1:0.1.40-7.el7_8.s390x",
"product": {
"name": "containers-common-1:0.1.40-7.el7_8.s390x",
"product_id": "containers-common-1:0.1.40-7.el7_8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/containers-common@0.1.40-7.el7_8?arch=s390x\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "skopeo-1:0.1.40-7.el7_8.s390x",
"product": {
"name": "skopeo-1:0.1.40-7.el7_8.s390x",
"product_id": "skopeo-1:0.1.40-7.el7_8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/skopeo@0.1.40-7.el7_8?arch=s390x\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "skopeo-debuginfo-1:0.1.40-7.el7_8.s390x",
"product": {
"name": "skopeo-debuginfo-1:0.1.40-7.el7_8.s390x",
"product_id": "skopeo-debuginfo-1:0.1.40-7.el7_8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/skopeo-debuginfo@0.1.40-7.el7_8?arch=s390x\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "containers-common-1:0.1.40-7.el7_8.ppc64le as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.ppc64le"
},
"product_reference": "containers-common-1:0.1.40-7.el7_8.ppc64le",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containers-common-1:0.1.40-7.el7_8.s390x as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.s390x"
},
"product_reference": "containers-common-1:0.1.40-7.el7_8.s390x",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containers-common-1:0.1.40-7.el7_8.x86_64 as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.x86_64"
},
"product_reference": "containers-common-1:0.1.40-7.el7_8.x86_64",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "skopeo-1:0.1.40-7.el7_8.ppc64le as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.ppc64le"
},
"product_reference": "skopeo-1:0.1.40-7.el7_8.ppc64le",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "skopeo-1:0.1.40-7.el7_8.s390x as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.s390x"
},
"product_reference": "skopeo-1:0.1.40-7.el7_8.s390x",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "skopeo-1:0.1.40-7.el7_8.src as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.src"
},
"product_reference": "skopeo-1:0.1.40-7.el7_8.src",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "skopeo-1:0.1.40-7.el7_8.x86_64 as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.x86_64"
},
"product_reference": "skopeo-1:0.1.40-7.el7_8.x86_64",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "skopeo-debuginfo-1:0.1.40-7.el7_8.ppc64le as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.ppc64le"
},
"product_reference": "skopeo-debuginfo-1:0.1.40-7.el7_8.ppc64le",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "skopeo-debuginfo-1:0.1.40-7.el7_8.s390x as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.s390x"
},
"product_reference": "skopeo-debuginfo-1:0.1.40-7.el7_8.s390x",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "skopeo-debuginfo-1:0.1.40-7.el7_8.x86_64 as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.x86_64"
},
"product_reference": "skopeo-debuginfo-1:0.1.40-7.el7_8.x86_64",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containers-common-1:0.1.40-7.el7_8.ppc64le as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Workstation-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.ppc64le"
},
"product_reference": "containers-common-1:0.1.40-7.el7_8.ppc64le",
"relates_to_product_reference": "7Workstation-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containers-common-1:0.1.40-7.el7_8.s390x as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Workstation-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.s390x"
},
"product_reference": "containers-common-1:0.1.40-7.el7_8.s390x",
"relates_to_product_reference": "7Workstation-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containers-common-1:0.1.40-7.el7_8.x86_64 as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Workstation-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.x86_64"
},
"product_reference": "containers-common-1:0.1.40-7.el7_8.x86_64",
"relates_to_product_reference": "7Workstation-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "skopeo-1:0.1.40-7.el7_8.ppc64le as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Workstation-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.ppc64le"
},
"product_reference": "skopeo-1:0.1.40-7.el7_8.ppc64le",
"relates_to_product_reference": "7Workstation-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "skopeo-1:0.1.40-7.el7_8.s390x as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Workstation-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.s390x"
},
"product_reference": "skopeo-1:0.1.40-7.el7_8.s390x",
"relates_to_product_reference": "7Workstation-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "skopeo-1:0.1.40-7.el7_8.src as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Workstation-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.src"
},
"product_reference": "skopeo-1:0.1.40-7.el7_8.src",
"relates_to_product_reference": "7Workstation-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "skopeo-1:0.1.40-7.el7_8.x86_64 as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Workstation-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.x86_64"
},
"product_reference": "skopeo-1:0.1.40-7.el7_8.x86_64",
"relates_to_product_reference": "7Workstation-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "skopeo-debuginfo-1:0.1.40-7.el7_8.ppc64le as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Workstation-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.ppc64le"
},
"product_reference": "skopeo-debuginfo-1:0.1.40-7.el7_8.ppc64le",
"relates_to_product_reference": "7Workstation-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "skopeo-debuginfo-1:0.1.40-7.el7_8.s390x as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Workstation-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.s390x"
},
"product_reference": "skopeo-debuginfo-1:0.1.40-7.el7_8.s390x",
"relates_to_product_reference": "7Workstation-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "skopeo-debuginfo-1:0.1.40-7.el7_8.x86_64 as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Workstation-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.x86_64"
},
"product_reference": "skopeo-debuginfo-1:0.1.40-7.el7_8.x86_64",
"relates_to_product_reference": "7Workstation-EXTRAS-7.8"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-8945",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"discovery_date": "2020-01-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1795838"
}
],
"notes": [
{
"category": "description",
"text": "A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. An attacker could use this flaw to crash or cause potential code execution in Go applications that use this library, under certain conditions, during GPG signature verification.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "proglottis/gpgme: Use-after-free in GPGME bindings during container image pull",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 consumes updates for podman from the RHEL-7 extras channel, hence why it has been marked as wontfix in this instance.\n\nAfter extensive testing of the mentioned vulnerability Red Hat has chosen a severity of Moderate instead of High, because the deallocation of GPGME objects while other parts of code are still using it, the vulnerability can only result in a crash and cannot be used to execute code in any feasible manner, moreover the vulnerability only results in crash if finalizers are called to clean up variables while objects are still being used by the underlying C code. Given the inherent attack complexity being high and the exploitability of the vulnerability limited to a crash, Moderate severity seems adequate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.ppc64le",
"7Server-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.s390x",
"7Server-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.x86_64",
"7Server-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.ppc64le",
"7Server-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.s390x",
"7Server-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.src",
"7Server-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.x86_64",
"7Server-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.ppc64le",
"7Server-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.s390x",
"7Server-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.x86_64",
"7Workstation-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.ppc64le",
"7Workstation-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.s390x",
"7Workstation-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.x86_64",
"7Workstation-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.ppc64le",
"7Workstation-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.s390x",
"7Workstation-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.src",
"7Workstation-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.x86_64",
"7Workstation-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.ppc64le",
"7Workstation-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.s390x",
"7Workstation-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-8945"
},
{
"category": "external",
"summary": "RHBZ#1795838",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1795838"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-8945",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8945"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8945",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8945"
}
],
"release_date": "2020-01-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-04-01T00:26:07+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.ppc64le",
"7Server-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.s390x",
"7Server-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.x86_64",
"7Server-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.ppc64le",
"7Server-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.s390x",
"7Server-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.src",
"7Server-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.x86_64",
"7Server-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.ppc64le",
"7Server-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.s390x",
"7Server-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.x86_64",
"7Workstation-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.ppc64le",
"7Workstation-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.s390x",
"7Workstation-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.x86_64",
"7Workstation-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.ppc64le",
"7Workstation-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.s390x",
"7Workstation-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.src",
"7Workstation-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.x86_64",
"7Workstation-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.ppc64le",
"7Workstation-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.s390x",
"7Workstation-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:1230"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.ppc64le",
"7Server-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.s390x",
"7Server-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.x86_64",
"7Server-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.ppc64le",
"7Server-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.s390x",
"7Server-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.src",
"7Server-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.x86_64",
"7Server-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.ppc64le",
"7Server-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.s390x",
"7Server-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.x86_64",
"7Workstation-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.ppc64le",
"7Workstation-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.s390x",
"7Workstation-EXTRAS-7.8:containers-common-1:0.1.40-7.el7_8.x86_64",
"7Workstation-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.ppc64le",
"7Workstation-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.s390x",
"7Workstation-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.src",
"7Workstation-EXTRAS-7.8:skopeo-1:0.1.40-7.el7_8.x86_64",
"7Workstation-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.ppc64le",
"7Workstation-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.s390x",
"7Workstation-EXTRAS-7.8:skopeo-debuginfo-1:0.1.40-7.el7_8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "proglottis/gpgme: Use-after-free in GPGME bindings during container image pull"
}
]
}
RHSA-2020:1231
Vulnerability from csaf_redhat - Published: 2020-04-01 00:26 - Updated: 2026-02-27 06:51Summary
Red Hat Security Advisory: buildah security and bug fix update
Severity
Moderate
Notes
Topic: An update for buildah is now available for Red Hat Enterprise Linux 7 Extras.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to:
* Create a working container, either from scratch or using an image as a starting point.
* Create an image, either from a working container or using the instructions in a Dockerfile.
* Build both Docker and OCI images.
Security Fix(es):
* proglottis/gpgme: Use-after-free in GPGME bindings during container image pull (CVE-2020-8945)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* rootless buildah does not work with UID in /etc/subuid (BZ#1765469)
* Extras RHEL-7.8 update - buildah (BZ#1791286)
* buildah should be linked against gpgme-pthread (BZ#1793074)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. An attacker could use this flaw to crash or cause potential code execution in Go applications that use this library, under certain conditions, during GPG signature verification.
