SUSE-CU-2023:3470-1: Security update of rancher/elemental-teal-iso/5.4
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Fri Oct 20 10:09:53 UTC 2023
SUSE Container Update Advisory: rancher/elemental-teal-iso/5.4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3470-1
Container Tags : rancher/elemental-teal-iso/5.4:1.2.2 , rancher/elemental-teal-iso/5.4:1.2.2-3.2.1 , rancher/elemental-teal-iso/5.4:latest
Container Release : 3.2.1
Severity : critical
Type : security
References : 1029961 1041090 1048046 1049382 1051429 1089497 1096726 1102408
1103032 1113038 1113039 1113040 1114832 1116658 1118897 1118898
1118899 1120610 1120610 1121967 1123156 1123387 1124308 1130489
1130496 1130496 1131314 1131553 1135460 1136234 1136974 1137860
1141680 1143386 1149954 1152308 1155141 1155217 1160452 1160460
1164390 1167850 1168481 1170940 1171566 1171578 1172380 1172786
1173404 1173409 1173410 1173471 1174465 1175081 1175821 1175821
1176547 1177955 1178807 1178943 1178944 1179025 1179203 1179466
1179467 1179467 1181122 1181131 1181131 1181594 1181641 1181644
1181677 1181730 1181732 1181749 1181872 1181961 1182451 1182476
1182790 1182947 1182998 1183024 1183855 1184124 1184768 1184962
1185405 1185405 1186606 1187704 1188282 1189743 1190826 1191015
1191121 1191334 1191355 1191434 1192051 1193436 1193951 1194038
1194609 1194900 1197093 1199232 1199235 1199460 1199565 1200088
1200145 1200524 1200657 1200657 1202021 1202436 1202436 1202436
1202821 1202821 1203600 1205536 1207509 1207753 1208079 1208194
1208574 1208721 1209229 1209741 1210702 1210702 1210999 1211272
1211576 1211828 1212126 1212434 1213185 1213237 1213472 1213487
1213514 1213517 1213575 1213853 1213873 1214054 1214071 CVE-2018-14679
CVE-2018-14681 CVE-2018-14682 CVE-2018-15664 CVE-2018-16873 CVE-2018-16874
CVE-2018-16875 CVE-2018-18584 CVE-2018-18585 CVE-2018-18586 CVE-2018-20482
CVE-2018-20482 CVE-2019-1010305 CVE-2019-10152 CVE-2019-16884
CVE-2019-18466 CVE-2019-19921 CVE-2019-5736 CVE-2019-6778 CVE-2019-9923
CVE-2019-9923 CVE-2020-10756 CVE-2020-1983 CVE-2020-21913 CVE-2020-29129
CVE-2020-29130 CVE-2020-29130 CVE-2021-20193 CVE-2021-20193 CVE-2021-20206
CVE-2021-21284 CVE-2021-21285 CVE-2021-21334 CVE-2021-30465 CVE-2021-30465
CVE-2021-30560 CVE-2021-32760 CVE-2021-41089 CVE-2021-41091 CVE-2021-41092
CVE-2021-41103 CVE-2021-43784 CVE-2022-1586 CVE-2022-1587 CVE-2022-29162
CVE-2022-31030 CVE-2022-41409 CVE-2022-48303 CVE-2023-31484 CVE-2023-32001
CVE-2023-3446 CVE-2023-34969 CVE-2023-36054 CVE-2023-3817
-----------------------------------------------------------------
The container rancher/elemental-teal-iso/5.4 was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:495-1
Released: Tue Feb 26 16:42:35 2019
Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc
Type: security
Severity: important
References: 1048046,1051429,1114832,1118897,1118898,1118899,1121967,1124308,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736
This update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc fixes the following issues:
Security issues fixed:
- CVE-2018-16875: Fixed a CPU Denial of Service (bsc#1118899).
- CVE-2018-16874: Fixed a vulnerabity in go get command which could allow directory traversal in GOPATH mode (bsc#1118898).
- CVE-2018-16873: Fixed a vulnerability in go get command which could allow remote code execution when executed with -u in GOPATH mode (bsc#1118897).
- CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to avoid write attacks to the host runc binary, which could lead to a container
breakout (bsc#1121967).
Other changes and fixes:
- Update shell completion to use Group: System/Shells.
- Add daemon.json file with rotation logs configuration (bsc#1114832)
- Update to Docker 18.09.1-ce (bsc#1124308) and to to runc 96ec2177ae84.
See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
- Update go requirements to >= go1.10
- Use -buildmode=pie for tests and binary build (bsc#1048046 and bsc#1051429).
- Remove the usage of 'cp -r' to reduce noise in the build logs.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:748-1
Released: Tue Mar 26 14:35:56 2019
Summary: Security update for libmspack
Type: security
Severity: moderate
References: 1113038,1113039,CVE-2018-18584,CVE-2018-18585
This update for libmspack fixes the following issues:
Security issues fixed:
- CVE-2018-18584: The CAB block input buffer was one byte too small for the maximal Quantum block, leading to an out-of-bounds write. (bsc#1113038)
- CVE-2018-18585: chmd_read_headers accepted a filename that has '\0' as its first or second character (such as the '/\0' name). (bsc#1113039)
- Fix off-by-one bounds check on CHM PMGI/PMGL chunk numbers and reject empty filenames.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:926-1
Released: Wed Apr 10 16:33:12 2019
Summary: Security update for tar
Type: security
Severity: moderate
References: 1120610,1130496,CVE-2018-20482,CVE-2019-9923
This update for tar fixes the following issues:
Security issues fixed:
- CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496).
- CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2223-1
Released: Tue Aug 27 15:42:56 2019
Summary: Security update for podman, slirp4netns and libcontainers-common
Type: security
Severity: moderate
References: 1096726,1123156,1123387,1135460,1136974,1137860,1143386,CVE-2018-15664,CVE-2019-10152,CVE-2019-6778
This is a version update for podman to version 1.4.4 (bsc#1143386).
