Bug 33036 - buildah and podman new security issues CVE-2024-1753, CVE-2023-45290, CVE-2024-28180, CVE-2024-28176 and CVE-2024-9341; buildah and skopeo new security issue CVE-2024-3727; podman new security issue CVE-2024-6104; buildah new security issue CVE-2024-9407
Summary: buildah and podman new security issues CVE-2024-1753, CVE-2023-45290, CVE-202...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-03-29 14:52 CET by Nicolas Salguero
Modified: 2024-11-01 18:27 CET

See Also:
Source RPM: buildah-1.35.0-1.mga10.src.rpm, podman-4.8.3-1.mga10.src.rpm, skopeo-1.12.0-1.mga9.src.rpm
CVE: CVE-2024-1753, CVE-2024-3727, CVE-2023-45290, CVE-2024-28180, CVE-2024-28176, CVE-2024-9341, CVE-2024-6104, CVE-2024-9407
Status comment:


Attachments

Description Nicolas Salguero 2024-03-29 14:52:41 CET
That CVE was announced here:
https://github.com/containers/buildah/security/advisories/GHSA-pmf3-c36m-g5cf
https://github.com/containers/podman/security/advisories/GHSA-874v-pj72-92f3

That problem is fixed in buildah 1.35.1 and podman 4.9.4 (or 5.0.1).

Mageia 9 is also affected.
Nicolas Salguero 2024-03-29 14:53:18 CET

CVE: (none) => CVE-2024-1753
Source RPM: (none) => buildah-1.35.0-1.mga10.src.rpm, podman-4.8.3-1.mga10.src.rpm
Status comment: (none) => Fixed upstream in buildah 1.35.1 and podman 4.9.4
Whiteboard: (none) => MGA9TOO

Comment 1 Lewis Smith 2024-03-31 21:09:29 CEST
Both new versions cure it.
Assigning to Joseph who currently maintains these pkgs.

Assignee: bugsquad => joequant

Comment 2 Nicolas Salguero 2024-05-21 09:30:56 CEST
Fedora has issued an advisory on May 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CYT3D2P3OJKISNFKOOHGY6HCUCQZYAVR/

Status comment: Fixed upstream in buildah 1.35.1 and podman 4.9.4 => Fixed upstream in buildah 1.35.4 and podman 4.9.4
CVE: CVE-2024-1753 => CVE-2024-1753, CVE-2024-3727
Summary: buildah and podman new security issue CVE-2024-1753 => buildah and podman new security issue CVE-2024-1753, buildah new security issue CVE-2024-3727

Comment 3 Nicolas Salguero 2024-06-11 15:30:43 CEST
SUSE has issued an advisory on June 11:
https://lwn.net/Articles/977925/

Skopeo version 1.14.4 solves the problem so only Mageia 9 is affected.

Source RPM: buildah-1.35.0-1.mga10.src.rpm, podman-4.8.3-1.mga10.src.rpm => buildah-1.35.0-1.mga10.src.rpm, podman-4.8.3-1.mga10.src.rpm, skopeo-1.12.0-1.mga9.src.rpm
Summary: buildah and podman new security issue CVE-2024-1753, buildah new security issue CVE-2024-3727 => buildah and podman new security issue CVE-2024-1753, buildah and skopeo new security issue CVE-2024-3727

Comment 4 Nicolas Salguero 2024-06-13 10:01:29 CEST
RedHat has issued advisories on June 12:
https://lwn.net/Articles/978101/
https://lwn.net/Articles/978102/

Summary: buildah and podman new security issue CVE-2024-1753, buildah and skopeo new security issue CVE-2024-3727 => buildah and podman new security issues CVE-2024-1753, CVE-2023-45290, CVE-2024-28180 and CVE-2024-28176; buildah and skopeo new security issue CVE-2024-3727
CVE: CVE-2024-1753, CVE-2024-3727 => CVE-2024-1753, CVE-2024-3727, CVE-2023-45290, CVE-2024-28180, CVE-2024-28176

Comment 5 Nicolas Salguero 2024-07-04 09:18:29 CEST
SUSE has issued an advisory on July 3:
https://lists.suse.com/pipermail/sle-security-updates/2024-July/018858.html

Summary: buildah and podman new security issues CVE-2024-1753, CVE-2023-45290, CVE-2024-28180 and CVE-2024-28176; buildah and skopeo new security issue CVE-2024-3727 => buildah and podman new security issues CVE-2024-1753, CVE-2023-45290, CVE-2024-28180 and CVE-2024-28176; buildah and skopeo new security issue CVE-2024-3727; podman new security issue CVE-2024-6104

Comment 6 Nicolas Salguero 2024-10-11 09:08:39 CEST
openSUSE has issued advisories on October 8:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/PJ4RBOYLRKSRUVS77S4OAZ7SQJWH36K2/ (buildah)
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/MYMA7BZJZTURAPGKHV2ACU3HBJTKVYMK/ (podman)

CVE: CVE-2024-1753, CVE-2024-3727, CVE-2023-45290, CVE-2024-28180, CVE-2024-28176 => CVE-2024-1753, CVE-2024-3727, CVE-2023-45290, CVE-2024-28180, CVE-2024-28176, CVE-2024-9341, CVE-2024-3727, CVE-2024-6104, CVE-2024-9407
Summary: buildah and podman new security issues CVE-2024-1753, CVE-2023-45290, CVE-2024-28180 and CVE-2024-28176; buildah and skopeo new security issue CVE-2024-3727; podman new security issue CVE-2024-6104 => buildah and podman new security issues CVE-2024-1753, CVE-2023-45290, CVE-2024-28180, CVE-2024-28176 and CVE-2024-9341; buildah and skopeo new security issue CVE-2024-3727; podman new security issue CVE-2024-6104; buildah new security issue CVE-2024-9407
Status comment: Fixed upstream in buildah 1.35.4 and podman 4.9.4 => Fixed upstream in buildah 1.35.4 and podman 4.9.5, patches available from openSUSE

Comment 7 Joseph Wang 2024-10-11 17:53:49 CEST
Fixing

CC: (none) => joequant

Comment 8 Joseph Wang 2024-10-11 19:18:54 CEST
cauldron has been updated to 

buildah 1.37.4
skopeo 1.16.1
podman 5.2.4

Will run over the weekend and then push to mageia 9
Comment 9 Joseph Wang 2024-10-13 05:31:51 CEST
I updated the following in mageia 9 testing

skopeo 1.16.1
buildah 1.37.4
Comment 10 Joseph Wang 2024-10-15 23:52:23 CEST
Uploaded podman version 4.9.5 to mageia 9 testing.  Please test
Comment 11 Nicolas Salguero 2024-10-23 11:29:05 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A flaw was found in Buildah (and subsequently Podman Build) which allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write access to the host filesystem, allowing for full container escape at build time. (CVE-2024-1753)

A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks. (CVE-2024-3727)

When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines. (CVE-2023-45290)

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3. (CVE-2024-28180)

jose is a JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. Under certain conditions it is possible to have the user's environment consume an unreasonable amount of CPU time or memory during JWE Decryption operations. This issue has been patched in versions 2.0.7 and 4.15.5. (CVE-2024-28176)

A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system. (CVE-2024-9341)

go-retryablehttp prior to 0.7.7 did not sanitize URLs when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7. (CVE-2024-6104)

A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories from the host into a container during the build process and, in some cases, modify the contents of those mounted files. Even if SELinux is used, this vulnerability can bypass its protection by allowing the source directory to be relabeled to give the container access to host files. (CVE-2024-9407)

References:
https://github.com/containers/buildah/security/advisories/GHSA-pmf3-c36m-g5cf
https://github.com/containers/podman/security/advisories/GHSA-874v-pj72-92f3
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CYT3D2P3OJKISNFKOOHGY6HCUCQZYAVR/
https://lwn.net/Articles/978101/
https://lwn.net/Articles/978102/
https://lists.suse.com/pipermail/sle-security-updates/2024-July/018858.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/PJ4RBOYLRKSRUVS77S4OAZ7SQJWH36K2/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/MYMA7BZJZTURAPGKHV2ACU3HBJTKVYMK/
========================

Updated packages in core/updates_testing:
========================
skopeo-1.16.1-1.mga9

buildah-1.37.4-1.mga9
buildah-tests-1.37.4-1.mga9

podman-4.9.5-1.mga9
podman-docker-4.9.5-1.mga9
podman-fish-completion-4.9.5-1.mga9
podman-gvproxy-4.9.5-1.mga9
podman-plugins-4.9.5-1.mga9
podman-remote-4.9.5-1.mga9
podman-zsh-completion-4.9.5-1.mga9

from SRPMS:
skopeo-1.16.1-1.mga9.src.rpm
buildah-1.37.4-1.mga9.src.rpm
podman-4.9.5-1.mga9.src.rpm

CVE: CVE-2024-1753, CVE-2024-3727, CVE-2023-45290, CVE-2024-28180, CVE-2024-28176, CVE-2024-9341, CVE-2024-3727, CVE-2024-6104, CVE-2024-9407 => CVE-2024-1753, CVE-2024-3727, CVE-2023-45290, CVE-2024-28180, CVE-2024-28176, CVE-2024-9341, CVE-2024-6104, CVE-2024-9407
Whiteboard: MGA9TOO => (none)
Assignee: joequant => qa-bugs
Status comment: Fixed upstream in buildah 1.35.4 and podman 4.9.5, patches available from openSUSE => (none)
Version: Cauldron => 9
Status: NEW => ASSIGNED
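The advisory above describes the CVE-2024-28180 fix as refusing to decompress JWE payloads beyond 250kB or 10x the compressed size, whichever is larger. The following is an added Go example written for this page to illustrate that bound; it is not go-jose's code and works on a raw DEFLATE stream via compress/flate rather than through the JWE layer. The names safeInflate, deflate, decompressLimit and the constructed payloads are assumptions.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// minDecompressedLimit is the absolute floor from the advisory text: 250kB.
const minDecompressedLimit = 250 * 1024

// ErrDecompressionBomb is returned when inflating would exceed the bound.
var ErrDecompressionBomb = errors.New("decompressed size exceeds limit")

// decompressLimit returns max(250kB, 10 * compressed length), the rule the
// advisory attributes to the patched go-jose releases.
func decompressLimit(compressedLen int) int64 {
	limit := int64(compressedLen) * 10
	if limit < minDecompressedLimit {
		limit = minDecompressedLimit
	}
	return limit
}

// safeInflate decompresses a DEFLATE stream but stops reading as soon as the
// output would exceed the bound, so a highly compressible "bomb" never gets
// materialised in memory. Reading limit+1 bytes is the cheapest way to detect
// that the stream is larger than allowed without inflating it completely.
func safeInflate(compressed []byte) ([]byte, error) {
	limit := decompressLimit(len(compressed))
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	buf, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(buf)) > limit {
		return nil, ErrDecompressionBomb
	}
	return buf, nil
}

// deflate is a helper used only to construct test inputs for this example.
func deflate(plain []byte) ([]byte, error) {
	var out bytes.Buffer
	w, err := flate.NewWriter(&out, flate.BestCompression)
	if err != nil {
		return nil, err
	}
	if _, err := w.Write(plain); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return out.Bytes(), nil
}

func main() {
	// Constructed inputs: a small legitimate payload and 4 MiB of zeros, which
	// DEFLATE shrinks to a few kilobytes (far below 1/10 of its inflated size).
	small, _ := deflate([]byte("hello jose"))
	bomb, _ := deflate(bytes.Repeat([]byte{0}, 4<<20))

	got, err := safeInflate(small)
	fmt.Printf("small: %q err=%v\n", got, err)

	_, err = safeInflate(bomb)
	fmt.Printf("bomb (%d compressed bytes, limit %d): err=%v\n",
		len(bomb), decompressLimit(len(bomb)), err)
}
```

The ratio-based limit matters because a fixed cap alone either blocks large legitimate payloads or lets small ciphertexts expand to the cap on every request; tying the bound to the compressed size keeps the attacker's cost proportional to the defender's.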
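The CVE-2024-6104 entry above is a log-sanitization problem: a request URL carrying basic-auth userinfo was written to the log verbatim. The following is an added Go example written for this page, not go-retryablehttp's code, contrasting the risky pattern with one that redacts the password via net/url's Redacted method before formatting the line. The function names, the "[DEBUG]" prefix and the sample URL are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
)

// naiveLogLine formats the raw URL into the log message. If the URL carries
// user:password@ userinfo, the password lands in the log file.
func naiveLogLine(method, raw string) string {
	return fmt.Sprintf("[DEBUG] %s %s", method, raw)
}

// redactedLogLine parses the URL first and logs url.URL.Redacted(), which
// replaces a present password with a fixed "xxxxx" marker while keeping the
// scheme, host, path and username so the line stays useful for debugging.
// A URL that fails to parse is never echoed back, since an unparseable
// string may still contain a secret.
func redactedLogLine(method, raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Sprintf("[DEBUG] %s <unparseable url>", method)
	}
	return fmt.Sprintf("[DEBUG] %s %s", method, u.Redacted())
}

func main() {
	// Constructed sample: a registry URL with embedded basic-auth credentials.
	raw := "https://ci-bot:hunter2-example@registry.example.test/v2/"
	fmt.Println(naiveLogLine("GET", raw))
	fmt.Println(redactedLogLine("GET", raw))
}
```

Redacted() only rewrites the password component; a username-only URL is logged unchanged, and credentials sent some other way (headers, query parameters) need their own handling.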

katnatek 2024-10-23 20:09:14 CEST

Keywords: (none) => advisory

Comment 12 Herman Viaene 2024-10-25 14:57:52 CEST
MGA9-64 MATE on HP Pavilion
No installation issues.
This is a field way out of my knowledge area, so I'm glad it apparently does not harm anything else.

CC: (none) => herman.viaene

Comment 13 Thomas Andrews 2024-10-30 00:17:58 CET
I don't know what I'm doing either, but that's nothing new. Forging on...

MGA9-64 Plasma. I downloaded the test packages using qarepo, and installed all of them, plus dependencies, with no issues.

Scouring the web, I found a Youtube video "for beginners" of podman. The first thing was to get the version:

[tom@localhost ~]$ podman version
Client:       Podman Engine
Version:      4.9.5
API Version:  4.9.5
Go Version:   go1.21.12
Built:        Sun Oct 13 22:26:52 2024
OS/Arch:      linux/amd64

The next suggestion was to run a test container, but here is where the video and I went in different directions. The video's command produced a cute little graphic, but mine accessed a docker container of the same name:

[tom@localhost ~]$ podman run hello-world
Resolved "hello-world" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/hello-world:latest...
Getting image source signatures
Copying blob c1ec31eb5944 done   | 
Copying config d2c94e258d done   | 
Writing manifest to image destination

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

Encouraged by the message that it was working properly (even if it was a docker message), I modified the suggested "more ambitious" docker command into a podman command:

[tom@localhost ~]$ podman run -it ubuntu bash
Resolved "ubuntu" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/ubuntu:latest...
Getting image source signatures
Copying blob ff65ddf9395b done   | 
Copying config 59ab366372 done   | 
Writing manifest to image destination
root@b6f53c2aef2c:/# 

That looks like it's working to me. That's as far as I can take it. Giving this a tentative OK with this basic test, but it feels... incomplete. 

However, further testing may be beyond the scope of QA. I'll leave it for a couple of days before validating, and if anyone wants to try to take it further, feel free to do so.

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK

Comment 14 Thomas Andrews 2024-11-01 00:47:22 CET
Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 15 Mageia Robot 2024-11-01 18:27:43 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0343.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

