suse-su-2025:20279-1
Vulnerability from csaf_suse
Published
2025-04-22 13:50
Modified
2025-04-22 13:50
Summary
Security update for podman
Notes
Title of the patch
Security update for podman
Description of the patch
This update for podman fixes the following issues:
- CVE-2023-45288: Fixed closing connection when receiving too many headers (bsc#1236507).
- CVE-2024-11218: Fixed container breakout by using --jobs=2 and a race condition when building a malicious Containerfile (bsc#1236270).
- CVE-2025-22869: Fixed Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239330).
- CVE-2025-27144: Fixed Go JOSE's Parsing Vulnerable to Denial of Service (bsc#1237641).
- CVE-2024-9407: Fixed Improper Input Validation in bind-propagation Option of Dockerfile RUN --mount Instruction (bsc#1231208).
- CVE-2024-3727: Fixed digest type (bsc#1224112).
- CVE-2024-1753: Fixed full container escape at build time (bsc#1221677).
Other fixes:
- Updated to version 5.2.5:
* RPM: remove dup Provides
* Packit: constrain koji and bodhi jobs to fedora package to avoid dupes
* Validate the bind-propagation option to `--mount`
* Updated Buildah to v1.37.4
* vendor: updated c/common to v0.60.4
* pkg/specgen: allow pasta when running inside userns
* libpod: convert owner IDs only with :idmap
* allow exposed sctp ports
* libpod: setupNetNS() correctly mount netns
* vendor: updated c/common to v0.60.3
* [skip-ci] Packit: split out ELN jobs and reuse fedora downstream targets
* [skip-ci] Packit: Enable sidetags for bodhi updates
* Updated gvisor-tap-vsock to 0.7.5
* CI: podman-machine: do not use cache registry
* [CI:DOCS] Add v5.2.2 lib updates to RELEASE_NOTES.md
* Update RELEASE_NOTES for v5.2.2
* [v5.2] Bump Buildah to v1.37.2, c/common v0.60.2, c/image v5.32.2
* [v5.2] golangci-lint: make darwin linting happy
* [v5.2] golangci-lint: make windows linting happy
* [v5.2] test/e2e: remove kernel version check
* [v5.2] golangci-lint: remove most skip dirs
* [v5.2] set !remote build tags where needed
* [v5.2] update golangci-lint to 1.60.1
* Packit: update targets for propose-downstream
* Create volume path before state initialization
* Update Cirrus DEST_BRANCH
* Bump to v5.2.2-dev
* Bump to v5.2.1
* Update release notes for v5.2.1
* [v5.2] Add zstd:chunked test fix
* [v5.2] Bump Buildah to v1.37.1, c/common v0.60.1, c/image v5.32.1
* libpod: reset state error on init
* libpod: do not save expected stop errors in ctr state
* libpod: fix broken saveContainerError()
* Bump to v5.2.1-dev
* Bump to v5.2.0
* Never skip checkout step in release workflow
* Bump to v5.2.0-dev
* Bump to v5.2.0-rc3
* Update release notes for v5.2.0-rc3
* Tweak versions in register_images.go
* fix network cleanup flake in play kube
* WIP: Fixes for vendoring Buildah
* Add --compat-volumes option to build and farm build
* Bump Buildah, c/storage, c/image, c/common
* libpod: bind ports before network setup
* pkg/api: do not leak config pointers into specgen
* build: Update gvisor-tap-vsock to 0.7.4
* test/system: fix borken pasta interface name checks
* test/system: fix bridge host.containers.internal test
* CI: system tests: instrument to allow failure analysis
* Use uploaded .zip for Windows action
* RPM: podman-iptables.conf only on Fedora
* Bump to v5.2.0-dev
* Bump to v5.2.0-rc2
* Update release notes for v5.2.0-rc2
* test/e2e: fix ncat tests
* libpod: add hidden env to set sqlite timeout
* Add support for StopSignal in quadlet .container files
* podman pod stats: fix race when ctr process exits
* Update module github.com/vbauerster/mpb/v8 to v8.7.4
* libpod: correctly capture healthcheck output
* Bump bundled krunkit to 0.1.2
* podman stats: fix race when ctr process exists
* nc -p considered harmful
* podman pod stats: fix pod rm race
* podman ps: fix racy pod name query
* system connection remove: use Args function to validate
* pkg/machine/compression: skip decompress bar for empty file
* nc -p considered harmful
* podman system df: fix fix ErrNoSuchCtr/Volume race
* podman auto-update: fix ErrNoSuchCtr race
* Fix name for builder in farm connection
* 700-play.bats: use unique pod/container/image/volume names
* safename: consistent within same test, and, dashes
* 700-kube.bats: refactor $PODMAN_TMPDIR/test.yaml
* 700-play.bats: eliminate $testYaml
* 700-play.bats: refactor clumsy yamlfile creation
* 700-play.bats: move _write_test_yaml up near top
* chore(deps): update dependency setuptools to v71
* Expand drop-in search paths * top-level (pod.d) * truncated (unit-.container.d)
* Remove references and checks for --gpus
* Do not crash on invalid filters
* fix(deps): update module github.com/rootless-containers/rootlesskit/v2 to v2.2.0
* Bump to v5.2.0-dev
* Bump to v5.2.0-rc1
* Keep the volume-driver flag deprecated
* Vendor in latest containers(common, storage,image, buildah)
* System tests: safe container/image/volume/etc names
* Implement disable default mounts via command line
* test: drop unmount for overlay
* test: gracefully terminate server
* libpod: shutdown Stop waits for handlers completion
* libpod: cleanup store at shutdown
* Add NetworkAlias= support to quadlet
* cmd: call shutdown handler stop function
* fix race conditions in start/attach logic
* swagger: exlude new docker network types
* vendor: bump c/storage
* update to docker 27
* contrib: use a distinct --pull-option= for each flag
* Update warning message when using external compose provider
* Update module github.com/cyphar/filepath-securejoin to v0.3.0
* Ignore result of EvalSymlinks on ENOENT
* test/upgrade: fix tests when netavark uses nftables
* test/system: fix network reload test with nftables
* test/e2e: rework some --expose tests
* test: remove publish tests from e2e
* CI: test nftables driver on fedora
* CI: use local registry, part 3 of 3: for developers
* CI: use local registry, part 2 of 3: fix tests
* CI: use local registry, part 1 of 3: setup
* CI: test composefs on rawhide
* chore(deps): update module google.golang.org/grpc to v1.64.1 [security]
* chore(deps): update dependency setuptools to ~=70.3.0
* Improve container filenname ambiguity.
* containers/attach: Note bug around goroutine leak
* Drop minikube CI test
* add libkrun test docs
* fix(deps): update module tags.cncf.io/container-device-interface to v0.8.0
* cirrus: check for header files in source code check
* pkg/machine/e2e: run debug command only for macos
* create runtime's worker queue before queuing any job
* test/system: fix pasta host.containers.internal test
* Visual Studio BuildTools as a MinGW alternative
* SetupRootless(): only reexec when needed
* pkg/rootless: simplify reexec for container code
* cirrus: add missing test/tools to danger files
* fix(deps): update module golang.org/x/tools to v0.23.0
* Windows Installer: switch to wix5
* fix(deps): update module golang.org/x/net to v0.27.0
* pkg/machine/e2e: print tests timings at the end
* pkg/machine/e2e: run debug commands after init
* pkg/machine/e2e: improve timeout handling
* libpod: first delete container then cidfile
* fix(deps): update module golang.org/x/term to v0.22.0
* System test fixes
* cirrus.yml: automatic skips based on source
* fix(deps): update module github.com/containers/ocicrypt to v1.2.0
* podman events: fix error race
* chore(deps): update dependency setuptools to ~=70.2.0
* fix(deps): update module github.com/gorilla/schema to v1.4.1 [security]
* Update CI VM images
* pkg/machine/e2e: fix broken cleanup
* pkg/machine/e2e: use tmp file for connections
* test/system: fix podman --image-volume to allow tmpfs storage
* CI: mount tmpfs for container storage
* docs: --network remove missing leading sentence
* specgen: parse devices even with privileged set
* vendor: update c/storage
* Remove the unused machine volume-driver
* feat(quadlet): log option handling
* Error when machine memory exceeds system memory
* machine: Always use --log-file with gvproxy
* CI: Build-Each-Commit test: run only on PRs
* Small fixes for testing libkrun
* Podman machine resets all providers
* Clearly indicate names w/ URLencoded duplicates
* [skip-ci] Packit: split rhel and centos-stream jobs
* apple virtiofs: fix racy mount setup
* cirrus: fix broken macos artifacts URL
* libpod/container_top_linux.c: fix missing header
* refactor(build): improve err when file specified by -f does not exist
* Minor: Remove unhelpful comment
* Update module github.com/openshift/imagebuilder to v1.2.11
* Minor: Rename the OSX Cross task
* [skip-ci] Remove conditionals from changelog
* podman top: join the container userns
* Run linting in parallel with building
* Fix missing Makefile target dependency
* build API: accept platform comma separated
* [skip-ci] RPM: create podman-machine subpackage
* ExitWithError() - more upgrades from Exit()
* test/e2e: remove podman system service tests
* cirrus: reduce int tests timeout
* cirrus: remove redundant skip logic
* pkg/machine/apple: machine stop timeout
* CI: logformatter: link to correct PR base
* Update module github.com/crc-org/crc/v2 to v2.38.0
* ExitWithError(): continued
* test/system: Add test steps for journald log check in quadlet
* restore: fix missing network setup
* podman run use pod userns even with --pod-id-file
* macos-installer: bundle krunkit
* remote API: fix pod top error reporting
* libpod API: return proper error status code for pod start
* fix #22233
* added check for `registry.IsRemote()`. and correct error message.