7.5 (High)
Affected products
Fixed
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
10 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for buildah is now available for Red Hat Enterprise Linux 7 Extras.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to:\n* Create a working container, either from scratch or using an image as a starting point.\n* Create an image, either from a working container or using the instructions in a Dockerfile.\n* Build both Docker and OCI images.\n\nSecurity Fix(es):\n\n* proglottis/gpgme: Use-after-free in GPGME bindings during container image pull (CVE-2020-8945)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* rootless buildah does not work with UID in /etc/subuid (BZ#1765469)\n\n* Extras RHEL-7.8 update - buildah (BZ#1791286)\n\n* buildah should be linked against gpgme-pthread (BZ#1793074)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:1231",
"url": "https://access.redhat.com/errata/RHSA-2020:1231"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1765469",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1765469"
},
{
"category": "external",
"summary": "1791286",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1791286"
},
{
"category": "external",
"summary": "1795838",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1795838"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_1231.json"
}
],
"title": "Red Hat Security Advisory: buildah security and bug fix update",
"tracking": {
"current_release_date": "2026-02-27T06:51:24+00:00",
"generator": {
"date": "2026-02-27T06:51:24+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.1"
}
},
"id": "RHSA-2020:1231",
"initial_release_date": "2020-04-01T00:26:19+00:00",
"revision_history": [
{
"date": "2020-04-01T00:26:19+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-04-01T00:26:19+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-02-27T06:51:24+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux 7 Extras",
"product": {
"name": "Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_extras_other:7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux 7 Extras",
"product": {
"name": "Red Hat Enterprise Linux 7 Extras",
"product_id": "7Workstation-EXTRAS-7.8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_extras_other:7"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux Extras"
},
{
"branches": [
{
"category": "product_version",
"name": "buildah-0:1.11.6-8.el7_8.x86_64",
"product": {
"name": "buildah-0:1.11.6-8.el7_8.x86_64",
"product_id": "buildah-0:1.11.6-8.el7_8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/buildah@1.11.6-8.el7_8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "buildah-debuginfo-0:1.11.6-8.el7_8.x86_64",
"product": {
"name": "buildah-debuginfo-0:1.11.6-8.el7_8.x86_64",
"product_id": "buildah-debuginfo-0:1.11.6-8.el7_8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/buildah-debuginfo@1.11.6-8.el7_8?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "buildah-0:1.11.6-8.el7_8.src",
"product": {
"name": "buildah-0:1.11.6-8.el7_8.src",
"product_id": "buildah-0:1.11.6-8.el7_8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/buildah@1.11.6-8.el7_8?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "buildah-0:1.11.6-8.el7_8.ppc64le",
"product": {
"name": "buildah-0:1.11.6-8.el7_8.ppc64le",
"product_id": "buildah-0:1.11.6-8.el7_8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/buildah@1.11.6-8.el7_8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "buildah-debuginfo-0:1.11.6-8.el7_8.ppc64le",
"product": {
"name": "buildah-debuginfo-0:1.11.6-8.el7_8.ppc64le",
"product_id": "buildah-debuginfo-0:1.11.6-8.el7_8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/buildah-debuginfo@1.11.6-8.el7_8?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "buildah-0:1.11.6-8.el7_8.s390x",
"product": {
"name": "buildah-0:1.11.6-8.el7_8.s390x",
"product_id": "buildah-0:1.11.6-8.el7_8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/buildah@1.11.6-8.el7_8?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "buildah-debuginfo-0:1.11.6-8.el7_8.s390x",
"product": {
"name": "buildah-debuginfo-0:1.11.6-8.el7_8.s390x",
"product_id": "buildah-debuginfo-0:1.11.6-8.el7_8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/buildah-debuginfo@1.11.6-8.el7_8?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-0:1.11.6-8.el7_8.ppc64le as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.ppc64le"
},
"product_reference": "buildah-0:1.11.6-8.el7_8.ppc64le",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-0:1.11.6-8.el7_8.s390x as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.s390x"
},
"product_reference": "buildah-0:1.11.6-8.el7_8.s390x",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-0:1.11.6-8.el7_8.src as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.src"
},
"product_reference": "buildah-0:1.11.6-8.el7_8.src",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-0:1.11.6-8.el7_8.x86_64 as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.x86_64"
},
"product_reference": "buildah-0:1.11.6-8.el7_8.x86_64",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-debuginfo-0:1.11.6-8.el7_8.ppc64le as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.ppc64le"
},
"product_reference": "buildah-debuginfo-0:1.11.6-8.el7_8.ppc64le",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-debuginfo-0:1.11.6-8.el7_8.s390x as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.s390x"
},
"product_reference": "buildah-debuginfo-0:1.11.6-8.el7_8.s390x",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-debuginfo-0:1.11.6-8.el7_8.x86_64 as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.x86_64"
},
"product_reference": "buildah-debuginfo-0:1.11.6-8.el7_8.x86_64",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-0:1.11.6-8.el7_8.ppc64le as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Workstation-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.ppc64le"
},
"product_reference": "buildah-0:1.11.6-8.el7_8.ppc64le",
"relates_to_product_reference": "7Workstation-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-0:1.11.6-8.el7_8.s390x as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Workstation-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.s390x"
},
"product_reference": "buildah-0:1.11.6-8.el7_8.s390x",
"relates_to_product_reference": "7Workstation-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-0:1.11.6-8.el7_8.src as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Workstation-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.src"
},
"product_reference": "buildah-0:1.11.6-8.el7_8.src",
"relates_to_product_reference": "7Workstation-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-0:1.11.6-8.el7_8.x86_64 as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Workstation-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.x86_64"
},
"product_reference": "buildah-0:1.11.6-8.el7_8.x86_64",
"relates_to_product_reference": "7Workstation-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-debuginfo-0:1.11.6-8.el7_8.ppc64le as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Workstation-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.ppc64le"
},
"product_reference": "buildah-debuginfo-0:1.11.6-8.el7_8.ppc64le",
"relates_to_product_reference": "7Workstation-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-debuginfo-0:1.11.6-8.el7_8.s390x as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Workstation-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.s390x"
},
"product_reference": "buildah-debuginfo-0:1.11.6-8.el7_8.s390x",
"relates_to_product_reference": "7Workstation-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-debuginfo-0:1.11.6-8.el7_8.x86_64 as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Workstation-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.x86_64"
},
"product_reference": "buildah-debuginfo-0:1.11.6-8.el7_8.x86_64",
"relates_to_product_reference": "7Workstation-EXTRAS-7.8"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-8945",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"discovery_date": "2020-01-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1795838"
}
],
"notes": [
{
"category": "description",
"text": "A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. An attacker could use this flaw to crash or cause potential code execution in Go applications that use this library, under certain conditions, during GPG signature verification.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "proglottis/gpgme: Use-after-free in GPGME bindings during container image pull",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 consumes updates for podman from the RHEL-7 extras channel, hence why it has been marked as wontfix in this instance.\n\nAfter extensive testing of the mentioned vulnerability Red Hat has chosen a severity of Moderate instead of High, because the deallocation of GPGME objects while other parts of code are still using it, the vulnerability can only result in a crash and cannot be used to execute code in any feasible manner, moreover the vulnerability only results in crash if finalizers are called to clean up variables while objects are still being used by the underlying C code. Given the inherent attack complexity being high and the exploitability of the vulnerability limited to a crash, Moderate severity seems adequate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.ppc64le",
"7Server-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.s390x",
"7Server-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.src",
"7Server-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.x86_64",
"7Server-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.ppc64le",
"7Server-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.s390x",
"7Server-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.x86_64",
"7Workstation-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.ppc64le",
"7Workstation-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.s390x",
"7Workstation-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.src",
"7Workstation-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.x86_64",
"7Workstation-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.ppc64le",
"7Workstation-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.s390x",
"7Workstation-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-8945"
},
{
"category": "external",
"summary": "RHBZ#1795838",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1795838"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-8945",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8945"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8945",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8945"
}
],
"release_date": "2020-01-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-04-01T00:26:19+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.ppc64le",
"7Server-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.s390x",
"7Server-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.src",
"7Server-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.x86_64",
"7Server-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.ppc64le",
"7Server-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.s390x",
"7Server-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.x86_64",
"7Workstation-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.ppc64le",
"7Workstation-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.s390x",
"7Workstation-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.src",
"7Workstation-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.x86_64",
"7Workstation-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.ppc64le",
"7Workstation-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.s390x",
"7Workstation-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:1231"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.ppc64le",
"7Server-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.s390x",
"7Server-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.src",
"7Server-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.x86_64",
"7Server-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.ppc64le",
"7Server-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.s390x",
"7Server-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.x86_64",
"7Workstation-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.ppc64le",
"7Workstation-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.s390x",
"7Workstation-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.src",
"7Workstation-EXTRAS-7.8:buildah-0:1.11.6-8.el7_8.x86_64",
"7Workstation-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.ppc64le",
"7Workstation-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.s390x",
"7Workstation-EXTRAS-7.8:buildah-debuginfo-0:1.11.6-8.el7_8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "proglottis/gpgme: Use-after-free in GPGME bindings during container image pull"
}
]
}
RHSA-2020:1234
Vulnerability from csaf_redhat - Published: 2020-04-01 00:26 - Updated: 2026-03-03 16:25Summary
Red Hat Security Advisory: docker security and bug fix update
Severity
Moderate
Notes
Topic: An update for docker is now available for Red Hat Enterprise Linux 7 Extras.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Docker is an open-source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that runs virtually anywhere.
Security Fix(es):
* runc: AppArmor/SELinux bypass with malicious image that specifies a volume at /proc (CVE-2019-16884)
* proglottis/gpgme: Use-after-free in GPGME bindings during container image pull (CVE-2020-8945)
* containers/image: Container images read entire image manifest into memory (CVE-2020-1702)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* Whitelist statx(2) in docker (BZ#1784228)
* Upgrading docker resulting into increase Systemd logs (BZ#1791870)
* docker should be linked against gpgme-pthread (BZ#1792243)
* docker cannot be updated to 108 on rhos13 as a container fails to start with "pivot_root invalid argument" error. (BZ#1795376)
* OVS pods are unable to stop when running under docker version 1.13.1-108 (BZ#1796451)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.
6.5 (Medium)
Affected products
Fixed
28 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A malicious container image can consume an unbounded amount of memory when being pulled to a container runtime host, such as Red Hat Enterprise Linux using podman, or OpenShift Container Platform. An attacker can use this flaw to trick a user, with privileges to pull container images, into crashing the process responsible for pulling the image.
CWE-400 - Uncontrolled Resource ConsumptionAffected products
Fixed
28 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Low
A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. An attacker could use this flaw to crash or cause potential code execution in Go applications that use this library, under certain conditions, during GPG signature verification.
7.5 (High)
Affected products
Fixed
28 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
21 references
Acknowledgments
Red Hat
Oleg Bulatov
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for docker is now available for Red Hat Enterprise Linux 7 Extras.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Docker is an open-source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that runs virtually anywhere. \n\nSecurity Fix(es):\n\n* runc: AppArmor/SELinux bypass with malicious image that specifies a volume at /proc (CVE-2019-16884)\n\n* proglottis/gpgme: Use-after-free in GPGME bindings during container image pull (CVE-2020-8945)\n\n* containers/image: Container images read entire image manifest into memory (CVE-2020-1702)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* Whitelist statx(2) in docker (BZ#1784228)\n\n* Upgrading docker resulting into increase Systemd logs (BZ#1791870)\n\n* docker should be linked against gpgme-pthread (BZ#1792243)\n\n* docker cannot be updated to 108 on rhos13 as a container fails to start with \"pivot_root invalid argument\" error. (BZ#1795376)\n\n* OVS pods are unable to stop when running under docker version 1.13.1-108 (BZ#1796451)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:1234",
"url": "https://access.redhat.com/errata/RHSA-2020:1234"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1757214",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1757214"
},
{
"category": "external",
"summary": "1784228",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1784228"
},
{
"category": "external",
"summary": "1792796",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1792796"
},
{
"category": "external",
"summary": "1795376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1795376"
},
{
"category": "external",
"summary": "1795838",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1795838"
},
{
"category": "external",
"summary": "1796451",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1796451"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_1234.json"
}
],
"title": "Red Hat Security Advisory: docker security and bug fix update",
"tracking": {
"current_release_date": "2026-03-03T16:25:23+00:00",
"generator": {
"date": "2026-03-03T16:25:23+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.2"
}
},
"id": "RHSA-2020:1234",
"initial_release_date": "2020-04-01T00:26:32+00:00",
"revision_history": [
{
"date": "2020-04-01T00:26:32+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-04-01T00:26:32+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-03T16:25:23+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux 7 Extras",
"product": {
"name": "Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_extras_other:7"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux Extras"
},
{
"branches": [
{
"category": "product_version",
"name": "docker-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"product": {
"name": "docker-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"product_id": "docker-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker@1.13.1-161.git64e9980.el7_8?arch=ppc64le\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "docker-client-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"product": {
"name": "docker-client-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"product_id": "docker-client-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker-client@1.13.1-161.git64e9980.el7_8?arch=ppc64le\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "docker-common-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"product": {
"name": "docker-common-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"product_id": "docker-common-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker-common@1.13.1-161.git64e9980.el7_8?arch=ppc64le\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "docker-logrotate-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"product": {
"name": "docker-logrotate-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"product_id": "docker-logrotate-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker-logrotate@1.13.1-161.git64e9980.el7_8?arch=ppc64le\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"product": {
"name": "docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"product_id": "docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker-lvm-plugin@1.13.1-161.git64e9980.el7_8?arch=ppc64le\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"product": {
"name": "docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"product_id": "docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker-novolume-plugin@1.13.1-161.git64e9980.el7_8?arch=ppc64le\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"product": {
