coreos / fedora-coreos-tracker

Issue tracker for Fedora CoreOS
https://fedoraproject.org/coreos/

ship podman 5.2.5 for CVE-2024-9675, CVE-2024-9676 #1821

Closed dustymabe closed 1 week ago

dustymabe commented 4 weeks ago

Podman 5.2.5 was released on Wednesday:

Security

  • This release addresses CVE-2024-9675, which allows arbitrary access to the host filesystem from RUN --mount type=cache arguments to a Dockerfile being built.
  • This release also addresses CVE-2024-9676, which allows malicious images with a symlink /etc/passwd or /etc/group to potentially cause a denial of service through reading a FIFO on the host.

dustymabe commented 4 weeks ago

This made it into next-devel in https://github.com/coreos/fedora-coreos-config/commit/71fd51054473fff1d5e69ed7e0547bd46a87517a

dustymabe commented 3 weeks ago

The fix for this went into next stream release 41.20241024.1.0. Please try out the new release and report issues.

dustymabe commented 3 weeks ago

The fix for this went into testing stream release 41.20241027.2.0. Please try out the new release and report issues.

dustymabe commented 1 week ago

The fix for this went into stable stream release 41.20241027.3.0.
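
A check against the release numbers reported in this thread, as an added example that is not part of the issue or of Fedora CoreOS tooling: it classifies a Fedora CoreOS version string as at or past the first fixed release of its stream. The function names are hypothetical, and it assumes the third version field identifies the stream (1 next, 2 testing, 3 stable), as in the three releases named above.

```sh
#!/bin/sh
# Added example. First release per stream that the thread reports as fixed.
FIXED_NEXT=41.20241024.1.0
FIXED_TESTING=41.20241027.2.0
FIXED_STABLE=41.20241027.3.0

# ver_ge A B: true if A >= B on (major, date, revision); stream field skipped.
ver_ge() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2          # $1..$4 = fields of A, $5..$8 = fields of B
    IFS=$old_ifs
    [ "$1" -gt "$5" ] && return 0
    [ "$1" -lt "$5" ] && return 1
    [ "$2" -gt "$6" ] && return 0
    [ "$2" -lt "$6" ] && return 1
    [ "$4" -ge "$8" ]
}

# fcos_fix_status VERSION: prints fixed, needs-update or unknown.
fcos_fix_status() {
    case $1 in            # reject anything but digits and single dots
        *[!0-9.]*|*..*|.*|*.) echo unknown; return 0 ;;
    esac
    case $1 in            # require exactly four fields
        *.*.*.*.*) echo unknown; return 0 ;;
        *.*.*.*) ;;
        *) echo unknown; return 0 ;;
    esac
    stream=${1#*.*.}; stream=${stream%%.*}
    # Assumption: third field 1/2/3 = next/testing/stable, as in the thread.
    case $stream in
        1) fixed=$FIXED_NEXT ;;
        2) fixed=$FIXED_TESTING ;;
        3) fixed=$FIXED_STABLE ;;
        *) echo unknown; return 0 ;;
    esac
    if ver_ge "$1" "$fixed"; then echo fixed; else echo needs-update; fi
}

# Classify each version given on the command line, one per line.
for v in "$@"; do
    printf '%s %s\n' "$v" "$(fcos_fix_status "$v")"
done
```

The result reflects release numbering only; a version on any other stream, or one that is not four numeric fields, is reported as unknown rather than guessed.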