Additional changes by SUSE on top:
- Remove fuse-overlayfs because it's (currently) an unsatisfied dependency on
SLE (bsc#1143386)
- Update libpod.conf to use correct infra_command
- Update libpod.conf to use better versioned pause container
- Update libpod.conf to use official kubic pause container
- Update libpod.conf to match latest features set:
detach_keys, lock_type, runtime_supports_json
- Add podman-remote varlink client
Version update podman to v1.4.4:
- Features
- Podman now has greatly improved support for containers using multiple OCI
runtimes. Containers now remember if they were created with a different
runtime using --runtime and will always use that runtime
- The cached and delegated options for volume mounts are now allowed for
Docker compatability (#3340)
- The podman diff command now supports the --latest flag
- Bugfixes
- Fixed a bug where rootless Podman would attempt to use the entire root
configuration if no rootless configuration was present for the user,
breaking rootless Podman for new installations
- Fixed a bug where rootless Podman's pause process would block SIGTERM,
preventing graceful system shutdown and hanging until the system's init
send SIGKILL
- Fixed a bug where running Podman as root with sudo -E would not work after
running rootless Podman at least once
- Fixed a bug where options for tmpfs volumes added with the --tmpfs flag
were being ignored
- Fixed a bug where images with no layers could not properly be displayed
and removed by Podman
- Fixed a bug where locks were not properly freed on failure to create a
container or pod
- Fixed a bug where podman cp on a single file would create a directory at
the target and place the file in it (#3384)
- Fixed a bug where podman inspect --format '{{.Mounts}}' would print a
hexadecimal address instead of a container's mounts
- Fixed a bug where rootless Podman would not add an entry to container's
/etc/hosts files for their own hostname (#3405)
- Fixed a bug where podman ps --sync would segfault (#3411)
- Fixed a bug where podman generate kube would produce an invalid ports
configuration (#3408)
- Misc
- Updated containers/storage to v1.12.13
- Podman now performs much better on systems with heavy I/O load
- The --cgroup-manager flag to podman now shows the correct default setting
in help if the default was overridden by libpod.conf
- For backwards compatability, setting --log-driver=json-file in podman run
is now supported as an alias for --log-driver=k8s-file. This is considered
deprecated, and json-file will be moved to a new implementation in the
future ([#3363](https://github.com/containers/libpo\
d/issues/3363))
- Podman's default libpod.conf file now allows the crun OCI runtime to be
used if it is installed
Update podman to v1.4.2:
- Fixed a bug where Podman could not run containers using an older version of
Systemd as init
- Updated vendored Buildah to v1.9.0 to resolve a critical bug with
Dockerfile RUN instructions
- The error message for running podman kill on containers that are not
running has been improved
- Podman remote client can now log to a file if syslog is not available
- The podman exec command now sets its error code differently based on
whether the container does not exist, and the command in the container does
not exist
- The podman inspect command on containers now outputs Mounts JSON that matches
that of docker inspect, only including user-specified volumes and
differentiating bind mounts and named volumes
- The podman inspect command now reports the path to a container's OCI spec
with the OCIConfigPath key (only included when the container is initialized
or running)
- The podman run --mount command now supports the bind-nonrecursive option for
bind mounts
- Fixed a bug where podman play kube would fail to create containers due to an
unspecified log driver
- Fixed a bug where Podman would fail to build with musl libc
- Fixed a bug where rootless Podman using slirp4netns networking in an
environment with no nameservers on the host other than localhost would
result in nonfunctional networking
- Fixed a bug where podman import would not properly set environment
variables, discarding their values and retaining only keys
- Fixed a bug where Podman would fail to run when built with Apparmor support
but run on systems without the Apparmor kernel module loaded
- Remote Podman will now default the username it uses to log in to remote
systems to the username of the current user
- Podman now uses JSON logging with OCI runtimes that support it, allowing for
better error reporting
- Updated vendored containers/image to v2.0
- Update conmon to v0.3.0
- Support OOM Monitor under cgroup V2
- Add config binary and make target for configuring conmon with a go library
for importing values
Updated podman to version 1.4.0 (bsc#1137860) and (bsc#1135460)
- Podman checkpoint and podman restore commands can now be
used to migrate containers between Podman installations on
different systems.
- The podman cp now supports pause flag.
- The remote client now supports a configuration file for
pre-configuring connections to remote Podman installations
- CVE-2019-10152: Fixed an iproper dereference of symlinks of the
the podman cp command which introduced in version 1.1.0 (bsc#1136974).
- Fixed a bug where podman commit could improperly set environment variables
that contained = characters
- Fixed a bug where rootless podman would sometimes fail to start
containers with forwarded ports
- Fixed a bug where podman version on the remote client could
segfault
- Fixed a bug where podman container runlabel would use /proc/self/exe instead of
the path of the Podman command when printing the command being executed
- Fixed a bug where filtering images by label did not work
- Fixed a bug where specifying a bing mount or tmpfs mount over
an image volume would cause a container to be unable to start
- Fixed a bug where podman generate kube did not work with
containers with named volumes
- Fixed a bug where rootless podman would receive permission
denied errors accessing conmon.pid
- Fixed a bug where podman cp with a folder specified as target
would replace the folder, as opposed to copying into it
- Fixed a bug where rootless Podman commands could double-unlock
a lock, causing a crash
- Fixed a bug where podman incorrectly set tmpcopyup on /dev/
mounts, causing errors when using the Kata containers runtime
- Fixed a bug where podman exec would fail on older kernels
- Podman commit command is now usable with the Podman remote client
- Signature-policy flag has been deprecated
- Updated vendored containers/storage and containers/image libraries
with numerous bugfixes
- Updated vendored Buildah to v1.8.3
- Podman now requires Conmon v0.2.0
- The podman cp command is now aliased as podman container cp
- Rootless podman will now default init_path using root Podman's
configuration files (/etc/containers/libpod.conf and
/usr/share/containers/libpod.conf) if not overridden in the
rootless configuration
- Added fuse-overlayfs dependency to support overlay based rootless image
manipulations
- The podman cp command can now read input redirected to STDIN, and output to
STDOUT instead of a file, using - instead of an argument.