"name": "docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"product_id": "docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker-rhel-push-plugin@1.13.1-161.git64e9980.el7_8?arch=ppc64le\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"product": {
"name": "docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"product_id": "docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker-v1.10-migrator@1.13.1-161.git64e9980.el7_8?arch=ppc64le\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"product": {
"name": "docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"product_id": "docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker-debuginfo@1.13.1-161.git64e9980.el7_8?arch=ppc64le\u0026epoch=2"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "docker-2:1.13.1-161.git64e9980.el7_8.s390x",
"product": {
"name": "docker-2:1.13.1-161.git64e9980.el7_8.s390x",
"product_id": "docker-2:1.13.1-161.git64e9980.el7_8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker@1.13.1-161.git64e9980.el7_8?arch=s390x\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "docker-client-2:1.13.1-161.git64e9980.el7_8.s390x",
"product": {
"name": "docker-client-2:1.13.1-161.git64e9980.el7_8.s390x",
"product_id": "docker-client-2:1.13.1-161.git64e9980.el7_8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker-client@1.13.1-161.git64e9980.el7_8?arch=s390x\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "docker-common-2:1.13.1-161.git64e9980.el7_8.s390x",
"product": {
"name": "docker-common-2:1.13.1-161.git64e9980.el7_8.s390x",
"product_id": "docker-common-2:1.13.1-161.git64e9980.el7_8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker-common@1.13.1-161.git64e9980.el7_8?arch=s390x\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "docker-logrotate-2:1.13.1-161.git64e9980.el7_8.s390x",
"product": {
"name": "docker-logrotate-2:1.13.1-161.git64e9980.el7_8.s390x",
"product_id": "docker-logrotate-2:1.13.1-161.git64e9980.el7_8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker-logrotate@1.13.1-161.git64e9980.el7_8?arch=s390x\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"product": {
"name": "docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"product_id": "docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker-lvm-plugin@1.13.1-161.git64e9980.el7_8?arch=s390x\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"product": {
"name": "docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"product_id": "docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker-novolume-plugin@1.13.1-161.git64e9980.el7_8?arch=s390x\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"product": {
"name": "docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"product_id": "docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker-rhel-push-plugin@1.13.1-161.git64e9980.el7_8?arch=s390x\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.s390x",
"product": {
"name": "docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.s390x",
"product_id": "docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker-v1.10-migrator@1.13.1-161.git64e9980.el7_8?arch=s390x\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.s390x",
"product": {
"name": "docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.s390x",
"product_id": "docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker-debuginfo@1.13.1-161.git64e9980.el7_8?arch=s390x\u0026epoch=2"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "docker-2:1.13.1-161.git64e9980.el7_8.x86_64",
"product": {
"name": "docker-2:1.13.1-161.git64e9980.el7_8.x86_64",
"product_id": "docker-2:1.13.1-161.git64e9980.el7_8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker@1.13.1-161.git64e9980.el7_8?arch=x86_64\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "docker-client-2:1.13.1-161.git64e9980.el7_8.x86_64",
"product": {
"name": "docker-client-2:1.13.1-161.git64e9980.el7_8.x86_64",
"product_id": "docker-client-2:1.13.1-161.git64e9980.el7_8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker-client@1.13.1-161.git64e9980.el7_8?arch=x86_64\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "docker-common-2:1.13.1-161.git64e9980.el7_8.x86_64",
"product": {
"name": "docker-common-2:1.13.1-161.git64e9980.el7_8.x86_64",
"product_id": "docker-common-2:1.13.1-161.git64e9980.el7_8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker-common@1.13.1-161.git64e9980.el7_8?arch=x86_64\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "docker-logrotate-2:1.13.1-161.git64e9980.el7_8.x86_64",
"product": {
"name": "docker-logrotate-2:1.13.1-161.git64e9980.el7_8.x86_64",
"product_id": "docker-logrotate-2:1.13.1-161.git64e9980.el7_8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker-logrotate@1.13.1-161.git64e9980.el7_8?arch=x86_64\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"product": {
"name": "docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"product_id": "docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker-lvm-plugin@1.13.1-161.git64e9980.el7_8?arch=x86_64\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"product": {
"name": "docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"product_id": "docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker-novolume-plugin@1.13.1-161.git64e9980.el7_8?arch=x86_64\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"product": {
"name": "docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"product_id": "docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker-rhel-push-plugin@1.13.1-161.git64e9980.el7_8?arch=x86_64\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.x86_64",
"product": {
"name": "docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.x86_64",
"product_id": "docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker-v1.10-migrator@1.13.1-161.git64e9980.el7_8?arch=x86_64\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.x86_64",
"product": {
"name": "docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.x86_64",
"product_id": "docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker-debuginfo@1.13.1-161.git64e9980.el7_8?arch=x86_64\u0026epoch=2"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "docker-2:1.13.1-161.git64e9980.el7_8.src",
"product": {
"name": "docker-2:1.13.1-161.git64e9980.el7_8.src",
"product_id": "docker-2:1.13.1-161.git64e9980.el7_8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker@1.13.1-161.git64e9980.el7_8?arch=src\u0026epoch=2"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-2:1.13.1-161.git64e9980.el7_8.ppc64le as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.ppc64le"
},
"product_reference": "docker-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-2:1.13.1-161.git64e9980.el7_8.s390x as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.s390x"
},
"product_reference": "docker-2:1.13.1-161.git64e9980.el7_8.s390x",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-2:1.13.1-161.git64e9980.el7_8.src as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.src"
},
"product_reference": "docker-2:1.13.1-161.git64e9980.el7_8.src",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-2:1.13.1-161.git64e9980.el7_8.x86_64 as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.x86_64"
},
"product_reference": "docker-2:1.13.1-161.git64e9980.el7_8.x86_64",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-client-2:1.13.1-161.git64e9980.el7_8.ppc64le as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.ppc64le"
},
"product_reference": "docker-client-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-client-2:1.13.1-161.git64e9980.el7_8.s390x as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.s390x"
},
"product_reference": "docker-client-2:1.13.1-161.git64e9980.el7_8.s390x",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-client-2:1.13.1-161.git64e9980.el7_8.x86_64 as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.x86_64"
},
"product_reference": "docker-client-2:1.13.1-161.git64e9980.el7_8.x86_64",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-common-2:1.13.1-161.git64e9980.el7_8.ppc64le as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.ppc64le"
},
"product_reference": "docker-common-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-common-2:1.13.1-161.git64e9980.el7_8.s390x as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.s390x"
},
"product_reference": "docker-common-2:1.13.1-161.git64e9980.el7_8.s390x",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-common-2:1.13.1-161.git64e9980.el7_8.x86_64 as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.x86_64"
},
"product_reference": "docker-common-2:1.13.1-161.git64e9980.el7_8.x86_64",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.ppc64le as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.ppc64le"
},
"product_reference": "docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.s390x as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.s390x"
},
"product_reference": "docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.s390x",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.x86_64 as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.x86_64"
},
"product_reference": "docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.x86_64",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-logrotate-2:1.13.1-161.git64e9980.el7_8.ppc64le as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.ppc64le"
},
"product_reference": "docker-logrotate-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-logrotate-2:1.13.1-161.git64e9980.el7_8.s390x as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.s390x"
},
"product_reference": "docker-logrotate-2:1.13.1-161.git64e9980.el7_8.s390x",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-logrotate-2:1.13.1-161.git64e9980.el7_8.x86_64 as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.x86_64"
},
"product_reference": "docker-logrotate-2:1.13.1-161.git64e9980.el7_8.x86_64",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le"
},
"product_reference": "docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.s390x as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.s390x"
},
"product_reference": "docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64 as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64"
},
"product_reference": "docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le"
},
"product_reference": "docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.s390x as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.s390x"
},
"product_reference": "docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64 as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64"
},
"product_reference": "docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le"
},
"product_reference": "docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.s390x as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.s390x"
},
"product_reference": "docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64 as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64"
},
"product_reference": "docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.ppc64le as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.ppc64le"
},
"product_reference": "docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.s390x as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.s390x"
},
"product_reference": "docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.s390x",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.x86_64 as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.x86_64"
},
"product_reference": "docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.x86_64",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-16884",
"cwe": {
"id": "CWE-41",
"name": "Improper Resolution of Path Equivalence"
},
"discovery_date": "2019-09-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1757214"
}
],
"notes": [
{
"category": "description",
"text": "runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "runc: AppArmor/SELinux bypass with malicious image that specifies a volume at /proc",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The AppArmor security module is not supported by Red Hat, on the other hand the flaw also affects SELinux based distributions like Red Hat Enterprise Linux.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.src",
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-16884"
},
{
"category": "external",
"summary": "RHBZ#1757214",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1757214"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-16884",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-16884"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-16884",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16884"
}
],
"release_date": "2019-09-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-04-01T00:26:32+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.src",
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:1234"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.0"
},
"products": [
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.src",
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "runc: AppArmor/SELinux bypass with malicious image that specifies a volume at /proc"
},
{
"acknowledgments": [
{
"names": [
"Oleg Bulatov"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2020-1702",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2020-01-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1792796"
}
],
"notes": [
{
"category": "description",
"text": "A malicious container image can consume an unbounded amount of memory when being pulled to a container runtime host, such as Red Hat Enterprise Linux using podman, or OpenShift Container Platform. An attacker can use this flaw to trick a user, with privileges to pull container images, into crashing the process responsible for pulling the image.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "containers/image: Container images read entire image manifest into memory",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.src",
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-1702"
},
{
"category": "external",
"summary": "RHBZ#1792796",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1792796"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-1702",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1702"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1702",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1702"
}
],
"release_date": "2020-01-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-04-01T00:26:32+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.src",
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:1234"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.src",
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "containers/image: Container images read entire image manifest into memory"
},
{
"cve": "CVE-2020-8945",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"discovery_date": "2020-01-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1795838"
}
],
"notes": [
{
"category": "description",
"text": "A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. An attacker could use this flaw to crash or cause potential code execution in Go applications that use this library, under certain conditions, during GPG signature verification.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "proglottis/gpgme: Use-after-free in GPGME bindings during container image pull",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 consumes updates for podman from the RHEL-7 extras channel, hence why it has been marked as wontfix in this instance.\n\nAfter extensive testing of the mentioned vulnerability Red Hat has chosen a severity of Moderate instead of High, because the deallocation of GPGME objects while other parts of code are still using it, the vulnerability can only result in a crash and cannot be used to execute code in any feasible manner, moreover the vulnerability only results in crash if finalizers are called to clean up variables while objects are still being used by the underlying C code. Given the inherent attack complexity being high and the exploitability of the vulnerability limited to a crash, Moderate severity seems adequate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.src",
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-8945"
},
{
"category": "external",
"summary": "RHBZ#1795838",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1795838"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-8945",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8945"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8945",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8945"
}
],
"release_date": "2020-01-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-04-01T00:26:32+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.src",
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:1234"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.src",
"7Server-EXTRAS-7.8:docker-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-client-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-common-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-debuginfo-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-logrotate-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-lvm-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-novolume-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-rhel-push-plugin-2:1.13.1-161.git64e9980.el7_8.x86_64",
"7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.ppc64le",
"7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.s390x",
"7Server-EXTRAS-7.8:docker-v1.10-migrator-2:1.13.1-161.git64e9980.el7_8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "proglottis/gpgme: Use-after-free in GPGME bindings during container image pull"
}
]
}
RHSA-2020:1396
Vulnerability from csaf_redhat - Published: 2020-04-14 15:38 - Updated: 2026-03-04 04:49Summary
Red Hat Security Advisory: OpenShift Container Platform 4.3.12 podman security update
Severity
Low
Notes
Topic: An update for podman is now available for Red Hat OpenShift Container Platform 4.3.
Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: The podman tool manages Pods, container images, and containers. It is part of the libpod library, which is for applications that use container Pods. Container Pods is a concept in Kubernetes.
Security Fix(es):
* buildah: a crafted input tar file could overwrite local files during the image build process (CVE-2020-10696)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. An attacker could use this flaw to crash or cause potential code execution in Go applications that use this library, under certain conditions, during GPG signature verification.
7.5 (High)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.3:podman-0:1.6.4-10.rhaos4.3.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.3:podman-0:1.6.4-10.rhaos4.3.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.3:podman-debuginfo-0:1.6.4-10.rhaos4.3.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.3:podman-debugsource-0:1.6.4-10.rhaos4.3.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.3:podman-docker-0:1.6.4-10.rhaos4.3.el8.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.3:podman-manpages-0:1.6.4-10.rhaos4.3.el8.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.3:podman-remote-0:1.6.4-10.rhaos4.3.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.3:podman-remote-debuginfo-0:1.6.4-10.rhaos4.3.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.3:podman-tests-0:1.6.4-10.rhaos4.3.el8.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A path traversal flaw was found in Buildah. This flaw allows an attacker to trick a user into building a malicious container image hosted on an HTTP(s) server and then write files to the user's system anywhere that the user has permissions.
