Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix CVE-2021-4024 - v3.4 branch #12497

Merged
merged 1 commit into from
Dec 3, 2021
Merged

Fix CVE-2021-4024 - v3.4 branch #12497

merged 1 commit into from
Dec 3, 2021

Conversation

mheon
Copy link
Member

@mheon mheon commented Dec 3, 2021

This resolves CVE-2021-4024, where an attacker could access the API externally and forward any port they desired to the VM from podman machine.

This is only required on v3.4 and v3.4.2-rhel branches, as main already has a similar fix from @Luap99 rewriting this code. Unfortunately we can't backport that, as it's an extensive rewrite that depends on the even more extensive rewrites of the network code.

[NO NEW TESTS NEEDED] gvproxy is not tested directly at this time.

@mheon
Swap bind address for gvproxy to localhost-only
57c5e22 
This resolves CVE-2021-4024, where an attacker could access the
API externally and forward any port they desired to the VM from
`podman machine`.

[NO NEW TESTS NEEDED] gvproxy is not tested directly at this
time.

Signed-off-by: Matthew Heon <[email protected]>
@openshift-ci openshift-ci bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Dec 3, 2021
rst0git
rst0git approved these changes Dec 3, 2021
View reviewed changes
Copy link
Contributor

@rst0git rst0git left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Dec 3, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mheon, rst0git

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@mheon
Copy link
Member Author

mheon commented Dec 3, 2021

Confirmed working on OS X by @baude - removing WIP

@mheon mheon changed the title [WIP] Fix CVE-2021-4024 - v3.4 branch Fix CVE-2021-4024 - v3.4 branch Dec 3, 2021
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 3, 2021
@mheon
Copy link
Member Author

mheon commented Dec 3, 2021

@containers/podman-maintainers PTAL

@rhatdan
Copy link
Member

rhatdan commented Dec 3, 2021

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Dec 3, 2021
@openshift-merge-robot openshift-merge-robot merged commit fe44757 into containers:v3.4 Dec 3, 2021
@TomSweeneyRedHat
Copy link
Member

LGTM

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 22, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@rst0git rst0git rst0git approved these changes

Assignees

@rhatdan rhatdan

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@mheon @rhatdan @TomSweeneyRedHat @rst0git @openshift-merge-robot