- The podman remote client now displays version information from both the
client and server in podman version
- The podman unshare command has been added, allowing easy entry into the
user namespace set up by rootless Podman (allowing the removal of files
created by rootless podman, among other things)
- Fixed a bug where Podman containers with the --rm flag were removing
created volumes when they were automatically removed
- Fixed a bug where container and pod locks were incorrectly marked as
released after a system reboot, causing errors on container and pod removal
- Fixed a bug where Podman pods could not be removed if any container in the
pod encountered an error during removal
- Fixed a bug where Podman pods run with the cgroupfs CGroup driver would encounter
a race condition during removal, potentially failing to remove the pod CGroup
- Fixed a bug where the podman container checkpoint and podman container
restore commands were not visible in the remote client
- Fixed a bug where podman remote ps --ns would not print the container's namespaces
- Fixed a bug where removing stopped containers with healthchecks could cause an error
- Fixed a bug where the default libpod.conf file was causing parsing errors
- Fixed a bug where pod locks were not being freed when pods were removed,
potentially leading to lock exhaustion
- Fixed a bug where 'podman run' with SD_NOTIFY set could, on short-running
containers, create an inconsistent state rendering the container unusable
- The remote Podman client now uses the Varlink bridge to establish remote
connections by default
- Fixed an issue with apparmor_parser (bsc#1123387)
- Update to libpod v1.4.0 (bsc#1137860):
- The podman checkpoint and podman restore commands can now be
used to migrate containers between Podman installations on
different systems
- The podman cp command now supports a pause flag to pause
containers while copying into them
- The remote client now supports a configuration file for
pre-configuring connections to remote Podman installations
- Fixed CVE-2019-10152 - The podman cp command improperly
dereferenced symlinks in host context
- Fixed a bug where podman commit could improperly set
environment variables that contained = characters
- Fixed a bug where rootless Podman would sometimes fail to start
containers with forwarded ports
- Fixed a bug where podman version on the remote client could
segfault
- Fixed a bug where podman container runlabel would use
/proc/self/exe instead of the path of the Podman command when
printing the command being executed
- Fixed a bug where filtering images by label did not work
- Fixed a bug where specifying a bing mount or tmpfs mount over
an image volume would cause a container to be unable to start
- Fixed a bug where podman generate kube did not work with
containers with named volumes
- Fixed a bug where rootless Podman would receive permission
denied errors accessing conmon.pid
- Fixed a bug where podman cp with a folder specified as target
would replace the folder, as opposed to copying into it
- Fixed a bug where rootless Podman commands could double-unlock
a lock, causing a crash
- Fixed a bug where Podman incorrectly set tmpcopyup on /dev/
mounts, causing errors when using the Kata containers runtime
- Fixed a bug where podman exec would fail on older kernels
- The podman commit command is now usable with the Podman remote
client
- The --signature-policy flag (used with several image-related
commands) has been deprecated
- The podman unshare command now defines two environment
variables in the spawned shell: CONTAINERS_RUNROOT and
CONTAINERS_GRAPHROOT, pointing to temporary and permanent
storage for rootless containers
- Updated vendored containers/storage and containers/image
libraries with numerous bugfixes
- Updated vendored Buildah to v1.8.3
- Podman now requires Conmon v0.2.0
- The podman cp command is now aliased as podman container cp
- Rootless Podman will now default init_path using root Podman's
configuration files (/etc/containers/libpod.conf and
/usr/share/containers/libpod.conf) if not overridden in the
rootless configuration
- Update to image v1.5.1
- Vendor in latest containers/storage
- docker/docker_client: Drop redundant Domain(ref.ref) call
- pkg/blobinfocache: Split implementations into subpackages
- copy: progress bar: show messages on completion
- docs: rename manpages to *.5.command
- add container-certs.d.md manpage
- pkg/docker/config: Bring auth tests from
docker/docker_client_test
- Don't allocate a sync.Mutex separately
Update to storage v1.12.10:
- Add function to parse out mount options from graphdriver
- Merge the disparate parts of all of the Unix-like lockfiles
- Fix unix-but-not-Linux compilation
- Return XDG_RUNTIME_DIR as RootlessRuntimeDir if set
- Cherry-pick moby/moby #39292 for CVE-2018-15664 fixes
- lockfile: add RecursiveLock() API
- Update generated files
- Fix crash on tesing of aufs code
- Let consumers know when Layers and Images came from read-only stores
- chown: do not change owner for the mountpoint
- locks: correctly mark updates to the layers list
- CreateContainer: don't worry about mapping layers unless necessary
- docs: fix manpage for containers-storage.conf
- docs: sort configuration options alphabetically
- docs: document OSTree file deduplication
- Add missing options to man page for containers-storage
- overlay: use the layer idmapping if present
- vfs: prefer layer custom idmappings
- layers: propagate down the idmapping settings
- Recreate symlink when not found
- docs: fix manpage for configuration file
- docs: add special handling for manpages in sect 5
- overlay: fix single-lower test
- Recreate symlink when not found
- overlay: propagate errors from mountProgram
- utils: root in a userns uses global conf file
- Fix handling of additional stores
- Correctly check permissions on rootless directory
- Fix possible integer overflow on 32bit builds
- Evaluate device path for lvm
- lockfile test: make concurrent RW test determinisitc
- lockfile test: make concurrent read tests deterministic
- drivers.DirCopy: fix filemode detection
- storage: move the logic to detect rootless into utils.go
- Don't set (struct flock).l_pid
- Improve documentation of getLockfile
- Rename getLockFile to createLockerForPath, and document it
- Add FILES section to containers-storage.5 man page
- add digest locks
- drivers/copy: add a non-cgo fallback
slirp4netns was updated to 0.3.0:
- CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() (bsc#1123156)
This update also includes:
- fuse3 and fuse-overlayfs to support rootless containers.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2810-1
Released: Tue Oct 29 14:56:44 2019
Summary: Security update for runc
Type: security
Severity: moderate
References: 1131314,1131553,1152308,CVE-2019-16884
This update for runc fixes the following issues:
Security issue fixed:
- CVE-2019-16884: Fixed an LSM bypass via malicious Docker images that mount over a /proc directory. (bsc#1152308)
Non-security issues fixed:
- Includes upstreamed patches for regressions (bsc#1131314 bsc#1131553).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:697-1
Released: Mon Mar 16 13:17:10 2020
Summary: Security update for cni, cni-plugins, conmon, fuse-overlayfs, podman
Type: security
Severity: moderate
References: 1155217,1160460,1164390,CVE-2019-18466
This update for cni, cni-plugins, conmon, fuse-overlayfs, podman fixes the following issues:
podman was updated to 1.8.0:
- CVE-2019-18466: Fixed a bug where podman cp would improperly copy files on the
host when copying a symlink in the container that included a
glob operator (#3829 bsc#1155217)
- The name of the cni-bridge in the default config changed from
'cni0' to 'podman-cni0' with podman-1.6.0. Add a %trigger to
rename the bridge in the system to the new default if it exists.