8.8 (High)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.3:podman-0:1.6.4-10.rhaos4.3.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.3:podman-0:1.6.4-10.rhaos4.3.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.3:podman-debuginfo-0:1.6.4-10.rhaos4.3.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.3:podman-debugsource-0:1.6.4-10.rhaos4.3.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.3:podman-docker-0:1.6.4-10.rhaos4.3.el8.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.3:podman-manpages-0:1.6.4-10.rhaos4.3.el8.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.3:podman-remote-0:1.6.4-10.rhaos4.3.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.3:podman-remote-debuginfo-0:1.6.4-10.rhaos4.3.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.3:podman-tests-0:1.6.4-10.rhaos4.3.el8.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Low
References
12 references
Acknowledgments
Erik Sjölund
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Low"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for podman is now available for Red Hat OpenShift Container Platform 4.3.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The podman tool manages Pods, container images, and containers. It is part of the libpod library, which is for applications that use container Pods. Container Pods is a concept in Kubernetes.\n\nSecurity Fix(es):\n\n* buildah: a crafted input tar file could overwrite local files during the image build process (CVE-2020-10696)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:1396",
"url": "https://access.redhat.com/errata/RHSA-2020:1396"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#low",
"url": "https://access.redhat.com/security/updates/classification/#low"
},
{
"category": "external",
"summary": "1817651",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1817651"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_1396.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.3.12 podman security update",
"tracking": {
"current_release_date": "2026-03-04T04:49:11+00:00",
"generator": {
"date": "2026-03-04T04:49:11+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.2"
}
},
"id": "RHSA-2020:1396",
"initial_release_date": "2020-04-14T15:38:54+00:00",
"revision_history": [
{
"date": "2020-04-14T15:38:54+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-04-14T15:38:54+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-04T04:49:11+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.3",
"product": {
"name": "Red Hat OpenShift Container Platform 4.3",
"product_id": "8Base-RHOSE-4.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.3::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "podman-0:1.6.4-10.rhaos4.3.el8.x86_64",
"product": {
"name": "podman-0:1.6.4-10.rhaos4.3.el8.x86_64",
"product_id": "podman-0:1.6.4-10.rhaos4.3.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman@1.6.4-10.rhaos4.3.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "podman-remote-0:1.6.4-10.rhaos4.3.el8.x86_64",
"product": {
"name": "podman-remote-0:1.6.4-10.rhaos4.3.el8.x86_64",
"product_id": "podman-remote-0:1.6.4-10.rhaos4.3.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-remote@1.6.4-10.rhaos4.3.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "podman-tests-0:1.6.4-10.rhaos4.3.el8.x86_64",
"product": {
"name": "podman-tests-0:1.6.4-10.rhaos4.3.el8.x86_64",
"product_id": "podman-tests-0:1.6.4-10.rhaos4.3.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-tests@1.6.4-10.rhaos4.3.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "podman-debugsource-0:1.6.4-10.rhaos4.3.el8.x86_64",
"product": {
"name": "podman-debugsource-0:1.6.4-10.rhaos4.3.el8.x86_64",
"product_id": "podman-debugsource-0:1.6.4-10.rhaos4.3.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-debugsource@1.6.4-10.rhaos4.3.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "podman-debuginfo-0:1.6.4-10.rhaos4.3.el8.x86_64",
"product": {
"name": "podman-debuginfo-0:1.6.4-10.rhaos4.3.el8.x86_64",
"product_id": "podman-debuginfo-0:1.6.4-10.rhaos4.3.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-debuginfo@1.6.4-10.rhaos4.3.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "podman-remote-debuginfo-0:1.6.4-10.rhaos4.3.el8.x86_64",
"product": {
"name": "podman-remote-debuginfo-0:1.6.4-10.rhaos4.3.el8.x86_64",
"product_id": "podman-remote-debuginfo-0:1.6.4-10.rhaos4.3.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-remote-debuginfo@1.6.4-10.rhaos4.3.el8?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "podman-0:1.6.4-10.rhaos4.3.el8.src",
"product": {
"name": "podman-0:1.6.4-10.rhaos4.3.el8.src",
"product_id": "podman-0:1.6.4-10.rhaos4.3.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman@1.6.4-10.rhaos4.3.el8?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "podman-docker-0:1.6.4-10.rhaos4.3.el8.noarch",
"product": {
"name": "podman-docker-0:1.6.4-10.rhaos4.3.el8.noarch",
"product_id": "podman-docker-0:1.6.4-10.rhaos4.3.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-docker@1.6.4-10.rhaos4.3.el8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "podman-manpages-0:1.6.4-10.rhaos4.3.el8.noarch",
"product": {
"name": "podman-manpages-0:1.6.4-10.rhaos4.3.el8.noarch",
"product_id": "podman-manpages-0:1.6.4-10.rhaos4.3.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-manpages@1.6.4-10.rhaos4.3.el8?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-0:1.6.4-10.rhaos4.3.el8.src as a component of Red Hat OpenShift Container Platform 4.3",
"product_id": "8Base-RHOSE-4.3:podman-0:1.6.4-10.rhaos4.3.el8.src"
},
"product_reference": "podman-0:1.6.4-10.rhaos4.3.el8.src",
"relates_to_product_reference": "8Base-RHOSE-4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-0:1.6.4-10.rhaos4.3.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.3",
"product_id": "8Base-RHOSE-4.3:podman-0:1.6.4-10.rhaos4.3.el8.x86_64"
},
"product_reference": "podman-0:1.6.4-10.rhaos4.3.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-debuginfo-0:1.6.4-10.rhaos4.3.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.3",
"product_id": "8Base-RHOSE-4.3:podman-debuginfo-0:1.6.4-10.rhaos4.3.el8.x86_64"
},
"product_reference": "podman-debuginfo-0:1.6.4-10.rhaos4.3.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-debugsource-0:1.6.4-10.rhaos4.3.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.3",
"product_id": "8Base-RHOSE-4.3:podman-debugsource-0:1.6.4-10.rhaos4.3.el8.x86_64"
},
"product_reference": "podman-debugsource-0:1.6.4-10.rhaos4.3.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-docker-0:1.6.4-10.rhaos4.3.el8.noarch as a component of Red Hat OpenShift Container Platform 4.3",
"product_id": "8Base-RHOSE-4.3:podman-docker-0:1.6.4-10.rhaos4.3.el8.noarch"
},
"product_reference": "podman-docker-0:1.6.4-10.rhaos4.3.el8.noarch",
"relates_to_product_reference": "8Base-RHOSE-4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-manpages-0:1.6.4-10.rhaos4.3.el8.noarch as a component of Red Hat OpenShift Container Platform 4.3",
"product_id": "8Base-RHOSE-4.3:podman-manpages-0:1.6.4-10.rhaos4.3.el8.noarch"
},
"product_reference": "podman-manpages-0:1.6.4-10.rhaos4.3.el8.noarch",
"relates_to_product_reference": "8Base-RHOSE-4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-remote-0:1.6.4-10.rhaos4.3.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.3",
"product_id": "8Base-RHOSE-4.3:podman-remote-0:1.6.4-10.rhaos4.3.el8.x86_64"
},
"product_reference": "podman-remote-0:1.6.4-10.rhaos4.3.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-remote-debuginfo-0:1.6.4-10.rhaos4.3.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.3",
"product_id": "8Base-RHOSE-4.3:podman-remote-debuginfo-0:1.6.4-10.rhaos4.3.el8.x86_64"
},
"product_reference": "podman-remote-debuginfo-0:1.6.4-10.rhaos4.3.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-tests-0:1.6.4-10.rhaos4.3.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.3",
"product_id": "8Base-RHOSE-4.3:podman-tests-0:1.6.4-10.rhaos4.3.el8.x86_64"
},
"product_reference": "podman-tests-0:1.6.4-10.rhaos4.3.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-8945",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"discovery_date": "2020-01-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1795838"
}
],
"notes": [
{
"category": "description",
"text": "A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. An attacker could use this flaw to crash or cause potential code execution in Go applications that use this library, under certain conditions, during GPG signature verification.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "proglottis/gpgme: Use-after-free in GPGME bindings during container image pull",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 consumes updates for podman from the RHEL-7 extras channel, hence why it has been marked as wontfix in this instance.\n\nAfter extensive testing of the mentioned vulnerability Red Hat has chosen a severity of Moderate instead of High, because the deallocation of GPGME objects while other parts of code are still using it, the vulnerability can only result in a crash and cannot be used to execute code in any feasible manner, moreover the vulnerability only results in crash if finalizers are called to clean up variables while objects are still being used by the underlying C code. Given the inherent attack complexity being high and the exploitability of the vulnerability limited to a crash, Moderate severity seems adequate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.3:podman-0:1.6.4-10.rhaos4.3.el8.src",
"8Base-RHOSE-4.3:podman-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-debuginfo-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-debugsource-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-docker-0:1.6.4-10.rhaos4.3.el8.noarch",
"8Base-RHOSE-4.3:podman-manpages-0:1.6.4-10.rhaos4.3.el8.noarch",
"8Base-RHOSE-4.3:podman-remote-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-remote-debuginfo-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-tests-0:1.6.4-10.rhaos4.3.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-8945"
},
{
"category": "external",
"summary": "RHBZ#1795838",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1795838"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-8945",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8945"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8945",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8945"
}
],
"release_date": "2020-01-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-04-14T15:38:54+00:00",
"details": "For OpenShift Container Platform 4.3 see the following documentation, which\nwill be updated shortly for release 4.3.12, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.3/release_notes/ocp-4-3-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.3/updating/updating-cluster-cli.html.",
"product_ids": [
"8Base-RHOSE-4.3:podman-0:1.6.4-10.rhaos4.3.el8.src",
"8Base-RHOSE-4.3:podman-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-debuginfo-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-debugsource-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-docker-0:1.6.4-10.rhaos4.3.el8.noarch",
"8Base-RHOSE-4.3:podman-manpages-0:1.6.4-10.rhaos4.3.el8.noarch",
"8Base-RHOSE-4.3:podman-remote-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-remote-debuginfo-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-tests-0:1.6.4-10.rhaos4.3.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:1396"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.3:podman-0:1.6.4-10.rhaos4.3.el8.src",
"8Base-RHOSE-4.3:podman-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-debuginfo-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-debugsource-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-docker-0:1.6.4-10.rhaos4.3.el8.noarch",
"8Base-RHOSE-4.3:podman-manpages-0:1.6.4-10.rhaos4.3.el8.noarch",
"8Base-RHOSE-4.3:podman-remote-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-remote-debuginfo-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-tests-0:1.6.4-10.rhaos4.3.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "proglottis/gpgme: Use-after-free in GPGME bindings during container image pull"
},
{
"acknowledgments": [
{
"names": [
"Erik Sj\u00f6lund"
]
}
],
"cve": "CVE-2020-10696",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2020-03-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1817651"
}
],
"notes": [
{
"category": "description",
"text": "A path traversal flaw was found in Buildah. This flaw allows an attacker to trick a user into building a malicious container image hosted on an HTTP(s) server and then write files to the user\u0027s system anywhere that the user has permissions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "buildah: Crafted input tar file may lead to local file overwrite during image build process",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "While OpenShift Container Platform does include the vulnerable buildah code, it doesn\u0027t make use of the vulnerable function. Podman is also included in OpenShift Container Platform, but it isn\u0027t used to perform a build, so it has been given a low impact rating.\n\nOpenShift Container Platform 3.11 now used podman from the RHEL Extra repository, and not the podman package shipped in the OpenShift 3.11 RPM repository. This issue is fixed in podman in RHEL Extras so we won\u0027t fix the podman package shipped in the OpenShift 3.11 RPM repository.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.3:podman-0:1.6.4-10.rhaos4.3.el8.src",
"8Base-RHOSE-4.3:podman-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-debuginfo-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-debugsource-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-docker-0:1.6.4-10.rhaos4.3.el8.noarch",
"8Base-RHOSE-4.3:podman-manpages-0:1.6.4-10.rhaos4.3.el8.noarch",
"8Base-RHOSE-4.3:podman-remote-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-remote-debuginfo-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-tests-0:1.6.4-10.rhaos4.3.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-10696"
},
{
"category": "external",
"summary": "RHBZ#1817651",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1817651"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-10696",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10696"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10696",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10696"
}
],
"release_date": "2020-03-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-04-14T15:38:54+00:00",
"details": "For OpenShift Container Platform 4.3 see the following documentation, which\nwill be updated shortly for release 4.3.12, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.3/release_notes/ocp-4-3-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.3/updating/updating-cluster-cli.html.",
"product_ids": [
"8Base-RHOSE-4.3:podman-0:1.6.4-10.rhaos4.3.el8.src",
"8Base-RHOSE-4.3:podman-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-debuginfo-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-debugsource-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-docker-0:1.6.4-10.rhaos4.3.el8.noarch",
"8Base-RHOSE-4.3:podman-manpages-0:1.6.4-10.rhaos4.3.el8.noarch",
"8Base-RHOSE-4.3:podman-remote-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-remote-debuginfo-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-tests-0:1.6.4-10.rhaos4.3.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:1396"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.3:podman-0:1.6.4-10.rhaos4.3.el8.src",
"8Base-RHOSE-4.3:podman-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-debuginfo-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-debugsource-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-docker-0:1.6.4-10.rhaos4.3.el8.noarch",
"8Base-RHOSE-4.3:podman-manpages-0:1.6.4-10.rhaos4.3.el8.noarch",
"8Base-RHOSE-4.3:podman-remote-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-remote-debuginfo-0:1.6.4-10.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:podman-tests-0:1.6.4-10.rhaos4.3.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "buildah: Crafted input tar file may lead to local file overwrite during image build process"
}
]
}
RHSA-2020:1402
Vulnerability from csaf_redhat - Published: 2020-04-14 12:46 - Updated: 2026-02-27 06:51Summary
Red Hat Security Advisory: OpenShift Container Platform 4.2.28 openshift-enterprise-builder-container security update
Severity
Moderate
Notes
Topic: An update for openshift-enterprise-builder-container is now available for Red Hat OpenShift Container Platform 4.2.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
Security Fix(es):
* proglottis/gpgme: Use-after-free in GPGME bindings during container image pull (CVE-2020-8945)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. An attacker could use this flaw to crash or cause potential code execution in Go applications that use this library, under certain conditions, during GPG signature verification.