* fix #20686
* pkg/machine/e2e: Remove unnecessary copy of machine image.
* libpod: intermediate mount if UID not mapped into the userns
* libpod: avoid chowning the rundir to root in the userns
* libpod: do not chmod bind mounts
* libpod: unlock the thread if possible
* CI Cleanup: Remove cgroups v1 support
* ExitWithError() - more upgrades from Exit()
* remote: fix incorrect CONTAINER_CONNECTION parsing
* container: pass KillSignal and StopTimeout to the systemd scope
* libpod: fix comment
* e2e: test container restore in pod by name
* docs: Adds all PushImage supported paramters to openapi docs.
* systests: kube: bump up a timeout
* cirrus.yml: add CI:ALL mode to force all tests
* cirrus.yml: implement skips based on source changes
* CI VMs: bump
* restore: fix container restore into pod
* sqlite_state: Fix RewriteVolumeConfig
* chore(deps): update dependency setuptools to ~=70.1.0
* Quadlet - use specifier for unescaped values for templated container name
* cirrus: check for system test leaks in nightly
* test/system: check for leaks in teardown suite
* test/system: speed up basic_{setup,teardown}()
* test/system: fix up many tests that do not cleanup
* test/system: fix podman --authfile=nonexistent-path
* Update module github.com/containernetworking/plugins to v1.5.1
* Update module github.com/checkpoint-restore/checkpointctl to v1.2.1
* Update module github.com/spf13/cobra to v1.8.1
* Update module github.com/gorilla/schema to v1.4.0
* pkg/machine/wsl: force terminate wsl instance
* pkg/machine/wsl: wrap command errors
* [CI:DOCS] Quadlet - add note about relative path resolution
* CI: do not install python packages at runtime
* Release workflow: Include candidate descriptor
* Minor: Fix indentation in GHA release workflow
* GHA: Send release notification mail
* GHA: Validate release version number
* Remove references to --pull=true and --pull=false
* ExitWithError, continued
* podman: add new hidden flag --pull-option
* [CI:DOCS] Fix typos in podman-build
* infra: mark storageSet when imagestore is changed
* [CI:DOCS] Add jnovy as reviewer and approver
* fix(deps): update module google.golang.org/protobuf to v1.34.2
* refactor(machine,wsl): improve operations of Windows API
* --squash --layers=false should be allowed
* fix(deps): update module github.com/checkpoint-restore/checkpointctl to v1.2.0
* update golangci-lint to v1.59.1
* Rename master to main in CONTRIBUTING.md
* podman 5, pasta and inter-container networking
* libpod: do not resuse networking on start
* machine/linux: Switch to virtiofs by default
* machine/linux: Support virtiofs mounts (retain 9p default)
* machine/linux: Use memory-backend-memfd by default
* ExitWithError() - continued
* Enable libkrun provider to open a debug console
* Add new targets on Windows makefile (winmake.ps1)
* fix(deps): update module github.com/docker/docker to v26.1.4+incompatible
* fix(deps): update module github.com/crc-org/crc/v2 to v2.37.1
* fix(deps): update module golang.org/x/tools to v0.22.0
* fix(deps): update module golang.org/x/net to v0.26.0
* libpod: fix 'podman kube generate' on FreeBSD
* fix(deps): update module golang.org/x/sys to v0.21.0
* libpod: do not leak systemd hc startup unit timer
* vendor latest c/common
* pkg/rootless: set _CONTAINERS_USERNS_CONFIGURED correctly
* run bats -T, to profile timing hogs
* test/system: speed up podman ps --external
* test/system: speed up podman network connect/disconnect
* test/system: speed up podman network reload
* test/system: speed up quadlet - pod simple
* test/system: speed up podman parallel build should not race
* test/system: speed up podman cp dir from host to container
* test/system: speed up podman build - workdir, cmd, env, label
* test/system: speed up podman --log-level recognizes log levels
* test/system: remove obsolete debug in net connect/disconnect test
* test/system: speed up quadlet - basic
* test/system: speed up user namespace preserved root ownership
* System tests: add `podman system check` tests
* Add `podman system check` for checking storage consistency
* fix(deps): update module github.com/crc-org/crc/v2 to v2.37.0
* fix(libpod): add newline character to the end of container's hostname file
* fix(deps): update module github.com/openshift/imagebuilder to v1.2.10
* fix(deps): update github.com/containers/image/v5 digest to aa93504
* Fix 5.1 release note re: runlabel
* test/e2e: use local skopeo not image
* fix(deps): update golang.org/x/exp digest to fd00a4e
* [CI:DOCS] Add contrib/podmanimage/stable path back in repo
* chore(deps): update dependency requests to ~=2.32.3
* fix(deps): update github.com/containers/image/v5 digest to 2343e81
* libpod: do not move podman with --cgroups=disabled
* Update release notes on Main to v5.1.0
* test: look at the file base name
* tests: simplify expected output
* Sigh, new VMs again
* Fail earlier when no containers exist in stats
* Add Hyper-V option in windows installer
* libpod: cleanup default cache on system reset
* vendor: update c/image
* test/system: speed up kube generate tmpfs on /tmp
* test/system: speed up podman kube play tests
* test/system: speed up podman shell completion test
* test/system: simplify test signal handling in containers
* test/system: speed up podman container rm ...
* test/system: speed up podman ps - basic tests
* test/system: speed up read-only from containers.conf
* test/system: speed up podman logs - multi ...
* test/system: speed up podman run --name
* Debian: switch to crun
* test/system: speed up podman generate systemd - envar
* test/system: speed up podman-kube@.service template
* test/system: speed up kube play healthcheck initialDelaySeconds
* test/system: speed up exit-code propagation test
* test/system: speed up "podman run --timeout"
* test/system: fix slow kube play --wait with siginterrupt
* undo auto-formatting
* test/system: speed up podman events tests
* Quadlet: Add support for .build files
* test/system: speed up "podman auto-update using systemd"
* test/system: remove podman wait test
* tests: disable tests affected by a race condition
* update golangci-lint to v1.59.0
* kubernetes_support.md: Mark volumeMounts.subPath as supported
* working name of pod on start and stop
* fix(deps): update module github.com/onsi/ginkgo/v2 to v2.19.0
* Bump Buildah to v1.36.0
* fix(deps): update module github.com/burntsushi/toml to v1.4.0
* fix typo in Tutorials.rst
* Mac PM test: Require pre-installed rosetta
* test/e2e: fix new error message
* Add configuration for podmansh
* Update containers/common to latest main
* Only stop chowning volumes once they're not empty
* podman: fix --sdnotify=healthy with --rm
* libpod: wait another interval for healthcheck
* quadlet: Add a network requirement on .image units
* test, pasta: Ignore deprecated addresses in tests
* [CI:DOCS] performance: update network docs
* fix(deps): update module github.com/onsi/ginkgo/v2 to v2.18.0
* CI: disable minikube task
* [CI:DOCS] Fix windows action trigger
* chore(deps): update dependency setuptools to v70
* Check AppleHypervisor before accessing it
* fix(deps): update module github.com/containernetworking/plugins to v1.5.0
* [CI:DOCS] Update dependency golangci/golangci-lint to v1.58.2
* add podman-clean-transient.service service to rootless
* [CI:DOCS] Update podman network docs
* fix incorrect host.containers.internal entry for rootless bridge mode
* vendor latest c/common main
* Add Rosetta support for Apple Silicon mac
* bump main to 5.2.0-dev
* Use a defined constant instead of a hard-coded magic value
* cirrus: use faster VM's for integration tests
* fix(deps): update github.com/containers/gvisor-tap-vsock digest to 01a1a0c
* [CI:DOCS] Fix Mac pkg link
* test: remove test_podman* scripts
* test/system: fix documentation
* Return StatusNotFound when multiple volumes matching occurs
* container_api: do not wait for healtchecks if stopped
* libpod: wait for healthy on main thread
* `podman events`: check for an error after we finish reading events
* remote API: restore v4 payload in container inspect
* Fix updating connection when SSH port conflict happens
* rootless: fix reexec to use /proc/self/exe
* ExitWithError() - enforce required exit status & stderr
* ExitWithError() - a few that I missed
* [skip-ci] Packit: use only one value for `packages` key for `trigger: commit` copr builds
* Revert "Temporarily disable rootless debian e2e testing"
* CI tests: enforce TMPDIR on tmpfs
* use new CI images with tmpfs /tmp
* run e2e test on tmpfs
* Update module github.com/crc-org/crc/v2 to v2.36.0
* [CI:DOCS] Use checkout@v4 in GH Actions
* ExitWithError() - rmi_test
* ExitWithError() - more r files
* ExitWithError() - s files
* ExitWithError() - more run_xxx tests
* Fix podman-remote support for `podman farm build`
* [CI:DOCS] Trigger windows installer action properly
* Revert "container stop: kill conmon"
* Ensure that containers do not get stuck in stopping
* [CI:DOCS] Improvements to make validatepr
* ExitWithError() - rest of the p files
* [CI:DOCS] Update dependency golangci/golangci-lint to v1.58.1
* Graceful shutdown during podman kube down
* Remove duplicate call
* test/system: fix broken "podman volume globs" test
* Quadlet/Container: Add GroupAdd option
* Don't panic if a runtime was configured without paths
* update c/{buildah,common,image,storage} to latest main
* update golangci-lint to 1.58