The trigger is only excuted when updating podman-cni-config
from something older than 1.6.0. This is mainly needed for SLE
where we're updating from 1.4.4 to 1.8.0 (bsc#1160460).
Update podman to v1.8.0 (bsc#1160460):
* Features
- The podman system service command has been added, providing a
preview of Podman's new Docker-compatible API. This API is
still very new, and not yet ready for production use, but is
available for early testing
- Rootless Podman now uses Rootlesskit for port forwarding,
which should greatly improve performance and capabilities
- The podman untag command has been added to remove tags from
images without deleting them
- The podman inspect command on images now displays previous
names they used
- The podman generate systemd command now supports a --new
option to generate service files that create and run new
containers instead of managing existing containers
- Support for --log-opt tag= to set logging tags has been added
to the journald log driver
- Added support for using Seccomp profiles embedded in images
for podman run and podman create via the new --seccomp-policy
CLI flag
- The podman play kube command now honors pull policy
* Bugfixes
- Fixed a bug where the podman cp command would not copy the
contents of directories when paths ending in /. were given
- Fixed a bug where the podman play kube command did not
properly locate Seccomp profiles specified relative to
localhost
- Fixed a bug where the podman info command for remote Podman
did not show registry information
- Fixed a bug where the podman exec command did not support
having input piped into it
- Fixed a bug where the podman cp command with rootless Podman
on CGroups v2 systems did not properly determine if the
container could be paused while copying
- Fixed a bug where the podman container prune --force command
could possible remove running containers if they were started
while the command was running
- Fixed a bug where Podman, when run as root, would not
properly configure slirp4netns networking when requested
- Fixed a bug where podman run --userns=keep-id did not work
when the user had a UID over 65535
- Fixed a bug where rootless podman run and podman create with
the --userns=keep-id option could change permissions on
/run/user/$UID and break KDE
- Fixed a bug where rootless Podman could not be run in a
systemd service on systems using CGroups v2
- Fixed a bug where podman inspect would show CPUShares as 0,
instead of the default (1024), when it was not explicitly set
- Fixed a bug where podman-remote push would segfault
- Fixed a bug where image healthchecks were not shown in the
output of podman inspect
- Fixed a bug where named volumes created with containers from
pre-1.6.3 releases of Podman would be autoremoved with their
containers if the --rm flag was given, even if they were
given names
- Fixed a bug where podman history was not computing image
sizes correctly
- Fixed a bug where Podman would not error on invalid values to
the --sort flag to podman images
- Fixed a bug where providing a name for the image made by
podman commit was mandatory, not optional as it should be
- Fixed a bug where the remote Podman client would append an
extra ' to %PATH
- Fixed a bug where the podman build command would sometimes
ignore the -f option and build the wrong Containerfile
- Fixed a bug where the podman ps --filter command would only
filter running containers, instead of all containers, if
--all was not passed
- Fixed a bug where the podman load command on compressed
images would leave an extra copy on disk
- Fixed a bug where the podman restart command would not
properly clean up the network, causing it to function
differently from podman stop; podman start
- Fixed a bug where setting the --memory-swap flag to podman
create and podman run to -1 (to indicate unlimited) was not
supported
* Misc
- Initial work on version 2 of the Podman remote API has been
merged, but is still in an alpha state and not ready for use.
Read more here
- Many formatting corrections have been made to the manpages
- The changes to address (#5009) may cause anonymous volumes
created by Podman versions 1.6.3 to 1.7.0 to not be removed
when their container is removed
- Updated vendored Buildah to v1.13.1
- Updated vendored containers/storage to v1.15.8
- Updated vendored containers/image to v5.2.0
- Add apparmor-abstractions as required runtime dependency to
have `tunables/global` available.
- fixed the --force flag for the 'container prune' command.
(https://github.com/containers/libpod/issues/4844)
Update podman to v1.7.0
* Features
- Added support for setting a static MAC address for containers
- Added support for creating macvlan networks with podman
network create, allowing Podman containers to be attached
directly to networks the host is connected to
- The podman image prune and podman container prune commands
now support the --filter flag to filter what will be pruned,
and now prompts for confirmation when run without --force
(#4410 and #4411)
- Podman now creates CGroup namespaces by default on systems
using CGroups v2 (#4363)
- Added the podman system reset command to remove all Podman
files and perform a factory reset of the Podman installation
- Added the --history flag to podman images to display previous
names used by images (#4566)
- Added the --ignore flag to podman rm and podman stop to not
error when requested containers no longer exist
- Added the --cidfile flag to podman rm and podman stop to read
the IDs of containers to be removed or stopped from a file
- The podman play kube command now honors Seccomp annotations
(#3111)
- The podman play kube command now honors RunAsUser,
RunAsGroup, and selinuxOptions
- The output format of the podman version command has been
changed to better match docker version when using the
--format flag
- Rootless Podman will no longer initialize containers/storage
twice, removing a potential deadlock preventing Podman
commands from running while an image was being pulled (#4591)
- Added tmpcopyup and notmpcopyup options to the --tmpfs and
--mount type=tmpfs flags to podman create and podman run to
control whether the content of directories are copied into
tmpfs filesystems mounted over them
- Added support for disabling detaching from containers by
setting empty detach keys via --detach-keys=''
- The podman build command now supports the --pull and
--pull-never flags to control when images are pulled during a
build
- The podman ps -p command now shows the name of the pod as
well as its ID (#4703)
- The podman inspect command on containers will now display the
command used to create the container
- The podman info command now displays information on registry
mirrors (#4553)
* Bugfixes
- Fixed a bug where Podman would use an incorrect runtime
directory as root, causing state to be deleted after root
logged out and making Podman in systemd services not function
properly
- Fixed a bug where the --change flag to podman import and
podman commit was not being parsed properly in many cases
- Fixed a bug where detach keys specified in libpod.conf were
not used by the podman attach and podman exec commands, which
always used the global default ctrl-p,ctrl-q key combination
(#4556)
- Fixed a bug where rootless Podman was not able to run podman
pod stats even on CGroups v2 enabled systems (#4634)
- Fixed a bug where rootless Podman would fail on kernels
without the renameat2 syscall (#4570)
