SUSE-SU-2023:0326-1: important: Security update for podman

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Thu Feb 9 11:28:06 UTC 2023


   SUSE Security Update: Security update for podman
______________________________________________________________________________

Announcement ID:    SUSE-SU-2023:0326-1
Rating:             important
References:         #1181640 #1181961 #1193166 #1193273 #1197672 
                    #1199790 #1202809 PED-2771 
Cross-References:   CVE-2021-20199 CVE-2021-20206 CVE-2021-4024
                    CVE-2021-41190 CVE-2022-27649 CVE-2022-2989
                   
CVSS scores:
                    CVE-2021-20199 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
                    CVE-2021-20199 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
                    CVE-2021-20206 (NVD) : 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-20206 (SUSE): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-4024 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
                    CVE-2021-4024 (SUSE): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
                    CVE-2021-41190 (NVD) : 3 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N
                    CVE-2021-41190 (SUSE): 5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
                    CVE-2022-27649 (NVD) : 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-27649 (SUSE): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
                    CVE-2022-2989 (NVD) : 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
                    CVE-2022-2989 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Affected Products:
                    SUSE Enterprise Storage 7.1
                    SUSE Linux Enterprise High Performance Computing 15-SP3-ESPOS
                    SUSE Linux Enterprise High Performance Computing 15-SP3-LTSS
                    SUSE Linux Enterprise Micro 5.1
                    SUSE Linux Enterprise Micro 5.2
                    SUSE Linux Enterprise Server 15-SP3-LTSS
                    SUSE Linux Enterprise Server for SAP 15-SP3
                    openSUSE Leap Micro 5.2
______________________________________________________________________________

   An update that solves 6 vulnerabilities, contains one
   feature and has one errata is now available.

Description:

   This update for podman fixes the following issues:

   podman was updated to version 4.3.1:

   4.3.1:

   * Bugfixes

   - Fixed a deadlock between the `podman ps` and `podman container inspect`
     commands

   * Misc

   - Updated the containers/image library to v5.23.1

   4.3.0:

