[RHSA-2020:0942-01] Moderate: runc security update

Security announcements for all Red Hat products and services. rhsa-announce at redhat.com
Mon Mar 23 13:53:10 UTC 2020 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: runc security update
Advisory ID:       RHSA-2020:0942-01
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:0942
Issue date:        2020-03-23
CVE Names:         CVE-2019-19921 
=====================================================================

1. Summary:

An update for runc is now available for Red Hat Enterprise Linux 7 Extras.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux 7 Extras - ppc64le, s390x, x86_64

3. Description:

The runC tool is a lightweight, portable implementation of the Open
Container Format (OCF) that provides container runtime.

Security Fix(es):

* runc: volume mount race condition with shared mounts leads to information
leak/integrity manipulation (CVE-2019-19921)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1796107 - CVE-2019-19921 runc: volume mount race condition with shared mounts leads to information leak/integrity manipulation

6. Package List:

Red Hat Enterprise Linux 7 Extras:

Source:
runc-1.0.0-66.rc8.el7_7.src.rpm

ppc64le:
runc-1.0.0-66.rc8.el7_7.ppc64le.rpm
runc-debuginfo-1.0.0-66.rc8.el7_7.ppc64le.rpm

s390x:
runc-1.0.0-66.rc8.el7_7.s390x.rpm
runc-debuginfo-1.0.0-66.rc8.el7_7.s390x.rpm

x86_64:
runc-1.0.0-66.rc8.el7_7.x86_64.rpm
runc-debuginfo-1.0.0-66.rc8.el7_7.x86_64.rpm

Red Hat Enterprise Linux 7 Extras:

Source:
runc-1.0.0-66.rc8.el7_7.src.rpm

x86_64:
runc-1.0.0-66.rc8.el7_7.x86_64.rpm
runc-debuginfo-1.0.0-66.rc8.el7_7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-19921
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXni/Q9zjgjWX9erEAQiVSg/7BrCwsKZjsGXU33neLp28uwI4VILYP+Sh
DOxsrIWd1Vx+FyyJ4l2YDqj/wqUrOCX8rqbPgeoIkenX9KNVNUuy8/77OPpMgrMw
o0IDfD4J517U4jVC6ThWANHQaD/J8pturt1yaDLYBDHe/S//GEIqdJKqnK1TDhpD
8cQh6mPab1wSV8xG30kTJbVAwErDccyJNIm3NxkCQhnaY+clBumtlS7MT5Ym8YiK
pXsW+F165/2S9ZL6pmryRgSZNJvSLqJgVzqETRQW7DEp1cCPWy454k1P6GBoUVmv
QiKdsHXBM9TzhHrgTQLZkkeVQKAV3TzmczTSb1JFv44MHjaxazhLkT8IJADw2rYM
ILhf0vpYCls5PsVP9BYucFXxRBMKjQlR8YsXo18yVhLorVLe2dMnGicxOmTbKrOy
Y0tcTJhGEQETEnkfBZUp52+G2TSK7fRAbMs6KmCfkoft9Cmmon44APV8KU0V9CYC
q9AY/6+CuO1LBzBg5BN3I2BMts6gAiHWMoNA1qeGjZIB+ksW4G9IJtzjcHQj+o7G
8FbHSbq4/uWrPVKpb+ToHCXFCtp5ZrjeS4CffmkOmX+g4trds5jRLN3sKLE61F4T
ngxyiF/n/Wz/MQwKHSVSMEjgvb3zWF/Kk2MIePR9NhAvVChYBwgdi6wT7IcnTOau
KmAMqUQ9pM0=
=KkjT
-----END PGP SIGNATURE-----

More information about the RHSA-announce mailing list