- Fixed a bug where containers with chained network namespace
dependencies (IE, container A using --net container=B and
container B using --net container=C) would not properly mount
/etc/hosts and /etc/resolv.conf into the container (#4626)
- Fixed a bug where podman run with the --rm flag and without
-d could, when run in the background, throw a 'container does
not exist' error when attempting to remove the container
after it exited
- Fixed a bug where named volume locks were not properly
reacquired after a reboot, potentially leading to deadlocks
when trying to start containers using the volume (#4605 and
#4621)
- Fixed a bug where Podman could not completely remove
containers if sent SIGKILL during removal, leaving the
container name unusable without the podman rm --storage
command to complete removal (#3906)
- Fixed a bug where checkpointing containers started with --rm
was allowed when --export was not specified (the container,
and checkpoint, would be removed after checkpointing was
complete by --rm) (#3774)
- Fixed a bug where the podman pod prune command would fail if
containers were present in the pods and the --force flag was
not passed (#4346)
- Fixed a bug where containers could not set a static IP or
static MAC address if they joined a non-default CNI network
(#4500)
- Fixed a bug where podman system renumber would always throw
an error if a container was mounted when it was run
- Fixed a bug where podman container restore would fail with
containers using a user namespace
- Fixed a bug where rootless Podman would attempt to use the
journald events backend even on systems without systemd
installed
- Fixed a bug where podman history would sometimes not properly
identify the IDs of layers in an image (#3359)
- Fixed a bug where containers could not be restarted when
Conmon v2.0.3 or later was used
- Fixed a bug where Podman did not check image OS and
Architecture against the host when starting a container
- Fixed a bug where containers in pods did not function
properly with the Kata OCI runtime (#4353)
- Fixed a bug where `podman info --format '{{ json . }}' would
not produce JSON output (#4391)
- Fixed a bug where Podman would not verify if files passed to
--authfile existed (#4328)
- Fixed a bug where podman images --digest would not always
print digests when they were available
- Fixed a bug where rootless podman run could hang due to a
race with reading and writing events
- Fixed a bug where rootless Podman would print warning-level
logs despite not be instructed to do so (#4456)
- Fixed a bug where podman pull would attempt to fetch from
remote registries when pulling an unqualified image using the
docker-daemon transport (#4434)
- Fixed a bug where podman cp would not work if STDIN was a
pipe
- Fixed a bug where podman exec could stop accepting input if
anything was typed between the command being run and the exec
session starting (#4397)
- Fixed a bug where podman logs --tail 0 would print all lines
of a container's logs, instead of no lines (#4396)
- Fixed a bug where the timeout for slirp4netns was incorrectly
set, resulting in an extremely long timeout (#4344)
- Fixed a bug where the podman stats command would print CPU
utilizations figures incorrectly (#4409)
- Fixed a bug where the podman inspect --size command would not
print the size of the container's read/write layer if the
size was 0 (#4744)
- Fixed a bug where the podman kill command was not properly
validating signals before use (#4746)
- Fixed a bug where the --quiet and --format flags to podman ps
could not be used at the same time
- Fixed a bug where the podman stop command was not stopping
exec sessions when a container was created without a PID
namespace (--pid=host)
- Fixed a bug where the podman pod rm --force command was not
removing anonymous volumes for containers that were removed
- Fixed a bug where the podman checkpoint command would not
export all changes to the root filesystem of the container if
performed more than once on the same container (#4606)
- Fixed a bug where containers started with --rm would not be
automatically removed on being stopped if an exec session was
running inside the container (#4666)
* Misc
- The fixes to runtime directory path as root can cause strange
behavior if an upgrade is performed while containers are
running
- Updated vendored Buildah to v1.12.0
- Updated vendored containers/storage library to v1.15.4
- Updated vendored containers/image library to v5.1.0
- Kata Containers runtimes (kata-runtime, kata-qemu, and
kata-fc) are now present in the default libpod.conf, but will
not be available unless Kata containers is installed on the
system
- Podman previously did not allow the creation of containers
with a memory limit lower than 4MB. This restriction has been
removed, as the crun runtime can create containers with
significantly less memory
Update podman to v1.6.4
- Remove winsz FIFO on container restart to allow use with Conmon 2.03 and higher
- Ensure volumes reacquire locks on system restart, preventing deadlocks when starting containers
- Suppress spurious log messages when running rootless Podman
- Update vendored containers/storage to v1.13.6
- Fix a deadlock related to writing events
- Do not use the journald event logger when it is not available
Update podman to v1.6.2
* Features
- Added a --runtime flag to podman system migrate to allow the
OCI runtime for all containers to be reset, to ease transition
to the crun runtime on CGroups V2 systems until runc gains full
support
- The podman rm command can now remove containers in broken
states which previously could not be removed
- The podman info command, when run without root, now shows
information on UID and GID mappings in the rootless user
namespace
- Added podman build --squash-all flag, which squashes all layers
(including those of the base image) into one layer
- The --systemd flag to podman run and podman create now accepts
a string argument and allows a new value, always, which forces
systemd support without checking if the the container
entrypoint is systemd
* Bugfixes
- Fixed a bug where the podman top command did not work on
systems using CGroups V2 (#4192)
- Fixed a bug where rootless Podman could double-close a file,
leading to a panic
- Fixed a bug where rootless Podman could fail to retrieve some
containers while refreshing the state
- Fixed a bug where podman start --attach --sig-proxy=false would
still proxy signals into the container
- Fixed a bug where Podman would unconditionally use a
non-default path for authentication credentials (auth.json),
breaking podman login integration with skopeo and other tools
using the containers/image library
- Fixed a bug where podman ps --format=json and podman images
--format=json would display null when no results were returned,
instead of valid JSON
- Fixed a bug where podman build --squash was incorrectly
squashing all layers into one, instead of only new layers
- Fixed a bug where rootless Podman would allow volumes with
options to be mounted (mounting volumes requires root),
creating an inconsistent state where volumes reported as
mounted but were not (#4248)
- Fixed a bug where volumes which failed to unmount could not be
removed (#4247)
- Fixed a bug where Podman incorrectly handled some errors
relating to unmounted or missing containers in
containers/storage
- Fixed a bug where podman stats was broken on systems running
