Security update for buildah SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:1437-1 Final 1 1 2022-04-27T12:55:23Z current 2022-04-27T12:55:23Z 2022-04-27T12:55:23Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for buildah This update for buildah fixes the following issues: - CVE-2022-27651: Fixed incorrect default inheritable capabilities for linux container (bsc#1197870). Update to version 1.25.1. The following non-security bugs were fixed: - add workaround for https://bugzilla.opensuse.org/show_bug.cgi?id=1183043 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2022-1437,SUSE-SLE-Module-Containers-15-SP3-2022-1437,openSUSE-SLE-15.3-2022-1437 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-20221437-1/ Link for SUSE-SU-2022:1437-1 https://lists.suse.com/pipermail/sle-security-updates/2022-April/010855.html E-Mail link for SUSE-SU-2022:1437-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1197870 SUSE Bug 1197870 https://www.suse.com/security/cve/CVE-2022-27651/ SUSE CVE CVE-2022-27651 page SUSE Linux Enterprise Module for Containers 15 SP3 openSUSE Leap 15.3 buildah-1.25.1-150300.8.6.1 buildah-1.25.1-150300.8.6.1 as a component of SUSE Linux Enterprise Module for Containers 15 SP3 buildah-1.25.1-150300.8.6.1 as a component of openSUSE Leap 15.3 A flaw was found in buildah where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, enabling an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. This has the potential to impact confidentiality and integrity. CVE-2022-27651 SUSE Linux Enterprise Module for Containers 15 SP3:buildah-1.25.1-150300.8.6.1 openSUSE Leap 15.3:buildah-1.25.1-150300.8.6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20221437-1/ https://www.suse.com/security/cve/CVE-2022-27651.html CVE-2022-27651 https://bugzilla.suse.com/1197870 SUSE Bug 1197870