7.5 (High)
Affected products
Fixed
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.2:openshift4/ose-docker-builder@sha256:1ab05850bc7900dc7f276671319f5b384e356750d50aad3300b0b9cf9194a6e0_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.2:openshift4/ose-docker-builder@sha256:6723ae0a3d83d8104d0fe388a0d9a3bb2cc8344cc16bdfcc1ff121df4657c9be_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for openshift-enterprise-builder-container is now available for Red Hat OpenShift Container Platform 4.2.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* proglottis/gpgme: Use-after-free in GPGME bindings during container image pull (CVE-2020-8945)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:1402",
"url": "https://access.redhat.com/errata/RHSA-2020:1402"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1795838",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1795838"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_1402.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.2.28 openshift-enterprise-builder-container security update",
"tracking": {
"current_release_date": "2026-02-27T06:51:35+00:00",
"generator": {
"date": "2026-02-27T06:51:35+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.1"
}
},
"id": "RHSA-2020:1402",
"initial_release_date": "2020-04-14T12:46:41+00:00",
"revision_history": [
{
"date": "2020-04-14T12:46:41+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-04-14T12:46:41+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-02-27T06:51:35+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.2",
"product": {
"name": "Red Hat OpenShift Container Platform 4.2",
"product_id": "7Server-RH7-RHOSE-4.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.2::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift4/ose-docker-builder@sha256:1ab05850bc7900dc7f276671319f5b384e356750d50aad3300b0b9cf9194a6e0_amd64",
"product": {
"name": "openshift4/ose-docker-builder@sha256:1ab05850bc7900dc7f276671319f5b384e356750d50aad3300b0b9cf9194a6e0_amd64",
"product_id": "openshift4/ose-docker-builder@sha256:1ab05850bc7900dc7f276671319f5b384e356750d50aad3300b0b9cf9194a6e0_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-docker-builder@sha256:1ab05850bc7900dc7f276671319f5b384e356750d50aad3300b0b9cf9194a6e0?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-docker-builder\u0026tag=v4.2.28-202004061218"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift4/ose-docker-builder@sha256:6723ae0a3d83d8104d0fe388a0d9a3bb2cc8344cc16bdfcc1ff121df4657c9be_s390x",
"product": {
"name": "openshift4/ose-docker-builder@sha256:6723ae0a3d83d8104d0fe388a0d9a3bb2cc8344cc16bdfcc1ff121df4657c9be_s390x",
"product_id": "openshift4/ose-docker-builder@sha256:6723ae0a3d83d8104d0fe388a0d9a3bb2cc8344cc16bdfcc1ff121df4657c9be_s390x",
"product_identification_helper": {
"purl": "pkg:oci/ose-docker-builder@sha256:6723ae0a3d83d8104d0fe388a0d9a3bb2cc8344cc16bdfcc1ff121df4657c9be?arch=s390x\u0026repository_url=registry.redhat.io/openshift4/ose-docker-builder\u0026tag=v4.2.28-202004061218"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-docker-builder@sha256:1ab05850bc7900dc7f276671319f5b384e356750d50aad3300b0b9cf9194a6e0_amd64 as a component of Red Hat OpenShift Container Platform 4.2",
"product_id": "7Server-RH7-RHOSE-4.2:openshift4/ose-docker-builder@sha256:1ab05850bc7900dc7f276671319f5b384e356750d50aad3300b0b9cf9194a6e0_amd64"
},
"product_reference": "openshift4/ose-docker-builder@sha256:1ab05850bc7900dc7f276671319f5b384e356750d50aad3300b0b9cf9194a6e0_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-docker-builder@sha256:6723ae0a3d83d8104d0fe388a0d9a3bb2cc8344cc16bdfcc1ff121df4657c9be_s390x as a component of Red Hat OpenShift Container Platform 4.2",
"product_id": "7Server-RH7-RHOSE-4.2:openshift4/ose-docker-builder@sha256:6723ae0a3d83d8104d0fe388a0d9a3bb2cc8344cc16bdfcc1ff121df4657c9be_s390x"
},
"product_reference": "openshift4/ose-docker-builder@sha256:6723ae0a3d83d8104d0fe388a0d9a3bb2cc8344cc16bdfcc1ff121df4657c9be_s390x",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-8945",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"discovery_date": "2020-01-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1795838"
}
],
"notes": [
{
"category": "description",
"text": "A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. An attacker could use this flaw to crash or cause potential code execution in Go applications that use this library, under certain conditions, during GPG signature verification.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "proglottis/gpgme: Use-after-free in GPGME bindings during container image pull",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 consumes updates for podman from the RHEL-7 extras channel, hence why it has been marked as wontfix in this instance.\n\nAfter extensive testing of the mentioned vulnerability Red Hat has chosen a severity of Moderate instead of High, because the deallocation of GPGME objects while other parts of code are still using it, the vulnerability can only result in a crash and cannot be used to execute code in any feasible manner, moreover the vulnerability only results in crash if finalizers are called to clean up variables while objects are still being used by the underlying C code. Given the inherent attack complexity being high and the exploitability of the vulnerability limited to a crash, Moderate severity seems adequate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.2:openshift4/ose-docker-builder@sha256:1ab05850bc7900dc7f276671319f5b384e356750d50aad3300b0b9cf9194a6e0_amd64",
"7Server-RH7-RHOSE-4.2:openshift4/ose-docker-builder@sha256:6723ae0a3d83d8104d0fe388a0d9a3bb2cc8344cc16bdfcc1ff121df4657c9be_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-8945"
},
{
"category": "external",
"summary": "RHBZ#1795838",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1795838"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-8945",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8945"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8945",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8945"
}
],
"release_date": "2020-01-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-04-14T12:46:41+00:00",
"details": "For OpenShift Container Platform 4.2 see the following documentation, which\nwill be updated shortly for release 4.2.28, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.2/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.2:openshift4/ose-docker-builder@sha256:1ab05850bc7900dc7f276671319f5b384e356750d50aad3300b0b9cf9194a6e0_amd64",
"7Server-RH7-RHOSE-4.2:openshift4/ose-docker-builder@sha256:6723ae0a3d83d8104d0fe388a0d9a3bb2cc8344cc16bdfcc1ff121df4657c9be_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:1402"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.2:openshift4/ose-docker-builder@sha256:1ab05850bc7900dc7f276671319f5b384e356750d50aad3300b0b9cf9194a6e0_amd64",
"7Server-RH7-RHOSE-4.2:openshift4/ose-docker-builder@sha256:6723ae0a3d83d8104d0fe388a0d9a3bb2cc8344cc16bdfcc1ff121df4657c9be_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "proglottis/gpgme: Use-after-free in GPGME bindings during container image pull"
}
]
}
RHSA-2020:1937
Vulnerability from csaf_redhat - Published: 2020-05-04 10:18 - Updated: 2026-03-03 16:25Summary
Red Hat Security Advisory: OpenShift Container Platform 4.4.3 cri-o security update
Severity
Moderate
Notes
Topic: An update for cri-o is now available for Red Hat OpenShift Container Platform 4.4.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
Security Fix(es):
* proglottis/gpgme: Use-after-free in GPGME bindings during container image pull (CVE-2020-8945)
* containers/image: Container images read entire image manifest into memory (CVE-2020-1702)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A malicious container image can consume an unbounded amount of memory when being pulled to a container runtime host, such as Red Hat Enterprise Linux using podman, or OpenShift Container Platform. An attacker can use this flaw to trick a user, with privileges to pull container images, into crashing the process responsible for pulling the image.
CWE-400 - Uncontrolled Resource ConsumptionAffected products
Fixed
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.4:cri-o-debuginfo-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.4:cri-o-debuginfo-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.4:cri-o-debugsource-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Low
A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. An attacker could use this flaw to crash or cause potential code execution in Go applications that use this library, under certain conditions, during GPG signature verification.
7.5 (High)
Affected products
Fixed
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.4:cri-o-debuginfo-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.4:cri-o-debuginfo-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.4:cri-o-debugsource-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
13 references
Acknowledgments
Red Hat
Oleg Bulatov
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for cri-o is now available for Red Hat OpenShift Container Platform 4.4.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* proglottis/gpgme: Use-after-free in GPGME bindings during container image pull (CVE-2020-8945)\n\n* containers/image: Container images read entire image manifest into memory (CVE-2020-1702)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:1937",
"url": "https://access.redhat.com/errata/RHSA-2020:1937"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1792796",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1792796"
},
{
"category": "external",
"summary": "1795838",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1795838"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_1937.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.4.3 cri-o security update",
"tracking": {
"current_release_date": "2026-03-03T16:25:24+00:00",
"generator": {
"date": "2026-03-03T16:25:24+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.2"
}
},
"id": "RHSA-2020:1937",
"initial_release_date": "2020-05-04T10:18:35+00:00",
"revision_history": [
{
"date": "2020-05-04T10:18:35+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-05-04T10:18:35+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-03T16:25:24+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.4",
"product": {
"name": "Red Hat OpenShift Container Platform 4.4",
"product_id": "8Base-RHOSE-4.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.4::el8"
}
}
},
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.4",
"product": {
"name": "Red Hat OpenShift Container Platform 4.4",
"product_id": "7Server-RH7-RHOSE-4.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.4::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64",
"product": {
"name": "cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64",
"product_id": "cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o@1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cri-o-debugsource-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64",
"product": {
"name": "cri-o-debugsource-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64",
"product_id": "cri-o-debugsource-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debugsource@1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cri-o-debuginfo-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64",
"product": {
"name": "cri-o-debuginfo-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64",
"product_id": "cri-o-debuginfo-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debuginfo@1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64",
"product": {
"name": "cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64",
"product_id": "cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o@1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cri-o-debuginfo-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64",
"product": {
"name": "cri-o-debuginfo-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64",
"product_id": "cri-o-debuginfo-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debuginfo@1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.src",
"product": {
"name": "cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.src",
"product_id": "cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o@1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.src",
"product": {
"name": "cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.src",
"product_id": "cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o@1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.src as a component of Red Hat OpenShift Container Platform 4.4",
"product_id": "7Server-RH7-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.src"
},
"product_reference": "cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.src",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.4",
"product_id": "7Server-RH7-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64"
},
"product_reference": "cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debuginfo-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.4",
"product_id": "7Server-RH7-RHOSE-4.4:cri-o-debuginfo-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64"
},
"product_reference": "cri-o-debuginfo-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.src as a component of Red Hat OpenShift Container Platform 4.4",
"product_id": "8Base-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.src"
},
"product_reference": "cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.src",
"relates_to_product_reference": "8Base-RHOSE-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.4",
"product_id": "8Base-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64"
},
"product_reference": "cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debuginfo-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.4",
"product_id": "8Base-RHOSE-4.4:cri-o-debuginfo-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64"
},
"product_reference": "cri-o-debuginfo-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debugsource-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.4",
"product_id": "8Base-RHOSE-4.4:cri-o-debugsource-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64"
},
"product_reference": "cri-o-debugsource-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.4"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Oleg Bulatov"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2020-1702",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2020-01-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1792796"
}
],
"notes": [
{
"category": "description",
"text": "A malicious container image can consume an unbounded amount of memory when being pulled to a container runtime host, such as Red Hat Enterprise Linux using podman, or OpenShift Container Platform. An attacker can use this flaw to trick a user, with privileges to pull container images, into crashing the process responsible for pulling the image.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "containers/image: Container images read entire image manifest into memory",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.src",
"7Server-RH7-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64",
"7Server-RH7-RHOSE-4.4:cri-o-debuginfo-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64",
"8Base-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.src",
"8Base-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64",
"8Base-RHOSE-4.4:cri-o-debuginfo-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64",
"8Base-RHOSE-4.4:cri-o-debugsource-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-1702"
},
{
"category": "external",
"summary": "RHBZ#1792796",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1792796"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-1702",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1702"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1702",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1702"
}
],
"release_date": "2020-01-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-05-04T10:18:35+00:00",
"details": "For OpenShift Container Platform 4.4 see the following documentation, which\nwill be updated shortly for release 4.4.3, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.4/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.src",
"7Server-RH7-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64",
"7Server-RH7-RHOSE-4.4:cri-o-debuginfo-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64",
"8Base-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.src",
"8Base-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64",
"8Base-RHOSE-4.4:cri-o-debuginfo-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64",
"8Base-RHOSE-4.4:cri-o-debugsource-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:1937"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.src",
"7Server-RH7-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64",
"7Server-RH7-RHOSE-4.4:cri-o-debuginfo-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64",
"8Base-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.src",
"8Base-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64",
"8Base-RHOSE-4.4:cri-o-debuginfo-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64",
"8Base-RHOSE-4.4:cri-o-debugsource-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "containers/image: Container images read entire image manifest into memory"
},
{
"cve": "CVE-2020-8945",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"discovery_date": "2020-01-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1795838"
}
],
"notes": [
{
"category": "description",
"text": "A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. An attacker could use this flaw to crash or cause potential code execution in Go applications that use this library, under certain conditions, during GPG signature verification.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "proglottis/gpgme: Use-after-free in GPGME bindings during container image pull",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 consumes updates for podman from the RHEL-7 extras channel, hence why it has been marked as wontfix in this instance.\n\nAfter extensive testing of the mentioned vulnerability Red Hat has chosen a severity of Moderate instead of High, because the deallocation of GPGME objects while other parts of code are still using it, the vulnerability can only result in a crash and cannot be used to execute code in any feasible manner, moreover the vulnerability only results in crash if finalizers are called to clean up variables while objects are still being used by the underlying C code. Given the inherent attack complexity being high and the exploitability of the vulnerability limited to a crash, Moderate severity seems adequate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.src",