CGroups V2 when run rootless (#4268)
- Fixed a bug where the podman start command would print the
short container ID, instead of the full ID
- Fixed a bug where containers created with an OCI runtime that
is no longer available (uninstalled or removed from the config
file) would not appear in podman ps and could not be removed
via podman rm
- Fixed a bug where containers restored via podman container
restore --import would retain the CGroup path of the original
container, even if their container ID changed; thus, multiple
containers created from the same checkpoint would all share the
same CGroup
* Misc
- The default PID limit for containers is now set to 4096. It can
be adjusted back to the old default (unlimited) by passing
--pids-limit 0 to podman create and podman run
- The podman start --attach command now automatically attaches
STDIN if the container was created with -i
- The podman network create command now validates network names
using the same regular expression as container and pod names
- The --systemd flag to podman run and podman create will now
only enable systemd mode when the binary being run inside the
container is /sbin/init, /usr/sbin/init, or ends in systemd
(previously detected any path ending in init or systemd)
- Updated vendored Buildah to 1.11.3
- Updated vendored containers/storage to 1.13.5
- Updated vendored containers/image to 4.0.1
Update podman to v1.6.1
* Features
- The podman network create, podman network rm, podman network
inspect, and podman network ls commands have been added to
manage CNI networks used by Podman
- The podman volume create command can now create and mount
volumes with options, allowing volumes backed by NFS, tmpfs,
and many other filesystems
- Podman can now run containers without CGroups for better
integration with systemd by using the --cgroups=disabled flag
with podman create and podman run. This is presently only
supported with the crun OCI runtime
- The podman volume rm and podman volume inspect commands can now
refer to volumes by an unambiguous partial name, in addition to
full name (e.g. podman volume rm myvol to remove a volume named
myvolume) (#3891)
- The podman run and podman create commands now support the
--pull flag to allow forced re-pulling of images (#3734)
- Mounting volumes into a container using --volume, --mount, and
--tmpfs now allows the suid, dev, and exec mount options (the
inverse of nosuid, nodev, noexec) (#3819)
- Mounting volumes into a container using --mount now allows the
relabel=Z and relabel=z options to relabel mounts.
- The podman push command now supports the --digestfile option to
save a file containing the pushed digest
- Pods can now have their hostname set via podman pod create
--hostname or providing Pod YAML with a hostname set to podman
play kube (#3732)
- The podman image sign command now supports the --cert-dir flag
- The podman run and podman create commands now support the
--security-opt label=filetype:$LABEL flag to set the SELinux
label for container files
- The remote Podman client now supports healthchecks
* Bugfixes
- Fixed a bug where remote podman pull would panic if a Varlink
connection was not available (#4013)
- Fixed a bug where podman exec would not properly set terminal
size when creating a new exec session (#3903)
- Fixed a bug where podman exec would not clean up socket
symlinks on the host (#3962)
- Fixed a bug where Podman could not run systemd in containers
that created a CGroup namespace
- Fixed a bug where podman prune -a would attempt to prune images
used by Buildah and CRI-O, causing errors (#3983)
- Fixed a bug where improper permissions on the ~/.config
directory could cause rootless Podman to use an incorrect
directory for storing some files
- Fixed a bug where the bash completions for podman import threw
errors
- Fixed a bug where Podman volumes created with podman volume
create would not copy the contents of their mountpoint the
first time they were mounted into a container (#3945)
- Fixed a bug where rootless Podman could not run podman exec
when the container was not run inside a CGroup owned by the
user (#3937)
- Fixed a bug where podman play kube would panic when given Pod
YAML without a securityContext (#3956)
- Fixed a bug where Podman would place files incorrectly when
storage.conf configuration items were set to the empty string
(#3952)
- Fixed a bug where podman build did not correctly inherit
Podman's CGroup configuration, causing crashed on CGroups V2
systems (#3938)
- Fixed a bug where remote podman run --rm would exit before the
container was completely removed, allowing race conditions when
removing container resources (#3870)
- Fixed a bug where rootless Podman would not properly handle
changes to /etc/subuid and /etc/subgid after a container was
launched
- Fixed a bug where rootless Podman could not include some
devices in a container using the --device flag (#3905)
- Fixed a bug where the commit Varlink API would segfault if
provided incorrect arguments (#3897)
- Fixed a bug where temporary files were not properly cleaned up
after a build using remote Podman (#3869)
- Fixed a bug where podman remote cp crashed instead of reporting
it was not yet supported (#3861)
- Fixed a bug where podman exec would run as the wrong user when
execing into a container was started from an image with
Dockerfile USER (or a user specified via podman run --user)
(#3838)
- Fixed a bug where images pulled using the oci: transport would
be improperly named
- Fixed a bug where podman varlink would hang when managed by
systemd due to SD_NOTIFY support conflicting with Varlink
(#3572)
- Fixed a bug where mounts to the same destination would
sometimes not trigger a conflict, causing a race as to which
was actually mounted
- Fixed a bug where podman exec --preserve-fds caused Podman to
hang (#4020)
- Fixed a bug where removing an unmounted container that was
unmounted might sometimes not properly clean up the container
(#4033)
- Fixed a bug where the Varlink server would freeze when run in a
systemd unit file (#4005)
- Fixed a bug where Podman would not properly set the $HOME
environment variable when the OCI runtime did not set it
- Fixed a bug where rootless Podman would incorrectly print
warning messages when an OCI runtime was not found (#4012)
- Fixed a bug where named volumes would conflict with, instead of
overriding, tmpfs filesystems added by the --read-only-tmpfs
flag to podman create and podman run
- Fixed a bug where podman cp would incorrectly make the target
directory when copying to a symlink which pointed to a
nonexistent directory (#3894)
- Fixed a bug where remote Podman would incorrectly read STDIN
when the -i flag was not set (#4095)
- Fixed a bug where podman play kube would create an empty pod
when given an unsupported YAML type (#4093)
- Fixed a bug where podman import --change improperly parsed CMD
(#4000)
- Fixed a bug where rootless Podman on systems using CGroups V2
would not function with the cgroupfs CGroups manager
- Fixed a bug where rootless Podman could not correctly identify
the DBus session address, causing containers to fail to start
(#4162)
- Fixed a bug where rootless Podman with slirp4netns networking
would fail to start containers due to mount leaks
* Misc
- Significant changes were made to Podman volumes in this
release. If you have pre-existing volumes, it is strongly
recommended to run podman system renumber after upgrading.