   * Features

   - A new command, `podman generate spec`, has been added, which creates a
     JSON struct based on a given container that can be used with the Podman
     REST API to create containers.
   - A new command, `podman update`, has been added,which makes changes to
     the resource limits of existing containers. Please note that these
     changes do not persist if the container is restarted
   - A new command, `podman kube down`, has been added, which removes pods
     and containers created by the given Kubernetes YAML (functionality is
     identical to `podman kube play --down`, but it now has its own command).
   - The `podman kube play` command now supports Kubernetes secrets using
     Podman's secrets backend.
   - Systemd-managed pods created by the `podman kube play` command now
     integrate with sd-notify, using the `io.containers.sdnotify` annotation
     (or `io.containers.sdnotify/$name` for specific containers).
   - Systemd-managed pods created by `podman kube play` can now be
     auto-updated, using the `io.containers.auto-update` annotation (or
     `io.containers.auto-update/$name` for specific containers).
   - The `podman kube play` command can now read YAML from URLs, e.g. `podman
     kube play https://example.com/demo.yml`
   - The `podman kube play` command now supports the `emptyDir` volume type
   - The `podman kube play` command now supports the `HostUsers` field in the
     pod spec.
   - The `podman play kube` command now supports `binaryData` in ConfigMaps.
   - The `podman pod create` command can now set additional resource limits
     for pods using the new `--memory-swap`, `--cpuset-mems`,
     `--device-read-bps`, `--device-write-bps`, `--blkio-weight`,
     `--blkio-weight-device`, and `--cpu-shares` options.
   - The `podman machine init` command now supports a new option,
     `--username`, to set the username that will be used to connect to the VM
     as a non-root user
   - The `podman volume create` command's `-o timeout=` option can now set a
     timeout of 0, indicating volume plugin operations will never time out.
   - Added support for a new volume driver, `image`, which allows volumes to
     be created that are backed by images.
   - The `podman run` and `podman create` commands support a new option,
     `--env-merge`, allowing environment variables to be specified relative
     to other environment variables in the image (e.g. `podman run
     --env-merge "PATH=$PATH:/my/app" ...`)
   - The `podman run` and `podman create` commands support a new option,
     `--on-failure`, to allow action to be taken when a container fails
     health checks, with the following supported actions: `none` (take no
     action, the default), `kill` (kill the container), `restart` (restart
     the container), and `stop` (stop the container).
   - The `--keep-id` option to `podman create` and `podman run` now supports
     new options, `uid` and `gid`, to set the UID and GID of the user in the
     container that will be mapped to the user running Podman (e.g.
     `--userns=keep-id:uid=11` will made the user running Podman to UID 11 in
     the container)
   - The `podman generate systemd` command now supports a new option,
     `--env`/`-e`, to set environment variables in the generated unit file
   - The `podman pause` and `podman unpause` commands now support the
     `--latest`, `--cidfile`, and `--filter` options.
   - The `podman restart` command now supports the `--cidfile` and `--filter`
     options.
   - The `podman rm` command now supports the `--filter` option to select
     which containers will be removed.
   - The `podman rmi` command now supports a new option, `--no-prune`, to
     prevent the removal of dangling parents of removed images.
   - The `--dns-opt` option to `podman create`, `podman run`, and `podman pod
     create` has received a new alias, `--dns-option`, to improve Docker
     compatibility.
   - The `podman` command now features a new global flag, `--debug`/`-D`,
     which enables debug-level logging (identical to `--log-level=debug`),
     improving Docker compatibility.
   - The `podman` command now features a new global flag, `--config`. This
     flag is ignored, and is only included for Docker compatibility
   - The `podman manifest create` command now accepts a new option,
     `--amend`/`-a`.
   - The `podman manifest create`, `podman manifest add` and `podman manifest
     push` commands now accept a new option, `--insecure` (identical to
     `--tls-verify=false`), improving Docker compatibility.
   - The `podman secret create` command's `--driver` and `--format` options
     now have new aliases, `-d` for `--driver` and `-f` for `--format`.
   - The `podman secret create` command now supports a new option,
     `--label`/`-l`, to add labels to created secrets.
   - The `podman secret ls` command now accepts the `--quiet`/`-q` option.
   - The `podman secret inspect` command now accepts a new option,
     `--pretty`, to print output in human-readable format.
   - The `podman stats` command now accepts the `--no-trunc` option.
   - The `podman save` command now accepts the `--signature-policy` option
   - The `podman pod inspect` command now allows multiple arguments to be
     passed. If so, it will return a JSON array of the inspected pods
   - A series of new hidden commands have been added under `podman context`
     as aliases to existing `podman system connection` commands, to improve
     Docker compatibility.
   - The remote Podman client now supports proxying signals for attach
     sessions when the `--sig-proxy` option is set

   ### Changes

   - Duplicate volume mounts are now allowed with the `-v` option to `podman
     run`, `podman create`, and `podman pod create`, so long as source,
     destination, and options all match
   - The `podman generate kube` and `podman play kube` commands have been
     renamed to `podman kube generate` and `podman kube play` to group
     Kubernetes-related commands. Aliases have been added to ensure the old
     command names still function.
   - A number of Podman commands (`podman init`, `podman container
     checkpoint`, `podman container restore`, `podman container cleanup`) now
     print the user-inputted name of the container, instead of its full ID,
     on success.
   - When an unsupported option (e.g. resource limit) is specified for a
     rootless container on a cgroups v1 system, a warning message is now
     printed that the limit will not be honored.
   - The installer for the Windows Podman client has been improved.
   - The `--cpu-rt-period` and `--cpu-rt-runtime` options to `podman run` and
     `podman create` now print a warning and are ignored on cgroups v2
     systems (cgroups v2 having dropped support for these controllers)
   - Privileged containers running systemd will no longer mount `/dev/tty*`
     devices other than `/dev/tty` itself into the container
   - Events for containers that are part of a pod now include the ID of the
     pod in the event.
   - SSH functionality for `podman machine` commands has seen a thorough
     rework, addressing many issues about authentication.
   - The `--network` option to `podman kube play` now allows passing `host`
     to set the pod to use host networking, even if the YAML does not request
     this.
   - The `podman inspect` command on containers now includes the digest of
     the image used to create the container.
   - Pods created by `podman play kube` are now, by default, placed into a
     network named `podman-kube`. If the `podman-kube` network does not
     exist, it will be created. This ensures pods can connect to each other
     by their names, as the network has DNS enabled.