* machine: Add LibKrun provider detection
* ExitWithError() - continue tightening
* fix(deps): update module google.golang.org/protobuf to v1.34.1
* test: improve test for powercap presence
* fix(deps): update module github.com/onsi/ginkgo/v2 to v2.17.3
* fix(deps): update module go.etcd.io/bbolt to v1.3.10
* fix(deps): update module golang.org/x/tools to v0.21.0
* [skip-ci] RPM: `bats` required only on Fedora
* fix(deps): update module golang.org/x/exp to v0.0.0-20240506185415-9bf2ced13842
* gpdate and remove parameter settings in `.golangci.yml`
* ExitWithError() - play_kube_test.go
* Temporarily disable rootless debian e2e testing
* fix(deps): update module golang.org/x/crypto to v0.23.0
* CI Docs: Clarify passthrough_envars() comments
* Skip machine tests if they don't need to be run
* Update CI VMs to F40, F39, D13
* ExitWithError() - v files
* Update module golang.org/x/term to v0.20.0
* machine: Add provider detection API
* util: specify a not empty pause dir for root too
* Add missing option 'healthy' to output of `podman run --help`
* [CI:DOCS] Add info on the quay.io images to the README.md
* Add a random suffix to healthcheck unit names
* test/e2e: remove toolbox image
* Also substitute $HOME in runlabel with user's homedir
* Update module github.com/cyphar/filepath-securejoin to v0.2.5
* Change tmpDir for macOS
* ExitWithError() - pod_xxx tests
* ExitWithError() -- run_test.go
* Update module golang.org/x/exp to v0.0.0-20240416160154-fe59bbe5cc7f
* Update module github.com/shirou/gopsutil/v3 to v3.24.4
* Update module github.com/docker/docker to v26.1.1+incompatible
* GHA: Attempt fix exceeded a secondary rate limit
* vendor ginkgo 2.17.2 into test/tools
* Fix machine volumes with long path and paths with dashes
* Update module google.golang.org/protobuf to v1.34.0
* Update module github.com/crc-org/crc/v2 to v2.35.0
* Update module github.com/onsi/gomega to v1.33.1
* test/e2e: podman unshare image mount fix tmpdir leak
* test/e2e: do not leak /tmp/private_file
* test/e2e: "persistentVolumeClaim with source" do not leak file
* e2e tests: use /var/tmp, not $TMPDIR, as workdirs
* Update dependency pytest to v8.1.2
* Remove unncessary lines at the end of specfile summary
* Clean machine pull cache
* Add krun support to podman machine
* Use custom image for make validatepr
* test/e2e: force systemd cgroup manager
* e2e and bindings tests: fix $PATH setup
* Makefile: remove useless HACK variable in e2e test
* test/e2e: fix volumes and suid/dev/exec options
* test/e2e: volumes and suid/dev/exec options works remote
* test/e2e: fix limits test
* Update module github.com/rootless-containers/rootlesskit/v2 to v2.1.0
* Correct option name `ip` -> `ip6`
* Add the ability to automount images as volumes via play
* Add support for image volume subpaths
* Bump Buildah to latest main
* Update Makefile to Go 1.22 for in-container
* ExitWithError() - yet more low-hanging fruit
* ExitWithError() - more low-hanging fruit
* ExitWithError() - low-hanging fruit
* chore: fix function names in comment
* Remove redundant Prerequisite before build section
* Remove PKG_CONFIG_PATH
* Add installation instructions for openSUSE
* Replace golang.org/x/exp/slices with slices from std
* Update to go 1.21
* fix(deps): update module github.com/docker/docker to v26.1.0+incompatible
* [CI:DOCS] Fix artifact action
* [skip-ci] Packit/rpm: remove el8 jobs and spec conditionals
* e2e tests: stop littering
* [CI:DOCS] format podman-pull example as code
* [CI:DOCS] Build & upload release artifacts with GitHub Actions
* libpod: getHealthCheckLog() remove unessesary check
* add containers.conf healthcheck_events support
* vendor latest c/common
* libpod: make healthcheck events more efficient
* libpod: wrap store setup error message
* [skip-ci] Packit: enable CentOS 10 Stream build jobs
* pkg/systemd: use fileutils.(Le|E)xists
* pkg/bindings: use fileutils.(Le|E)xists
* pkg/util: use fileutils.(Le|E)xists
* pkg/trust: use fileutils.(Le|E)xists
* pkg/specgen: use fileutils.(Le|E)xists
* pkg/rootless: use fileutils.(Le|E)xists
* pkg/machine: use fileutils.(Le|E)xists
* pkg/domain: use fileutils.(Le|E)xists
* pkg/api: use fileutils.(Le|E)xists
* libpod: use fileutils.(Le|E)xists
* cmd: use fileutils.(Le|E)xists
* vendor: update containers/{buildah,common,image,storage}
* fix(deps): update module github.com/docker/docker to v26.0.2+incompatible [security]
* fix podman-pod-restart.1.md typo
* [skip-ci] Packit: switch to EPEL instead of centos-stream+epel-next
* fix(deps): update module github.com/onsi/gomega to v1.33.0
* Add more annnotation information to podman kupe play man page
* test/compose: remove compose v1 code
* CI: remove compose v1 tests
* fix: close resource file
* [CI:DOCS] Fix windows installer action
* fix(deps): update module tags.cncf.io/container-device-interface to v0.7.2
* add `list` as an alias to list networks
* Add support for updating restart policy
* Add Compat API for Update
* Make `podman update` changes persistent
* Emergency fix (well, skip) for failing bud tests
* fix swagger doc for manifest create
* [CI:DOCS] options/network: fix markdown lists
* Makefile: do not hardcode `GOOS` in `podman-remote-static` target
* chore(deps): update module golang.org/x/crypto to v0.17.0 [security]
* chore(deps): update dependency setuptools to ~=69.5.0
* Fix some comments
* swagger fix infinitive recursion on some types
* install swagger from source
* Revert "Swap out javascript engine"
* podman exec CID without command should exit 125
* (minor) prefetch systemd image before use
* Update go-swagger version
* Swap out javascript engine
* fix(deps): update module github.com/docker/docker to v26.0.1+incompatible
* Add os, arch, and ismanifest to libpod image list
* [CI:DOCS]Initial PR validation
* fix(deps): update github.com/containers/gvisor-tap-vsock digest to d744d71
* vendor ginkgo 2.17.1 into test/tools
* fix "concurrent map writes" in network ls compat endpoint
* chore(deps): update dependency pytest to v8
* e2e: redefine ExitWithError() to require exit code
* docs: fix missleading run/create --expose description
* podman ps: show exposed ports under PORTS as well
* rootless: drop function ReadMappingsProc
* fix(deps): update module github.com/vbauerster/mpb/v8 to v8.7.3
* New CI VMs, to give us pasta 2024-04-05
* Add big warning to GHA workflow
* GHA: Fix intermittent workflow error
* fix(deps): update module golang.org/x/tools to v0.20.0
* e2e tests: remove requirement for fuse-overlayfs
* docs: update Quadlet volume Options desc
* fix(deps): update module golang.org/x/sync to v0.7.0
* Fix relabeling failures with Z/z volumes on Mac
* fix(deps): update module golang.org/x/net to v0.24.0
* Makefile: fix annoying errors in docs generation
* chore: fix function names in comment
* Bump tags.cncf.io/container-device-interface to v0.7.1
* fix(deps): update module golang.org/x/crypto to v0.22.0
* Detect unhandled reboots and require user intervention
* podman --runroot: remove 50 char length restriction
* update github.com/rootless-containers/rootlesskit to v2
* Update module github.com/gorilla/schema to v1.3.0
* Update dependency requests-mock to ~=1.12.1
* Update module github.com/crc-org/crc/v2 to v2.34.1
* rm --force work for more than one arg
* [CI:DOCS] Update kube docs
* fix(deps): update module github.com/shirou/gopsutil/v3 to v3.24.3
* [CI:DOCS] Add GitHub action to update version on Podman.io
* [CI:DOCS] Update dependency golangci/golangci-lint to v1.57.2
* Windows: clean up temporary perl install
* pkg/util: FindDeviceNodes() ignore ENOENT errors
* [CI:DOCS] build deps: make-validate needs docs
* test/system: add rootless-netns test for setup errors
* vendor latest c/common main
* container: do not chown to dest target with U
* [CI:DOCS] golangci-lint: update deprecated flags
* systests: conditionalize slirp4netns tests
* CI: systests: instrument flaky tests
* s3fs docs
* test: do not skip tests under rootless
* Add note about host networking to Kube PublishPort option
* Inject additional build tags from the environment
* libpod: use original IDs if idmap is provided
* Switch back to checking out the same branch the action script runs in
* docs/podman-login: Give an example of writing the persistent path
* CI: Bump VMs to 2024-03-28
* [skip-ci] Update dawidd6/action-send-mail action to v3.12.0
* fix(deps): update module github.com/openshift/imagebuilder to v1.2.7
* Fix reference to deprecated types.Info
* Use logformatter for podman_machine_windows_task
* applehv: Print vfkit logs in --log-level debug
* [CI:DOCS]Add Mario to reviewers list
* [CI:DOCS] Document CI-maintenance job addition
* Add golang 1.21 update warning
* Add rootless network command to `podman info`
* libpod: don't warn about cgroupsv1 on FreeBSD
* hyperv: error if not admin
* Properly parse stderr when updating container status
* [skip-ci] Packit: specify fedora-latest in propose-downstream
* Use built-in ssh impl for all non-pty operations
* Add support for annotations
* hyperv: fix machine rm -r
* [skip-ci] Packit: Enable CentOS Stream 10 update job
* 5.0 release note fix typo in cgroupv1 env var
* fix remote build isolation on client side
* chore: remove repetitive words
* Dont save remote context in temp file but stream and extract
* fix remote build isolation when server runs as root
* util: use private propagation with bind
* util: add some tests for ProcessOptions
