{"id":"RLSA-2023:2802","summary":"Moderate: container-tools:4.0 security and bug fix update","details":"The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.\n\nSecurity Fix(es):\n\n* golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)\n\n* golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)\n\n* golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)\n\n* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)\n\n* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)\n\n* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)\n\n* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)\n\n* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)\n\n* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)\n\n* golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)\n\n* golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)\n\n* podman: symlink exchange attack in podman export volume (CVE-2023-0778)\n\n* podman: possible information disclosure and modification (CVE-2022-2989)\n\n* golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Rocky Linux 8.8 Release Notes linked from the References section.","modified":"2025-11-28T09:32:48.594457Z","published":"2025-11-28T09:04:16.963841Z","upstream":["CVE-2022-1705","CVE-2022-1962","CVE-2022-27664","CVE-2022-28131","CVE-2022-2989","CVE-2022-30630","CVE-2022-30631","CVE-2022-30632","CVE-2022-30633","CVE-2022-30635","CVE-2022-32148","CVE-2022-32189","CVE-2022-41717","CVE-2023-0778"],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2023:2802"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2107342"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2107371"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2107374"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2107376"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2107383"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2107386"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2107388"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2107390"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2107392"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2113814"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2121445"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2124669"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2161274"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2168256"}],"affected":[{"package":{"name":"cockpit-podman","ecosystem":"Rocky Linux:8","purl":"pkg:rpm/rocky-linux/cockpit-podman?distro=rocky-linux-8&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:46-1.module+el8.9.0+1445+07728297"}],"database_specific":{"yum_repository":"AppStream"}}],"database_specific":{"source":"https://storage.googleapis.com/resf-osv-data/RLSA-2023:2802.json"}},{"package":{"name":"criu","ecosystem":"Rocky Linux:8","purl":"pkg:rpm/rocky-linux/criu?distro=rocky-linux-8&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:3.15-3.module+el8.9.0+1445+07728297"}],"database_specific":{"yum_repository":"AppStream"}}],"database_specific":{"source":"https://storage.googleapis.com/resf-osv-data/RLSA-2023:2802.json"}},{"package":{"name":"libslirp","ecosystem":"Rocky Linux:8","purl":"pkg:rpm/rocky-linux/libslirp?distro=rocky-linux-8&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:4.4.0-1.module+el8.9.0+1445+07728297"}],"database_specific":{"yum_repository":"AppStream"}}],"database_specific":{"source":"https://storage.googleapis.com/resf-osv-data/RLSA-2023:2802.json"}},{"package":{"name":"oci-seccomp-bpf-hook","ecosystem":"Rocky Linux:8","purl":"pkg:rpm/rocky-linux/oci-seccomp-bpf-hook?distro=rocky-linux-8&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:1.2.5-2.module+el8.9.0+1445+07728297"}],"database_specific":{"yum_repository":"AppStream"}}],"database_specific":{"source":"https://storage.googleapis.com/resf-osv-data/RLSA-2023:2802.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]}