- Version 0.8.1 or greater of the CNI Plugins is now required for
Podman
- Version 2.0.1 or greater of Conmon is strongly recommended
- Updated vendored Buildah to v1.11.2
- Updated vendored containers/storage library to v1.13.4
- Improved error messages when trying to create a pod with no
name via podman play kube
- Improved error messages when trying to run podman pause or
podman stats on a rootless container on a system without
CGroups V2 enabled
- TMPDIR has been set to /var/tmp by default to better handle
large temporary files
- podman wait has been optimized to detect stopped containers
more rapidly
- Podman containers now include a ContainerManager annotation
indicating they were created by libpod
- The podman info command now includes information about
slirp4netns and fuse-overlayfs if they are available
- Podman no longer sets a default size of 65kb for tmpfs
filesystems
- The default Podman CNI network has been renamed in an attempt
to prevent conflicts with CRI-O when both are run on the same
system. This should only take effect on system restart
- The output of podman volume inspect has been more closely
matched to docker volume inspect
- Add katacontainers as a recommended package, and include it as an
additional OCI runtime in the configuration.
Update podman to v1.5.1
* Features
- The hostname of pods is now set to the pod's name
* Bugfixes
- Fixed a bug where podman run and podman create did not honor the --authfile
option (#3730)
- Fixed a bug where containers restored with podman container restore
--import would incorrectly duplicate the Conmon PID file of the original container
- Fixed a bug where podman build ignored the default OCI runtime configured
in libpod.conf
- Fixed a bug where podman run --rm (or force-removing any running container
with podman rm --force) were not retrieving the correct exit code (#3795)
- Fixed a bug where Podman would exit with an error if any configured hooks
directory was not present
- Fixed a bug where podman inspect and podman commit would not use the
correct CMD for containers run with podman play kube
- Fixed a bug created pods when using rootless Podman and CGroups V2 (#3801)
- Fixed a bug where the podman events command with the --since or --until
options could take a very long time to complete
* Misc
- Rootless Podman will now inherit OCI runtime configuration from the root
configuration (#3781)
- Podman now properly sets a user agent while contacting registries (#3788)
- Add zsh completion for podman commands
Update podman to v1.5.0
* Features
- Podman containers can now join the user namespaces of other
containers with --userns=container:$ID, or a user namespace at
an arbitary path with --userns=ns:$PATH
- Rootless Podman can experimentally squash all UIDs and GIDs in
an image to a single UID and GID (which does not require use of
the newuidmap and newgidmap executables) by passing
--storage-opt ignore_chown_errors
- The podman generate kube command now produces YAML for any bind
mounts the container has created (#2303)
- The podman container restore command now features a new flag,
--ignore-static-ip, that can be used with --import to import a
single container with a static IP multiple times on the same
host
- Added the ability for podman events to output JSON by
specifying --format=json
- If the OCI runtime or conmon binary cannot be found at the
paths specified in libpod.conf, Podman will now also search for
them in the calling user's path
- Added the ability to use podman import with URLs (#3609)
- The podman ps command now supports filtering names using
regular expressions (#3394)
- Rootless Podman containers with --privileged set will now mount
in all host devices that the user can access
- The podman create and podman run commands now support the
--env-host flag to forward all environment variables from the
host into the container
- Rootless Podman now supports healthchecks (#3523)
- The format of the HostConfig portion of the output of podman
inspect on containers has been improved and synced with Docker
- Podman containers now support CGroup namespaces, and can create
them by passing --cgroupns=private to podman run or podman
create
- The podman create and podman run commands now support the
--ulimit=host flag, which uses any ulimits currently set on the
host for the container
- The podman rm and podman rmi commands now use different exit
codes to indicate 'no such container' and 'container is
running' errors
- Support for CGroups V2 through the crun OCI runtime has been
greatly improved, allowing resource limits to be set for
rootless containers when the CGroups V2 hierarchy is in use
* Bugfixes
- Fixed a bug where a race condition could cause podman restart
to fail to start containers with ports
- Fixed a bug where containers restored from a checkpoint would
not properly report the time they were started at
- Fixed a bug where podman search would return at most 25
results, even when the maximum number of results was set higher
- Fixed a bug where podman play kube would not honor capabilities
set in imported YAML (#3689)
- Fixed a bug where podman run --env, when passed a single key
(to use the value from the host), would set the environment
variable in the container even if it was not set on the host
(#3648)
- Fixed a bug where podman commit --changes would not properly
set environment variables
- Fixed a bug where Podman could segfault while working with
images with no history
- Fixed a bug where podman volume rm could remove arbitrary
volumes if given an ambiguous name (#3635)
- Fixed a bug where podman exec invocations leaked memory by not
cleaning up files in tmpfs
- Fixed a bug where the --dns and --net=container flags to podman
run and podman create were not mutually exclusive (#3553)
- Fixed a bug where rootless Podman would be unable to run
containers when less than 5 UIDs were available
- Fixed a bug where containers in pods could not be removed
without removing the entire pod (#3556)
- Fixed a bug where Podman would not properly clean up all CGroup
controllers for created cgroups when using the cgroupfs CGroup
driver
- Fixed a bug where Podman containers did not properly clean up
files in tmpfs, resulting in a memory leak as containers
stopped
- Fixed a bug where healthchecks from images would not use
default settings for interval, retries, timeout, and start
period when they were not provided by the image (#3525)
- Fixed a bug where healthchecks using the HEALTHCHECK CMD format
where not properly supported (#3507)
- Fixed a bug where volume mounts using relative source paths
would not be properly resolved (#3504)
- Fixed a bug where podman run did not use authorization
credentials when a custom path was specified (#3524)