* util: refactor ProcessOptions into an internal function
* util: rename files to snake case
* Add LoongArch support for libpod
* fix(deps): update github.com/containers/common digest to bc5f97c
* [CI:DOCS] Update dependency golangci/golangci-lint to v1.57.1
* fix(deps): update module github.com/docker/docker to v25.0.5+incompatible [security]
* fix(deps): update module github.com/onsi/gomega to v1.32.0
* [CI:DOCS] Update dependency golangci/golangci-lint to v1.57.0
* Update module github.com/cpuguy83/go-md2man/v2 to v2.0.4
* Fix type-o
* Use correct extension in suite
* minikube: instrument tests, to allow debugging failures
* libpod: restart always reconfigure the netns
* use new c/common pasta2 setup logic to fix dns
* utils: drop conversion float->string->float
* utils: do not generate duplicate range
* logformatter: handle Windows logs
* utils: add test for the new function
* utils: move rootless code to a new function
* xref-helpmsgs-manpages: cross-check Commands.rst
* test/system: Add support for multipath routes in pasta networking tests
* [skip-ci] rpm: use macro supported vendoring
* Adjust to the standard location of gvforwarder used in new images
* Makefile: add target `podman-remote-static`
* Switch to 5.x WSL machine os stream using new automation
* Cleanup build scratch dir if remote end disconnects while passing the context
* bump main to 5.1.0-dev
* Use faster gzip for compression for 3x speedup for sending large contexts to remote
* pkg/machine: make checkExclusiveActiveVM race free
* pkg/machine/wsl: remove unused CheckExclusiveActiveVM()
* pkg/machine: CheckExclusiveActiveVM should also check for starting
* pkg/machine: refresh config after we hold lock
* Update dependency setuptools to ~=69.2.0
* [skip-ci] rpm: update containers-common dep on f40+
* fix invalid HTTP header values when hijacking a connection
* Add doc to build podman on windows without MSYS
* Removing CRI-O related annotations
* fix(deps): update module github.com/containers/ocicrypt to v1.1.10
* Pass the restart policy to the individual containers
* kube play: always pull when both imagePullPolicy and tag are missing
Patchnames
SUSE-SLE-Micro-6.1-76
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for podman",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for podman fixes the following issues:\n\n- CVE-2023-45288: Fixed closing connection when receiving too many headers (bsc#1236507).\n- CVE-2024-11218: Fixed container breakout by using --jobs=2 and a race condition when building a malicious Containerfile (bsc#1236270).\n- CVE-2025-22869: Fixed Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239330).\n- CVE-2025-27144: Fixed Go JOSE\u0027s Parsing Vulnerable to Denial of Service (bsc#1237641).\n- CVE-2024-9407: Fixed Improper Input Validation in bind-propagation Option of Dockerfile RUN --mount Instruction (bsc#1231208).\n- CVE-2024-3727: Fixed digest type (bsc#1224112).\n- CVE-2024-1753: Fixed full container escape at build time (bsc#1221677). \n\nOther fixes:\n- Updated to version 5.2.5:\n * RPM: remove dup Provides\n * Packit: constrain koji and bodhi jobs to fedora package to avoid dupes\n * Validate the bind-propagation option to `--mount`\n * Updated Buildah to v1.37.4\n * vendor: updated c/common to v0.60.4\n * pkg/specgen: allow pasta when running inside userns\n * libpod: convert owner IDs only with :idmap\n * allow exposed sctp ports\n * libpod: setupNetNS() correctly mount netns\n * vendor: updated c/common to v0.60.3\n * [skip-ci] Packit: split out ELN jobs and reuse fedora downstream targets\n * [skip-ci] Packit: Enable sidetags for bodhi updates\n * Updated gvisor-tap-vsock to 0.7.5\n * CI: podman-machine: do not use cache registry\n * [CI:DOCS] Add v5.2.2 lib updates to RELEASE_NOTES.md\n * Update RELEASE_NOTES for v5.2.2\n * [v5.2] Bump Buildah to v1.37.2, c/common v0.60.2, c/image v5.32.2\n * [v5.2] golangci-lint: make darwin linting happy\n * [v5.2] golangci-lint: make windows linting happy\n * [v5.2] test/e2e: remove kernel version check\n * [v5.2] golangci-lint: remove most skip dirs\n * [v5.2] set !remote build tags where needed\n * [v5.2] update golangci-lint to 1.60.1\n * Packit: update targets for propose-downstream\n * Create volume path before state initialization\n * Update Cirrus DEST_BRANCH\n * Bump to v5.2.2-dev\n * Bump to v5.2.1\n * Update release notes for v5.2.1\n * [v5.2] Add zstd:chunked test fix\n * [v5.2] Bump Buildah to v1.37.1, c/common v0.60.1, c/image v5.32.1\n * libpod: reset state error on init\n * libpod: do not save expected stop errors in ctr state\n * libpod: fix broken saveContainerError()\n * Bump to v5.2.1-dev\n * Bump to v5.2.0\n * Never skip checkout step in release workflow\n * Bump to v5.2.0-dev\n * Bump to v5.2.0-rc3\n * Update release notes for v5.2.0-rc3\n * Tweak versions in register_images.go\n * fix network cleanup flake in play kube\n * WIP: Fixes for vendoring Buildah\n * Add --compat-volumes option to build and farm build\n * Bump Buildah, c/storage, c/image, c/common\n * libpod: bind ports before network setup\n * pkg/api: do not leak config pointers into specgen\n * build: Update gvisor-tap-vsock to 0.7.4\n * test/system: fix borken pasta interface name checks\n * test/system: fix bridge host.containers.internal test\n * CI: system tests: instrument to allow failure analysis\n * Use uploaded .zip for Windows action\n * RPM: podman-iptables.conf only on Fedora\n * Bump to v5.2.0-dev\n * Bump to v5.2.0-rc2\n * Update release notes for v5.2.0-rc2\n * test/e2e: fix ncat tests\n * libpod: add hidden env to set sqlite timeout\n * Add support for StopSignal in quadlet .container files\n * podman pod stats: fix race when ctr process exits\n * Update module github.com/vbauerster/mpb/v8 to v8.7.4\n * libpod: correctly capture healthcheck output\n * Bump bundled krunkit to 0.1.2\n * podman stats: fix race when ctr process exists\n * nc -p considered harmful\n * podman pod stats: fix pod rm race\n * podman ps: fix racy pod name query\n * system connection remove: use Args function to validate\n * pkg/machine/compression: skip decompress bar for empty file\n * nc -p considered harmful\n * podman system df: fix fix ErrNoSuchCtr/Volume race\n * podman auto-update: fix ErrNoSuchCtr race\n * Fix name for builder in farm connection\n * 700-play.bats: use unique pod/container/image/volume names\n * safename: consistent within same test, and, dashes\n * 700-kube.bats: refactor $PODMAN_TMPDIR/test.yaml\n * 700-play.bats: eliminate $testYaml\n * 700-play.bats: refactor clumsy yamlfile creation\n * 700-play.bats: move _write_test_yaml up near top\n * chore(deps): update dependency setuptools to v71\n * Expand drop-in search paths * top-level (pod.d) * truncated (unit-.container.d)\n * Remove references and checks for --gpus\n * Do not crash on invalid filters\n * fix(deps): update module github.com/rootless-containers/rootlesskit/v2 to v2.2.0\n * Bump to v5.2.0-dev\n * Bump to v5.2.0-rc1\n * Keep the volume-driver flag deprecated\n * Vendor in latest containers(common, storage,image, buildah)\n * System tests: safe container/image/volume/etc names\n * Implement disable default mounts via command line\n * test: drop unmount for overlay\n * test: gracefully terminate server\n * libpod: shutdown Stop waits for handlers completion\n * libpod: cleanup store at shutdown\n * Add NetworkAlias= support to quadlet\n * cmd: call shutdown handler stop function\n * fix race conditions in start/attach logic\n * swagger: exlude new docker network types\n * vendor: bump c/storage\n * update to docker 27\n * contrib: use a distinct --pull-option= for each flag\n * Update warning message when using external compose provider\n * Update module github.com/cyphar/filepath-securejoin to v0.3.0\n * Ignore result of EvalSymlinks on ENOENT\n * test/upgrade: fix tests when netavark uses nftables\n * test/system: fix network reload test with nftables\n * test/e2e: rework some --expose tests\n * test: remove publish tests from e2e\n * CI: test nftables driver on fedora\n * CI: use local registry, part 3 of 3: for developers\n * CI: use local registry, part 2 of 3: fix tests\n * CI: use local registry, part 1 of 3: setup\n * CI: test composefs on rawhide\n * chore(deps): update module google.golang.org/grpc to v1.64.1 [security]\n * chore(deps): update dependency setuptools to ~=70.3.0\n * Improve container filenname ambiguity.