ALSA-2022%3A8008
The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to: Create a working container, either from scratch or using an image as a starting point; Create an image, either from a working container or using the instructions in a Dockerfile; Build both Docker and OCI images. Security Fix(es): * containers/storage: DoS via malicious image (CVE-2021-20291) * golang: net: lookup functions may return invalid host names (CVE-2021-33195) * golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197) * golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198) * golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191) * podman: possible information disclosure and modification (CVE-2022-2989) * buildah: possible information disclosure and modification (CVE-2022-2990) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| AlmaLinux:9 | buildah-tests | 0, 0 |
| AlmaLinux:9 | buildah | 0, 0 |
Timeline
- Nov 15, 2022 CVE Published
- Nov 18, 2022 CVE Updated
- Mar 6, 2026 Distribution Patch
- Mar 6, 2026 Distribution Patch
- Mar 6, 2026 Security Advisory
References
- https://access.redhat.com/errata/RHSA-2022:8008 vendor-advisory
- https://access.redhat.com/security/cve/CVE-2021-20291 third-party-advisory
- https://access.redhat.com/security/cve/CVE-2021-33195 third-party-advisory
- https://access.redhat.com/security/cve/CVE-2021-33197 third-party-advisory
- https://access.redhat.com/security/cve/CVE-2021-33198 third-party-advisory
- https://access.redhat.com/security/cve/CVE-2022-27191 third-party-advisory
- https://access.redhat.com/security/cve/CVE-2022-2989 third-party-advisory
- https://access.redhat.com/security/cve/CVE-2022-2990 third-party-advisory
- https://bugzilla.redhat.com/1939485 third-party-advisory
- https://bugzilla.redhat.com/1989564 third-party-advisory
- https://bugzilla.redhat.com/1989570 third-party-advisory
- https://bugzilla.redhat.com/1989575 third-party-advisory
- https://bugzilla.redhat.com/2064702 third-party-advisory
- https://bugzilla.redhat.com/2121445 third-party-advisory
- https://bugzilla.redhat.com/2121453 third-party-advisory
- https://errata.almalinux.org/9/ALSA-2022-8008.html vendor-advisory