   Update to version 4.2.0:

   * Features

   - Podman now supports the Gitlab Runner (using the Docker executor),
     allowing its use in Gitlab CI/CD pipelines.
   - A new command has been added, podman pod clone, to create a copy of an
     existing pod. It supports several options, including --start to start
     the new pod, --destroy to remove the original pod, and --name to change
     the name of the new pod
   - A new command has been added, podman volume reload, to sync changes in
     state between Podman's database and any configured volume plugins
   - A new command has been added, podman machine info, which displays
     information about the host and the versions of various machine
     components.
   - Pods created by podman play kube can now be managed by systemd unit
     files. This can be done via a new systemd service, podman-kube at .service
     - e.g. systemctl --user start podman-play-kube@$(systemd-escape
     my.yaml).service will run the Kubernetes pod or deployment contained in
     my.yaml under systemd.
   - The podman play kube command now honors the RunAsUser, RunAsGroup, and
     SupplementalGroups setting from the Kubernetes pod's security context.
   - The podman play kube command now supports volumes with the BlockDevice
     and CharDevice types
   - The podman play kube command now features a new flag, --userns, to set
     the user namespace of created pods. Two values are allowed at present:
     host and auto
   - The podman play kube command now supports setting the type of created
     init containers via the io.podman.annotations.init.container.type
     annotation.
   - Pods now have include an exit policy (configurable via the --exit-policy
     option to podman pod create), which determines what will happen to the
     pod's infra container when the entire pod stops. The default, continue,
     acts as Podman currently does, while a new option, stop, stops the infra
     container after the last container in the pod stops, and is used by
     default for pods from podman play kube
   - The podman pod create command now allows the pod's name to be specified
     as an argument, instead of using the --name option - for example, podman
     pod create mypod instead of the prior podman pod create --name mypod.
     Please note that the --name option is not deprecated and will continue
     to work.
   - The podman pod create command's --share option now supports adding
     namespaces to the set by prefacing them with + (as opposed to specifying
     all namespaces that should be shared)
   - The podman pod create command has a new option, --shm-size, to specify
     the size of the /dev/shm mount that will be shared if the pod shares its
     UTS namespace (#14609).
   - The podman pod create command has a new option, --uts, to configure the
     UTS namespace that will be shared by containers in the pod.
   - The podman pod create command now supports setting pod-level resource
     limits via the --cpus, --cpuset-cpus, and --memory options. These will
     set a limit for all containers in the pod, while individual containers
     within the pod are allowed to set further limits. Look forward to more
     options for resource limits in our next release!
   - The podman create and podman run commands now include the -c short
     option for the --cpu-shares option.
   - The podman create and podman run commands can now create containers from
     a manifest list (and not an image) as long as the --platform option is
     specified (#14773).
   - The podman build command now supports a new option, --cpp-flag, to
     specify options for the C preprocessor when using Containerfile.in files
     that require preprocessing.
   - The podman build command now supports a new option, --build-context,
     allowing the user to specify an additional build context.
   - The podman machine inspect command now prints the location of the VM's
     Podman API socket on the host (#14231).
   - The podman machine init command on Windows now fetches an image with
     packages pre-installed (#14698).
   - Unused, cached Podman machine VM images are now cleaned up
     automatically. Note that because Podman now caches in a different
     directory, this will not clean up old images pulled before this change
     (#14697).
   - The default for the --image-volume option to podman run and podman
     create can now have its default set through the image_volume_mode
     setting in containers.conf (#14230).
   - Overlay volumes now support two new options, workdir and upperdir, to
     allow multiple overlay volumes from different containers to reuse the
     same workdir or upperdir (#14427).
   - The podman volume create command now supports two new options, copy and
     nocopy, to control whether contents from the overmounted folder in a
     container will be copied into the newly-created named volume (copy-up).
   - Volumes created using a volume plugin can now specify a timeout for all
     operations that contact the volume plugin (replacing the standard 5
     second timeout) via the --opt o=timeout= option to podman volume create
     (BZ 2080458).
   - The podman volume ls command's --filter name= option now supports
     regular expression matching for volume names (#14583).
   - When used with a podman machine VM, volumes now support specification of
     the 9p security model using the security_model option to podman create
     -v and podman run -v.
   - The remote Podman client's podman push command now supports the
     --remove-signatures option (#14558).
   - The remote Podman client now supports the podman image scp command.
   - The podman image scp command now supports tagging the transferred image
     with a new name.
   - The podman network ls command supports a new filter, --filter dangling=,
     to list networks not presently used by any containers (#14595).
   - The --condition option to podman wait can now be specified multiple
     times to wait on any one of multiple conditions.
   - The podman events command now includes the -f short option for the
     --filter option.
   - The podman pull command now includes the -a short option for the
     --all-tags option.
   - The podman stop command now includes a new flag, --filter, to filter
     which containers will be stopped (e.g. podman stop --all --filter
     label=COM.MY.APP).
   - The Podman global option --url now has two aliases: -H and --host.
   - The podman network create command now supports a new option with the
     default bridge driver, --opt isolate=, which isolates the network by
     blocking any traffic from it to any other network with the isolate
     option enabled. This option is enabled by default for networks created
     using the Docker-compatible API.
   - Added the ability to create sigstore signatures in podman push and
     podman manifest push.
   - Added an option to read image signing passphrase from a file.