\n * containers/attach: Note bug around goroutine leak\n * Drop minikube CI test\n * add libkrun test docs\n * fix(deps): update module tags.cncf.io/container-device-interface to v0.8.0\n * cirrus: check for header files in source code check\n * pkg/machine/e2e: run debug command only for macos\n * create runtime\u0027s worker queue before queuing any job\n * test/system: fix pasta host.containers.internal test\n * Visual Studio BuildTools as a MinGW alternative\n * SetupRootless(): only reexec when needed\n * pkg/rootless: simplify reexec for container code\n * cirrus: add missing test/tools to danger files\n * fix(deps): update module golang.org/x/tools to v0.23.0\n * Windows Installer: switch to wix5\n * fix(deps): update module golang.org/x/net to v0.27.0\n * pkg/machine/e2e: print tests timings at the end\n * pkg/machine/e2e: run debug commands after init\n * pkg/machine/e2e: improve timeout handling\n * libpod: first delete container then cidfile\n * fix(deps): update module golang.org/x/term to v0.22.0\n * System test fixes\n * cirrus.yml: automatic skips based on source\n * fix(deps): update module github.com/containers/ocicrypt to v1.2.0\n * podman events: fix error race\n * chore(deps): update dependency setuptools to ~=70.2.0\n * fix(deps): update module github.com/gorilla/schema to v1.4.1 [security]\n * Update CI VM images\n * pkg/machine/e2e: fix broken cleanup\n * pkg/machine/e2e: use tmp file for connections\n * test/system: fix podman --image-volume to allow tmpfs storage\n * CI: mount tmpfs for container storage\n * docs: --network remove missing leading sentence\n * specgen: parse devices even with privileged set\n * vendor: update c/storage\n * Remove the unused machine volume-driver\n * feat(quadlet): log option handling\n * Error when machine memory exceeds system memory\n * machine: Always use --log-file with gvproxy\n * CI: Build-Each-Commit test: run only on PRs\n * Small fixes for testing libkrun\n * Podman machine resets all providers\n * Clearly indicate names w/ URLencoded duplicates\n * [skip-ci] Packit: split rhel and centos-stream jobs\n * apple virtiofs: fix racy mount setup\n * cirrus: fix broken macos artifacts URL\n * libpod/container_top_linux.c: fix missing header\n * refactor(build): improve err when file specified by -f does not exist\n * Minor: Remove unhelpful comment\n * Update module github.com/openshift/imagebuilder to v1.2.11\n * Minor: Rename the OSX Cross task\n * [skip-ci] Remove conditionals from changelog\n * podman top: join the container userns\n * Run linting in parallel with building\n * Fix missing Makefile target dependency\n * build API: accept platform comma separated\n * [skip-ci] RPM: create podman-machine subpackage\n * ExitWithError() - more upgrades from Exit()\n * test/e2e: remove podman system service tests\n * cirrus: reduce int tests timeout\n * cirrus: remove redundant skip logic\n * pkg/machine/apple: machine stop timeout\n * CI: logformatter: link to correct PR base\n * Update module github.com/crc-org/crc/v2 to v2.38.0\n * ExitWithError(): continued\n * test/system: Add test steps for journald log check in quadlet\n * restore: fix missing network setup\n * podman run use pod userns even with --pod-id-file\n * macos-installer: bundle krunkit\n * remote API: fix pod top error reporting\n * libpod API: return proper error status code for pod start\n * fix #22233\n * added check for `registry.IsRemote()`. and correct error message.\n * fix #20686\n * pkg/machine/e2e: Remove unnecessary copy of machine image.\n * libpod: intermediate mount if UID not mapped into the userns\n * libpod: avoid chowning the rundir to root in the userns\n * libpod: do not chmod bind mounts\n * libpod: unlock the thread if possible\n * CI Cleanup: Remove cgroups v1 support\n * ExitWithError() - more upgrades from Exit()\n * remote: fix incorrect CONTAINER_CONNECTION parsing\n * container: pass KillSignal and StopTimeout to the systemd scope\n * libpod: fix comment\n * e2e: test container restore in pod by name\n * docs: Adds all PushImage supported paramters to openapi docs.\n * systests: kube: bump up a timeout\n * cirrus.yml: add CI:ALL mode to force all tests\n * cirrus.yml: implement skips based on source changes\n * CI VMs: bump\n * restore: fix container restore into pod\n * sqlite_state: Fix RewriteVolumeConfig\n * chore(deps): update dependency setuptools to ~=70.1.0\n * Quadlet - use specifier for unescaped values for templated container name\n * cirrus: check for system test leaks in nightly\n * test/system: check for leaks in teardown suite\n * test/system: speed up basic_{setup,teardown}()\n * test/system: fix up many tests that do not cleanup\n * test/system: fix podman --authfile=nonexistent-path\n * Update module github.com/containernetworking/plugins to v1.5.1\n * Update module github.com/checkpoint-restore/checkpointctl to v1.2.1\n * Update module github.com/spf13/cobra to v1.8.1\n * Update module github.com/gorilla/schema to v1.4.0\n * pkg/machine/wsl: force terminate wsl instance\n * pkg/machine/wsl: wrap command errors\n * [CI:DOCS] Quadlet - add note about relative path resolution\n * CI: do not install python packages at runtime\n * Release workflow: Include candidate descriptor\n * Minor: Fix indentation in GHA release workflow\n * GHA: Send release notification mail\n * GHA: Validate release version number\n * Remove references to --pull=true and --pull=false\n * ExitWithError, continued\n * podman: add new hidden flag --pull-option\n * [CI:DOCS] Fix typos in podman-build\n * infra: mark storageSet when imagestore is changed\n * [CI:DOCS] Add jnovy as reviewer and approver\n * fix(deps): update module google.golang.org/protobuf to v1.34.2\n * refactor(machine,wsl): improve operations of Windows API\n * --squash --layers=false should be allowed\n * fix(deps): update module github.com/checkpoint-restore/checkpointctl to v1.2.0\n * update golangci-lint to v1.59.1\n * Rename master to main in CONTRIBUTING.md\n * podman 5, pasta and inter-container networking\n * libpod: do not resuse networking on start\n * machine/linux: Switch to virtiofs by default\n * machine/linux: Support virtiofs mounts (retain 9p default)\n * machine/linux: Use memory-backend-memfd by default\n * ExitWithError() - continued\n * Enable libkrun provider to open a debug console\n * Add new targets on Windows makefile (winmake.ps1)\n * fix(deps): update module github.com/docker/docker to v26.1.4+incompatible\n * fix(deps): update module github.com/crc-org/crc/v2 to v2.37.1\n * fix(deps): update module golang.org/x/tools to v0.22.0\n * fix(deps): update module golang.org/x/net to v0.26.0\n * libpod: fix \u0027podman kube generate\u0027 on FreeBSD\n * fix(deps): update module golang.org/x/sys to v0.21.0\n * libpod: do not leak systemd hc startup unit timer\n * vendor latest c/common\n * pkg/rootless: set _CONTAINERS_USERNS_CONFIGURED correctly\n * run bats -T, to profile timing hogs\n * test/system: speed up podman ps --external\n * test/system: speed up podman network connect/disconnect\n * test/system: speed up podman network reload\n * test/system: speed up quadlet - pod simple\n * test/system: speed up podman parallel build should not race\n * test/system: speed up podman cp dir from host to container\n * test/system: speed up podman build - workdir, cmd, env, label\n * test/system: speed up podman --log-level recognizes log levels\n * test/system: remove obsolete debug in net connect/disconnect test\n * test/system: speed up quadlet - basic\n * test/system: speed up user namespace preserved root ownership\n * System tests: add `podman system check` tests\n * Add `podman system check` for checking storage consistency\n * fix(deps): update module github.com/crc-org/crc/v2 to v2.37.0\n * fix(libpod): add newline character to the end of container\u0027s hostname file\n * fix(deps): update module github.com/openshift/imagebuilder to v1.2.10\n * fix(deps): update github.com/containers/image/v5 digest to aa93504\n * Fix 5.1 release note re: runlabel\n * test/e2e: use local skopeo not image\n * fix(deps): update golang.org/x/exp digest to fd00a4e\n * [CI:DOCS] Add contrib/podmanimage/stable path back in repo\n * chore(deps): update dependency requests to ~=2.32.3\n * fix(deps): update github.com/containers/image/v5 digest to 2343e81\n * libpod: do not move podman with --cgroups=disabled\n * Update release notes on Main to v5.1.0\n * test: look at the file base name\n * tests: simplify expected output\n * Sigh, new VMs again\n * Fail earlier when no containers exist in stats\n * Add Hyper-V option in windows installer\n * libpod: cleanup default cache on system reset\n * vendor: update c/image\n * test/system: speed up kube generate tmpfs on /tmp\n * test/system: speed up podman kube play tests\n * test/system: speed up podman shell completion test\n * test/system: simplify test signal handling in containers\n * test/system: speed up podman container rm ...\n * test/system: speed up podman ps - basic tests\n * test/system: speed up read-only from containers.conf\n * test/system: speed up podman logs - multi ...