3:51 p.m.
Today, we're releasing updates to fix CVE-2020-14370 [1], a security
issue in Podman. This is a medium-severity information disclosure
vulnerability that affects containers created using Podman’s Varlink
API or the Docker-compatible version of its REST API. If two or more
containers are created using these APIs, and the first container had
environment variables added to it when it was created, all subsequent
containers created using the Varlink or Docker-compatible REST APIs
will also have these environment variables added. This effect does not
persist after restarting the Podman API service.
Podman v2.0.5 and higher contain a fix for the CVE. If you use either
of these APIs, please update to Podman v2.0.5 or later. We will also
be patching the long-term support v1.6.4 release used in RHEL and
CentOS.
[1] https://access.redhat.com/security/cve/cve-2020-14370