   * Changes

   - Paused containers can now be killed with the podman kill command.
   - The podman system prune command now removes unused networks.
   - The --userns=keep-id and --userns=nomap options to the podman run and
     podman create commands are no longer allowed (instead of simply being
     ignored) with root Podman.
   - If the /run directory for a container is part of a volume, Podman will
     not create the /run/.containerenv file (#14577).
   - The podman machine stop command on macOS now waits for the machine to be
     completely stopped to exit (#14148).
   - All podman machine commands now only support being run as rootless,
     given that VMs only functioned when run rootless.
   - The podman unpause --all command will now only attempt to unpause
     containers that are paused, not all containers.
   - Init containers created with podman play kube now default to the once
     type (#14877).
   - Pods created with no shared namespaces will no longer create an infra
     container unless one is explicitly requested (#15048).
   - The podman create, podman run, and podman cp commands can now
     autocomplete paths in the image or container via the shell completion.
   - The libpod/common package has been removed as it's not used anywhere.
   - The --userns option to podman create and podman run is no longer
     accepted when an explicit UID or GID mapping is specified (#15233).


   * Misc

   - Podman will now check for nameservers in
     /run/NetworkManager/no-stub-resolv.conf if the /etc/resolv.conf file
     only contains a localhost server.
   - The podman build command now supports caching with builds that specify
     --squash-all by allowing the --layers flag to be used at the same time.
   - Podman Machine support for QEMU installations at non-default paths has
     been improved.
   - The podman machine ssh command no longer prints spurious warnings every
     time it is run.
   - When accessing the WSL prompt on Windows, the rootless user will be
     preferred.
   - The podman info command now includes a field for information on
     supported authentication plugins for improved Docker compatibility.
     Authentication plugins are not presently supported by Podman, so this
     field is always empty.
   - The podman system prune command now no longer prints the Deleted Images
     header if no images were pruned.
   - The podman system service command now automatically creates and moves to
     a sub-cgroup when running in the root cgroup (#14573).
   - Updated Buildah to v1.27.0 (fixes CVE-2022-21698 / bsc#1196338)
   - Updated the containers/image library to v5.22.0
   - Updated the containers/storage library to v1.42.0 (fixes bsc#1196751)
   - Updated the containers/common library to v0.49.1
   - Podman will automatically create a sub-cgroup and move itself into it
     when it detects that it is running inside a container (#14884).
   - Fixed an incorrect release note about regexp.
   - A new MacOS installer (via pkginstaller) is now supported.