\n * test/system: speed up podman run --name\n * Debian: switch to crun\n * test/system: speed up podman generate systemd - envar\n * test/system: speed up podman-kube@.service template\n * test/system: speed up kube play healthcheck initialDelaySeconds\n * test/system: speed up exit-code propagation test\n * test/system: speed up \"podman run --timeout\"\n * test/system: fix slow kube play --wait with siginterrupt\n * undo auto-formatting\n * test/system: speed up podman events tests\n * Quadlet: Add support for .build files\n * test/system: speed up \"podman auto-update using systemd\"\n * test/system: remove podman wait test\n * tests: disable tests affected by a race condition\n * update golangci-lint to v1.59.0\n * kubernetes_support.md: Mark volumeMounts.subPath as supported\n * working name of pod on start and stop\n * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.19.0\n * Bump Buildah to v1.36.0\n * fix(deps): update module github.com/burntsushi/toml to v1.4.0\n * fix typo in Tutorials.rst\n * Mac PM test: Require pre-installed rosetta\n * test/e2e: fix new error message\n * Add configuration for podmansh\n * Update containers/common to latest main\n * Only stop chowning volumes once they\u0027re not empty\n * podman: fix --sdnotify=healthy with --rm\n * libpod: wait another interval for healthcheck\n * quadlet: Add a network requirement on .image units\n * test, pasta: Ignore deprecated addresses in tests\n * [CI:DOCS] performance: update network docs\n * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.18.0\n * CI: disable minikube task\n * [CI:DOCS] Fix windows action trigger\n * chore(deps): update dependency setuptools to v70\n * Check AppleHypervisor before accessing it\n * fix(deps): update module github.com/containernetworking/plugins to v1.5.0\n * [CI:DOCS] Update dependency golangci/golangci-lint to v1.58.2\n * add podman-clean-transient.service service to rootless\n * [CI:DOCS] Update podman network docs\n * fix incorrect host.containers.internal entry for rootless bridge mode\n * vendor latest c/common main\n * Add Rosetta support for Apple Silicon mac\n * bump main to 5.2.0-dev\n * Use a defined constant instead of a hard-coded magic value\n * cirrus: use faster VM\u0027s for integration tests\n * fix(deps): update github.com/containers/gvisor-tap-vsock digest to 01a1a0c\n * [CI:DOCS] Fix Mac pkg link\n * test: remove test_podman* scripts\n * test/system: fix documentation\n * Return StatusNotFound when multiple volumes matching occurs\n * container_api: do not wait for healtchecks if stopped\n * libpod: wait for healthy on main thread\n * `podman events`: check for an error after we finish reading events\n * remote API: restore v4 payload in container inspect\n * Fix updating connection when SSH port conflict happens\n * rootless: fix reexec to use /proc/self/exe\n * ExitWithError() - enforce required exit status \u0026 stderr\n * ExitWithError() - a few that I missed\n * [skip-ci] Packit: use only one value for `packages` key for `trigger: commit` copr builds\n * Revert \"Temporarily disable rootless debian e2e testing\"\n * CI tests: enforce TMPDIR on tmpfs\n * use new CI images with tmpfs /tmp\n * run e2e test on tmpfs\n * Update module github.com/crc-org/crc/v2 to v2.36.0\n * [CI:DOCS] Use checkout@v4 in GH Actions\n * ExitWithError() - rmi_test\n * ExitWithError() - more r files\n * ExitWithError() - s files\n * ExitWithError() - more run_xxx tests\n * Fix podman-remote support for `podman farm build`\n * [CI:DOCS] Trigger windows installer action properly\n * Revert \"container stop: kill conmon\"\n * Ensure that containers do not get stuck in stopping\n * [CI:DOCS] Improvements to make validatepr\n * ExitWithError() - rest of the p files\n * [CI:DOCS] Update dependency golangci/golangci-lint to v1.58.1\n * Graceful shutdown during podman kube down\n * Remove duplicate call\n * test/system: fix broken \"podman volume globs\" test\n * Quadlet/Container: Add GroupAdd option\n * Don\u0027t panic if a runtime was configured without paths\n * update c/{buildah,common,image,storage} to latest main\n * update golangci-lint to 1.58\n * machine: Add LibKrun provider detection\n * ExitWithError() - continue tightening\n * fix(deps): update module google.golang.org/protobuf to v1.34.1\n * test: improve test for powercap presence\n * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.17.3\n * fix(deps): update module go.etcd.io/bbolt to v1.3.10\n * fix(deps): update module golang.org/x/tools to v0.21.0\n * [skip-ci] RPM: `bats` required only on Fedora\n * fix(deps): update module golang.org/x/exp to v0.0.0-20240506185415-9bf2ced13842\n * gpdate and remove parameter settings in `.golangci.yml`\n * ExitWithError() - play_kube_test.go\n * Temporarily disable rootless debian e2e testing\n * fix(deps): update module golang.org/x/crypto to v0.23.0\n * CI Docs: Clarify passthrough_envars() comments\n * Skip machine tests if they don\u0027t need to be run\n * Update CI VMs to F40, F39, D13\n * ExitWithError() - v files\n * Update module golang.org/x/term to v0.20.0\n * machine: Add provider detection API\n * util: specify a not empty pause dir for root too\n * Add missing option \u0027healthy\u0027 to output of `podman run --help`\n * [CI:DOCS] Add info on the quay.io images to the README.md\n * Add a random suffix to healthcheck unit names\n * test/e2e: remove toolbox image\n * Also substitute $HOME in runlabel with user\u0027s homedir\n * Update module github.com/cyphar/filepath-securejoin to v0.2.5\n * Change tmpDir for macOS\n * ExitWithError() - pod_xxx tests\n * ExitWithError() -- run_test.go\n * Update module golang.org/x/exp to v0.0.0-20240416160154-fe59bbe5cc7f\n * Update module github.com/shirou/gopsutil/v3 to v3.24.4\n * Update module github.com/docker/docker to v26.1.1+incompatible\n * GHA: Attempt fix exceeded a secondary rate limit\n * vendor ginkgo 2.17.2 into test/tools\n * Fix machine volumes with long path and paths with dashes\n * Update module google.golang.org/protobuf to v1.34.0\n * Update module github.com/crc-org/crc/v2 to v2.35.0\n * Update module github.com/onsi/gomega to v1.33.1\n * test/e2e: podman unshare image mount fix tmpdir leak\n * test/e2e: do not leak /tmp/private_file\n * test/e2e: \"persistentVolumeClaim with source\" do not leak file\n * e2e tests: use /var/tmp, not $TMPDIR, as workdirs\n * Update dependency pytest to v8.1.2\n * Remove unncessary lines at the end of specfile summary\n * Clean machine pull cache\n * Add krun support to podman machine\n * Use custom image for make validatepr\n * test/e2e: force systemd cgroup manager\n * e2e and bindings tests: fix $PATH setup\n * Makefile: remove useless HACK variable in e2e test\n * test/e2e: fix volumes and suid/dev/exec options\n * test/e2e: volumes and suid/dev/exec options works remote\n * test/e2e: fix limits test\n * Update module github.com/rootless-containers/rootlesskit/v2 to v2.1.0\n * Correct option name `ip` -\u003e `ip6`\n * Add the ability to automount images as volumes via play\n * Add support for image volume subpaths\n * Bump Buildah to latest main\n * Update Makefile to Go 1.22 for in-container\n * ExitWithError() - yet more low-hanging fruit\n * ExitWithError() - more low-hanging fruit\n * ExitWithError() - low-hanging fruit\n * chore: fix function names in comment\n * Remove redundant Prerequisite before build section\n * Remove PKG_CONFIG_PATH\n * Add installation instructions for openSUSE\n * Replace golang.org/x/exp/slices with slices from std\n * Update to go 1.21\n * fix(deps): update module github.com/docker/docker to v26.1.0+incompatible\n * [CI:DOCS] Fix artifact action\n * [skip-ci] Packit/rpm: remove el8 jobs and spec conditionals\n * e2e tests: stop littering\n * [CI:DOCS] format podman-pull example as code\n * [CI:DOCS] Build \u0026 upload release artifacts with GitHub Actions\n * libpod: getHealthCheckLog() remove unessesary check\n * add containers.conf healthcheck_events support\n * vendor latest c/common\n * libpod: make healthcheck events more efficient\n * libpod: wrap store setup error message\n * [skip-ci] Packit: enable CentOS 10 Stream build jobs\n * pkg/systemd: use fileutils.(Le|E)xists\n * pkg/bindings: use fileutils.(Le|E)xists\n * pkg/util: use fileutils.(Le|E)xists\n * pkg/trust: use fileutils.(Le|E)xists\n * pkg/specgen: use fileutils.(Le|E)xists\n * pkg/rootless: use fileutils.(Le|E)xists\n * pkg/machine: use fileutils.(Le|E)xists\n * pkg/domain: use fileutils.(Le|E)xists\n * pkg/api: use fileutils.(Le|E)xists\n * libpod: use fileutils.(Le|E)xists\n * cmd: use fileutils.(Le|E)xists\n * vendor: update containers/{buildah,common,image,storage}\n * fix(deps): update module github.com/docker/docker to v26.0.2+incompatible [security]\n * fix podman-pod-restart.1.md typo\n * [skip-ci] Packit: switch to EPEL instead of centos-stream+epel-next\n * fix(deps): update module github.com/onsi/gomega to v1.33.0\n * Add more annnotation information to podman kupe play man page\n * test/compose: remove compose v1 code\n * CI: remove compose v1 tests\n * fix: close resource file\n * [CI:DOCS] Fix windows installer action\n * fix(deps): update module tags.cncf.io/container-device-interface to v0.7.2\n * add `list` as an alias to list networks\n * Add support for updating restart policy\n * Add Compat API for Update\n * Make `podman update` changes persistent\n * Emergency fix (well, skip) for failing bud tests\n * fix swagger doc for manifest create\n * [CI:DOCS] options/network: fix markdown lists\n * Makefile: do not hardcode `GOOS` in `podman-remote-static` target\n * chore(deps): update module golang.org/x/crypto to v0.17.0 [security]\n * chore(deps): update dependency setuptools to ~=69.5.0\n * Fix some comments\n * swagger fix infinitive recursion on some types\n * install swagger from source\n * Revert \"Swap out javascript engine\"\n * podman exec CID without command should exit 125\n * (minor) prefetch systemd image before use\n * Update go-swagger version\n * Swap out javascript engine\n * fix(deps): update module github.com/docker/docker to v26.0.1+incompatible\n * Add os, arch, and ismanifest to libpod image list\n * [CI:DOCS]Initial PR validation\n * fix(deps): update github.com/containers/gvisor-tap-vsock digest to d744d71\n * vendor ginkgo 2.17.1 into test/tools\n * fix \"concurrent map writes\" in network ls compat endpoint\n * chore(deps): update dependency pytest to v8\n * e2e: redefine ExitWithError() to require exit code\n * docs: fix missleading run/create --expose description\n * podman ps: show exposed ports under PORTS as well\n * rootless: drop function ReadMappingsProc\n * fix(deps): update module github.com/vbauerster/mpb/v8 to v8.7.3\n * New CI VMs, to give us pasta 2024-04-05\n * Add big warning to GHA workflow\n * GHA: Fix intermittent workflow error\n * fix(deps): update module golang.org/x/tools to v0.20.0\n * e2e tests: remove requirement for fuse-overlayfs\n * docs: update Quadlet volume Options desc\n * fix(deps): update module golang.org/x/sync to v0.7.0\n * Fix relabeling failures with Z/z volumes on Mac\n * fix(deps): update module golang.org/x/net to v0.24.0\n * Makefile: fix annoying errors in docs generation\n * chore: fix function names in comment\n * Bump tags.cncf.io/container-device-interface to v0.7.1\n * fix(deps): update module golang.org/x/crypto to v0.22.0\n * Detect unhandled reboots and require user intervention\n * podman --runroot: remove 50 char length restriction\n * update github.com/rootless-containers/rootlesskit to v2\n * Update module github.com/gorilla/schema to v1.3.0\n * Update dependency requests-mock to ~=1.12.1\n * Update module github.com/crc-org/crc/v2 to v2.34.1\n * rm --force work for more than one arg\n * [CI:DOCS] Update kube docs\n * fix(deps): update module github.com/shirou/gopsutil/v3 to v3.24.3\n * [CI:DOCS] Add GitHub action to update version on Podman.io\n * [CI:DOCS] Update dependency golangci/golangci-lint to v1.57.2\n * Windows: clean up temporary perl install\n * pkg/util: FindDeviceNodes() ignore ENOENT errors\n * [CI:DOCS] build deps: make-validate needs docs\n * test/system: add rootless-netns test for setup errors\n * vendor latest c/common main\n * container: do not chown to dest target with U\n * [CI:DOCS] golangci-lint: update deprecated flags\n * systests: conditionalize slirp4netns tests\n * CI: systests: instrument flaky tests\n * s3fs docs\n * test: do not skip tests under rootless\n * Add note about host networking to Kube PublishPort option\n * Inject additional build tags from the environment\n * libpod: use original IDs if idmap is provided\n * Switch back to checking out the same branch the action script runs in\n * docs/podman-login: Give an example of writing the persistent path\n * CI: Bump VMs to 2024-03-28\n * [skip-ci] Update dawidd6/action-send-mail action to v3.12.0\n * fix(deps): update module github.com/openshift/imagebuilder to v1.2.7\n * Fix reference to deprecated types.Info\n * Use logformatter for podman_machine_windows_task\n * applehv: Print vfkit logs in --log-level debug\n * [CI:DOCS]Add Mario to reviewers list\n * [CI:DOCS] Document CI-maintenance job addition\n * Add golang 1.21 update warning\n * Add rootless network command to `podman info`\n * libpod: don\u0027t warn about cgroupsv1 on FreeBSD\n * hyperv: error if not admin\n * Properly parse stderr when updating container status\n * [skip-ci] Packit: specify fedora-latest in propose-downstream\n * Use built-in ssh impl for all non-pty operations\n * Add support for annotations\n * hyperv: fix machine rm -r\n * [skip-ci] Packit: Enable CentOS Stream 10 update job\n * 5.0 release note fix typo in cgroupv1 env var\n * fix remote build isolation on client side\n * chore: remove repetitive words\n * Dont save remote context in temp file but stream and extract\n * fix remote build isolation when server runs as root\n * util: use private propagation with bind\n * util: add some tests for ProcessOptions\n * util: refactor ProcessOptions into an internal function\n * util: rename files to snake case\n * Add LoongArch support for libpod\n * fix(deps): update github.com/containers/common digest to bc5f97c\n * [CI:DOCS] Update dependency golangci/golangci-lint to v1.57.1\n * fix(deps): update module github.com/docker/docker to v25.0.5+incompatible [security]\n * fix(deps): update module github.com/onsi/gomega to v1.32.0\n * [CI:DOCS] Update dependency golangci/golangci-lint to v1.57.0\n * Update module github.com/cpuguy83/go-md2man/v2 to v2.0.4\n * Fix type-o\n * Use correct extension in suite\n * minikube: instrument tests, to allow debugging failures\n * libpod: restart always reconfigure the netns\n * use new c/common pasta2 setup logic to fix dns\n * utils: drop conversion float-\u003estring-\u003efloat\n * utils: do not generate duplicate range\n * logformatter: handle Windows logs\n * utils: add test for the new function\n * utils: move rootless code to a new function\n * xref-helpmsgs-manpages: cross-check Commands.rst\n * test/system: Add support for multipath routes in pasta networking tests\n * [skip-ci] rpm: use macro supported vendoring\n * Adjust to the standard location of gvforwarder used in new images\n * Makefile: add target `podman-remote-static`\n * Switch to 5.x WSL machine os stream using new automation\n * Cleanup build scratch dir if remote end disconnects while passing the context\n * bump main to 5.1.0-dev\n * Use faster gzip for compression for 3x speedup for sending large contexts to remote\n * pkg/machine: make checkExclusiveActiveVM race free\n * pkg/machine/wsl: remove unused CheckExclusiveActiveVM()\n * pkg/machine: CheckExclusiveActiveVM should also check for starting\n * pkg/machine: refresh config after we hold lock\n * Update dependency setuptools to ~=69.2.0\n * [skip-ci] rpm: update containers-common dep on f40+\n * fix invalid HTTP header values when hijacking a connection\n * Add doc to build podman on windows without MSYS\n * Removing CRI-O related annotations\n * fix(deps): update module github.com/containers/ocicrypt to v1.1.10\n * Pass the restart policy to the individual containers\n * kube play: always pull when both imagePullPolicy and tag are missing\n\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLE-Micro-6.1-76",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_20279-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:20279-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202520279-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:20279-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021043.html"
},
{
"category": "self",
"summary": "SUSE Bug 1221677",
"url": "https://bugzilla.suse.com/1221677"
},
{
"category": "self",
"summary": "SUSE Bug 1224112",
"url": "https://bugzilla.suse.com/1224112"
},
{
"category": "self",
"summary": "SUSE Bug 1231208",
"url": "https://bugzilla.suse.com/1231208"
},
{
"category": "self",
"summary": "SUSE Bug 1236270",
"url": "https://bugzilla.suse.com/1236270"
},
{
"category": "self",
"summary": "SUSE Bug 1236507",
"url": "https://bugzilla.suse.com/1236507"
},
{
"category": "self",
"summary": "SUSE Bug 1237641",
"url": "https://bugzilla.suse.com/1237641"
},
{
"category": "self",
"summary": "SUSE Bug 1239330",
"url": "https://bugzilla.suse.com/1239330"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-45288 page",
"url": "https://www.suse.com/security/cve/CVE-2023-45288/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-11218 page",
"url": "https://www.suse.com/security/cve/CVE-2024-11218/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-1753 page",
"url": "https://www.suse.com/security/cve/CVE-2024-1753/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-3727 page",
"url": "https://www.suse.com/security/cve/CVE-2024-3727/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-9407 page",
"url": "https://www.suse.com/security/cve/CVE-2024-9407/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22869 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22869/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-27144 page",
"url": "https://www.suse.com/security/cve/CVE-2025-27144/"
}
],
"title": "Security update for podman",
"tracking": {
"current_release_date": "2025-04-22T13:50:03Z",
"generator": {
"date": "2025-04-22T13:50:03Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:20279-1",
"initial_release_date": "2025-04-22T13:50:03Z",
"revision_history": [
{
"date": "2025-04-22T13:50:03Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "podman-5.2.5-slfo.1.1_1.1.aarch64",
"product": {
"name": "podman-5.2.5-slfo.1.1_1.1.aarch64",
"product_id": "podman-5.2.5-slfo.1.1_1.1.aarch64"
}
},
{
"category": "product_version",
"name": "podman-remote-5.2.5-slfo.1.1_1.1.aarch64",
"product": {
"name": "podman-remote-5.2.5-slfo.1.1_1.1.aarch64",
"product_id": "podman-remote-5.2.5-slfo.1.1_1.1.aarch64"
}
},
{
"category": "product_version",
"name": "podmansh-5.2.5-slfo.1.1_1.1.aarch64",
"product": {
"name": "podmansh-5.2.5-slfo.1.1_1.1.aarch64",
"product_id": "podmansh-5.2.5-slfo.1.1_1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "podman-docker-5.2.5-slfo.1.1_1.1.noarch",
"product": {
"name": "podman-docker-5.2.5-slfo.1.1_1.1.noarch",
"product_id": "podman-docker-5.2.5-slfo.1.1_1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "podman-5.2.5-slfo.1.1_1.1.s390x",
"product": {
"name": "podman-5.2.5-slfo.1.1_1.1.s390x",
"product_id": "podman-5.2.5-slfo.1.1_1.1.s390x"
}
},
{
"category": "product_version",
"name": "podman-remote-5.2.5-slfo.1.1_1.1.s390x",
"product": {
"name": "podman-remote-5.2.5-slfo.1.1_1.1.s390x",
"product_id": "podman-remote-5.2.5-slfo.1.1_1.1.s390x"
}
},
{
"category": "product_version",
"name": "podmansh-5.2.5-slfo.1.1_1.1.s390x",
"product": {
"name": "podmansh-5.2.5-slfo.1.1_1.1.s390x",
"product_id": "podmansh-5.2.5-slfo.1.1_1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "podman-5.2.5-slfo.1.1_1.1.x86_64",
"product": {
"name": "podman-5.2.5-slfo.1.1_1.1.x86_64",
"product_id": "podman-5.2.5-slfo.1.1_1.1.x86_64"
