Bug 1097970 - (CVE-2018-10856) VUL-0: CVE-2018-10856: podman: Containers run as non-root users do not drop capabilities
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P2 - High
Severity: Normal
Target Milestone: ---
Assigned To: Valentin Rothberg
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/208413/
Reported: 2018-06-18 06:33 UTC by Marcus Meissner
Modified: 2022-02-04 18:25 UTC (History)
See Also:
Found By: Security Response Team
Description Marcus Meissner 2018-06-18 06:33:34 UTC
Podman before version 0.6.1 does not drop capabilities when executing a container as a non-root user. This results in unnecessary privileges being granted to the container.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1592166
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10856
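An added audit helper, not code from the bug report or from podman, that shows what the described defect looks like from inside a container: it parses the Uid and capability masks Linux exposes in /proc/<pid>/status and reports any capabilities a non-root process still holds. The sample status texts are constructed; 0xa80425fb is the usual default container capability set.

```python
import re

# Capability bit numbers from linux/capability.h (bit i == capability number i).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read",
]


def decode_caps(hexmask):
    """Turn a CapEff/CapPrm/CapBnd hex mask into a set of capability names."""
    mask = int(hexmask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}


def parse_status(text):
    """Extract the effective UID and capability sets from /proc/<pid>/status text."""
    fields = dict(re.findall(r"^(\w+):\s+(.*)$", text, re.M))
    euid = int(fields["Uid"].split()[1])  # columns: real, effective, saved, fs
    caps = {k: decode_caps(fields[k]) for k in ("CapEff", "CapPrm", "CapBnd")}
    return euid, caps


def audit(text):
    """Return capabilities a non-root process still holds; an empty set is the expected result."""
    euid, caps = parse_status(text)
    if euid == 0:
        return set()  # root keeps the bounding set by design; only non-root is checked here
    # A non-root process that dropped capabilities has empty permitted and effective sets.
    return caps["CapEff"] | caps["CapPrm"]


# Constructed samples of /proc/<pid>/status as seen inside a container run as UID 1000.
# Affected behaviour: the non-root process keeps the full default set.
STATUS_NOT_DROPPED = ("Name:\tsh\nUid:\t1000\t1000\t1000\t1000\n"
                      "CapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
                      "CapBnd:\t00000000a80425fb\n")
# Fixed behaviour: permitted and effective sets are empty for the non-root user.
STATUS_DROPPED = ("Name:\tsh\nUid:\t1000\t1000\t1000\t1000\n"
                  "CapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n"
                  "CapBnd:\t00000000a80425fb\n")

if __name__ == "__main__":
    print("not dropped:", sorted(audit(STATUS_NOT_DROPPED)))  # 14 names
    print("dropped:", sorted(audit(STATUS_DROPPED)))          # []
```

Run it against a live process with `open("/proc/self/status").read()` in place of the constructed strings.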
Comment 1 Marcus Meissner 2018-06-18 06:34:02 UTC
is to be in CAASP 3 and 4 and also in Factory.

no IBS maintainer assigned yet.
Comment 2 Valentin Rothberg 2018-06-18 06:51:20 UTC
Thanks for opening the issue. Factory isn't affected anymore, as we're already on v0.6.2 and I just opened an SR for v0.6.3 an hour ago.

In case of CaaSP, I think that we can update it. Note that Podman isn't run by default in _any_ deployment; its sole purpose is to help debugging a CRI-O cluster (tech preview).
Comment 6 Swamp Workflow Management 2018-09-13 16:11:44 UTC
SUSE-SU-2018:2704-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1097970
CVE References: CVE-2018-10856
Sources used:
SUSE CaaS Platform 3.0 (src):    podman-0.8.5-3.3.1
Comment 7 Valentin Rothberg 2018-10-01 05:34:00 UTC
Marcus, can we close this bug? The update is finally available but I am hesitant to close it as I am not part of the security team.
Comment 9 Marcus Meissner 2018-10-01 09:04:05 UTC
updates are released