   Update to version 4.1.1:

   * The output of the podman load command now mirrors that of docker load.
   * Podman now supports Docker Compose v2.2 and higher. Please note that it
     may be necessary to disable the use of Buildkit by setting the
     environment variable DOCKER_BUILDKIT=0.
   * A new container command has been added, podman container clone. This
     command makes a copy of an existing container, with the ability to
     change some settings (e.g. resource limits) while doing so.
   * Podman now supports sending JSON events related to machines to a Unix
     socket named machine_events.*\.sock in XDG_RUNTIME_DIR/podman or to a
     socket whose path is set in the PODMAN_MACHINE_EVENTS_SOCK environment
     variable.
   * Two new volume commands have been added, podman volume mount and podman
     volume unmount. These allow for Podman-managed named volumes to be
     mounted and accessed from outside containers.
   * The podman container checkpoint and podman container restore options now
     support checkpointing to and restoring from OCI images. This allows
     checkpoints to be distributed via standard image registries.
   * The podman play kube command now supports environment variables that are
     specified using the fieldRef and resourceFieldRef sources.
   * The podman play kube command will now set default resource limits when
     the provided YAML does not include them.
   * The podman play kube command now supports a new option, --annotation, to
     add annotations to created containers.
   * The podman play kube --build command now supports a new option,
     --context-dir, which allows the user to specify the context directory to
     use when building the Containerfile.
   * The podman container commit command now supports a new option, --squash,
     which squashes the generated image into a single layer.
   * The podman pod logs command now supports two new options, --names, which
     identifies which container generated a log message by name, instead of
     ID and --color, which colors messages based on what container generated
     them.
   * The podman rmi command now supports a new option, --ignore, which will
     ignore errors caused by missing images.
   * The podman network create command now features a new option,
     --ipam-driver, to specify details about how IP addresses are assigned to
     containers in the network.
   * The podman machine list command now features a new option, --quiet, to
     print only the names of configured VMs and no other information.
   * The --ipc option to the podman create, podman run, and podman pod create
     commands now supports three new modes: none, private, and shareable. The
     default IPC mode is now shareable, indicating the the IPC namespace can
     be shared with other containers.
   * The --mount option to the podman create and podman run commands can now
     set options for created named volumes via the volume-opt parameter.
   * The --mount option to the podman create and podman run commands now
     allows parameters to be passed in CSV format.
   * The --userns option to the podman create and podman run commands now
     supports a new option, nomap, that (only for rootless containers) does
     not map the UID of the user that started the container into the
     container, increasing security.
   * The podman import command now supports three new options, --arch, --os,
     and --variant, to specify what system the imported image was built for.
   * The podman inspect command now includes information on the network
     configuration of containers that joined a pre-configured network
     namespace with the --net ns: option to podman run, podman create, and
     podman pod create.
   * The podman run and podman create commands now support a new option,
     --chrootdirs, which specifies additional locations where
     container-specific files managed by Podman (e.g. /etc/hosts,
     `/etc/resolv.conf, etc) will be mounted inside the container (#12961).
   * The podman run and podman create commands now support a new option,
     --passwd-entry, allowing entries to be added to the container's
     /etc/passwd file.
   * The podman images --format command now accepts two new format
     directives: {{.CreatedAt}} and {{.CreatedSince}}.
   * The podman volume create command's -o option now accepts a new argument,
     o=noquota, to disable XFS quotas entirely and avoid potential issues
     when Podman is run on an XFS filesystem with existing quotas defined.
   * The podman info command now includes additional information on the
     machine Podman is running on, including disk utilization on the drive
     Podman is storing containers and images on, and CPU utilization.
   * Fix CVE-2022-27191 / bsc#1197284

   - Require catatonit >= 0.1.7 for pause functionality needed by pods

   Update to version 4.0.3:

   * Security

     - This release fixes CVE-2022-27649, where containers run by Podman
       would have excess inheritable capabilities set.

   * Changes

     - The podman machine rm --force command will now remove running machines
       as well (such machines are shut down first, then removed) (#13448).
     - When a podman machine VM is started that is using a too-old VM image,
       it will now start in a reduced functionality mode, and provide
       instructions on how to recreate it (previously, VMs were effectively
       unusable) (#13510).

     - Updated the containers/common library to v0.47.5

   - This release addresses CVE-2021-4024 / bsc#1193166, where the podman
     machine command opened the gvproxy API (used to forward ports to podman
     machine VMs) to the public internet on port 7777.
   - This release addresses CVE-2021-41190 / bsc#1193273, where incomplete
     specification of behavior regarding image manifests could lead to
     inconsistent decoding on different clients.

