Source: podman
Version: 5.4.2+ds1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for podman.

CVE-2025-9566[0]:
| There's a vulnerability in podman where an attacker may use the kube
| play command to overwrite host files when the kube file contains a
| Secret or a ConfigMap volume mount and such volume contains a
| symbolic link to a host file path. In a successful attack, the
| attacker can only control the target file to be overwritten but not
| the content to be written into the file.

Binary-Affected: podman
Upstream-version-introduced: v4.0.0
Upstream-version-fixed: v5.6.1

The only (initial) reference was the bugzilla[1] entry from Red Hat, but
the commit [2] matches the description TTBOMK.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-9566
    https://www.cve.org/CVERecord?id=CVE-2025-9566
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2393152
[2] https://github.com/containers/podman/commit/aaf8b9dc0cfec76444f7eda60660347646b90a13

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

_______________________________________________
Pkg-go-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-go-maintainers
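The bug class described in the CVE text above (a Secret/ConfigMap volume directory that already contains a symlink, and a writer that joins the entry name onto the volume root and writes through it) is easy to reproduce in isolation. The following Go program is an added example written for this page; it is not podman's code and not the referenced upstream commit, and it makes no claim about how that commit fixes the issue. The layout it builds (a "host" file plus a "volume" directory holding a file symlink and a directory symlink into the host tree), the function names, and the hardening strategy in safeWriteVolumeFile are all my own construction. That hardened variant resolves the parent chain, confines it to the volume root, refuses a symlink at the final component, and opens with O_NOFOLLOW (Linux/macOS) to close the window between the check and the open; in production code I would reach for a root-confined path resolver instead (for example github.com/cyphar/filepath-securejoin, or openat2 with RESOLVE_IN_ROOT on Linux), which is a recommendation, not something the page states.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// ErrEscapesRoot is returned when a write target resolves outside the volume root.
var ErrEscapesRoot = errors.New("destination resolves outside the volume root")

// unsafeWriteVolumeFile shows the bug class: the entry name is joined onto the
// volume root and written with a plain WriteFile, so a symlink already sitting
// at that name is followed and the host file it points at is overwritten.
func unsafeWriteVolumeFile(root, name string, data []byte) error {
	return os.WriteFile(filepath.Join(root, name), data, 0o600)
}

// safeWriteVolumeFile is an illustrative hardened variant (not podman's fix):
// traversal is stripped lexically, symlinks in the parent chain are resolved
// and confined to root, a symlink at the final component is refused, and the
// open uses O_NOFOLLOW so a link racing in after the Lstat is refused as well.
func safeWriteVolumeFile(root, name string, data []byte) error {
	absRoot, err := filepath.Abs(root)
	if err == nil {
		absRoot, err = filepath.EvalSymlinks(absRoot)
	}
	if err != nil {
		return err
	}
	// Clean("/"+name) maps "../../x" to "/x", so ".." can never leave root.
	dest := filepath.Join(absRoot, filepath.Clean("/"+name))

	parent, err := filepath.EvalSymlinks(filepath.Dir(dest))
	if err != nil {
		return err
	}
	if parent != absRoot && !strings.HasPrefix(parent, absRoot+string(os.PathSeparator)) {
		return fmt.Errorf("%s: %w", name, ErrEscapesRoot)
	}
	fi, err := os.Lstat(dest)
	switch {
	case err == nil && fi.Mode()&os.ModeSymlink != 0:
		return fmt.Errorf("%s: %w (final component is a symlink)", name, ErrEscapesRoot)
	case err != nil && !errors.Is(err, os.ErrNotExist):
		return err
	}
	f, err := os.OpenFile(dest, os.O_WRONLY|os.O_CREATE|os.O_TRUNC|syscall.O_NOFOLLOW, 0o600)
	if err != nil {
		return err
	}
	if _, err := f.Write(data); err != nil {
		f.Close()
		return err
	}
	return f.Close()
}

// Scenario is the constructed layout used below: a host file that must stay
// untouched, and a "volume" directory shaped like an attacker's Secret or
// ConfigMap volume, holding a file symlink and a directory symlink into host.
type Scenario struct {
	Root     string // the volume directory the kube play logic writes into
	HostFile string // the file volume/config.yaml points at
}

func buildScenario(base string) (Scenario, error) {
	host, vol := filepath.Join(base, "host"), filepath.Join(base, "volume")
	for _, d := range []string{host, vol} {
		if err := os.MkdirAll(d, 0o700); err != nil {
			return Scenario{}, err
		}
	}
	sc := Scenario{Root: vol, HostFile: filepath.Join(host, "important.conf")}
	if err := os.WriteFile(sc.HostFile, []byte("original host content\n"), 0o600); err != nil {
		return Scenario{}, err
	}
	// volume/config.yaml -> host/important.conf  (file symlink)
	if err := os.Symlink(sc.HostFile, filepath.Join(vol, "config.yaml")); err != nil {
		return Scenario{}, err
	}
	// volume/etc -> host  (directory symlink; exercises the parent-chain check)
	return sc, os.Symlink(host, filepath.Join(vol, "etc"))
}

func main() {
	base, err := os.MkdirTemp("", "kube-play-symlink")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	sc, err := buildScenario(base)
	if err != nil {
		panic(err)
	}
	payload := []byte("content chosen by the kube file\n")
	_ = unsafeWriteVolumeFile(sc.Root, "config.yaml", payload)
	after, _ := os.ReadFile(sc.HostFile)
	fmt.Printf("unsafe write: host file now %q\n", after)
	fmt.Println("safe, file symlink:", safeWriteVolumeFile(sc.Root, "config.yaml", payload))
	fmt.Println("safe, dir symlink: ", safeWriteVolumeFile(sc.Root, "etc/important.conf", payload))
	fmt.Println("safe, plain name:  ", safeWriteVolumeFile(sc.Root, "../plain.txt", payload))
}
```

Run it with `go run` on Linux or macOS. The unsafe path clobbers host/important.conf even though the caller only ever named volume/config.yaml, which is exactly the "attacker controls the target but not the content" outcome in the CVE text; the hardened path rejects both the file symlink and the directory symlink and still writes an ordinary entry (even one spelled with `..`) inside the volume. The lexical cleaning only neutralises `..`; symlinks need the filesystem-level checks, and a root-confined resolver remains the more robust choice for real code.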
