suse-su-2023:1814-1
Vulnerability from csaf_suse
Published
2023-04-11 12:40
Modified
2023-04-11 12:40
Summary
Security update for podman

Notes

Title of the patch
Security update for podman
Description of the patch
This update for podman fixes the following issues:

Update to version 4.4.4:

  * libpod: always use direct mapping
  * macos pkginstaller: do not fail when podman-mac-helper fails
  * podman-mac-helper: install: do not error if already installed

- podman.spec: Bump required version for libcontainers-common (bsc#1209495)

Update to version 4.4.3:

  * compat: /auth: parse server address correctly
  * vendor github.com/containers/common@v0.51.1
  * pkginstaller: bump Qemu to version 7.2.0
  * podman machine: Adjust Chrony makestep config
  * [v4.4] fix --health-on-failure=restart in transient unit
  * podman logs passthrough driver support --cgroups=split
  * journald logs: simplify entry parsing
  * podman logs: read journald with passthrough
  * journald: remove initializeJournal()
  * netavark: only use aardvark ip as nameserver
  * compat API: network create return 409 for duplicate
  * fix 'podman logs --since --follow' flake
  * system service --log-level=trace: support hijack
  * podman-mac-helper: exit 1 on error
  * bump golang.org/x/net to v0.8.0
  * Fix package restore
  * Quadlet - use the default runtime

Update to version 4.4.2:

  * Revert 'CI: Temporarily disable all AWS EC2-based tasks'
  * kube play: only enforce passthrough in Quadlet
  * Emergency fix for man pages: check for broken includes
  * CI: Temporarily disable all AWS EC2-based tasks
  * quadlet system tests: add useful defaults, logging
  * volume,container: chroot to source before exporting content
  * install sigproxy before start/attach
  * Update to c/image 5.24.1
  * events + container inspect test: RHEL fixes

- podman.spec: add `crun` requirement for quadlet
- podman.spec: set PREFIX at build stage (bsc#1208510)

- CVE-2023-0778: Fixed symlink exchange attack in podman export volume (bsc#1208364)

Update to version 4.4.1:

  * kube play: do not teardown unconditionally on error
  * Resolve symlink path for qemu directory if possible
  * events: document journald identifiers
  * Quadlet: exit 0 when there are no files to process
  * Cleanup podman-systemd.unit file
  * Install podman-systemd.unit man page, make quadlet discoverable
  * Add missing return after errors
  * oci: bind mount /sys with --userns=(auto|pod:)
  * docs: specify order preference for FROM
  * Cirrus: Fix & remove GraphQL API tests
  * test: adapt test to work on cgroupv1
  * make hack/markdown-preprocess parallel-safe
  * Fix default handling of pids-limit
  * system tests: fix volume exec/noexec test

Update to version 4.4.0:

  * Emergency fix for RHEL8 gating tests
  * Do not mount /dev/tty into rootless containers
  * Fixes port collision issue on use of --publish-all
  * Fix usage of absolute windows paths with --image-path
  * fix #17244: use /etc/timezone where `timedatectl` is missing on Linux
  * podman-events: document verbose create events
  * Making gvproxy.exe optional for building Windows installer
  * Add gvproxy to Windows packages
  * Match VT device paths to be blocked from mounting exactly
  * Clean up more language for inclusiveness
  * Set runAsNonRoot=true in gen kube
  * quadlet: Add device support for .volume files
  * fix: running check error when podman is default in wsl
  * fix: don't output 'ago' when container is currently up and running
  * journald: podman logs only show logs for current user
  * journald: podman events only show events for current user
  * Add (podman {image,manifest} push --sign-by-sigstore=param-file.yaml)
  * DB: make loading container states optional
  * ps: do not sync container
  * Allow --device-cgroup-rule to be passed in by docker API
  * Create release notes for v4.4.0
  * Cirrus: Update operating branch
  * fix APIv2 python attach test flake
  * ps: query health check in batch mode
  * make example volume import, not import volume
  * Correct output when inspecting containers created with --ipc
  * Vendor containers/(storage, image, common, buildah)
  * Get correct username in pod when using --userns=keep-id
  * ps: get network data in batch mode
  * build(deps): bump github.com/onsi/gomega from 1.25.0 to 1.26.0
  * add hack/perf for comparing two container engines
  * systems: retrofit dns options test to honor other search domains
  * ps: do not create copy of container config
  * libpod: set search domain independently of nameservers
  * libpod,netavark: correctly populate /etc/resolv.conf with custom dns server
  * podman: relay custom DNS servers to network stack
  * (fix) mount_program is in storage.options.overlay
  * Change example target to default in doc
  * network create: do not allow `default` as name
  * kube-play: add support for HostPID in podSpec
  * build(deps): bump github.com/docker/docker
  * Let's see if #14653 is fixed or not
  * Add support for podman build --group-add
  * vendor in latest containers/(storage, common, build, image)
  * unskip network update test
  * do not install swagger by default
  * pasta: skip 'Local forwarder, IPv4' test
  * add testbindings Makefile target
  * update CI images to include pasta
  * [CI:DOCS] Add CNI deprecation notices to documentation
  * Cirrus: preserve podman-server logs
  * waitPidStop: reduce sleep time to 10ms
  * StopContainer: return if cleanup process changed state
  * StopSignal: add a comment
  * StopContainer: small refactor
  * waitPidStop: simplify code
  * e2e tests: reenable long-skipped build test
  * Add openssh-clients to podmanimage
  * Reworks Windows smoke test to tunnel through interactive session.
  * fix bud-multiple-platform-with-base-as-default-arg flake
  * Remove ReservedAnnotations from kube generate specification
  * e2e: update test/README.md
  * e2e: use isRootless() instead of rootless.IsRootless()
  * Cleanup documentation on --userns=auto
  * Vendor in latest c/common
  * sig-proxy system test: bump timeout
  * build(deps): bump github.com/containernetworking/plugins
  * rootless: rename auth-scripts to preexec-hooks
  * Docs: version-check updates
  * commit: use libimage code to parse changes
  * [CI:DOCS] Remove experimental mac tutorial
  * man: Document the interaction between --systemd and --privileged
  * Make rootless privileged containers share the same tty devices as rootfull ones
  * container kill: handle stopped/exited container
  * Vendor in latest containers/(image,ocicrypt)
  * add a comment to container removal
  * Vendor in latest containers/storage
  * Cirrus: Run machine tests on PR merge
  * fix flake in kube system test
  * kube play: complete container spec
  * E2E Tests: Use inspect instead of actual data to avoid UDP flake
  * Use containers/storage/pkg/regexp in place of regexp
  * Vendor in latest containers/storage
  * Cirrus: Support using updated/latest NV/AV in PRs
  * Limit replica count to 1 when deploying from kubernetes YAML
  * Set StoppedByUser earlier in the process of stopping
  * podman-play system test: refactor
  * network: add support for podman network update and --network-dns-server
  * service container: less verbose error logs
  * Quadlet Kube - add support for PublishPort key
  * e2e: fix systemd_activate_test
  * Compile regex on demand not in init
  * [docker compat] Don't overwrite the NetworkMode if containers.conf overrides netns.
  * E2E Test: Play Kube set deadline to connection to avoid hangs
  * Only prevent VTs to be mounted inside privileged systemd containers
  * e2e: fix play_kube_test
  * Updated error message for supported VolumeSource types
  * Introduce pkg retry logic in win installer task
  * logformatter: include base SHA, with history link
  * Network tests: ping redhat.com, not podman.io
  * cobra: move engine shutdown to Execute
  * Updated options for QEMU on Windows hosts
  * Update Mac installer to use gvproxy v0.5.0
  * podman: podman rm -f doesn't leave processes
  * oci: check for valid PID before kill(pid, 0)
  * linux: add /sys/fs/cgroup if /sys is a bind mount
  * Quadlet: Add support for ConfigMap key in Kube section
  * remove service container _after_ pods
  * Kube Play - allow setting and overriding published host ports
  * oci: terminate all container processes on cleanup
  * Update win-sshproxy to 0.5.0 gvisor tag
  * Vendor in latest containers/common
  * Fix a potential defer logic error around locking
  * logformatter: nicer formatting for bats failures
  * logformatter: refactor verbose line-print
  * e2e tests: stop using UBI images
  * k8s-file: podman logs --until --follow exit after time
  * journald: podman logs --until --follow exit after time
  * journald: seek to time when --since is used
  * podman logs: journald fix --since and --follow
  * Preprocess files in UTF-8 mode
  * Vendor in latest containers/(common, image, storage)
  * Switch to C based msi hooks for win installer
  * hack/bats: improve usage message
  * hack/bats: add --remote option
  * hack/bats: fix root/rootless logic
  * Describe copy volume options
  * Support sig-proxy for podman-remote attach and start
  * libpod: fix race condition rm'ing stopping containers
  * e2e: fix run_volume_test
  * Add support for Windows ARM64
  * Add shared --compress to man pages
  * Add container error message to ContainerState
  * Man page checker: require canonical name in SEE ALSO
  * system df: improve json output code
  * kube play: fix the error logic with --quiet
  * System tests: quadlet network test
  * Fix: List container with volume filter
  * adding -dryrun flag
  * Quadlet Container: Add support for EnvironmentFile and EnvironmentHost
  * Kube Play: use passthrough as the default log-driver if service-container is set
  * System tests: add missing cleanup
  * System tests: fix unquoted question marks
  * Build and use a newer systemd image
  * Quadlet Network - Fix the name of the required network service
  * System Test Quadlet - Volume dependency test did not test the dependency
  * fix `podman system connection - tcp` flake
  * vendor: bump c/storage to a747b27
  * Fix instructions about setting storage driver on command-line
  * Test README - point users to hack/bats
  * System test: quadlet kube basic test
  * Fixed `podman update --pids-limit`
  * podman-remote,bindings: trim context path correctly when it's emptydir
  * Quadlet Doc: Add section for .kube files
  * e2e: fix containers_conf_test
  * Allow '/' to prefix container names to match Docker
  * Remove references to qcow2
  * Fix typos in man page regarding transient storage mode.
  * make: Use PYTHON var for .install.pre-commit
  * Add containers.conf read-only flag support
  * Explain that relabeling/chowning of volumes can take a long time
  * events: support 'die' filter
  * infra/abi: refactor ContainerRm
  * When in transient store mode, use rundir for bundlepath
  * quadlet: Support Type=oneshot container files
  * hacks/bats: keep QUADLET env var in test env
  * New system tests for conflicting options
  * Vendor in latest containers/(buildah, image, common)
  * Output Size and Reclaimable in human form for json output
  * podman service: close duplicated /dev/null fd
  * ginkgo tests: apply ginkgolinter fixes
  * Add support for hostPath and configMap subpath usage
  * export: use io.Writer instead of file
  * rootless: always create userns with euid != 0
  * rootless: inhibit copy mapping for euid != 0
  * pkg/domain/infra/abi: introduce `type containerWrapper`
  * vendor: bump to buildah ca578b290144 and use new cache API
  * quadlet: Handle booleans that have defaults better
  * quadlet: Rename parser.LookupBoolean to LookupBooleanWithDefault
  * Add podman-clean-transient.service service
  * Stop recording annotations set to false
  * Unify --noheading and -n to be consistent on all commands
  * pkg/domain/infra/abi: add `getContainers`
  * Update vendor of containers/(common, image)
  * specfile: Drop user-add dependency from quadlet subpackage.
  * quadlet: Default BINDIR to /usr/bin if tag not specified
  * Quadlet: add network support
  * Add comment for jsonMarshal command
  * Always allow pushing from containers-storage
  * libpod: move NetNS into state db instead of extra bucket
  * Add initial system tests for quadlets
  * quadlet: Add --user option
  * libpod: remove CNI word where no longer applicable
  * libpod: fix header length in http attach with logs
  * podman-kube@ template: use `podman kube`
  * build(deps): bump github.com/docker/docker
  * wait: add --ignore option
  * quadlet: Respect $PODMAN env var for podman binary
  * e2e: Add assert-key-is-regex check to quadlet e2e testsuite
  * e2e: Add some assert to quadlet test to make sure testcases are sane
  * remove unmapped ports from inspect port bindings
  * update podman-network-create for clarity
  * Vendor in latest containers/common with default capabilities
  * pkg/rootless: Change error text ...
  * rootless: add cli validator
  * rootless: define LIBEXECPODMAN
  * doc: fix documentation for idmapped mounts
  * bump golangci-lint to v1.50.1
  * build(deps): bump github.com/onsi/gomega from 1.24.1 to 1.24.2
  * [CI:DOCS] podman-mount: s/umount/unmount/
  * create/pull --help: list pull policies
  * Network Create: Add --ignore flag to support idempotent script
  * Make qemu security model none
  * libpod: use OCI idmappings for mounts
  * stop reporting errors removing containers that don't exist
  * test: added test from wait endpoint with too long label
  * quadlet: Default VolatileTmp to off
  * build(deps): bump github.com/ulikunitz/xz from 0.5.10 to 0.5.11
  * docs/options/ipc: fix list syntax
  * Docs: Add dedicated DOWNLOAD doc w/ links to bins
  * Make a consistently-named windows installer
  * checkpoint restore: fix --ignore-static-ip/mac
  * add support for subpath in play kube for named volumes
  * build(deps): bump golang.org/x/net from 0.2.0 to 0.4.0
  * golangci-lint: remove three deprecated linters
  * parse-localbenchmarks: separate standard deviation
  * build(deps): bump golang.org/x/term from 0.2.0 to 0.3.0
  * podman play kube support container startup probe
  * Add podman buildx version support
  * Cirrus: Collect benchmarks on machine instances
  * Cirrus: Remove escape codes from log files
  * [CI:DOCS] Clarify secret target behavior
  * Fix typo on network docs
  * podman-remote build add --volume support
  * remote: allow --http-proxy for remote clients
  * Cleanup kube play workloads if error happens
  * health check: ignore dependencies of transient systemd units/timers
  * fix: event read from syslog
  * Fixes secret (un)marshaling for kube play.
  * Remove 'you' from man pages
  * build(deps): bump golang.org/x/tools from 0.3.0 to 0.4.0 in /test/tools
  * [CI:DOCS] test/README.md: run tests with podman-remote
  * e2e: keeps the http_proxy value
  * Makefile: Add podman-mac-helper to darwin client zip
  * test/e2e: enable 'podman run with ipam none driver' for nv
  * [skip-ci] GHA/Cirrus-cron: Fix execution order
  * kube sdnotify: run proxies for the lifespan of the service
  * Update containers common package
  * podman manpage: Use man-page links instead of file names
  * e2e: fix e2e tests in proxy environment
  * Fix test
  * disable healthchecks automatically on non systemd systems
  * Quadlet Kube: Add support for userns flag
  * [CI:DOCS] Add warning about --opts,o with mount's -o
  * Add podman system prune --external
  * Add some tests for transient store
  * runtime: In transient_store mode, move bolt_state.db to rundir
  * runtime: Handle the transient store options
  * libpod: Move the creation of TmpDir to an earlier time
  * network create: support '-o parent=XXX' for ipvlan
  * compat API: allow MacAddress on container config
  * Quadlet Kube: Add support for relative path for YAML file
  * notify k8s system test: move sending message into exec
  * runtime: do not chown idmapped volumes
  * quadlet: Drop ExecStartPre=rm %t/%N.cid
  * Quadlet Kube: Set SyslogIdentifier if was not set
  * Add a FreeBSD cross build to the cirrus alt build task
  * Add completion for --init-ctr
  * Fix handling of readonly containers when defined in kube.yaml
  * Build cross-compilation fixes
  * libpod: Track healthcheck API changes in healthcheck_unsupported.go
  * quadlet: Use same default capability set as podman run
  * quadlet: Drop --pull=never
  * quadlet: Change default of ReadOnly to no
  * quadlet: Change RunInit default to no
  * quadlet: Change NoNewPrivileges default to false
  * test: podman run with checkpoint image
  * Enable 'podman run' for checkpoint images
  * test: Add tests for checkpoint images
  * CI setup: simplify environment passthrough code
  * Init containers should not be restarted
  * Update c/storage after https://github.com/containers/storage/pull/1436
  * Set the latest release explicitly
  * add friendly comment
  * fix an overriding logic and load config problem
  * Update the issue templates
  * Update vendor of containers/(image, buildah)
  * [CI:DOCS] Skip windows-smoke when not useful
  * [CI:DOCS] Remove broken gate-container docs
  * OWNERS: add Jason T. Greene
  * hack/podmansnoop: print arguments
  * Improve atomicity of VM state persistence on Windows
  * [CI:BUILD] copr: enable podman-restart.service on rpm installation
  * macos: pkg: Use -arm64 suffix instead of -aarch64
  * linux: Add -linux suffix to podman-remote-static binaries
  * linux: Build amd64 and arm64 podman-remote-static binaries
  * container create: add inspect data to event
  * Allow manual override of install location
  * Run codespell on code
  * Add missing parameters for checkpoint/restore endpoint
  * Add support for startup healthchecks
  * Add information on metrics to the `network create` docs
  * Introduce podman machine os commands
  * Document that ignoreRootFS depends on export/import
  * Document ignoreVolumes in checkpoint/restore endpoint
  * Remove leaveRunning from swagger restore endpoint
  * libpod: Add checks to avoid nil pointer dereference if network setup fails
  * Address golangci-lint issues
  * Documenting Hyper-V QEMU acceleration settings
  * Kube Play: fix the handling of the optional field of SecretVolumeSource
  * Update Vendor of containers/(common, image, buildah)
  * Fix swapped NetInput/-Output stats
  * libpod: Use O_CLOEXEC for descriptors returned by (*Container).openDirectory
  * chore: Fix MD for Troubleshooting Guide link in GitHub Issue Template
  * test/tools: rebuild when files are changed
  * ginkgo tests: apply ginkgolinter fixes
  * ginkgo: restructure install work flow
  * Fix manpage emphasis
  * specgen: support CDI devices from containers.conf
  * vendor: update containers/common
  * pkg/trust: Take the default policy path from c/common/pkg/config
  * Add validate-in-container target
  * Adding encryption decryption feature
  * container restart: clean up healthcheck state
  * Add support for podman-remote manifest annotate
  * Quadlet: Add support for .kube files
  * Update vendor of containers/(buildah, common, storage, image)
  * specgen: honor user namespace value
  * [CI:DOCS] Migrate OSX Cross to M1
  * quadlet: Rework uid/gid remapping
  * GHA: Fix cirrus re-run workflow for other repos.
  * ssh system test: skip until it becomes a test
  * shell completion: fix hard coded network drivers
  * libpod: Report network setup errors properly on FreeBSD
  * E2E Tests: change the registry for the search test to avoid authentication
  * pkginstaller: install podman-mac-helper by default
  * Fix language. Mostly spelling a -> an
  * podman machine: Propagate SSL_CERT_FILE and SSL_CERT_DIR to systemd environment.
  * [CI:DOCS] Fix spelling and typos
  * Modify man page of '--pids-limit' option to correct a default value.
  * Update docs/source/markdown/podman-remote.1.md
  * Update pkg/bindings/connection.go
  * Add more documentation on UID/GID Mappings with --userns=keep-id
  * support podman-remote to connect tcpURL with proxy
  * Removing the RawInput from the API output
  * fix port issues for CONTAINER_HOST
  * CI: Package versions: run in the 'main' step
  * build(deps): bump github.com/rootless-containers/rootlesskit
  * pkg/domain: Make checkExecPreserveFDs platform-specific
  * e2e tests: fix restart race
  * Fix podman --noout to suppress all output
  * remove pod if creation has failed
  * pkg/rootless: Implement rootless.IsFdInherited on FreeBSD
  * Fix more podman-logs flakes
  * healthcheck system tests: try to fix flake
  * libpod: treat ESRCH from /proc/PID/cgroup as ENOENT
  * GHA: Configure workflows for reuse
  * compat,build: handle docker's preconfigured cacheTo,cacheFrom
  * docs: deprecate pasta network name
  * utils: Enable cgroup utils for FreeBSD
  * pkg/specgen: Disable kube play tests on FreeBSD
  * libpod/lock: Fix build and tests for SHM locks on FreeBSD
  * podman cp: fix copying with '.' suffix
  * pkginstaller: bump Qemu to version 7.1.0
  * specgen,wasm: switch to crun-wasm wherever applicable
  * vendor: bump c/common to v0.50.2-0.20221111184705-791b83e1cdf1
  * libpod: Make unit test for statToPercent Linux only
  * Update vendor of containers/storage
  * fix connection usage with containers.conf
  * Add --quiet and --no-info flags to podman machine start
  * Add hidden podman manifest inspect -v option
  * Add podman volume create -d short option for driver
  * Vendor in latest containers/(common,image,storage)
  * Add podman system events alias to podman events
  * Fix search_test to return correct version of alpine
  * GHA: Fix undefined secret env. var.
  * Release notes for 4.3.1
  * GHA: Fix make_email-body script reference
  * Add release keys to README
  * GHA: Fix typo setting output parameter
  * GHA: Fix typo.
  * New tool, docs/version-check
  * Formalize our compare-against-docker mechanism
  * Add restart-sec for container service files
  * test/tools: bump module to go 1.17
  * contrib/cirrus/check_go_changes.sh: ignore test/tools/vendor
  * build(deps): bump golang.org/x/tools from 0.1.12 to 0.2.0 in /test/tools
  * libpod: Add FreeBSD support in packageVersion
  * Allow podman manifest push --purge|-p as alias for --rm
  * [CI:DOCS] Add performance tutorial
  * [CI:DOCS] Fix build targets in build_osx.md.
  * fix --format {{json .}} output to match docker
  * remote: fix manifest add --annotation
  * Skip test if `--events-backend` is necessary with podman-remote
  * kube play: update the handling of PersistentVolumeClaim
  * system tests: fix a system test in proxy environment
  * Use single unqualified search registry on Windows
  * test/system: Add, use tcp_port_probe() to check for listeners rather than binds
  * test/system: Add tests for pasta(1) connectivity
  * test/system: Move network-related helpers to helpers.network.bash
  * test/system: Use procfs to find bound ports, with optional address and protocol
  * test/system: Use port_is_free() from wait_for_port()
  * libpod: Add pasta networking mode
  * More log-flake work
  * Fix test flakes caused by improper podman-logs
  * fix incorrect systemd booted check
  * Cirrus: Add tests for GHA scripts
  * GHA: Update scripts to pass shellcheck
  * Cirrus: Shellcheck github-action scripts
  * Cirrus: shellcheck support for github-action scripts
  * GHA: Fix cirrus-cron scripts
  * Makefile: don't install to tmpfiles.d on FreeBSD
  * Make sure we can build and read each line of docker py's api client
  * Docker compat build api - make sure only one line appears per flush
  * Run codespell on code
  * Update vendor of containers/(image, storage, common)
  * Allow namespace path network option for pods.
  * Cirrus: Never skip running Windows Cross task
  * GHA: Auto. re-run failed cirrus-cron builds once
  * GHA: Migrate inline script to file
  * GHA: Simplify script reference
  * test/e2e: do not use apk in builds
  * remove container/pod id file along with container/pod
  * Cirrus: Synchronize windows image
  * Add --insecure,--tls-verify,--verbose flags to podman manifest inspect
  * runtime: add check for valid pod systemd cgroup
  * CI: set and verify DESIRED_NETWORK (netavark, cni)
  * [CI:DOCS] troubleshooting: document keep-id options
  * Man pages: refactor common options: --security-opt
  * Cirrus: Guarantee CNI testing w/o nv/av present
  * Cirrus: temp. disable all Ubuntu testing
  * Cirrus: Update to F37beta
  * buildah bud tests: better handling of remote
  * quadlet: Warn in generator if using short names
  * Add Windows Smoke Testing
  * Add podman kube apply command
  * docs: offer advice on installing test dependencies
  * Fix documentation on read-only-tmpfs
  * version bump to 4.4.0-dev
  * deps: bump go-criu to v6
  * Makefile: Add cross build targets for freebsd
  * pkg/machine: Make this build on FreeBSD/arm64
  * pkg/rctl: Remove unused cgo dependency
  * man pages: assorted underscore fixes
  * Upgrade GitHub actions packages from v2 to v3
  * vendor github.com/godbus/dbus/v5@4b691ce
  * [CI:DOCS] fix --tmpdir typos
  * Do not report that /usr/share/containers/storage.conf has been edited.
  * Eval symlinks on XDG_RUNTIME_DIR
  * hack/podmansnoop
  * rootless: support keep-id with one mapping
  * rootless: add argument to GetConfiguredMappings
  * Update vendor containers/(common,storage,buildah,image)
  * Fix deadlock between 'podman ps' and 'container inspect' commands
  * Add information about where the libpod/boltdb database lives
  * Consolidate the dependencies for the IsTerminal() API
  * Ensure that StartAndAttach locks while sending signals
  * ginkgo testing: fix podman usernamespace join
  * Test runners: nuke podman from $PATH before tests
  * volumes: Fix idmap not working for volumes
  * FIXME: Temporary workaround for ubi8 CI breakage
  * System tests: teardown: clean up volumes
  * update api versions on docs.podman.io
  * system tests: runlabel: use podman-under-test
  * system tests: podman network create: use random port
  * sig-proxy test: bump timeout
  * play kube: Allow the user to import the contents of a tar file into a volume
  * Clarify the docs on DropCapability
  * quadlet tests: Disable kmsg logging while testing
  * quadlet: Support multiple Network=
  * quadlet: Add support for Network=...
  * Fix manpage for podman run --network option
  * quadlet: Add support for AddDevice=
  * quadlet: Add support for setting seccomp profile
  * quadlet: Allow multiple elements on each Add/DropCaps line
  * quadlet: Embed the correct binary name in the generated comment
  * quadlet: Drop the SocketActivated key
  * quadlet: Switch log-driver to passthrough
  * quadlet: Change ReadOnly to default to enabled
  * quadlet tests: Run the tests even for (expected) failed tests
  * quadlet tests: Fix handling of stderr checks
  * Remove unused script file
  * notifyproxy: fix container watcher
  * container/pod id file: truncate instead of throwing an error
  * quadlet: Use the new podman create volume --ignore
  * Add podman volume create --ignore
  * logcollector: include aardvark-dns
  * build(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1
  * build(deps): bump github.com/BurntSushi/toml from 1.2.0 to 1.2.1
  * docs: generate systemd: point to kube template
  * docs: kube play: mention restart policy
  * Fixes: 15858 (podman system reset --force destroy machine)
  * fix search flake
  * use cached containers.conf
  * adding regex support to the ancestor ps filter function
  * Fix `system df` issues with `-f` and `-v`
  * markdown-preprocess: cross-reference where opts are used
  * Default qemu flags for Windows amd64
  * build(deps): bump golang.org/x/text from 0.3.8 to 0.4.0
  * Update main to reflect v4.3.0 release
  * build(deps): bump github.com/docker/docker
  * move quadlet packages into pkg/systemd
  * system df: fix image-size calculations
  * Add man page for quadlet
  * Fix small typo
  * testimage: add iproute2 & socat, for pasta networking
  * Set up minikube for k8s testing
  * Makefile: don't install systemd generator binaries on FreeBSD
  * [CI:BUILD] copr: podman rpm should depend on containers-common-extra
  * Podman image: Set default_sysctls to empty for rootless containers
  * Don't use github.com/docker/distribution
  * libpod: Add support for 'podman top' on FreeBSD
  * libpod: Factor out jail name construction from stats_freebsd.go
  * pkg/util: Add pid information descriptors for FreeBSD
  * Initial quadlet version integrated in golang
  * bump golangci-lint to v1.49.0
  * Update vendor containers/(common,image,storage)
  * Allow volume mount dups, iff source and dest dirs
  * rootless: fix return value handling
  * Change to correct break statements
  * vendor containers/psgo@v1.8.0
  * Clarify that MacOSX docs are client specific
  * libpod: Factor out the call to PidFdOpen from (*Container).WaitForExit
  * Add swagger install + allow version updates in CI
  * Cirrus: Fix windows clone race
  * build(deps): bump github.com/docker/docker
  * kill: wait for the container
  * generate systemd: set --stop-timeout for stopping containers
  * hack/tree_status.sh: print diff at the end
  * Fix markdown header typo
  * markdown-preprocess: add generic include mechanism
  * markdown-preprocess: almost complete OO rewrite
  * Update tests for changed error messages
  * Update c/image after https://github.com/containers/image/pull/1299
  * Man pages: refactor common options (misc)
  * Man pages: Refactor common options: --detach-keys
  * vendor containers/storage@main
  * Man pages: refactor common options: --attach
  * build(deps): bump github.com/fsnotify/fsnotify from 1.5.4 to 1.6.0
  * KillContainer: improve error message
  * docs: add missing options
  * Man pages: refactor common options: --annotation (manifest)
  * build(deps): bump github.com/spf13/cobra from 1.5.0 to 1.6.0
  * system tests: health-on-failure: fix broken logic
  * build(deps): bump golang.org/x/text from 0.3.7 to 0.3.8
  * build(deps): bump github.com/onsi/gomega from 1.20.2 to 1.22.1
  * ContainerEngine.SetupRootless(): Avoid calling container.Config()
  * Container filters: Avoid use of ctr.Config()
  * Avoid unnecessary calls to Container.Spec()
  * Add and use Container.LinuxResource() helper
  * play kube: notifyproxy: listen before starting the pod
  * play kube: add support for configmap binaryData
  * Add and use libpod/Container.Terminal() helper
  * Revert 'Add checkpoint image tests'
  * Revert 'cmd/podman: add support for checkpoint images'
  * healthcheck: fix --on-failure=stop
  * Man pages: Add mention of behavior due to XDG_CONFIG_HOME
  * build(deps): bump github.com/containers/ocicrypt from 1.1.5 to 1.1.6
  * Avoid unnecessary timeout of 250msec when waiting on container shutdown
  * health checks: make on-failure action retry aware
  * libpod: Remove 100msec delay during shutdown
  * libpod: Add support for 'podman pod' on FreeBSD
  * libpod: Factor out cgroup validation from (*Runtime).NewPod
  * libpod: Move runtime_pod_linux.go to runtime_pod_common.go
  * specgen/generate: Avoid a nil dereference in MakePod
  * libpod: Factor out cgroups handling from (*Pod).refresh
  * Adds a link to OSX docs in CONTRIBUTING.md
  * Man pages: refactor common options: --os-version
  * Create full path to a directory when DirectoryOrCreate is used with play kube
  * Return error in podman system service if URI scheme is not unix/tcp
  * Man pages: refactor common options: --time
  * man pages: document some --format options: images
  * Clean up when stopping pods
  * Update vendor of containers/buildah v1.28.0
  * Proof of concept: nightly dependency treadmill

- Make the priority for picking the storage driver configurable (bsc#1197093)
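The only vulnerability this advisory names is CVE-2023-0778, a symlink exchange attack in podman export volume, fixed upstream by the 4.4.2 change "volume,container: chroot to source before exporting content". The advisory does not describe the mechanics, so the Python below is an added illustration of the bug class and the mitigation principle; it is not podman's code and does not reproduce the exact CVE. It contrasts an exporter that resolves paths from the host's view (a symlink an unprivileged container planted inside its own volume is followed and host data lands in the archive) with one that opens the volume root once and descends using dir_fd plus O_NOFOLLOW, so no path component is ever re-resolved through the host namespace. Re-resolution is exactly what an exchange race exploits: a directory already checked is swapped for a symlink before the exporter opens it. podman's fix gets the same confinement by chrooting into the source; the fd-relative walk is a different mechanism, used here because it runs unprivileged. The scratch directory, file names and contents are constructed for the demo, and the "archive" is a dict of path to bytes rather than a tar stream.

```python
import os
import stat
import tempfile
from typing import Dict, Optional

# Archive entry: file bytes, or None for a symlink that was recorded but never read.
Archive = Dict[str, Optional[bytes]]


def make_fixture() -> str:
    """Constructed layout (assumption: a writable scratch dir where symlinks work):
    <base>/host-secret          host-only data outside the volume
    <base>/vol/data/app.conf    legitimate volume content
    <base>/vol/data/escape  ->  <base>/host-secret   (planted by the 'container')
    Returns the volume root path."""
    base = tempfile.mkdtemp(prefix="podexport-demo-")
    vol = os.path.join(base, "vol")
    os.makedirs(os.path.join(vol, "data"))
    with open(os.path.join(vol, "data", "app.conf"), "w") as f:
        f.write("inside=volume\n")
    host_secret = os.path.join(base, "host-secret")
    with open(host_secret, "w") as f:
        f.write("host-only\n")
    os.symlink(host_secret, os.path.join(vol, "data", "escape"))
    return vol


def naive_export(vol: str) -> Archive:
    """Vulnerable pattern: build host paths and open() them. open(2) follows the
    symlink, so data/escape yields the host file's bytes. With a race the attacker
    need not even leave a symlink in place: swapping a directory for one after the
    walker listed it has the same effect, because every open re-resolves the path."""
    out: Archive = {}
    for root, _dirs, files in os.walk(vol):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as f:
                out[os.path.relpath(path, vol)] = f.read()
    return out


def confined_export(vol: str) -> Archive:
    """Hardened pattern: hold an fd to the volume root and open every child
    relative to its parent fd with O_NOFOLLOW. A symlink at any component, whether
    planted up front or swapped in mid-walk, makes open fail with ELOOP instead of
    being followed, so the export can never read outside the tree it started in."""
    out: Archive = {}
    root_fd = os.open(vol, os.O_RDONLY | os.O_DIRECTORY)
    try:
        _walk_confined(root_fd, "", out)
    finally:
        os.close(root_fd)
    return out


def _walk_confined(dir_fd: int, rel: str, out: Archive) -> None:
    for name in sorted(os.listdir(dir_fd)):
        child = f"{rel}/{name}" if rel else name
        try:
            fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
        except OSError:
            # ELOOP: the entry is (or just became) a symlink. Record it as a link
            # entry and move on; the target is never opened.
            out[child] = None
            continue
        try:
            # Decide the type from the fd we actually hold, not from an earlier
            # pathname-based stat that the attacker could have raced.
            st = os.fstat(fd)
            if stat.S_ISDIR(st.st_mode):
                _walk_confined(fd, child, out)
            elif stat.S_ISREG(st.st_mode):
                out[child] = _read_all(fd)
        finally:
            os.close(fd)


def _read_all(fd: int) -> bytes:
    chunks = []
    while True:
        buf = os.read(fd, 65536)
        if not buf:
            return b"".join(chunks)
        chunks.append(buf)


def leaked_entries(archive: Archive, marker: bytes = b"host-only\n") -> list:
    """Names of archive entries whose content came from outside the volume."""
    return sorted(k for k, v in archive.items() if v == marker)


if __name__ == "__main__":
    vol = make_fixture()
    print("naive export leaks:   ", leaked_entries(naive_export(vol)))
    print("confined export leaks:", leaked_entries(confined_export(vol)))
```

Run it as a script to see the naive exporter report `['data/escape']` while the confined one reports nothing. The lstat-then-open sequence that many exporters use is not enough on its own; the fd-relative open with O_NOFOLLOW is what closes the exchange window, and the same property is what a chroot into the source buys podman, since any symlink target is then resolved against the volume root rather than the host.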
Patchnames
SUSE-2023-1814,SUSE-SLE-Micro-5.3-2023-1814,SUSE-SLE-Micro-5.4-2023-1814,SUSE-SLE-Module-Containers-15-SP4-2023-1814,openSUSE-Leap-Micro-5.3-2023-1814,openSUSE-SLE-15.4-2023-1814
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for podman",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for podman fixes the following issues:\n\nUpdate to version 4.4.4:\n\n  * libpod: always use direct mapping\n  * macos pkginstaller: do not fail when podman-mac-helper fails\n  * podman-mac-helper: install: do not error if already installed\n\n- podman.spec: Bump required version for libcontainers-common (bsc#1209495)\n\nUpdate to version 4.4.3:\n\n  * compat: /auth: parse server address correctly\n  * vendor github.com/containers/common@v0.51.1\n  * pkginstaller: bump Qemu to version 7.2.0\n  * podman machine: Adjust Chrony makestep config\n  * [v4.4] fix --health-on-failure=restart in transient unit\n  * podman logs passthrough driver support --cgroups=split\n  * journald logs: simplify entry parsing\n  * podman logs: read journald with passthrough\n  * journald: remove initializeJournal()\n  * netavark: only use aardvark ip as nameserver\n  * compat API: network create return 409 for duplicate\n  * fix \u0027podman logs --since --follow\u0027 flake\n  * system service --log-level=trace: support hijack\n  * podman-mac-helper: exit 1 on error\n  * bump golang.org/x/net to v0.8.0\n  * Fix package restore\n  * Quadlet - use the default runtime\n\nUpdate to version 4.4.2:\n\n  * Revert \u0027CI: Temporarily disable all AWS EC2-based tasks\u0027\n  * kube play: only enforce passthrough in Quadlet\n  * Emergency fix for man pages: check for broken includes\n  * CI: Temporarily disable all AWS EC2-based tasks\n  * quadlet system tests: add useful defaults, logging\n  * volume,container: chroot to source before exporting content\n  * install sigproxy before start/attach\n  * Update to c/image 5.24.1\n  * events + container inspect test: RHEL fixes\n\n- podman.spec: add `crun` requirement for quadlet\n- podman.spec: set PREFIX at build stage (bsc#1208510)\n\n- CVE-2023-0778: Fixed symlink exchange attack in podman export volume (bsc#1208364)\n\nUpdate to version 4.4.1:\n\n  * kube play: do not teardown unconditionally on error\n  * Resolve symlink path for qemu directory if possible\n  * events: document journald identifiers\n  * Quadlet: exit 0 when there are no files to process\n  * Cleanup podman-systemd.unit file\n  * Install podman-systemd.unit man page, make quadlet discoverable\n  * Add missing return after errors\n  * oci: bind mount /sys with --userns=(auto|pod:)\n  * docs: specify order preference for FROM\n  * Cirrus: Fix \u0026 remove GraphQL API tests\n  * test: adapt test to work on cgroupv1\n  * make hack/markdown-preprocess parallel-safe\n  * Fix default handling of pids-limit\n  * system tests: fix volume exec/noexec test\n\nUpdate to version 4.4.0:\n\n  * Emergency fix for RHEL8 gating tests\n  * Do not mount /dev/tty into rootless containers\n  * Fixes port collision issue on use of --publish-all\n  * Fix usage of absolute windows paths with --image-path\n  * fix #17244: use /etc/timezone where `timedatectl` is missing on Linux\n  * podman-events: document verbose create events\n  * Making gvproxy.exe optional for building Windows installer\n  * Add gvproxy to Windows packages\n  * Match VT device paths to be blocked from mounting exactly\n  * Clean up more language for inclusiveness\n  * Set runAsNonRoot=true in gen kube\n  * quadlet: Add device support for .volume files\n  * fix: running check error when podman is default in wsl\n  * fix: don\u0027t output \u0027ago\u0027 when container is currently up and running\n  * journald: podman logs only show logs for current user\n  * journald: podman events only show events for current user\n  * Add (podman {image,manifest} push --sign-by-sigstore=param-file.yaml)\n  * DB: make loading container states optional\n  * ps: do not sync container\n  * Allow --device-cgroup-rule to be passed in by docker API\n  * Create release notes for v4.4.0\n  * Cirrus: Update operating branch\n  * fix APIv2 python attach test flake\n  * ps: query health check in batch mode\n  * make example volume import, not import volume\n  * Correct output when inspecting containers created with --ipc\n  * Vendor containers/(storage, image, common, buildah)\n  * Get correct username in pod when using --userns=keep-id\n  * ps: get network data in batch mode\n  * build(deps): bump github.com/onsi/gomega from 1.25.0 to 1.26.0\n  * add hack/perf for comparing two container engines\n  * systems: retrofit dns options test to honor other search domains\n  * ps: do not create copy of container config\n  * libpod: set search domain independently of nameservers\n  * libpod,netavark: correctly populate /etc/resolv.conf with custom dns server\n  * podman: relay custom DNS servers to network stack\n  * (fix) mount_program is in storage.options.overlay\n  * Change example target to default in doc\n  * network create: do not allow `default` as name\n  * kube-play: add support for HostPID in podSpec\n  * build(deps): bump github.com/docker/docker\n  * Let\u0027s see if #14653 is fixed or not\n  * Add support for podman build --group-add\n  * vendor in latest containers/(storage, common, build, image)\n  * unskip network update test\n  * do not install swagger by default\n  * pasta: skip \u0027Local forwarder, IPv4\u0027 test\n  * add testbindings Makefile target\n  * update CI images to include pasta\n  * [CI:DOCS] Add CNI deprecation notices to documentation\n  * Cirrus: preserve podman-server logs\n  * waitPidStop: reduce sleep time to 10ms\n  * StopContainer: return if cleanup process changed state\n  * StopSignal: add a comment\n  * StopContainer: small refactor\n  * waitPidStop: simplify code\n  * e2e tests: reenable long-skipped build test\n  * Add openssh-clients to podmanimage\n  * Reworks Windows smoke test to tunnel through interactive session.\n  * fix bud-multiple-platform-with-base-as-default-arg flake\n  * Remove ReservedAnnotations from kube generate specification\n  * e2e: update test/README.md\n  * e2e: use isRootless() instead of rootless.IsRootless()\n  * Cleanup documentation on --userns=auto\n  * Vendor in latest c/common\n  * sig-proxy system test: bump timeout\n  * build(deps): bump github.com/containernetworking/plugins\n  * rootless: rename auth-scripts to preexec-hooks\n  * Docs: version-check updates\n  * commit: use libimage code to parse changes\n  * [CI:DOCS] Remove experimental mac tutorial\n  * man: Document the interaction between --systemd and --privileged\n  * Make rootless privileged containers share the same tty devices as rootfull ones\n  * container kill: handle stopped/exited container\n  * Vendor in latest containers/(image,ocicrypt)\n  * add a comment to container removal\n  * Vendor in latest containers/storage\n  * Cirrus: Run machine tests on PR merge\n  * fix flake in kube system test\n  * kube play: complete container spec\n  * E2E Tests: Use inspect instead of actual data to avoid UDP flake\n  * Use containers/storage/pkg/regexp in place of regexp\n  * Vendor in latest containers/storage\n  * Cirrus: Support using updated/latest NV/AV in PRs\n  * Limit replica count to 1 when deploying from kubernetes YAML\n  * Set StoppedByUser earlier in the process of stopping\n  * podman-play system test: refactor\n  * network: add support for podman network update and --network-dns-server\n  * service container: less verbose error logs\n  * Quadlet Kube - add support for PublishPort key\n  * e2e: fix systemd_activate_test\n  * Compile regex on demand not in init\n  * [docker compat] Don\u0027t overwrite the NetworkMode if containers.conf overrides netns.\n  * E2E Test: Play Kube set deadline to connection to avoid hangs\n  * Only prevent VTs to be mounted inside privileged systemd containers\n  * e2e: fix play_kube_test\n  * Updated error message for supported VolumeSource types\n  * Introduce pkg retry logic in win installer task\n  * logformatter: include base SHA, with history link\n  * Network tests: ping redhat.com, not podman.io\n  * cobra: move engine shutdown to Execute\n  * Updated options for QEMU on Windows hosts\n  * Update Mac installer to use gvproxy v0.5.0\n  * podman: podman rm -f doesn\u0027t leave processes\n  * oci: check for valid PID before kill(pid, 0)\n  * linux: add /sys/fs/cgroup if /sys is a bind mount\n  * Quadlet: Add support for ConfigMap key in Kube section\n  * remove service container _after_ pods\n  * Kube Play - allow setting and overriding published host ports\n  * oci: terminate all container processes on cleanup\n  * Update win-sshproxy to 0.5.0 gvisor tag\n  * Vendor in latest containers/common\n  * Fix a potential defer logic error around locking\n  * logformatter: nicer formatting for bats failures\n  * logformatter: refactor verbose line-print\n  * e2e tests: stop using UBI images\n  * k8s-file: podman logs --until --follow exit after time\n  * journald: podman logs --until --follow exit after time\n  * journald: seek to time when --since is used\n  * podman logs: journald fix --since and --follow\n  * Preprocess files in UTF-8 mode\n  * Vendor in latest containers/(common, image, storage)\n  * Switch to C based msi hooks for win installer\n  * hack/bats: improve usage message\n  * hack/bats: add --remote option\n  * hack/bats: fix root/rootless logic\n  * Describe copy volume options\n  * Support sig-proxy for podman-remote attach and start\n  * libpod: fix race condition rm\u0027ing stopping containers\n  * e2e: fix run_volume_test\n  * Add support for Windows ARM64\n  * Add shared --compress to man pages\n  * Add container error message to ContainerState\n  * Man page checker: require canonical name in SEE ALSO\n  * system df: improve json output code\n  * kube play: fix the error logic with --quiet\n  * System tests: quadlet network test\n  * Fix: List container with volume filter\n  * adding -dryrun flag\n  * Quadlet Container: Add support for EnvironmentFile and EnvironmentHost\n  * Kube Play: use passthrough as the default log-driver if service-container is set\n  * System tests: add missing cleanup\n  * System tests: fix unquoted question marks\n  * Build and use a newer systemd image\n  * Quadlet Network - Fix the name of the required network service\n  * System Test Quadlet - Volume dependency test did not test the dependency\n  * fix `podman system connection - tcp` flake\n  * vendor: bump c/storage to a747b27\n  * Fix instructions about setting storage driver on command-line\n  * Test README - point users to hack/bats\n  * System test: quadlet kube basic test\n  * Fixed `podman update --pids-limit`\n  * podman-remote,bindings: trim context path correctly when its emptydir\n  * Quadlet Doc: Add section for .kube files\n  * e2e: fix containers_conf_test\n  * Allow \u0027/\u0027 to prefix container names to match Docker\n  * Remove references to qcow2\n  * Fix typos in man page regarding transient storage mode.\n  * make: Use PYTHON var for .install.pre-commit\n  * Add containers.conf read-only flag support\n  * Explain that relabeling/chowning of volumes can take a long time\n  * events: support \u0027die\u0027 filter\n  * infra/abi: refactor ContainerRm\n  * When in transient store mode, use rundir for bundlepath\n  * quadlet: Support Type=oneshot container files\n  * hacks/bats: keep QUADLET env var in test env\n  * New system tests for conflicting options\n  * Vendor in latest containers/(buildah, image, common)\n  * Output Size and Reclaimable in human form for json output\n  * podman service: close duplicated /dev/null fd\n  * ginkgo tests: apply ginkgolinter fixes\n  * Add support for hostPath and configMap subpath usage\n  * export: use io.Writer instead of file\n  * rootless: always create userns with euid != 0\n  * rootless: inhibit copy mapping for euid != 0\n  * pkg/domain/infra/abi: introduce `type containerWrapper`\n  * vendor: bump to buildah ca578b290144 and use new cache API\n  * quadlet: Handle booleans that have defaults better\n  * quadlet: Rename parser.LookupBoolean to LookupBooleanWithDefault\n  * Add podman-clean-transient.service service\n  * Stop recording annotations set to false\n  * Unify --noheading and -n to be consistent on all commands\n  * pkg/domain/infra/abi: add `getContainers`\n  * Update vendor of containers/(common, image)\n  * specfile: Drop user-add dependency from quadlet subpackage.\n  * quadlet: Default BINDIR to /usr/bin if tag not specified\n  * Quadlet: add network support\n  * Add comment for jsonMarshal command\n  * Always allow pushing from containers-storage\n  * libpod: move NetNS into state db instead of extra bucket\n  * Add initial system tests for quadlets\n  * quadlet: Add --user option\n  * libpod: remove CNI word where no longer applicable\n  * libpod: fix header length in http attach with logs\n  * podman-kube@ template: use `podman kube`\n  * build(deps): bump github.com/docker/docker\n  * wait: add --ignore option\n  * quadlet: Respect $PODMAN env var for podman binary\n  * e2e: Add assert-key-is-regex check to quadlet e2e testsuite\n  * e2e: Add some assert to quadlet test to make sure testcases are sane\n  * remove unmapped ports from inspect port bindings\n  * update podman-network-create for clarity\n  * Vendor in latest containers/common with default capabilities\n  * pkg/rootless: Change error text ...\n  * rootless: add cli validator\n  * rootless: define LIBEXECPODMAN\n  * doc: fix documentation for idmapped mounts\n  * bump golangci-lint to v1.50.1\n  * build(deps): bump github.com/onsi/gomega from 1.24.1 to 1.24.2\n  * [CI:DOCS] podman-mount: s/umount/unmount/\n  * create/pull --help: list pull policies\n  * Network Create: Add --ignore flag to support idempotent script\n  * Make qemu security model none\n  * libpod: use OCI idmappings for mounts\n  * stop reporting errors removing containers that don\u0027t exist\n  * test: added test from wait endpoint with too long label\n  * quadlet: Default VolatileTmp to off\n  * build(deps): bump github.com/ulikunitz/xz from 0.5.10 to 0.5.11\n  * docs/options/ipc: fix list syntax\n  * Docs: Add dedicated DOWNLOAD doc w/ links to bins\n  * Make a consistently-named windows installer\n  * checkpoint restore: fix --ignore-static-ip/mac\n  * add support for subpath in play kube for named volumes\n  * build(deps): bump golang.org/x/net from 0.2.0 to 0.4.0\n  * golangci-lint: remove three deprecated linters\n  * parse-localbenchmarks: separate standard deviation\n  * build(deps): bump golang.org/x/term from 0.2.0 to 0.3.0\n  * podman play kube support container startup probe\n  * Add podman buildx version support\n  * Cirrus: Collect benchmarks on machine instances\n  * Cirrus: Remove escape codes from log files\n  * [CI:DOCS] Clarify secret target behavior\n  * Fix typo on network docs\n  * podman-remote build add --volume support\n  * remote: allow --http-proxy for remote clients\n  * Cleanup kube play workloads if error happens\n  * health check: ignore dependencies of transient systemd units/timers\n  * fix: event read from syslog\n  * Fixes secret (un)marshaling for kube play.\n  * Remove \u0027you\u0027 from man pages\n  * build(deps): bump golang.org/x/tools from 0.3.0 to 0.4.0 in /test/tools\n  * [CI:DOCS] test/README.md: run tests with podman-remote\n  * e2e: keeps the http_proxy value\n  * Makefile: Add podman-mac-helper to darwin client zip\n  * test/e2e: enable \u0027podman run with ipam none driver\u0027 for nv\n  * [skip-ci] GHA/Cirrus-cron: Fix execution order\n  * kube sdnotify: run proxies for the lifespan of the service\n  * Update containers common package\n  * podman manpage: Use man-page links instead of file names\n  * e2e: fix e2e tests in proxy environment\n  * Fix test\n  * disable healthchecks automatically on non systemd systems\n  * Quadlet Kube: Add support for userns flag\n  * [CI:DOCS] Add warning about --opts,o with mount\u0027s -o\n  * Add podman system prune --external\n  * Add some tests for transient store\n  * runtime: In transient_store mode, move bolt_state.db to rundir\n  * runtime: Handle the transient store options\n  * libpod: Move the creation of TmpDir to an earlier time\n  * network create: support \u0027-o parent=XXX\u0027 for ipvlan\n  * compat API: allow MacAddress on container config\n  * Quadlet Kube: Add support for relative path for YAML file\n  * notify k8s system test: move sending message into exec\n  * runtime: do not chown idmapped volumes\n  * quadlet: Drop ExecStartPre=rm %t/%N.cid\n  * Quadlet Kube: Set SyslogIdentifier if was not set\n  * Add a FreeBSD cross build to the cirrus alt build task\n  * Add completion for --init-ctr\n  * Fix handling of readonly containers when defined in kube.yaml\n  * Build cross-compilation fixes\n  * libpod: Track healthcheck API changes in healthcheck_unsupported.go\n  * quadlet: Use same default capability set as podman run\n  * quadlet: Drop --pull=never\n  * quadlet: Change default of ReadOnly to no\n  * quadlet: Change RunInit default to no\n  * quadlet: Change NoNewPrivileges default to false\n  * test: podman run with checkpoint image\n  * Enable \u0027podman run\u0027 for checkpoint images\n  * test: Add tests for checkpoint images\n  * CI setup: simplify environment passthrough code\n  * Init containers should not be restarted\n  * Update c/storage after https://github.com/containers/storage/pull/1436\n  * Set the latest release explicitly\n  * add friendly comment\n  * fix an overriding logic and load config problem\n  * Update the issue templates\n  * Update vendor of containers/(image, buildah)\n  * [CI:DOCS] Skip windows-smoke when not useful\n  * [CI:DOCS] Remove broken gate-container docs\n  * OWNERS: add Jason T. Greene\n  * hack/podmansnoop: print arguments\n  * Improve atomicity of VM state persistence on Windows\n  * [CI:BUILD] copr: enable podman-restart.service on rpm installation\n  * macos: pkg: Use -arm64 suffix instead of -aarch64\n  * linux: Add -linux suffix to podman-remote-static binaries\n  * linux: Build amd64 and arm64 podman-remote-static binaries\n  * container create: add inspect data to event\n  * Allow manual override of install location\n  * Run codespell on code\n  * Add missing parameters for checkpoint/restore endpoint\n  * Add support for startup healthchecks\n  * Add information on metrics to the `network create` docs\n  * Introduce podman machine os commands\n  * Document that ignoreRootFS depends on export/import\n  * Document ignoreVolumes in checkpoint/restore endpoint\n  * Remove leaveRunning from swagger restore endpoint\n  * libpod: Add checks to avoid nil pointer dereference if network setup fails\n  * Address golangci-lint issues\n  * Documenting Hyper-V QEMU acceleration settings\n  * Kube Play: fix the handling of the optional field of SecretVolumeSource\n  * Update Vendor of containers/(common, image, buildah)\n  * Fix swapped NetInput/-Output stats\n  * libpod: Use O_CLOEXEC for descriptors returned by (*Container).openDirectory\n  * chore: Fix MD for Troubleshooting Guide link in GitHub Issue Template\n  * test/tools: rebuild when files are changed\n  * ginkgo tests: apply ginkgolinter fixes\n  * ginkgo: restructure install work flow\n  * Fix manpage emphasis\n  * specgen: support CDI devices from containers.conf\n  * vendor: update containers/common\n  * pkg/trust: Take the default policy path from c/common/pkg/config\n  * Add validate-in-container target\n  * Adding encryption decryption feature\n  * container restart: clean up healthcheck state\n  * Add support for podman-remote manifest annotate\n  * Quadlet: Add support for .kube files\n  * Update vendor of containers/(buildah, common, storage, image)\n  * specgen: honor user namespace value\n  * [CI:DOCS] Migrate OSX Cross to M1\n  * quadlet: Rework uid/gid remapping\n  * GHA: Fix cirrus re-run workflow for other repos.\n  * ssh system test: skip until it becomes a test\n  * shell completion: fix hard coded network drivers\n  * libpod: Report network setup errors properly on FreeBSD\n  * E2E Tests: change the registry for the search test to avoid authentication\n  * pkginstaller: install podman-mac-helper by default\n  * Fix language. Mostly spelling a -\u003e an\n  * podman machine: Propagate SSL_CERT_FILE and SSL_CERT_DIR to systemd environment.\n  * [CI:DOCS] Fix spelling and typos\n  * Modify man page of \u0027--pids-limit\u0027 option to correct a default value.\n  * Update docs/source/markdown/podman-remote.1.md\n  * Update pkg/bindings/connection.go\n  * Add more documentation on UID/GID Mappings with --userns=keep-id\n  * support podman-remote to connect tcpURL with proxy\n  * Removing the RawInput from the API output\n  * fix port issues for CONTAINER_HOST\n  * CI: Package versions: run in the \u0027main\u0027 step\n  * build(deps): bump github.com/rootless-containers/rootlesskit\n  * pkg/domain: Make checkExecPreserveFDs platform-specific\n  * e2e tests: fix restart race\n  * Fix podman --noout to suppress all output\n  * remove pod if creation has failed\n  * pkg/rootless: Implement rootless.IsFdInherited on FreeBSD\n  * Fix more podman-logs flakes\n  * healthcheck system tests: try to fix flake\n  * libpod: treat ESRCH from /proc/PID/cgroup as ENOENT\n  * GHA: Configure workflows for reuse\n  * compat,build: handle docker\u0027s preconfigured cacheTo,cacheFrom\n  * docs: deprecate pasta network name\n  * utils: Enable cgroup utils for FreeBSD\n  * pkg/specgen: Disable kube play tests on FreeBSD\n  * libpod/lock: Fix build and tests for SHM locks on FreeBSD\n  * podman cp: fix copying with \u0027.\u0027 suffix\n  * pkginstaller: bump Qemu to version 7.1.0\n  * specgen,wasm: switch to crun-wasm wherever applicable\n  * vendor: bump c/common to v0.50.2-0.20221111184705-791b83e1cdf1\n  * libpod: Make unit test for statToPercent Linux only\n  * Update vendor of containers/storage\n  * fix connection usage with containers.conf\n  * Add --quiet and --no-info flags to podman machine start\n  * Add hidden podman manifest inspect -v option\n  * Add podman volume create -d short option for driver\n  * Vendor in latest containers/(common,image,storage)\n  * Add podman system events alias to podman events\n  * Fix search_test to return correct version of alpine\n  * GHA: Fix undefined secret env. var.\n  * Release notes for 4.3.1\n  * GHA: Fix make_email-body script reference\n  * Add release keys to README\n  * GHA: Fix typo setting output parameter\n  * GHA: Fix typo.\n  * New tool, docs/version-check\n  * Formalize our compare-against-docker mechanism\n  * Add restart-sec for container service files\n  * test/tools: bump module to go 1.17\n  * contrib/cirrus/check_go_changes.sh: ignore test/tools/vendor\n  * build(deps): bump golang.org/x/tools from 0.1.12 to 0.2.0 in /test/tools\n  * libpod: Add FreeBSD support in packageVersion\n  * Allow podman manifest push --purge|-p as alias for --rm\n  * [CI:DOCS] Add performance tutorial\n  * [CI:DOCS] Fix build targets in build_osx.md.\n  * fix --format {{json .}} output to match docker\n  * remote: fix manifest add --annotation\n  * Skip test if `--events-backend` is necessary with podman-remote\n  * kube play: update the handling of PersistentVolumeClaim\n  * system tests: fix a system test in proxy environment\n  * Use single unqualified search registry on Windows\n  * test/system: Add, use tcp_port_probe() to check for listeners rather than binds\n  * test/system: Add tests for pasta(1) connectivity\n  * test/system: Move network-related helpers to helpers.network.bash\n  * test/system: Use procfs to find bound ports, with optional address and protocol\n  * test/system: Use port_is_free() from wait_for_port()\n  * libpod: Add pasta networking mode\n  * More log-flake work\n  * Fix test flakes caused by improper podman-logs\n  * fix incorrect systemd booted check\n  * Cirrus: Add tests for GHA scripts\n  * GHA: Update scripts to pass shellcheck\n  * Cirrus: Shellcheck github-action scripts\n  * Cirrus: shellcheck support for github-action scripts\n  * GHA: Fix cirrus-cron scripts\n  * Makefile: don\u0027t install to tmpfiles.d on FreeBSD\n  * Make sure we can build and read each line of docker py\u0027s api client\n  * Docker compat build api - make sure only one line appears per flush\n  * Run codespell on code\n  * Update vendor of containers/(image, storage, common)\n  * Allow namespace path network option for pods.\n  * Cirrus: Never skip running Windows Cross task\n  * GHA: Auto. re-run failed cirrus-cron builds once\n  * GHA: Migrate inline script to file\n  * GHA: Simplify script reference\n  * test/e2e: do not use apk in builds\n  * remove container/pod id file along with container/pod\n  * Cirrus: Synchronize windows image\n  * Add --insecure,--tls-verify,--verbose flags to podman manifest inspect\n  * runtime: add check for valid pod systemd cgroup\n  * CI: set and verify DESIRED_NETWORK (netavark, cni)\n  * [CI:DOCS] troubleshooting: document keep-id options\n  * Man pages: refactor common options: --security-opt\n  * Cirrus: Guarantee CNI testing w/o nv/av present\n  * Cirrus: temp. disable all Ubuntu testing\n  * Cirrus: Update to F37beta\n  * buildah bud tests: better handling of remote\n  * quadlet: Warn in generator if using short names\n  * Add Windows Smoke Testing\n  * Add podman kube apply command\n  * docs: offer advice on installing test dependencies\n  * Fix documentation on read-only-tmpfs\n  * version bump to 4.4.0-dev\n  * deps: bump go-criu to v6\n  * Makefile: Add cross build targets for freebsd\n  * pkg/machine: Make this build on FreeBSD/arm64\n  * pkg/rctl: Remove unused cgo dependency\n  * man pages: assorted underscore fixes\n  * Upgrade GitHub actions packages from v2 to v3\n  * vendor github.com/godbus/dbus/v5@4b691ce\n  * [CI:DOCS] fix --tmpdir typos\n  * Do not report that /usr/share/containers/storage.conf has been edited.\n  * Eval symlinks on XDG_RUNTIME_DIR\n  * hack/podmansnoop\n  * rootless: support keep-id with one mapping\n  * rootless: add argument to GetConfiguredMappings\n  * Update vendor containers/(common,storage,buildah,image)\n  * Fix deadlock between \u0027podman ps\u0027 and \u0027container inspect\u0027 commands\n  * Add information about where the libpod/boltdb database lives\n  * Consolidate the dependencies for the IsTerminal() API\n  * Ensure that StartAndAttach locks while sending signals\n  * ginkgo testing: fix podman usernamespace join\n  * Test runners: nuke podman from $PATH before tests\n  * volumes: Fix idmap not working for volumes\n  * FIXME: Temporary workaround for ubi8 CI breakage\n  * System tests: teardown: clean up volumes\n  * update api versions on docs.podman.io\n  * system tests: runlabel: use podman-under-test\n  * system tests: podman network create: use random port\n  * sig-proxy test: bump timeout\n  * play kube: Allow the user to import the contents of a tar file into a volume\n  * Clarify the docs on DropCapability\n  * quadlet tests: Disable kmsg logging while testing\n  * quadlet: Support multiple Network=\n  * quadlet: Add support for Network=...\n  * Fix manpage for podman run --network option\n  * quadlet: Add support for AddDevice=\n  * quadlet: Add support for setting seccomp profile\n  * quadlet: Allow multiple elements on each Add/DropCaps line\n  * quadlet: Embed the correct binary name in the generated comment\n  * quadlet: Drop the SocketActivated key\n  * quadlet: Switch log-driver to passthrough\n  * quadlet: Change ReadOnly to default to enabled\n  * quadlet tests: Run the tests even for (expected) failed tests\n  * quadlet tests: Fix handling of stderr checks\n  * Remove unused script file\n  * notifyproxy: fix container watcher\n  * container/pod id file: truncate instead of throwing an error\n  * quadlet: Use the new podman create volume --ignore\n  * Add podman volume create --ignore\n  * logcollector: include aardvark-dns\n  * build(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1\n  * build(deps): bump github.com/BurntSushi/toml from 1.2.0 to 1.2.1\n  * docs: generate systemd: point to kube template\n  * docs: kube play: mention restart policy\n  * Fixes: 15858 (podman system reset --force destroy machine)\n  * fix search flake\n  * use cached containers.conf\n  * adding regex support to the ancestor ps filter function\n  * Fix `system df` issues with `-f` and `-v`\n  * markdown-preprocess: cross-reference where opts are used\n  * Default qemu flags for Windows amd64\n  * build(deps): bump golang.org/x/text from 0.3.8 to 0.4.0\n  * Update main to reflect v4.3.0 release\n  * build(deps): bump github.com/docker/docker\n  * move quadlet packages into pkg/systemd\n  * system df: fix image-size calculations\n  * Add man page for quadlet\n  * Fix small typo\n  * testimage: add iproute2 \u0026 socat, for pasta networking\n  * Set up minikube for k8s testing\n  * Makefile: don\u0027t install systemd generator binaries on FreeBSD\n  * [CI:BUILD] copr: podman rpm should depend on containers-common-extra\n  * Podman image: Set default_sysctls to empty for rootless containers\n  * Don\u0027t use github.com/docker/distribution\n  * libpod: Add support for \u0027podman top\u0027 on FreeBSD\n  * libpod: Factor out jail name construction from stats_freebsd.go\n  * pkg/util: Add pid information descriptors for FreeBSD\n  * Initial quadlet version integrated in golang\n  * bump golangci-lint to v1.49.0\n  * Update vendor containers/(common,image,storage)\n  * Allow volume mount dups, iff source and dest dirs\n  * rootless: fix return value handling\n  * Change to correct break statements\n  * vendor containers/psgo@v1.8.0\n  * Clarify that MacOSX docs are client specific\n  * libpod: Factor out the call to PidFdOpen from (*Container).WaitForExit\n  * Add swagger install + allow version updates in CI\n  * Cirrus: Fix windows clone race\n  * build(deps): bump github.com/docker/docker\n  * kill: wait for the container\n  * generate systemd: set --stop-timeout for stopping containers\n  * hack/tree_status.sh: print diff at the end\n  * Fix markdown header typo\n  * markdown-preprocess: add generic include mechanism\n  * markdown-preprocess: almost complete OO rewrite\n  * Update tests for changed error messages\n  * Update c/image after https://github.com/containers/image/pull/1299\n  * Man pages: refactor common options (misc)\n  * Man pages: Refactor common options: --detach-keys\n  * vendor containers/storage@main\n  * Man pages: refactor common options: --attach\n  * build(deps): bump github.com/fsnotify/fsnotify from 1.5.4 to 1.6.0\n  * KillContainer: improve error message\n  * docs: add missing options\n  * Man pages: refactor common options: --annotation (manifest)\n  * build(deps): bump github.com/spf13/cobra from 1.5.0 to 1.6.0\n  * system tests: health-on-failure: fix broken logic\n  * build(deps): bump golang.org/x/text from 0.3.7 to 0.3.8\n  * build(deps): bump github.com/onsi/gomega from 1.20.2 to 1.22.1\n  * ContainerEngine.SetupRootless(): Avoid calling container.Config()\n  * Container filters: Avoid use of ctr.Config()\n  * Avoid unnecessary calls to Container.Spec()\n  * Add and use Container.LinuxResource() helper\n  * play kube: notifyproxy: listen before starting the pod\n  * play kube: add support for configmap binaryData\n  * Add and use libpod/Container.Terminal() helper\n  * Revert \u0027Add checkpoint image tests\u0027\n  * Revert \u0027cmd/podman: add support for checkpoint images\u0027\n  * healthcheck: fix --on-failure=stop\n  * Man pages: Add mention of behavior due to XDG_CONFIG_HOME\n  * build(deps): bump github.com/containers/ocicrypt from 1.1.5 to 1.1.6\n  * Avoid unnecessary timeout of 250msec when waiting on container shutdown\n  * health checks: make on-failure action retry aware\n  * libpod: Remove 100msec delay during shutdown\n  * libpod: Add support for \u0027podman pod\u0027 on FreeBSD\n  * libpod: Factor out cgroup validation from (*Runtime).NewPod\n  * libpod: Move runtime_pod_linux.go to runtime_pod_common.go\n  * specgen/generate: Avoid a nil dereference in MakePod\n  * libpod: Factor out cgroups handling from (*Pod).refresh\n  * Adds a link to OSX docs in CONTRIBUTING.md\n  * Man pages: refactor common options: --os-version\n  * Create full path to a directory when DirectoryOrCreate is used with play kube\n  * Return error in podman system service if URI scheme is not unix/tcp\n  * Man pages: refactor common options: --time\n  * man pages: document some --format options: images\n  * Clean up when stopping pods\n  * Update vendor of containers/buildah v1.28.0\n  * Proof of concept: nightly dependency treadmill\n\n- Make the priority for picking the storage driver configurable (bsc#1197093)\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2023-1814,SUSE-SLE-Micro-5.3-2023-1814,SUSE-SLE-Micro-5.4-2023-1814,SUSE-SLE-Module-Containers-15-SP4-2023-1814,openSUSE-Leap-Micro-5.3-2023-1814,openSUSE-SLE-15.4-2023-1814",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2023_1814-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2023:1814-1",
        "url": "https://www.suse.com/support/update/announcement/2023/suse-su-20231814-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2023:1814-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2023-May/014735.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1197093",
        "url": "https://bugzilla.suse.com/1197093"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1208364",
        "url": "https://bugzilla.suse.com/1208364"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1208510",
        "url": "https://bugzilla.suse.com/1208510"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1209495",
        "url": "https://bugzilla.suse.com/1209495"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-0778 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-0778/"
      }
    ],
    "title": "Security update for podman",
    "tracking": {
      "current_release_date": "2023-04-11T12:40:40Z",
      "generator": {
        "date": "2023-04-11T12:40:40Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2023:1814-1",
      "initial_release_date": "2023-04-11T12:40:40Z",
      "revision_history": [
        {
          "date": "2023-04-11T12:40:40Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "podman-4.4.4-150400.4.16.1.aarch64",
                "product": {
                  "name": "podman-4.4.4-150400.4.16.1.aarch64",
                  "product_id": "podman-4.4.4-150400.4.16.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "podman-remote-4.4.4-150400.4.16.1.aarch64",
                "product": {
                  "name": "podman-remote-4.4.4-150400.4.16.1.aarch64",
                  "product_id": "podman-remote-4.4.4-150400.4.16.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "podman-4.4.4-150400.4.16.1.i586",
                "product": {
                  "name": "podman-4.4.4-150400.4.16.1.i586",
                  "product_id": "podman-4.4.4-150400.4.16.1.i586"
                }
              },
              {
                "category": "product_version",
                "name": "podman-remote-4.4.4-150400.4.16.1.i586",
                "product": {
                  "name": "podman-remote-4.4.4-150400.4.16.1.i586",
                  "product_id": "podman-remote-4.4.4-150400.4.16.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "podman-cni-config-4.4.4-150400.4.16.1.noarch",
                "product": {
                  "name": "podman-cni-config-4.4.4-150400.4.16.1.noarch",
                  "product_id": "podman-cni-config-4.4.4-150400.4.16.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "podman-docker-4.4.4-150400.4.16.1.noarch",
                "product": {
                  "name": "podman-docker-4.4.4-150400.4.16.1.noarch",
                  "product_id": "podman-docker-4.4.4-150400.4.16.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "podman-4.4.4-150400.4.16.1.ppc64le",
                "product": {
                  "name": "podman-4.4.4-150400.4.16.1.ppc64le",
                  "product_id": "podman-4.4.4-150400.4.16.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "podman-remote-4.4.4-150400.4.16.1.ppc64le",
                "product": {
                  "name": "podman-remote-4.4.4-150400.4.16.1.ppc64le",
                  "product_id": "podman-remote-4.4.4-150400.4.16.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "podman-4.4.4-150400.4.16.1.s390x",
                "product": {
                  "name": "podman-4.4.4-150400.4.16.1.s390x",
                  "product_id": "podman-4.4.4-150400.4.16.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "podman-remote-4.4.4-150400.4.16.1.s390x",
                "product": {
                  "name": "podman-remote-4.4.4-150400.4.16.1.s390x",
                  "product_id": "podman-remote-4.4.4-150400.4.16.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "podman-4.4.4-150400.4.16.1.x86_64",
                "product": {
                  "name": "podman-4.4.4-150400.4.16.1.x86_64",
                  "product_id": "podman-4.4.4-150400.4.16.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "podman-remote-4.4.4-150400.4.16.1.x86_64",
                "product": {
                  "name": "podman-remote-4.4.4-150400.4.16.1.x86_64",
                  "product_id": "podman-remote-4.4.4-150400.4.16.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Micro 5.3",
                "product": {
                  "name": "SUSE Linux Enterprise Micro 5.3",
                  "product_id": "SUSE Linux Enterprise Micro 5.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-micro:5.3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Micro 5.4",
                "product": {
                  "name": "SUSE Linux Enterprise Micro 5.4",
                  "product_id": "SUSE Linux Enterprise Micro 5.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-micro:5.4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for Containers 15 SP4",
                "product": {
                  "name": "SUSE Linux Enterprise Module for Containers 15 SP4",
                  "product_id": "SUSE Linux Enterprise Module for Containers 15 SP4",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-containers:15:sp4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap Micro 5.3",
                "product": {
                  "name": "openSUSE Leap Micro 5.3",
                  "product_id": "openSUSE Leap Micro 5.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap-micro:5.3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.4",
                "product": {
                  "name": "openSUSE Leap 15.4",
                  "product_id": "openSUSE Leap 15.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.4"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-4.4.4-150400.4.16.1.aarch64 as component of SUSE Linux Enterprise Micro 5.3",
          "product_id": "SUSE Linux Enterprise Micro 5.3:podman-4.4.4-150400.4.16.1.aarch64"
        },
        "product_reference": "podman-4.4.4-150400.4.16.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-4.4.4-150400.4.16.1.s390x as component of SUSE Linux Enterprise Micro 5.3",
          "product_id": "SUSE Linux Enterprise Micro 5.3:podman-4.4.4-150400.4.16.1.s390x"
        },
        "product_reference": "podman-4.4.4-150400.4.16.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-4.4.4-150400.4.16.1.x86_64 as component of SUSE Linux Enterprise Micro 5.3",
          "product_id": "SUSE Linux Enterprise Micro 5.3:podman-4.4.4-150400.4.16.1.x86_64"
        },
        "product_reference": "podman-4.4.4-150400.4.16.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-cni-config-4.4.4-150400.4.16.1.noarch as component of SUSE Linux Enterprise Micro 5.3",
          "product_id": "SUSE Linux Enterprise Micro 5.3:podman-cni-config-4.4.4-150400.4.16.1.noarch"
        },
        "product_reference": "podman-cni-config-4.4.4-150400.4.16.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-4.4.4-150400.4.16.1.aarch64 as component of SUSE Linux Enterprise Micro 5.4",
          "product_id": "SUSE Linux Enterprise Micro 5.4:podman-4.4.4-150400.4.16.1.aarch64"
        },
        "product_reference": "podman-4.4.4-150400.4.16.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-4.4.4-150400.4.16.1.s390x as component of SUSE Linux Enterprise Micro 5.4",
          "product_id": "SUSE Linux Enterprise Micro 5.4:podman-4.4.4-150400.4.16.1.s390x"
        },
        "product_reference": "podman-4.4.4-150400.4.16.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-4.4.4-150400.4.16.1.x86_64 as component of SUSE Linux Enterprise Micro 5.4",
          "product_id": "SUSE Linux Enterprise Micro 5.4:podman-4.4.4-150400.4.16.1.x86_64"
        },
        "product_reference": "podman-4.4.4-150400.4.16.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-cni-config-4.4.4-150400.4.16.1.noarch as component of SUSE Linux Enterprise Micro 5.4",
          "product_id": "SUSE Linux Enterprise Micro 5.4:podman-cni-config-4.4.4-150400.4.16.1.noarch"
        },
        "product_reference": "podman-cni-config-4.4.4-150400.4.16.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-4.4.4-150400.4.16.1.aarch64 as component of SUSE Linux Enterprise Module for Containers 15 SP4",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP4:podman-4.4.4-150400.4.16.1.aarch64"
        },
        "product_reference": "podman-4.4.4-150400.4.16.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-4.4.4-150400.4.16.1.ppc64le as component of SUSE Linux Enterprise Module for Containers 15 SP4",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP4:podman-4.4.4-150400.4.16.1.ppc64le"
        },
        "product_reference": "podman-4.4.4-150400.4.16.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-4.4.4-150400.4.16.1.s390x as component of SUSE Linux Enterprise Module for Containers 15 SP4",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP4:podman-4.4.4-150400.4.16.1.s390x"
        },
        "product_reference": "podman-4.4.4-150400.4.16.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-4.4.4-150400.4.16.1.x86_64 as component of SUSE Linux Enterprise Module for Containers 15 SP4",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP4:podman-4.4.4-150400.4.16.1.x86_64"
        },
        "product_reference": "podman-4.4.4-150400.4.16.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-cni-config-4.4.4-150400.4.16.1.noarch as component of SUSE Linux Enterprise Module for Containers 15 SP4",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP4:podman-cni-config-4.4.4-150400.4.16.1.noarch"
        },
        "product_reference": "podman-cni-config-4.4.4-150400.4.16.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-docker-4.4.4-150400.4.16.1.noarch as component of SUSE Linux Enterprise Module for Containers 15 SP4",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP4:podman-docker-4.4.4-150400.4.16.1.noarch"
        },
        "product_reference": "podman-docker-4.4.4-150400.4.16.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-remote-4.4.4-150400.4.16.1.aarch64 as component of SUSE Linux Enterprise Module for Containers 15 SP4",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP4:podman-remote-4.4.4-150400.4.16.1.aarch64"
        },
        "product_reference": "podman-remote-4.4.4-150400.4.16.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-remote-4.4.4-150400.4.16.1.ppc64le as component of SUSE Linux Enterprise Module for Containers 15 SP4",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP4:podman-remote-4.4.4-150400.4.16.1.ppc64le"
        },
        "product_reference": "podman-remote-4.4.4-150400.4.16.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-remote-4.4.4-150400.4.16.1.s390x as component of SUSE Linux Enterprise Module for Containers 15 SP4",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP4:podman-remote-4.4.4-150400.4.16.1.s390x"
        },
        "product_reference": "podman-remote-4.4.4-150400.4.16.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-remote-4.4.4-150400.4.16.1.x86_64 as component of SUSE Linux Enterprise Module for Containers 15 SP4",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP4:podman-remote-4.4.4-150400.4.16.1.x86_64"
        },
        "product_reference": "podman-remote-4.4.4-150400.4.16.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-4.4.4-150400.4.16.1.aarch64 as component of openSUSE Leap Micro 5.3",
          "product_id": "openSUSE Leap Micro 5.3:podman-4.4.4-150400.4.16.1.aarch64"
        },
        "product_reference": "podman-4.4.4-150400.4.16.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap Micro 5.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-4.4.4-150400.4.16.1.x86_64 as component of openSUSE Leap Micro 5.3",
          "product_id": "openSUSE Leap Micro 5.3:podman-4.4.4-150400.4.16.1.x86_64"
        },
        "product_reference": "podman-4.4.4-150400.4.16.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap Micro 5.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-cni-config-4.4.4-150400.4.16.1.noarch as component of openSUSE Leap Micro 5.3",
          "product_id": "openSUSE Leap Micro 5.3:podman-cni-config-4.4.4-150400.4.16.1.noarch"
        },
        "product_reference": "podman-cni-config-4.4.4-150400.4.16.1.noarch",
        "relates_to_product_reference": "openSUSE Leap Micro 5.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-4.4.4-150400.4.16.1.aarch64 as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:podman-4.4.4-150400.4.16.1.aarch64"
        },
        "product_reference": "podman-4.4.4-150400.4.16.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-4.4.4-150400.4.16.1.ppc64le as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:podman-4.4.4-150400.4.16.1.ppc64le"
        },
        "product_reference": "podman-4.4.4-150400.4.16.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-4.4.4-150400.4.16.1.s390x as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:podman-4.4.4-150400.4.16.1.s390x"
        },
        "product_reference": "podman-4.4.4-150400.4.16.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-4.4.4-150400.4.16.1.x86_64 as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:podman-4.4.4-150400.4.16.1.x86_64"
        },
        "product_reference": "podman-4.4.4-150400.4.16.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-cni-config-4.4.4-150400.4.16.1.noarch as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:podman-cni-config-4.4.4-150400.4.16.1.noarch"
        },
        "product_reference": "podman-cni-config-4.4.4-150400.4.16.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-docker-4.4.4-150400.4.16.1.noarch as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:podman-docker-4.4.4-150400.4.16.1.noarch"
        },
        "product_reference": "podman-docker-4.4.4-150400.4.16.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-remote-4.4.4-150400.4.16.1.aarch64 as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:podman-remote-4.4.4-150400.4.16.1.aarch64"
        },
        "product_reference": "podman-remote-4.4.4-150400.4.16.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-remote-4.4.4-150400.4.16.1.ppc64le as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:podman-remote-4.4.4-150400.4.16.1.ppc64le"
        },
        "product_reference": "podman-remote-4.4.4-150400.4.16.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-remote-4.4.4-150400.4.16.1.s390x as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:podman-remote-4.4.4-150400.4.16.1.s390x"
        },
        "product_reference": "podman-remote-4.4.4-150400.4.16.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-remote-4.4.4-150400.4.16.1.x86_64 as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:podman-remote-4.4.4-150400.4.16.1.x86_64"
        },
        "product_reference": "podman-remote-4.4.4-150400.4.16.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-0778",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-0778"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A Time-of-check Time-of-use (TOCTOU) flaw was found in podman. This issue may allow a malicious user to replace a normal file in a volume with a symlink while exporting the volume, allowing for access to arbitrary files on the host file system.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Micro 5.3:podman-4.4.4-150400.4.16.1.aarch64",
          "SUSE Linux Enterprise Micro 5.3:podman-4.4.4-150400.4.16.1.s390x",
          "SUSE Linux Enterprise Micro 5.3:podman-4.4.4-150400.4.16.1.x86_64",
          "SUSE Linux Enterprise Micro 5.3:podman-cni-config-4.4.4-150400.4.16.1.noarch",
          "SUSE Linux Enterprise Micro 5.4:podman-4.4.4-150400.4.16.1.aarch64",
          "SUSE Linux Enterprise Micro 5.4:podman-4.4.4-150400.4.16.1.s390x",
          "SUSE Linux Enterprise Micro 5.4:podman-4.4.4-150400.4.16.1.x86_64",
          "SUSE Linux Enterprise Micro 5.4:podman-cni-config-4.4.4-150400.4.16.1.noarch",
          "SUSE Linux Enterprise Module for Containers 15 SP4:podman-4.4.4-150400.4.16.1.aarch64",
          "SUSE Linux Enterprise Module for Containers 15 SP4:podman-4.4.4-150400.4.16.1.ppc64le",
          "SUSE Linux Enterprise Module for Containers 15 SP4:podman-4.4.4-150400.4.16.1.s390x",
          "SUSE Linux Enterprise Module for Containers 15 SP4:podman-4.4.4-150400.4.16.1.x86_64",
          "SUSE Linux Enterprise Module for Containers 15 SP4:podman-cni-config-4.4.4-150400.4.16.1.noarch",
          "SUSE Linux Enterprise Module for Containers 15 SP4:podman-docker-4.4.4-150400.4.16.1.noarch",
          "SUSE Linux Enterprise Module for Containers 15 SP4:podman-remote-4.4.4-150400.4.16.1.aarch64",
          "SUSE Linux Enterprise Module for Containers 15 SP4:podman-remote-4.4.4-150400.4.16.1.ppc64le",
          "SUSE Linux Enterprise Module for Containers 15 SP4:podman-remote-4.4.4-150400.4.16.1.s390x",
          "SUSE Linux Enterprise Module for Containers 15 SP4:podman-remote-4.4.4-150400.4.16.1.x86_64",
          "openSUSE Leap 15.4:podman-4.4.4-150400.4.16.1.aarch64",
          "openSUSE Leap 15.4:podman-4.4.4-150400.4.16.1.ppc64le",
          "openSUSE Leap 15.4:podman-4.4.4-150400.4.16.1.s390x",
          "openSUSE Leap 15.4:podman-4.4.4-150400.4.16.1.x86_64",
          "openSUSE Leap 15.4:podman-cni-config-4.4.4-150400.4.16.1.noarch",
          "openSUSE Leap 15.4:podman-docker-4.4.4-150400.4.16.1.noarch",
          "openSUSE Leap 15.4:podman-remote-4.4.4-150400.4.16.1.aarch64",
          "openSUSE Leap 15.4:podman-remote-4.4.4-150400.4.16.1.ppc64le",
          "openSUSE Leap 15.4:podman-remote-4.4.4-150400.4.16.1.s390x",
          "openSUSE Leap 15.4:podman-remote-4.4.4-150400.4.16.1.x86_64",
          "openSUSE Leap Micro 5.3:podman-4.4.4-150400.4.16.1.aarch64",
          "openSUSE Leap Micro 5.3:podman-4.4.4-150400.4.16.1.x86_64",
          "openSUSE Leap Micro 5.3:podman-cni-config-4.4.4-150400.4.16.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-0778",
          "url": "https://www.suse.com/security/cve/CVE-2023-0778"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1208364 for CVE-2023-0778",
          "url": "https://bugzilla.suse.com/1208364"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Micro 5.3:podman-4.4.4-150400.4.16.1.aarch64",
            "SUSE Linux Enterprise Micro 5.3:podman-4.4.4-150400.4.16.1.s390x",
            "SUSE Linux Enterprise Micro 5.3:podman-4.4.4-150400.4.16.1.x86_64",
            "SUSE Linux Enterprise Micro 5.3:podman-cni-config-4.4.4-150400.4.16.1.noarch",
            "SUSE Linux Enterprise Micro 5.4:podman-4.4.4-150400.4.16.1.aarch64",
            "SUSE Linux Enterprise Micro 5.4:podman-4.4.4-150400.4.16.1.s390x",
            "SUSE Linux Enterprise Micro 5.4:podman-4.4.4-150400.4.16.1.x86_64",
            "SUSE Linux Enterprise Micro 5.4:podman-cni-config-4.4.4-150400.4.16.1.noarch",
            "SUSE Linux Enterprise Module for Containers 15 SP4:podman-4.4.4-150400.4.16.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP4:podman-4.4.4-150400.4.16.1.ppc64le",
            "SUSE Linux Enterprise Module for Containers 15 SP4:podman-4.4.4-150400.4.16.1.s390x",
            "SUSE Linux Enterprise Module for Containers 15 SP4:podman-4.4.4-150400.4.16.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP4:podman-cni-config-4.4.4-150400.4.16.1.noarch",
            "SUSE Linux Enterprise Module for Containers 15 SP4:podman-docker-4.4.4-150400.4.16.1.noarch",
            "SUSE Linux Enterprise Module for Containers 15 SP4:podman-remote-4.4.4-150400.4.16.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP4:podman-remote-4.4.4-150400.4.16.1.ppc64le",
            "SUSE Linux Enterprise Module for Containers 15 SP4:podman-remote-4.4.4-150400.4.16.1.s390x",
            "SUSE Linux Enterprise Module for Containers 15 SP4:podman-remote-4.4.4-150400.4.16.1.x86_64",
            "openSUSE Leap 15.4:podman-4.4.4-150400.4.16.1.aarch64",
            "openSUSE Leap 15.4:podman-4.4.4-150400.4.16.1.ppc64le",
            "openSUSE Leap 15.4:podman-4.4.4-150400.4.16.1.s390x",
            "openSUSE Leap 15.4:podman-4.4.4-150400.4.16.1.x86_64",
            "openSUSE Leap 15.4:podman-cni-config-4.4.4-150400.4.16.1.noarch",
            "openSUSE Leap 15.4:podman-docker-4.4.4-150400.4.16.1.noarch",
            "openSUSE Leap 15.4:podman-remote-4.4.4-150400.4.16.1.aarch64",
            "openSUSE Leap 15.4:podman-remote-4.4.4-150400.4.16.1.ppc64le",
            "openSUSE Leap 15.4:podman-remote-4.4.4-150400.4.16.1.s390x",
            "openSUSE Leap 15.4:podman-remote-4.4.4-150400.4.16.1.x86_64",
            "openSUSE Leap Micro 5.3:podman-4.4.4-150400.4.16.1.aarch64",
            "openSUSE Leap Micro 5.3:podman-4.4.4-150400.4.16.1.x86_64",
            "openSUSE Leap Micro 5.3:podman-cni-config-4.4.4-150400.4.16.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Micro 5.3:podman-4.4.4-150400.4.16.1.aarch64",
            "SUSE Linux Enterprise Micro 5.3:podman-4.4.4-150400.4.16.1.s390x",
            "SUSE Linux Enterprise Micro 5.3:podman-4.4.4-150400.4.16.1.x86_64",
            "SUSE Linux Enterprise Micro 5.3:podman-cni-config-4.4.4-150400.4.16.1.noarch",
            "SUSE Linux Enterprise Micro 5.4:podman-4.4.4-150400.4.16.1.aarch64",
            "SUSE Linux Enterprise Micro 5.4:podman-4.4.4-150400.4.16.1.s390x",
            "SUSE Linux Enterprise Micro 5.4:podman-4.4.4-150400.4.16.1.x86_64",
            "SUSE Linux Enterprise Micro 5.4:podman-cni-config-4.4.4-150400.4.16.1.noarch",
            "SUSE Linux Enterprise Module for Containers 15 SP4:podman-4.4.4-150400.4.16.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP4:podman-4.4.4-150400.4.16.1.ppc64le",
            "SUSE Linux Enterprise Module for Containers 15 SP4:podman-4.4.4-150400.4.16.1.s390x",
            "SUSE Linux Enterprise Module for Containers 15 SP4:podman-4.4.4-150400.4.16.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP4:podman-cni-config-4.4.4-150400.4.16.1.noarch",
            "SUSE Linux Enterprise Module for Containers 15 SP4:podman-docker-4.4.4-150400.4.16.1.noarch",
            "SUSE Linux Enterprise Module for Containers 15 SP4:podman-remote-4.4.4-150400.4.16.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP4:podman-remote-4.4.4-150400.4.16.1.ppc64le",
            "SUSE Linux Enterprise Module for Containers 15 SP4:podman-remote-4.4.4-150400.4.16.1.s390x",
            "SUSE Linux Enterprise Module for Containers 15 SP4:podman-remote-4.4.4-150400.4.16.1.x86_64",
            "openSUSE Leap 15.4:podman-4.4.4-150400.4.16.1.aarch64",
            "openSUSE Leap 15.4:podman-4.4.4-150400.4.16.1.ppc64le",
            "openSUSE Leap 15.4:podman-4.4.4-150400.4.16.1.s390x",
            "openSUSE Leap 15.4:podman-4.4.4-150400.4.16.1.x86_64",
            "openSUSE Leap 15.4:podman-cni-config-4.4.4-150400.4.16.1.noarch",
            "openSUSE Leap 15.4:podman-docker-4.4.4-150400.4.16.1.noarch",
            "openSUSE Leap 15.4:podman-remote-4.4.4-150400.4.16.1.aarch64",
            "openSUSE Leap 15.4:podman-remote-4.4.4-150400.4.16.1.ppc64le",
            "openSUSE Leap 15.4:podman-remote-4.4.4-150400.4.16.1.s390x",
            "openSUSE Leap 15.4:podman-remote-4.4.4-150400.4.16.1.x86_64",
            "openSUSE Leap Micro 5.3:podman-4.4.4-150400.4.16.1.aarch64",
            "openSUSE Leap Micro 5.3:podman-4.4.4-150400.4.16.1.x86_64",
            "openSUSE Leap Micro 5.3:podman-cni-config-4.4.4-150400.4.16.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2023-04-11T12:40:40Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2023-0778"
    }
  ]
}