   Update to version 3.1.0: (bsc#1181961, CVE-2021-20206)

   - A fix for CVE-2021-20199 / bsc#1181640 is included. Podman between
     v1.8.0 and v2.2.1 used 127.0.0.1 as the source address for all traffic
     forwarded into rootless containers by a forwarded port; this has been
     changed to address the issue.


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap Micro 5.2:

      zypper in -t patch openSUSE-Leap-Micro-5.2-2023-326=1

   - SUSE Linux Enterprise Server for SAP 15-SP3:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2023-326=1

   - SUSE Linux Enterprise Server 15-SP3-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2023-326=1

   - SUSE Linux Enterprise Micro 5.2:

      zypper in -t patch SUSE-SUSE-MicroOS-5.2-2023-326=1

   - SUSE Linux Enterprise Micro 5.1:

      zypper in -t patch SUSE-SUSE-MicroOS-5.1-2023-326=1

   - SUSE Linux Enterprise High Performance Computing 15-SP3-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2023-326=1

   - SUSE Linux Enterprise High Performance Computing 15-SP3-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-ESPOS-2023-326=1

   - SUSE Enterprise Storage 7.1:

      zypper in -t patch SUSE-Storage-7.1-2023-326=1



Package List:

   - openSUSE Leap Micro 5.2 (aarch64 x86_64):

      podman-4.3.1-150300.9.15.1
      podman-debuginfo-4.3.1-150300.9.15.1

   - openSUSE Leap Micro 5.2 (noarch):

      podman-cni-config-4.3.1-150300.9.15.1

   - SUSE Linux Enterprise Server for SAP 15-SP3 (ppc64le x86_64):

      podman-4.3.1-150300.9.15.1

   - SUSE Linux Enterprise Server for SAP 15-SP3 (noarch):

      podman-cni-config-4.3.1-150300.9.15.1

   - SUSE Linux Enterprise Server 15-SP3-LTSS (aarch64 ppc64le s390x x86_64):

      podman-4.3.1-150300.9.15.1

   - SUSE Linux Enterprise Server 15-SP3-LTSS (noarch):

      podman-cni-config-4.3.1-150300.9.15.1

   - SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64):

      podman-4.3.1-150300.9.15.1
      podman-debuginfo-4.3.1-150300.9.15.1

   - SUSE Linux Enterprise Micro 5.2 (noarch):

      podman-cni-config-4.3.1-150300.9.15.1

   - SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64):

      podman-4.3.1-150300.9.15.1

   - SUSE Linux Enterprise Micro 5.1 (noarch):

      podman-cni-config-4.3.1-150300.9.15.1

   - SUSE Linux Enterprise High Performance Computing 15-SP3-LTSS (aarch64 x86_64):

      podman-4.3.1-150300.9.15.1

   - SUSE Linux Enterprise High Performance Computing 15-SP3-LTSS (noarch):

      podman-cni-config-4.3.1-150300.9.15.1

   - SUSE Linux Enterprise High Performance Computing 15-SP3-ESPOS (aarch64 x86_64):

      podman-4.3.1-150300.9.15.1

   - SUSE Linux Enterprise High Performance Computing 15-SP3-ESPOS (noarch):

      podman-cni-config-4.3.1-150300.9.15.1

   - SUSE Enterprise Storage 7.1 (aarch64 x86_64):

      podman-4.3.1-150300.9.15.1
      podman-debuginfo-4.3.1-150300.9.15.1

   - SUSE Enterprise Storage 7.1 (noarch):

      podman-cni-config-4.3.1-150300.9.15.1


References:

   https://www.suse.com/security/cve/CVE-2021-20199.html
   https://www.suse.com/security/cve/CVE-2021-20206.html
   https://www.suse.com/security/cve/CVE-2021-4024.html
   https://www.suse.com/security/cve/CVE-2021-41190.html
   https://www.suse.com/security/cve/CVE-2022-27649.html
   https://www.suse.com/security/cve/CVE-2022-2989.html
   https://bugzilla.suse.com/1181640
   https://bugzilla.suse.com/1181961
   https://bugzilla.suse.com/1193166
   https://bugzilla.suse.com/1193273
   https://bugzilla.suse.com/1197672
   https://bugzilla.suse.com/1199790
   https://bugzilla.suse.com/1202809



More information about the sle-security-updates mailing list