}
},
{
"category": "product_version",
"name": "podman-remote-5.2.5-slfo.1.1_1.1.x86_64",
"product": {
"name": "podman-remote-5.2.5-slfo.1.1_1.1.x86_64",
"product_id": "podman-remote-5.2.5-slfo.1.1_1.1.x86_64"
}
},
{
"category": "product_version",
"name": "podmansh-5.2.5-slfo.1.1_1.1.x86_64",
"product": {
"name": "podmansh-5.2.5-slfo.1.1_1.1.x86_64",
"product_id": "podmansh-5.2.5-slfo.1.1_1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.1",
"product": {
"name": "SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sl-micro:6.1"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-5.2.5-slfo.1.1_1.1.aarch64 as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.aarch64"
},
"product_reference": "podman-5.2.5-slfo.1.1_1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-5.2.5-slfo.1.1_1.1.s390x as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.s390x"
},
"product_reference": "podman-5.2.5-slfo.1.1_1.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-5.2.5-slfo.1.1_1.1.x86_64 as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.x86_64"
},
"product_reference": "podman-5.2.5-slfo.1.1_1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-docker-5.2.5-slfo.1.1_1.1.noarch as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:podman-docker-5.2.5-slfo.1.1_1.1.noarch"
},
"product_reference": "podman-docker-5.2.5-slfo.1.1_1.1.noarch",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-remote-5.2.5-slfo.1.1_1.1.aarch64 as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.aarch64"
},
"product_reference": "podman-remote-5.2.5-slfo.1.1_1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-remote-5.2.5-slfo.1.1_1.1.s390x as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.s390x"
},
"product_reference": "podman-remote-5.2.5-slfo.1.1_1.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-remote-5.2.5-slfo.1.1_1.1.x86_64 as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.x86_64"
},
"product_reference": "podman-remote-5.2.5-slfo.1.1_1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podmansh-5.2.5-slfo.1.1_1.1.aarch64 as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.aarch64"
},
"product_reference": "podmansh-5.2.5-slfo.1.1_1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podmansh-5.2.5-slfo.1.1_1.1.s390x as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.s390x"
},
"product_reference": "podmansh-5.2.5-slfo.1.1_1.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podmansh-5.2.5-slfo.1.1_1.1.x86_64 as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.x86_64"
},
"product_reference": "podmansh-5.2.5-slfo.1.1_1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-45288",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-45288"
}
],
"notes": [
{
"category": "general",
"text": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request\u0027s headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podman-docker-5.2.5-slfo.1.1_1.1.noarch",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-45288",
"url": "https://www.suse.com/security/cve/CVE-2023-45288"
},
{
"category": "external",
"summary": "SUSE Bug 1221400 for CVE-2023-45288",
"url": "https://bugzilla.suse.com/1221400"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podman-docker-5.2.5-slfo.1.1_1.1.noarch",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podman-docker-5.2.5-slfo.1.1_1.1.noarch",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-04-22T13:50:03Z",
"details": "moderate"
}
],
"title": "CVE-2023-45288"
},
{
"cve": "CVE-2024-11218",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-11218"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability was found in `podman build` and `buildah.` This issue occurs in a container breakout by using --jobs=2 and a race condition when building a malicious Containerfile. SELinux might mitigate it, but even with SELinux on, it still allows the enumeration of files and directories on the host.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podman-docker-5.2.5-slfo.1.1_1.1.noarch",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-11218",
"url": "https://www.suse.com/security/cve/CVE-2024-11218"
},
{
"category": "external",
"summary": "SUSE Bug 1236269 for CVE-2024-11218",
"url": "https://bugzilla.suse.com/1236269"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podman-docker-5.2.5-slfo.1.1_1.1.noarch",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podman-docker-5.2.5-slfo.1.1_1.1.noarch",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-04-22T13:50:03Z",
"details": "important"
}
],
"title": "CVE-2024-11218"
},
{
"cve": "CVE-2024-1753",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-1753"
}
],
"notes": [
{
"category": "general",
"text": "A flaw was found in Buildah (and subsequently Podman Build) which allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write access to the host filesystem, allowing for full container escape at build time.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podman-docker-5.2.5-slfo.1.1_1.1.noarch",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-1753",
"url": "https://www.suse.com/security/cve/CVE-2024-1753"
},
{
"category": "external",
"summary": "SUSE Bug 1221677 for CVE-2024-1753",
"url": "https://bugzilla.suse.com/1221677"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podman-docker-5.2.5-slfo.1.1_1.1.noarch",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podman-docker-5.2.5-slfo.1.1_1.1.noarch",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-04-22T13:50:03Z",
"details": "important"
}
],
"title": "CVE-2024-1753"
},
{
"cve": "CVE-2024-3727",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-3727"
}
],
"notes": [
{
"category": "general",
"text": "A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podman-docker-5.2.5-slfo.1.1_1.1.noarch",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-3727",
"url": "https://www.suse.com/security/cve/CVE-2024-3727"
},
{
"category": "external",
"summary": "SUSE Bug 1224112 for CVE-2024-3727",
"url": "https://bugzilla.suse.com/1224112"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podman-docker-5.2.5-slfo.1.1_1.1.noarch",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podman-docker-5.2.5-slfo.1.1_1.1.noarch",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-04-22T13:50:03Z",
"details": "important"
}
],
"title": "CVE-2024-3727"
},
{
"cve": "CVE-2024-9407",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-9407"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories from the host into a container during the build process and, in some cases, modify the contents of those mounted files. Even if SELinux is used, this vulnerability can bypass its protection by allowing the source directory to be relabeled to give the container access to host files.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podman-docker-5.2.5-slfo.1.1_1.1.noarch",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-9407",
"url": "https://www.suse.com/security/cve/CVE-2024-9407"
},
{
"category": "external",
"summary": "SUSE Bug 1231208 for CVE-2024-9407",
"url": "https://bugzilla.suse.com/1231208"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podman-docker-5.2.5-slfo.1.1_1.1.noarch",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podman-docker-5.2.5-slfo.1.1_1.1.noarch",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-04-22T13:50:03Z",
"details": "moderate"
}
],
"title": "CVE-2024-9407"
},
{
"cve": "CVE-2025-22869",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22869"
}
],
"notes": [
{
"category": "general",
"text": "SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podman-docker-5.2.5-slfo.1.1_1.1.noarch",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22869",
"url": "https://www.suse.com/security/cve/CVE-2025-22869"
},
{
"category": "external",
"summary": "SUSE Bug 1239322 for CVE-2025-22869",
"url": "https://bugzilla.suse.com/1239322"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podman-docker-5.2.5-slfo.1.1_1.1.noarch",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podman-docker-5.2.5-slfo.1.1_1.1.noarch",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-04-22T13:50:03Z",
"details": "important"
}
],
"title": "CVE-2025-22869"
},
{
"cve": "CVE-2025-27144",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-27144"
}
],
"notes": [
{
"category": "general",
"text": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, \".\") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podman-docker-5.2.5-slfo.1.1_1.1.noarch",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-27144",
"url": "https://www.suse.com/security/cve/CVE-2025-27144"
},
{
"category": "external",
"summary": "SUSE Bug 1237608 for CVE-2025-27144",
"url": "https://bugzilla.suse.com/1237608"
},
{
"category": "external",
"summary": "SUSE Bug 1237609 for CVE-2025-27144",
"url": "https://bugzilla.suse.com/1237609"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podman-docker-5.2.5-slfo.1.1_1.1.noarch",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podman-docker-5.2.5-slfo.1.1_1.1.noarch",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podman-remote-5.2.5-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:podmansh-5.2.5-slfo.1.1_1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-04-22T13:50:03Z",
"details": "important"
}
],
"title": "CVE-2025-27144"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…