Bugzilla – Bug 1204255
VUL-0: CVE-2022-3466: cri-o: regression of CVE-2022-27652
Last modified: 2023-01-12 15:46:19 UTC
rh#2134063

The following cri-o packages as released for Red Hat OpenShift Container Platform 4.9.48, 4.10.31 and 4.11.6 included an incorrect version of cri-o that was missing the fix for CVE-2022-27652:

- cri-o-1.22.5-10.rhaos4.9.gitd14fede.el8 via RHBA-2022:6316 (https://access.redhat.com/errata/RHBA-2022:6316)
- cri-o-1.23.3-16.rhaos4.10.gitd7c9b35.el8 via RHBA-2022:6257 (https://access.redhat.com/errata/RHBA-2022:6257)
- cri-o-1.24.2-7.rhaos4.11.gitca400e0.el8 via RHBA-2022:6658 (https://access.redhat.com/errata/RHBA-2022:6658)

The regressed CVE-2022-27652 was previously corrected in Red Hat OpenShift Container Platform 4.9.41 and 4.10.12 via RHBA-2022:5433 and RHSA-2022:1600, respectively. CVE-2022-3466 was assigned to this security regression and it is specific to the cri-o packages produced by Red Hat.

The original issue could allow an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. For more details about the original issue, see:

https://access.redhat.com/security/cve/CVE-2022-27652
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2022-27652

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2134063
https://bugzilla.redhat.com/show_bug.cgi?id=2066839
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3466
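The sentence above about inheritable file capabilities being promoted to the permitted set on execve(2) is the whole mechanism behind CVE-2022-27652, and the practical check for it is simple: look at the CapInh line of /proc/<pid>/status inside a container. The following is an added example, not code from this bug report, from cri-o or from Red Hat. It parses /proc status text, decodes the capability bitmasks using the Linux capability numbering from <linux/capability.h>, and applies the capabilities(7) execve transformation rules (for a non-root caller; the uid 0 special case is not modelled) to show why a non-empty process inheritable set matters. It goes beyond the page's single case by also showing the bounding-set limit on file permitted capabilities. The two /proc status snippets are constructed samples: the mask 0xa80425fb is the commonly used default container capability set, and the binary's file capabilities are assumed, not taken from any real package.

```python
import re

# Linux capability numbering (bit index -> name) from <linux/capability.h>.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]
CAP_BIT = {name: 1 << i for i, name in enumerate(CAP_NAMES)}


def mask(*names):
    """Build a capability bitmask from capability names."""
    m = 0
    for n in names:
        m |= CAP_BIT[n]
    return m


def decode(value):
    """Turn a capability bitmask into a sorted list of names."""
    return sorted(n for n, b in CAP_BIT.items() if value & b)


def parse_proc_status(text):
    """Extract the five Cap* hex masks from /proc/<pid>/status text."""
    caps = {}
    for m in re.finditer(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", text, re.M):
        caps[m.group(1)] = int(m.group(2), 16)
    return caps


def caps_after_execve(proc, file_inh, file_prm, file_eff):
    """capabilities(7) transformation on execve(2) for a non-root caller.

    P'(ambient)   = 0 if the file carries capabilities, else P(ambient)
    P'(permitted) = (P(inh) & F(inh)) | (F(prm) & P(bnd)) | P'(ambient)
    P'(effective) = P'(permitted) if F(eff) else P'(ambient)
    """
    privileged_file = bool(file_inh or file_prm)
    new_amb = 0 if privileged_file else proc["CapAmb"]
    new_prm = (proc["CapInh"] & file_inh) | (file_prm & proc["CapBnd"]) | new_amb
    new_eff = new_prm if file_eff else new_amb
    return {"CapInh": proc["CapInh"], "CapPrm": new_prm, "CapEff": new_eff,
            "CapBnd": proc["CapBnd"], "CapAmb": new_amb}


def gained_permitted(proc, file_inh, file_prm, file_eff):
    """Capabilities that land in the permitted set only because of the exec."""
    after = caps_after_execve(proc, file_inh, file_prm, file_eff)
    return decode(after["CapPrm"] & ~proc["CapPrm"])


# Constructed sample: a non-root shell in a container whose runtime still fills
# CapInh with the default container set (the pre-fix behaviour).  Permitted is
# empty because the process runs as uid 1000, but inheritable is not.
DEFAULT_CONTAINER_CAPS = mask(
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FOWNER", "CAP_FSETID", "CAP_KILL",
    "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_NET_BIND_SERVICE",
    "CAP_NET_RAW", "CAP_SYS_CHROOT", "CAP_MKNOD", "CAP_AUDIT_WRITE", "CAP_SETFCAP")

VULN_STATUS = """Name:\tsh
Uid:\t1000\t1000\t1000\t1000
CapInh:\t00000000a80425fb
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

# Constructed sample: same container after the fix, CapInh cleared.
FIXED_STATUS = VULN_STATUS.replace("CapInh:\t00000000a80425fb",
                                   "CapInh:\t0000000000000000")

# Assumed file capabilities on some binary inside the image, e.g. what
# "setcap cap_net_raw+ei" would produce.  Not from any real package.
FILE_INH = mask("CAP_NET_RAW")

if __name__ == "__main__":
    for label, status in (("pre-fix", VULN_STATUS), ("fixed", FIXED_STATUS)):
        proc = parse_proc_status(status)
        print(label, "CapInh:", decode(proc["CapInh"]))
        print(label, "gained on exec of cap_net_raw+ei binary:",
              gained_permitted(proc, FILE_INH, 0, True))
```

On a real host the input is `grep Cap /proc/self/status` run inside the container (or `capsh --decode=<hex>` for a quick look at one mask). A non-empty CapInh for a non-root container process is the condition that lets a binary with inheritable file capabilities acquire them on exec; with CapInh cleared, the same binary gains nothing, and file permitted capabilities remain limited by the bounding set.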
So far it looks like this regression is Red Hat specific.
We are not affected, closing.