CVE-2021-20199 (https://bugzilla.redhat.com/show_bug.cgi?id=1919050):
Rootless containers run with Podman receive all traffic with a source IP address of 127.0.0.1 (including from remote hosts). This impacts containerized applications that trust localhost (127.0.0.1) connections by default and do not require authentication. This issue affects Podman 1.8.0 onwards.
Merged PR: https://github.com/containers/podman/commit/f02aba659447ea9198851231d7f11a8bfdfe69ba
Maintainer, is it possible to backport the patch? If not we'll have to wait for a release.
There is https://github.com/containers/podman/pull/9221 which seems to be the backport to 2.2.1, but then again 3.0.0 was just released.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a18840200a21a31f189ca330a3061791c0ed53c2
commit a18840200a21a31f189ca330a3061791c0ed53c2
Author: Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-02-25 21:45:15 +0000
Commit: Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-02-25 22:09:29 +0000
    app-emulation/podman: Bump to version 3.0.1
    Bug: https://bugs.gentoo.org/768597
    Closes: https://bugs.gentoo.org/770505
    Package-Manager: Portage-3.0.15, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>
 app-emulation/podman/Manifest | 1 +
 app-emulation/podman/podman-3.0.1.ebuild | 165 +++++++++++++++++++++++++++++++
 2 files changed, 166 insertions(+)
Please clean up.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d9f0cfadb9f345905a350a9389c1f0034ff22754
commit d9f0cfadb9f345905a350a9389c1f0034ff22754
Author: Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-02-26 00:26:27 +0000
Commit: Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-02-26 00:26:51 +0000
    app-emulation/podman: Remove vulnerable version 2.2.1
    Bug: https://bugs.gentoo.org/768597
    Package-Manager: Portage-3.0.15, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>
 app-emulation/podman/Manifest | 1 -
 app-emulation/podman/podman-2.2.1.ebuild | 161 -------------------------------
 2 files changed, 162 deletions(-)
Thank you! No GLSA, closing.