RLSA-2023:6938

See a problem?
Please try reporting it to the source first.
Source
https://errata.rockylinux.org/RLSA-2023:6938
Import Source
https://storage.googleapis.com/resf-osv-data/RLSA-2023:6938.json
JSON Data
https://api.test.osv.dev/v1/vulns/RLSA-2023:6938
Upstream
Published
2025-11-28T09:04:16.963841Z
Modified
2025-11-28T09:32:36.105712Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Moderate: container-tools:4.0 security and bug fix update
Details

The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.

Security Fix(es):

  • go-yaml: Improve heuristics preventing CPU/memory abuse by parsing malicious or large YAML documents (CVE-2022-3064)

  • golang: html/template: improper handling of JavaScript whitespace (CVE-2023-24540)

  • net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)

  • golang: crypto/tls: large handshake records may cause panics (CVE-2022-41724)

  • golang: net/http, mime/multipart: denial of service from excessive resource consumption (CVE-2022-41725)

  • golang.org/x/net/html: Cross site scripting (CVE-2023-3978)

  • golang: net/http, net/textproto: denial of service from excessive memory allocation (CVE-2023-24534)

  • golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (CVE-2023-24536)

  • golang: go/parser: Infinite loop in parsing (CVE-2023-24537)

  • golang: html/template: backticks not treated as string delimiters (CVE-2023-24538)

  • golang: html/template: improper sanitization of CSS values (CVE-2023-24539)

  • runc: Rootless runc makes /sys/fs/cgroup writable (CVE-2023-25809)

  • runc: volume mount race condition (regression of CVE-2019-19921) (CVE-2023-27561)

  • runc: AppArmor can be bypassed when /proc inside the container is symlinked with a specific mount configuration (CVE-2023-28642)

  • golang: html/template: improper handling of empty HTML attributes (CVE-2023-29400)

  • golang: net/http: insufficient sanitization of Host header (CVE-2023-29406)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Rocky Linux 8.9 Release Notes linked from the References section.

References
Credits
    • Rocky Enterprise Software Foundation
    • Red Hat

Affected packages

Rocky Linux:8

buildah

Package

Name
buildah
Purl
pkg:rpm/rocky-linux/buildah?distro=rocky-linux-8&epoch=1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:1.24.6-7.module+el8.9.0+1445+07728297
Database specific 
{
    "yum_repository": "AppStream"
}

cockpit-podman

Package

Name
cockpit-podman
Purl
pkg:rpm/rocky-linux/cockpit-podman?distro=rocky-linux-8&epoch=0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0:46-1.module+el8.9.0+1445+07728297
Database specific 
{
    "yum_repository": "AppStream"
}

conmon

Package

Name
conmon
Purl
pkg:rpm/rocky-linux/conmon?distro=rocky-linux-8&epoch=2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2:2.1.4-2.module+el8.9.0+1445+07728297
Database specific 
{
    "yum_repository": "AppStream"
}

containernetworking-plugins

Package

Name
containernetworking-plugins
Purl
pkg:rpm/rocky-linux/containernetworking-plugins?distro=rocky-linux-8&epoch=1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:1.1.1-5.module+el8.9.0+1445+07728297
Database specific 
{
    "yum_repository": "AppStream"
}

containers-common

Package

Name
containers-common
Purl
pkg:rpm/rocky-linux/containers-common?distro=rocky-linux-8&epoch=2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2:1-38.module+el8.9.0+1445+07728297
Database specific 
{
    "yum_repository": "AppStream"
}

container-selinux

Package

Name
container-selinux
Purl
pkg:rpm/rocky-linux/container-selinux?distro=rocky-linux-8&epoch=2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2:2.205.0-3.module+el8.9.0+1445+07728297
Database specific 
{
    "yum_repository": "AppStream"
}

criu

Package

Name
criu
Purl
pkg:rpm/rocky-linux/criu?distro=rocky-linux-8&epoch=0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0:3.15-3.module+el8.9.0+1445+07728297
Database specific 
{
    "yum_repository": "AppStream"
}

crun

Package

Name
crun
Purl
pkg:rpm/rocky-linux/crun?distro=rocky-linux-8&epoch=0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0:1.8.3-1.module+el8.9.0+1445+07728297
Database specific 
{
    "yum_repository": "AppStream"
}

fuse-overlayfs

Package

Name
fuse-overlayfs
Purl
pkg:rpm/rocky-linux/fuse-overlayfs?distro=rocky-linux-8&epoch=0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0:1.9-2.module+el8.9.0+1445+07728297
Database specific 
{
    "yum_repository": "AppStream"
}

libslirp

Package

Name
libslirp
Purl
pkg:rpm/rocky-linux/libslirp?distro=rocky-linux-8&epoch=0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0:4.4.0-1.module+el8.9.0+1445+07728297
Database specific 
{
    "yum_repository": "AppStream"
}

oci-seccomp-bpf-hook

Package

Name
oci-seccomp-bpf-hook
Purl
pkg:rpm/rocky-linux/oci-seccomp-bpf-hook?distro=rocky-linux-8&epoch=0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0:1.2.5-2.module+el8.9.0+1445+07728297
Database specific 
{
    "yum_repository": "AppStream"
}

podman

Package

Name
podman
Purl
pkg:rpm/rocky-linux/podman?distro=rocky-linux-8&epoch=2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2:4.0.2-24.module+el8.9.0+1445+07728297
Database specific 
{
    "yum_repository": "AppStream"
}

python-podman

Package

Name
python-podman
Purl
pkg:rpm/rocky-linux/python-podman?distro=rocky-linux-8&epoch=0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0:4.0.0-2.module+el8.9.0+1445+07728297
Database specific 
{
    "yum_repository": "AppStream"
}

runc

Package

Name
runc
Purl
pkg:rpm/rocky-linux/runc?distro=rocky-linux-8&epoch=1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:1.1.5-2.module+el8.9.0+1445+07728297
Database specific 
{
    "yum_repository": "AppStream"
}

slirp4netns

Package

Name
slirp4netns
Purl
pkg:rpm/rocky-linux/slirp4netns?distro=rocky-linux-8&epoch=0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0:1.1.8-3.module+el8.9.0+1445+07728297
Database specific 
{
    "yum_repository": "AppStream"
}

udica

Package

Name
udica
Purl
pkg:rpm/rocky-linux/udica?distro=rocky-linux-8&epoch=0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0:0.2.6-4.module+el8.9.0+1445+07728297
Database specific 
{
    "yum_repository": "AppStream"
}