"7Server-RH7-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64",
"7Server-RH7-RHOSE-4.4:cri-o-debuginfo-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64",
"8Base-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.src",
"8Base-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64",
"8Base-RHOSE-4.4:cri-o-debuginfo-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64",
"8Base-RHOSE-4.4:cri-o-debugsource-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-8945"
},
{
"category": "external",
"summary": "RHBZ#1795838",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1795838"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-8945",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8945"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8945",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8945"
}
],
"release_date": "2020-01-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-05-04T10:18:35+00:00",
"details": "For OpenShift Container Platform 4.4 see the following documentation, which\nwill be updated shortly for release 4.4.3, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.4/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.src",
"7Server-RH7-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64",
"7Server-RH7-RHOSE-4.4:cri-o-debuginfo-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64",
"8Base-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.src",
"8Base-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64",
"8Base-RHOSE-4.4:cri-o-debuginfo-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64",
"8Base-RHOSE-4.4:cri-o-debugsource-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:1937"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.src",
"7Server-RH7-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64",
"7Server-RH7-RHOSE-4.4:cri-o-debuginfo-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64",
"8Base-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.src",
"8Base-RHOSE-4.4:cri-o-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64",
"8Base-RHOSE-4.4:cri-o-debuginfo-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64",
"8Base-RHOSE-4.4:cri-o-debugsource-0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "proglottis/gpgme: Use-after-free in GPGME bindings during container image pull"
}
]
}
RHSA-2020:1940
Vulnerability from csaf_redhat - Published: 2020-05-04 10:51 - Updated: 2026-02-27 06:51Summary
Red Hat Security Advisory: OpenShift Container Platform 4.4.3 ose-cluster-policy-controller-container security update
Severity
Moderate
Notes
Topic: An update for ose-cluster-policy-controller-container is now available for Red Hat OpenShift Container Platform 4.4.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
Security Fix(es):
* proglottis/gpgme: Use-after-free in GPGME bindings during container image pull (CVE-2020-8945)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. An attacker could use this flaw to crash or cause potential code execution in Go applications that use this library, under certain conditions, during GPG signature verification.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.4:openshift4/ose-cluster-policy-controller-rhel7@sha256:278bd31ebef2498df26f75de59e5c7e5b63c6a1f0fb18704af64498f2483c837_amd64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for ose-cluster-policy-controller-container is now available for Red Hat OpenShift Container Platform 4.4.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* proglottis/gpgme: Use-after-free in GPGME bindings during container image pull (CVE-2020-8945)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:1940",
"url": "https://access.redhat.com/errata/RHSA-2020:1940"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1795838",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1795838"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_1940.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.4.3 ose-cluster-policy-controller-container security update",
"tracking": {
"current_release_date": "2026-02-27T06:51:40+00:00",
"generator": {
"date": "2026-02-27T06:51:40+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.1"
}
},
"id": "RHSA-2020:1940",
"initial_release_date": "2020-05-04T10:51:26+00:00",
"revision_history": [
{
"date": "2020-05-04T10:51:26+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-05-04T10:51:26+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-02-27T06:51:40+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.4",
"product": {
"name": "Red Hat OpenShift Container Platform 4.4",
"product_id": "7Server-RH7-RHOSE-4.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.4::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift4/ose-cluster-policy-controller-rhel7@sha256:278bd31ebef2498df26f75de59e5c7e5b63c6a1f0fb18704af64498f2483c837_amd64",
"product": {
"name": "openshift4/ose-cluster-policy-controller-rhel7@sha256:278bd31ebef2498df26f75de59e5c7e5b63c6a1f0fb18704af64498f2483c837_amd64",
"product_id": "openshift4/ose-cluster-policy-controller-rhel7@sha256:278bd31ebef2498df26f75de59e5c7e5b63c6a1f0fb18704af64498f2483c837_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-policy-controller-rhel7@sha256:278bd31ebef2498df26f75de59e5c7e5b63c6a1f0fb18704af64498f2483c837?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-policy-controller-rhel7\u0026tag=v4.4.0-202004261927"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-policy-controller-rhel7@sha256:278bd31ebef2498df26f75de59e5c7e5b63c6a1f0fb18704af64498f2483c837_amd64 as a component of Red Hat OpenShift Container Platform 4.4",
"product_id": "7Server-RH7-RHOSE-4.4:openshift4/ose-cluster-policy-controller-rhel7@sha256:278bd31ebef2498df26f75de59e5c7e5b63c6a1f0fb18704af64498f2483c837_amd64"
},
"product_reference": "openshift4/ose-cluster-policy-controller-rhel7@sha256:278bd31ebef2498df26f75de59e5c7e5b63c6a1f0fb18704af64498f2483c837_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-8945",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"discovery_date": "2020-01-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1795838"
}
],
"notes": [
{
"category": "description",
"text": "A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. An attacker could use this flaw to crash or cause potential code execution in Go applications that use this library, under certain conditions, during GPG signature verification.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "proglottis/gpgme: Use-after-free in GPGME bindings during container image pull",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 consumes updates for podman from the RHEL-7 extras channel, hence why it has been marked as wontfix in this instance.\n\nAfter extensive testing of the mentioned vulnerability Red Hat has chosen a severity of Moderate instead of High, because the deallocation of GPGME objects while other parts of code are still using it, the vulnerability can only result in a crash and cannot be used to execute code in any feasible manner, moreover the vulnerability only results in crash if finalizers are called to clean up variables while objects are still being used by the underlying C code. Given the inherent attack complexity being high and the exploitability of the vulnerability limited to a crash, Moderate severity seems adequate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.4:openshift4/ose-cluster-policy-controller-rhel7@sha256:278bd31ebef2498df26f75de59e5c7e5b63c6a1f0fb18704af64498f2483c837_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-8945"
},
{
"category": "external",
"summary": "RHBZ#1795838",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1795838"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-8945",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8945"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8945",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8945"
}
],
"release_date": "2020-01-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-05-04T10:51:26+00:00",
"details": "For OpenShift Container Platform 4.4 see the following documentation, which\nwill be updated shortly for release 4.4.3, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.4/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.4:openshift4/ose-cluster-policy-controller-rhel7@sha256:278bd31ebef2498df26f75de59e5c7e5b63c6a1f0fb18704af64498f2483c837_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:1940"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.4:openshift4/ose-cluster-policy-controller-rhel7@sha256:278bd31ebef2498df26f75de59e5c7e5b63c6a1f0fb18704af64498f2483c837_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "proglottis/gpgme: Use-after-free in GPGME bindings during container image pull"
}
]
}
RHSA-2020:2027
Vulnerability from csaf_redhat - Published: 2020-05-13 11:15 - Updated: 2026-02-27 06:51Summary
Red Hat Security Advisory: OpenShift Container Platform 4.2.33 openshift-clients security update
Severity
Moderate
Notes
Topic: An update for openshift-clients is now available for Red Hat OpenShift Container Platform 4.2.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
Security Fix(es):
* proglottis/gpgme: Use-after-free in GPGME bindings during container image pull (CVE-2020-8945)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. An attacker could use this flaw to crash or cause potential code execution in Go applications that use this library, under certain conditions, during GPG signature verification.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.2:openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.2:openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.2:openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.2:openshift-clients-redistributable-0:4.2.32-202005020632.git.1.1b0fab9.el8.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for openshift-clients is now available for Red Hat OpenShift Container Platform 4.2.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* proglottis/gpgme: Use-after-free in GPGME bindings during container image pull (CVE-2020-8945)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:2027",
"url": "https://access.redhat.com/errata/RHSA-2020:2027"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1795838",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1795838"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_2027.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.2.33 openshift-clients security update",
"tracking": {
"current_release_date": "2026-02-27T06:51:42+00:00",
"generator": {
"date": "2026-02-27T06:51:42+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.1"
}
},
"id": "RHSA-2020:2027",
"initial_release_date": "2020-05-13T11:15:23+00:00",
"revision_history": [
{
"date": "2020-05-13T11:15:23+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-05-13T11:15:23+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-02-27T06:51:42+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.2",
"product": {
"name": "Red Hat OpenShift Container Platform 4.2",
"product_id": "8Base-RHOSE-4.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.2::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.s390x",
"product": {
"name": "openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.s390x",
"product_id": "openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift-clients@4.2.32-202005020632.git.1.1b0fab9.el8?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.x86_64",
"product": {
"name": "openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.x86_64",
"product_id": "openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift-clients@4.2.32-202005020632.git.1.1b0fab9.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "openshift-clients-redistributable-0:4.2.32-202005020632.git.1.1b0fab9.el8.x86_64",
"product": {
"name": "openshift-clients-redistributable-0:4.2.32-202005020632.git.1.1b0fab9.el8.x86_64",
"product_id": "openshift-clients-redistributable-0:4.2.32-202005020632.git.1.1b0fab9.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift-clients-redistributable@4.2.32-202005020632.git.1.1b0fab9.el8?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.src",
"product": {
"name": "openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.src",
"product_id": "openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift-clients@4.2.32-202005020632.git.1.1b0fab9.el8?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.s390x as a component of Red Hat OpenShift Container Platform 4.2",
"product_id": "8Base-RHOSE-4.2:openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.s390x"
},
"product_reference": "openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.s390x",
"relates_to_product_reference": "8Base-RHOSE-4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.src as a component of Red Hat OpenShift Container Platform 4.2",
"product_id": "8Base-RHOSE-4.2:openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.src"
},
"product_reference": "openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.src",
"relates_to_product_reference": "8Base-RHOSE-4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.2",
"product_id": "8Base-RHOSE-4.2:openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.x86_64"
},
"product_reference": "openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-clients-redistributable-0:4.2.32-202005020632.git.1.1b0fab9.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.2",
"product_id": "8Base-RHOSE-4.2:openshift-clients-redistributable-0:4.2.32-202005020632.git.1.1b0fab9.el8.x86_64"
},
"product_reference": "openshift-clients-redistributable-0:4.2.32-202005020632.git.1.1b0fab9.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-8945",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"discovery_date": "2020-01-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1795838"
}
],
"notes": [
{
"category": "description",
"text": "A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. An attacker could use this flaw to crash or cause potential code execution in Go applications that use this library, under certain conditions, during GPG signature verification.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "proglottis/gpgme: Use-after-free in GPGME bindings during container image pull",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 consumes updates for podman from the RHEL-7 extras channel, hence why it has been marked as wontfix in this instance.\n\nAfter extensive testing of the mentioned vulnerability Red Hat has chosen a severity of Moderate instead of High, because the deallocation of GPGME objects while other parts of code are still using it, the vulnerability can only result in a crash and cannot be used to execute code in any feasible manner, moreover the vulnerability only results in crash if finalizers are called to clean up variables while objects are still being used by the underlying C code. Given the inherent attack complexity being high and the exploitability of the vulnerability limited to a crash, Moderate severity seems adequate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.2:openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.s390x",
"8Base-RHOSE-4.2:openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.src",
"8Base-RHOSE-4.2:openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.x86_64",
"8Base-RHOSE-4.2:openshift-clients-redistributable-0:4.2.32-202005020632.git.1.1b0fab9.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-8945"
},
{
"category": "external",
"summary": "RHBZ#1795838",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1795838"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-8945",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8945"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8945",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8945"
}
],
"release_date": "2020-01-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-05-13T11:15:23+00:00",
"details": "For OpenShift Container Platform 4.2 see the following documentation, which\nwill be updated shortly for release 4.2.33, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.2/updating/updating-cluster-cli.html.",
"product_ids": [
"8Base-RHOSE-4.2:openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.s390x",
"8Base-RHOSE-4.2:openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.src",
"8Base-RHOSE-4.2:openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.x86_64",
"8Base-RHOSE-4.2:openshift-clients-redistributable-0:4.2.32-202005020632.git.1.1b0fab9.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2027"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.2:openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.s390x",
"8Base-RHOSE-4.2:openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.src",
"8Base-RHOSE-4.2:openshift-clients-0:4.2.32-202005020632.git.1.1b0fab9.el8.x86_64",
"8Base-RHOSE-4.2:openshift-clients-redistributable-0:4.2.32-202005020632.git.1.1b0fab9.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "proglottis/gpgme: Use-after-free in GPGME bindings during container image pull"
}
]
}
RHSA-2020:2117
Vulnerability from csaf_redhat - Published: 2020-05-12 19:52 - Updated: 2026-03-04 04:49Summary
Red Hat Security Advisory: podman security update
Severity
Important
Notes
Topic: An update for podman is now available for Red Hat Enterprise Linux 7 Extras.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods is a concept in Kubernetes.
Security Fix(es):
* buildah: Crafted input tar file may lead to local file overwrite during image build process (CVE-2020-10696)
* proglottis/gpgme: Use-after-free in GPGME bindings during container image pull (CVE-2020-8945)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. An attacker could use this flaw to crash or cause potential code execution in Go applications that use this library, under certain conditions, during GPG signature verification.
7.5 (High)
Affected products
Fixed
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:podman-docker-0:1.6.4-18.el7_8.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:podman-docker-0:1.6.4-18.el7_8.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A path traversal flaw was found in Buildah. This flaw allows an attacker to trick a user into building a malicious container image hosted on an HTTP(s) server and then write files to the user's system anywhere that the user has permissions.
8.8 (High)
Affected products
Fixed
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-EXTRAS-7.8:podman-docker-0:1.6.4-18.el7_8.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-EXTRAS-7.8:podman-docker-0:1.6.4-18.el7_8.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Important
References
13 references
Acknowledgments
Erik Sjölund
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for podman is now available for Red Hat Enterprise Linux 7 Extras.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods is a concept in Kubernetes.\n\nSecurity Fix(es):\n\n* buildah: Crafted input tar file may lead to local file overwrite during image build process (CVE-2020-10696)\n\n* proglottis/gpgme: Use-after-free in GPGME bindings during container image pull (CVE-2020-8945)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:2117",
"url": "https://access.redhat.com/errata/RHSA-2020:2117"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1795838",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1795838"
},
{
"category": "external",
"summary": "1817651",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1817651"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_2117.json"
}
],
"title": "Red Hat Security Advisory: podman security update",
"tracking": {
"current_release_date": "2026-03-04T04:49:16+00:00",
"generator": {
"date": "2026-03-04T04:49:16+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.2"
}
},
"id": "RHSA-2020:2117",
"initial_release_date": "2020-05-12T19:52:10+00:00",
"revision_history": [
{
"date": "2020-05-12T19:52:10+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-05-12T19:52:10+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-04T04:49:16+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux 7 Extras",
"product": {
"name": "Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_extras_other:7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux 7 Extras",
"product": {
"name": "Red Hat Enterprise Linux 7 Extras",
"product_id": "7Workstation-EXTRAS-7.8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_extras_other:7"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux Extras"
},
{
"branches": [
{
"category": "product_version",
"name": "podman-0:1.6.4-18.el7_8.x86_64",
"product": {
"name": "podman-0:1.6.4-18.el7_8.x86_64",
"product_id": "podman-0:1.6.4-18.el7_8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman@1.6.4-18.el7_8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "podman-debuginfo-0:1.6.4-18.el7_8.x86_64",
"product": {
"name": "podman-debuginfo-0:1.6.4-18.el7_8.x86_64",
"product_id": "podman-debuginfo-0:1.6.4-18.el7_8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-debuginfo@1.6.4-18.el7_8?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "podman-0:1.6.4-18.el7_8.src",
"product": {
"name": "podman-0:1.6.4-18.el7_8.src",
"product_id": "podman-0:1.6.4-18.el7_8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman@1.6.4-18.el7_8?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "podman-docker-0:1.6.4-18.el7_8.noarch",
"product": {
"name": "podman-docker-0:1.6.4-18.el7_8.noarch",
"product_id": "podman-docker-0:1.6.4-18.el7_8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-docker@1.6.4-18.el7_8?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "podman-0:1.6.4-18.el7_8.ppc64le",
"product": {
"name": "podman-0:1.6.4-18.el7_8.ppc64le",
"product_id": "podman-0:1.6.4-18.el7_8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman@1.6.4-18.el7_8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "podman-debuginfo-0:1.6.4-18.el7_8.ppc64le",
"product": {
"name": "podman-debuginfo-0:1.6.4-18.el7_8.ppc64le",
"product_id": "podman-debuginfo-0:1.6.4-18.el7_8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-debuginfo@1.6.4-18.el7_8?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "podman-0:1.6.4-18.el7_8.s390x",
"product": {
"name": "podman-0:1.6.4-18.el7_8.s390x",
"product_id": "podman-0:1.6.4-18.el7_8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman@1.6.4-18.el7_8?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "podman-debuginfo-0:1.6.4-18.el7_8.s390x",
"product": {
"name": "podman-debuginfo-0:1.6.4-18.el7_8.s390x",
"product_id": "podman-debuginfo-0:1.6.4-18.el7_8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-debuginfo@1.6.4-18.el7_8?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-0:1.6.4-18.el7_8.ppc64le as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.ppc64le"
},
"product_reference": "podman-0:1.6.4-18.el7_8.ppc64le",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-0:1.6.4-18.el7_8.s390x as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.s390x"
},
"product_reference": "podman-0:1.6.4-18.el7_8.s390x",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-0:1.6.4-18.el7_8.src as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.src"
},
"product_reference": "podman-0:1.6.4-18.el7_8.src",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-0:1.6.4-18.el7_8.x86_64 as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.x86_64"
},
"product_reference": "podman-0:1.6.4-18.el7_8.x86_64",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-debuginfo-0:1.6.4-18.el7_8.ppc64le as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.ppc64le"
},
"product_reference": "podman-debuginfo-0:1.6.4-18.el7_8.ppc64le",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-debuginfo-0:1.6.4-18.el7_8.s390x as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.s390x"
},
"product_reference": "podman-debuginfo-0:1.6.4-18.el7_8.s390x",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-debuginfo-0:1.6.4-18.el7_8.x86_64 as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.x86_64"
},
"product_reference": "podman-debuginfo-0:1.6.4-18.el7_8.x86_64",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-docker-0:1.6.4-18.el7_8.noarch as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS-7.8:podman-docker-0:1.6.4-18.el7_8.noarch"
},
"product_reference": "podman-docker-0:1.6.4-18.el7_8.noarch",
"relates_to_product_reference": "7Server-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-0:1.6.4-18.el7_8.ppc64le as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.ppc64le"
},
"product_reference": "podman-0:1.6.4-18.el7_8.ppc64le",
"relates_to_product_reference": "7Workstation-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-0:1.6.4-18.el7_8.s390x as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.s390x"
},
"product_reference": "podman-0:1.6.4-18.el7_8.s390x",
"relates_to_product_reference": "7Workstation-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-0:1.6.4-18.el7_8.src as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.src"
},
"product_reference": "podman-0:1.6.4-18.el7_8.src",
"relates_to_product_reference": "7Workstation-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-0:1.6.4-18.el7_8.x86_64 as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.x86_64"
},
"product_reference": "podman-0:1.6.4-18.el7_8.x86_64",
"relates_to_product_reference": "7Workstation-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-debuginfo-0:1.6.4-18.el7_8.ppc64le as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Workstation-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.ppc64le"
},
"product_reference": "podman-debuginfo-0:1.6.4-18.el7_8.ppc64le",
"relates_to_product_reference": "7Workstation-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-debuginfo-0:1.6.4-18.el7_8.s390x as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Workstation-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.s390x"
},
"product_reference": "podman-debuginfo-0:1.6.4-18.el7_8.s390x",
"relates_to_product_reference": "7Workstation-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-debuginfo-0:1.6.4-18.el7_8.x86_64 as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Workstation-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.x86_64"
},
"product_reference": "podman-debuginfo-0:1.6.4-18.el7_8.x86_64",
"relates_to_product_reference": "7Workstation-EXTRAS-7.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-docker-0:1.6.4-18.el7_8.noarch as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Workstation-EXTRAS-7.8:podman-docker-0:1.6.4-18.el7_8.noarch"
},
"product_reference": "podman-docker-0:1.6.4-18.el7_8.noarch",
"relates_to_product_reference": "7Workstation-EXTRAS-7.8"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-8945",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"discovery_date": "2020-01-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1795838"
}
],
"notes": [
{
"category": "description",
"text": "A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. An attacker could use this flaw to crash or cause potential code execution in Go applications that use this library, under certain conditions, during GPG signature verification.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "proglottis/gpgme: Use-after-free in GPGME bindings during container image pull",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 consumes updates for podman from the RHEL-7 extras channel, hence why it has been marked as wontfix in this instance.\n\nAfter extensive testing of the mentioned vulnerability Red Hat has chosen a severity of Moderate instead of High, because the deallocation of GPGME objects while other parts of code are still using it, the vulnerability can only result in a crash and cannot be used to execute code in any feasible manner, moreover the vulnerability only results in crash if finalizers are called to clean up variables while objects are still being used by the underlying C code. Given the inherent attack complexity being high and the exploitability of the vulnerability limited to a crash, Moderate severity seems adequate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.ppc64le",
"7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.s390x",
"7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.src",
"7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.x86_64",
"7Server-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.ppc64le",
"7Server-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.s390x",
"7Server-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.x86_64",
"7Server-EXTRAS-7.8:podman-docker-0:1.6.4-18.el7_8.noarch",
"7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.ppc64le",
"7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.s390x",
"7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.src",
"7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.x86_64",
"7Workstation-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.ppc64le",
"7Workstation-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.s390x",
"7Workstation-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.x86_64",
"7Workstation-EXTRAS-7.8:podman-docker-0:1.6.4-18.el7_8.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-8945"
},
{
"category": "external",
"summary": "RHBZ#1795838",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1795838"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-8945",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8945"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8945",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8945"
}
],
"release_date": "2020-01-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-05-12T19:52:10+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.ppc64le",
"7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.s390x",
"7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.src",
"7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.x86_64",
"7Server-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.ppc64le",
"7Server-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.s390x",
"7Server-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.x86_64",
"7Server-EXTRAS-7.8:podman-docker-0:1.6.4-18.el7_8.noarch",
"7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.ppc64le",
"7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.s390x",
"7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.src",
"7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.x86_64",
"7Workstation-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.ppc64le",
"7Workstation-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.s390x",
"7Workstation-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.x86_64",
"7Workstation-EXTRAS-7.8:podman-docker-0:1.6.4-18.el7_8.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2117"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.ppc64le",
"7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.s390x",
"7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.src",
"7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.x86_64",
"7Server-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.ppc64le",
"7Server-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.s390x",
"7Server-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.x86_64",
"7Server-EXTRAS-7.8:podman-docker-0:1.6.4-18.el7_8.noarch",
"7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.ppc64le",
"7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.s390x",
"7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.src",
"7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.x86_64",
"7Workstation-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.ppc64le",
"7Workstation-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.s390x",
"7Workstation-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.x86_64",
"7Workstation-EXTRAS-7.8:podman-docker-0:1.6.4-18.el7_8.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "proglottis/gpgme: Use-after-free in GPGME bindings during container image pull"
},
{
"acknowledgments": [
{
"names": [
"Erik Sj\u00f6lund"
]
}
],
"cve": "CVE-2020-10696",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2020-03-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1817651"
}
],
"notes": [
{
"category": "description",
"text": "A path traversal flaw was found in Buildah. This flaw allows an attacker to trick a user into building a malicious container image hosted on an HTTP(s) server and then write files to the user\u0027s system anywhere that the user has permissions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "buildah: Crafted input tar file may lead to local file overwrite during image build process",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "While OpenShift Container Platform does include the vulnerable buildah code, it doesn\u0027t make use of the vulnerable function. Podman is also included in OpenShift Container Platform, but it isn\u0027t used to perform a build, so it has been given a low impact rating.\n\nOpenShift Container Platform 3.11 now used podman from the RHEL Extra repository, and not the podman package shipped in the OpenShift 3.11 RPM repository. This issue is fixed in podman in RHEL Extras so we won\u0027t fix the podman package shipped in the OpenShift 3.11 RPM repository.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.ppc64le",
"7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.s390x",
"7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.src",
"7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.x86_64",
"7Server-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.ppc64le",
"7Server-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.s390x",
"7Server-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.x86_64",
"7Server-EXTRAS-7.8:podman-docker-0:1.6.4-18.el7_8.noarch",
"7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.ppc64le",
"7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.s390x",
"7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.src",
"7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.x86_64",
"7Workstation-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.ppc64le",
"7Workstation-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.s390x",
"7Workstation-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.x86_64",
"7Workstation-EXTRAS-7.8:podman-docker-0:1.6.4-18.el7_8.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-10696"
},
{
"category": "external",
"summary": "RHBZ#1817651",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1817651"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-10696",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10696"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10696",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10696"
}
],
"release_date": "2020-03-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-05-12T19:52:10+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.ppc64le",
"7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.s390x",
"7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.src",
"7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.x86_64",
"7Server-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.ppc64le",
"7Server-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.s390x",
"7Server-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.x86_64",
"7Server-EXTRAS-7.8:podman-docker-0:1.6.4-18.el7_8.noarch",
"7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.ppc64le",
"7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.s390x",
"7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.src",
"7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.x86_64",
"7Workstation-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.ppc64le",
"7Workstation-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.s390x",
"7Workstation-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.x86_64",
"7Workstation-EXTRAS-7.8:podman-docker-0:1.6.4-18.el7_8.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2117"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.ppc64le",
"7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.s390x",
"7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.src",
"7Server-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.x86_64",
"7Server-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.ppc64le",
"7Server-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.s390x",
"7Server-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.x86_64",
"7Server-EXTRAS-7.8:podman-docker-0:1.6.4-18.el7_8.noarch",
"7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.ppc64le",
"7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.s390x",
"7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.src",
"7Workstation-EXTRAS-7.8:podman-0:1.6.4-18.el7_8.x86_64",
"7Workstation-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.ppc64le",
"7Workstation-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.s390x",
"7Workstation-EXTRAS-7.8:podman-debuginfo-0:1.6.4-18.el7_8.x86_64",
"7Workstation-EXTRAS-7.8:podman-docker-0:1.6.4-18.el7_8.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "buildah: Crafted input tar file may lead to local file overwrite during image build process"
}
]
}
RHSA-2020:2413
Vulnerability from csaf_redhat - Published: 2020-07-13 16:46 - Updated: 2026-05-15 02:04Summary
Red Hat Security Advisory: OpenShift Container Platform 4.5 package security update
Severity
Moderate
Notes
Topic: An update for machine-config-daemon and openshift is now available for Red Hat OpenShift Container Platform 4.5.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
Security Fix(es):
* kubernetes: Denial of service in API server via crafted YAML payloads by authorized users (CVE-2019-11254)
* kubernetes: node localhost services reachable via martian packets (CVE-2020-8558)
* proglottis/gpgme: Use-after-free in GPGME bindings during container image pull (CVE-2020-8945)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in Kubernetes that allows the logging of credentials when mounting AzureFile and CephFS volumes. This flaw allows an attacker to access kubelet logs, read the credentials, and use them to access other services. The highest threat from this vulnerability is to confidentiality.
5.9 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.x86_64 | — |
Vendor Fix
fix
|
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.src | — | ||
| Unresolved product id: 8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.x86_64 | — |
Threats
Impact
Moderate
The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.
6.5 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.x86_64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.src | — |
Workaround
|
|
| Unresolved product id: 8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.x86_64 | — |
Workaround
|
Threats
Impact
Moderate
A flaw was found in Kubernetes that allows attackers on adjacent networks to reach services exposed on localhost ports, previously thought to be unreachable. This flaw allows an attacker to gain privileges or access confidential information for any services listening on localhost ports that are not protected by authentication.
5.4 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.x86_64 | — |
Vendor Fix
fix
|
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.src | — | ||
| Unresolved product id: 8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.x86_64 | — |
Threats
Impact
Moderate
A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. An attacker could use this flaw to crash or cause potential code execution in Go applications that use this library, under certain conditions, during GPG signature verification.
7.5 (High)
Affected products
Fixed
2 products
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.src | — | ||
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.x86_64 | — | ||
| Unresolved product id: 8Base-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.src | — | ||
| Unresolved product id: 8Base-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.x86_64 | — |
Threats
Impact
Moderate
A denial of service vulnerability was found in the SSH package of the golang.org/x/crypto library. An attacker could exploit this flaw by supplying crafted SSH ed25519 keys to cause a crash in applications that use this package as either an SSH client or server.
5.3 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.x86_64 | — |
Vendor Fix
fix
|
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.src | — | ||
| Unresolved product id: 8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.x86_64 | — |
Threats
Impact
Low
References
29 references
Acknowledgments
the Kubernetes Product Security Committee
Palo Alto Networks
Yuval Avrahami
Ariel Zelivansky
Ericsson
János Kövér
NCC Group
Rory McCune
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for machine-config-daemon and openshift is now available for Red Hat OpenShift Container Platform 4.5.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* kubernetes: Denial of service in API server via crafted YAML payloads by authorized users (CVE-2019-11254)\n\n* kubernetes: node localhost services reachable via martian packets (CVE-2020-8558)\n\n* proglottis/gpgme: Use-after-free in GPGME bindings during container image pull (CVE-2020-8945)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:2413",
"url": "https://access.redhat.com/errata/RHSA-2020:2413"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1795838",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1795838"
},
{
"category": "external",
"summary": "1819486",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1819486"
},
{
"category": "external",
"summary": "1843358",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1843358"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_2413.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.5 package security update",
"tracking": {
"current_release_date": "2026-05-15T02:04:22+00:00",
"generator": {
"date": "2026-05-15T02:04:22+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2020:2413",
"initial_release_date": "2020-07-13T16:46:28+00:00",
"revision_history": [
{
"date": "2020-07-13T16:46:28+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-07-13T16:46:28+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-15T02:04:22+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.5",
"product": {
"name": "Red Hat OpenShift Container Platform 4.5",
"product_id": "8Base-RHOSE-4.5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.5::el8"
}
}
},
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.5",
"product": {
"name": "Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.5::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.src",
"product": {
"name": "openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.src",
"product_id": "openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift@4.5.0-202007012112.p0.git.0.582d7fc.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.src",
"product": {
"name": "machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.src",
"product_id": "machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/machine-config-daemon@4.5.0-202007012112.p0.git.2527.d12c3da.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.src",
"product": {
"name": "openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.src",
"product_id": "openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift@4.5.0-202007012112.p0.git.0.582d7fc.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.x86_64",
"product": {
"name": "openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.x86_64",
"product_id": "openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift-hyperkube@4.5.0-202007012112.p0.git.0.582d7fc.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.x86_64",
"product": {
"name": "machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.x86_64",
"product_id": "machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/machine-config-daemon@4.5.0-202007012112.p0.git.2527.d12c3da.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.x86_64",
"product": {
"name": "openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.x86_64",
"product_id": "openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift-hyperkube@4.5.0-202007012112.p0.git.0.582d7fc.el7?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.src as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.src"
},
"product_reference": "openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.src",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.x86_64"
},
"product_reference": "openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.src as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.src"
},
"product_reference": "machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.src",
"relates_to_product_reference": "8Base-RHOSE-4.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.x86_64"
},
"product_reference": "machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.src as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "8Base-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.src"
},
"product_reference": "openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.src",
"relates_to_product_reference": "8Base-RHOSE-4.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "8Base-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.x86_64"
},
"product_reference": "openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-11252",
"cwe": {
"id": "CWE-209",
"name": "Generation of Error Message Containing Sensitive Information"
},
"discovery_date": "2020-07-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.src",
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1860158"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Kubernetes that allows the logging of credentials when mounting AzureFile and CephFS volumes. This flaw allows an attacker to access kubelet logs, read the credentials, and use them to access other services. The highest threat from this vulnerability is to confidentiality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "kubernetes: credential leak in kube-controller-manager via error messages in mount failure logs and events for AzureFile and CephFS volumes",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform (OCP) included the upstream patch for this flaw in the release of version 4.5. Prior versions are affected as OCP 4 supports AzureFile volumes and OCP 3 supports both AzureFile and CephFS volumes. OCP clusters not using these volume types are not vulnerable.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.src",
"7Server-RH7-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.x86_64",
"8Base-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.src",
"8Base-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.x86_64"
],
"known_not_affected": [
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.src",
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11252"
},
{
"category": "external",
"summary": "RHBZ#1860158",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1860158"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11252",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11252"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11252",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11252"
}
],
"release_date": "2020-03-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-07-13T16:46:28+00:00",
"details": "For OpenShift Container Platform 4.5 see the following documentation, which\nwill be updated shortly for release 4.5.1, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.5/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.src",
"7Server-RH7-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.x86_64",
"8Base-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.src",
"8Base-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2413"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.src",
"7Server-RH7-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.x86_64",
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.src",
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.x86_64",
"8Base-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.src",
"8Base-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "kubernetes: credential leak in kube-controller-manager via error messages in mount failure logs and events for AzureFile and CephFS volumes"
},
{
"cve": "CVE-2019-11254",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2020-04-01T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.src",
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1819486"
}
],
"notes": [
{
"category": "description",
"text": "The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "kubernetes: Denial of service in API server via crafted YAML payloads by authorized users",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The upstream Kubernetes fix for this vulnerability is to update the version of the Go dependency, gopkg.in/yaml.v2. This issue affects OpenShift Container Platform components that use versions before 2.2.8 of gopkg.in/yaml.v2 and accept YAML payloads.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.src",
"7Server-RH7-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.x86_64",
"8Base-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.src",
"8Base-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.x86_64"
],
"known_not_affected": [
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.src",
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11254"
},
{
"category": "external",
"summary": "RHBZ#1819486",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1819486"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11254",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11254"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11254",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11254"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wuwEwZigXBc",
"url": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wuwEwZigXBc"
}
],
"release_date": "2020-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-07-13T16:46:28+00:00",
"details": "For OpenShift Container Platform 4.5 see the following documentation, which\nwill be updated shortly for release 4.5.1, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.5/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.src",
"7Server-RH7-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.x86_64",
"8Base-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.src",
"8Base-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2413"
},
{
"category": "workaround",
"details": "Prevent unauthenticated or unauthorized access to the API server",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.src",
"7Server-RH7-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.x86_64",
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.src",
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.x86_64",
"8Base-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.src",
"8Base-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.src",
"7Server-RH7-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.x86_64",
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.src",
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.x86_64",
"8Base-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.src",
"8Base-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "kubernetes: Denial of service in API server via crafted YAML payloads by authorized users"
},
{
"acknowledgments": [
{
"names": [
"the Kubernetes Product Security Committee"
]
},
{
"names": [
"Yuval Avrahami",
"Ariel Zelivansky"
],
"organization": "Palo Alto Networks",
"summary": "Acknowledged by upstream."
},
{
"names": [
"J\u00e1nos K\u00f6v\u00e9r"
],
"organization": "Ericsson",
"summary": "Acknowledged by upstream."
},
{
"names": [
"Rory McCune"
],
"organization": "NCC Group",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2020-8558",
"cwe": {
"id": "CWE-300",
"name": "Channel Accessible by Non-Endpoint"
},
"discovery_date": "2020-05-29T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.src",
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1843358"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Kubernetes that allows attackers on adjacent networks to reach services exposed on localhost ports, previously thought to be unreachable. This flaw allows an attacker to gain privileges or access confidential information for any services listening on localhost ports that are not protected by authentication.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "kubernetes: node localhost services reachable via martian packets",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform does not expose the API server on a localhost port without authentication. The only service exposed on a localhost port not protected by authentication is Metrics, which exposes some cluster metadata.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.src",
"7Server-RH7-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.x86_64",
"8Base-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.src",
"8Base-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.x86_64"
],
"known_not_affected": [
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.src",
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-8558"
},
{
"category": "external",
"summary": "RHBZ#1843358",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1843358"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-8558",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8558"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8558",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8558"
},
{
"category": "external",
"summary": "https://groups.google.com/g/kubernetes-security-announce/c/B1VegbBDMTE",
"url": "https://groups.google.com/g/kubernetes-security-announce/c/B1VegbBDMTE"
}
],
"release_date": "2020-07-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-07-13T16:46:28+00:00",
"details": "For OpenShift Container Platform 4.5 see the following documentation, which\nwill be updated shortly for release 4.5.1, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.5/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.src",
"7Server-RH7-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.x86_64",
"8Base-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.src",
"8Base-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2413"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.src",
"7Server-RH7-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.x86_64",
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.src",
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.x86_64",
"8Base-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.src",
"8Base-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "kubernetes: node localhost services reachable via martian packets"
},
{
"cve": "CVE-2020-8945",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"discovery_date": "2020-01-22T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.src",
"7Server-RH7-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.x86_64",
"8Base-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.src",
"8Base-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1795838"
}
],
"notes": [
{
"category": "description",
"text": "A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. An attacker could use this flaw to crash or cause potential code execution in Go applications that use this library, under certain conditions, during GPG signature verification.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "proglottis/gpgme: Use-after-free in GPGME bindings during container image pull",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 consumes updates for podman from the RHEL-7 extras channel, hence why it has been marked as wontfix in this instance.\n\nAfter extensive testing of the mentioned vulnerability Red Hat has chosen a severity of Moderate instead of High, because the deallocation of GPGME objects while other parts of code are still using it, the vulnerability can only result in a crash and cannot be used to execute code in any feasible manner, moreover the vulnerability only results in crash if finalizers are called to clean up variables while objects are still being used by the underlying C code. Given the inherent attack complexity being high and the exploitability of the vulnerability limited to a crash, Moderate severity seems adequate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.src",
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.x86_64"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.src",
"7Server-RH7-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.x86_64",
"8Base-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.src",
"8Base-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-8945"
},
{
"category": "external",
"summary": "RHBZ#1795838",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1795838"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-8945",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8945"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8945",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8945"
}
],
"release_date": "2020-01-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-07-13T16:46:28+00:00",
"details": "For OpenShift Container Platform 4.5 see the following documentation, which\nwill be updated shortly for release 4.5.1, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.5/updating/updating-cluster-cli.html.",
"product_ids": [
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.src",
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2413"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.src",
"7Server-RH7-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.x86_64",
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.src",
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.x86_64",
"8Base-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.src",
"8Base-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "proglottis/gpgme: Use-after-free in GPGME bindings during container image pull"
},
{
"cve": "CVE-2020-9283",
"cwe": {
"id": "CWE-130",
"name": "Improper Handling of Length Parameter Inconsistency"
},
"discovery_date": "2020-02-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.src",
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1804533"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service vulnerability was found in the SSH package of the golang.org/x/crypto library. An attacker could exploit this flaw by supplying crafted SSH ed25519 keys to cause a crash in applications that use this package as either an SSH client or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform uses the vulnerable library in a number of components but strictly as an SSH client. The severity of this vulnerability is reduced for clients as it requires connections to malicious SSH servers, with the maximum impact only a client crash. This vulnerability is rated Low for OpenShift Container Platform.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.src",
"7Server-RH7-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.x86_64",
"8Base-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.src",
"8Base-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.x86_64"
],
"known_not_affected": [
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.src",
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-9283"
},
{
"category": "external",
"summary": "RHBZ#1804533",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1804533"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-9283",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9283"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9283",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9283"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY",
"url": "https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY"
}
],
"release_date": "2020-02-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-07-13T16:46:28+00:00",
"details": "For OpenShift Container Platform 4.5 see the following documentation, which\nwill be updated shortly for release 4.5.1, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.5/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.src",
"7Server-RH7-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.x86_64",
"8Base-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.src",
"8Base-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2413"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.src",
"7Server-RH7-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el7.x86_64",
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.src",
"8Base-RHOSE-4.5:machine-config-daemon-0:4.5.0-202007012112.p0.git.2527.d12c3da.el8.x86_64",
"8Base-RHOSE-4.5:openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.src",
"8Base-RHOSE-4.5:openshift-hyperkube-0:4.5.0-202007012112.p0.git.0.582d7fc.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…