- Fixed a bug where containers checkpointed with podman container
checkpoint did not properly set their finished time
- Fixed a bug where running podman inspect on any container not
created with podman run or podman create (for example, pod
infra containers) would result in a segfault (#3500)
- Fixed a bug where healthcheck flags for podman create and
podman run were incorrectly named (#3455)
- Fixed a bug where Podman commands would fail to find targets if
a partial ID was specified that was ambiguous between a
container and pod (#3487)
- Fixed a bug where restored containers would not have the
correct SELinux label
- Fixed a bug where Varlink endpoints were not working properly
if more was not correctly specified
- Fixed a bug where the Varlink PullImage endpoint would crash if
an error occurred (#3715)
- Fixed a bug where the --mount flag to podman create and podman
run did not allow boolean arguments for its ro and rw options
(#2980)
- Fixed a bug where pods did not properly share the UTS
namespace, resulting in incorrect behavior from some utilities
which rely on hostname (#3547)
- Fixed a bug where Podman would unconditionally append
ENTRYPOINT to CMD during podman commit (and when reporting CMD
in podman inspect) (#3708)
- Fixed a bug where podman events with the journald events
backend would incorrectly print 6 previous events when only new
events were requested (#3616)
- Fixed a bug where podman port would exit prematurely when a
port number was specified (#3747)
- Fixed a bug where passing . as an argument to the --dns-search
flag to podman create and podman run was not properly clearing
DNS search domains in the container
* Misc
- Updated vendored Buildah to v1.10.1
- Updated vendored containers/image to v3.0.2
- Updated vendored containers/storage to v1.13.1
- Podman now requires conmon v2.0.0 or higher
- The podman info command now displays the events logger being in
use
- The podman inspect command on containers now includes the ID of
the pod a container has joined and the PID of the container's
conmon process
- The -v short flag for podman --version has been re-added
- Error messages from podman pull should be significantly clearer
- The podman exec command is now available in the remote client
- The podman-v1.5.0.tar.gz file attached is podman packaged for
MacOS. It can be installed using Homebrew.
- Update libpod.conf to support latest path discovery feature for
`runc` and `conmon` binaries.
conmon was included in version 2.0.10. (bsc#1160460, bsc#1164390, jsc#ECO-1048, jsc#SLE-11485, jsc#SLE-11331):
fuse-overlayfs was updated to v0.7.6 (bsc#1160460)
- do not look in lower layers for the ino if there is no origin
xattr set
- attempt to use the file path if the operation on the fd fails
with ENXIO
- do not expose internal xattrs through listxattr and getxattr
- fix fallocate for deleted files.
- ignore O_DIRECT. It causes issues with libfuse not using an
aligned buffer, causing write(2) to fail with EINVAL.
- on copyup, do not copy the opaque xattr.
- fix a wrong lookup for whiteout files, that could happen on a
double unlink.
- fix possible segmentation fault in direct_fsync()
- use the data store to create missing whiteouts
- after a rename, force a directory reload
- introduce inodes cache
- correctly read inode for unix sockets
- avoid hash map lookup when possible
- use st_dev for the ino key
- check whether writeback is supported
- set_attrs: don't require write to S_IFREG
- ioctl: do not reuse fi->fh for directories
- fix skip whiteout deletion optimization
- store the new mode after chmod
- support fuse writeback cache and enable it by default
- add option to disable fsync
- add option to disable xattrs
- add option to skip ino number check in lower layers
- fix fd validity check
- fix memory leak
- fix read after free
- fix type for flistxattr return
- fix warnings reported by lgtm.com
- enable parallel dirops
cni was updated to 0.7.1:
- Set correct CNI version for 99-loopback.conf
Update to version 0.7.1 (bsc#1160460):
* Library changes:
+ invoke : ensure custom envs of CNIArgs are prepended to process envs
+ add GetNetworkListCachedResult to CNI interface
+ delegate : allow delegation funcs override CNI_COMMAND env automatically in heritance
* Documentation & Convention changes:
+ Update cnitool documentation for spec v0.4.0
+ Add cni-route-override to CNI plugin list
Update to version 0.7.0:
* Spec changes:
+ Use more RFC2119 style language in specification (must, should...)
+ add notes about ADD/DEL ordering
+ Make the container ID required and unique.
+ remove the version parameter from ADD and DEL commands.
+ Network interface name matters
+ be explicit about optional and required structure members
+ add CHECK method
+ Add a well-known error for 'try again'
+ SPEC.md: clarify meaning of 'routes'
* Library changes:
+ pkg/types: Makes IPAM concrete type
+ libcni: return error if Type is empty
+ skel: VERSION shouldn't block on stdin
+ non-pointer instances of types.Route now correctly marshal to JSON
+ libcni: add ValidateNetwork and ValidateNetworkList functions
+ pkg/skel: return error if JSON config has no network name
+ skel: add support for plugin version string
+ libcni: make exec handling an interface for better downstream testing
+ libcni: api now takes a Context to allow operations to be timed out or cancelled
+ types/version: add helper to parse PrevResult
+ skel: only print about message, not errors
+ skel,invoke,libcni: implementation of CHECK method
+ cnitool: Honor interface name supplied via CNI_IFNAME environment variable.
+ cnitool: validate correct number of args
+ Don't copy gw from IP4.Gateway to Route.GW When converting from 0.2.0
+ add PrintTo method to Result interface
+ Return a better error when the plugin returns none
- Install sleep binary into CNI plugin directory
cni-plugins was updated to 0.8.4:
Update to version 0.8.4 (bsc#1160460):
* add support for mips64le
* Add missing cniVersion in README example
* bump go-iptables module to v0.4.5
* iptables: add idempotent functions
* portmap doesn't fail if chain doesn't exist
* fix portmap port forward flakiness
* Add Bruce Ma and Piotr Skarmuk as owners
Update to version 0.8.3:
* Enhancements:
* static: prioritize the input sources for IPs (#400).
* tuning: send gratuitous ARP in case of MAC address update (#403).
* bandwidth: use uint64 for Bandwidth value (#389).
* ptp: only override DNS conf if DNS settings provided (#388).
* loopback: When prevResults are not supplied to loopback plugin, create results to return (#383).
* loopback support CNI CHECK and result cache (#374).
* Better input validation:
* vlan: add MTU validation to loadNetConf (#405).
* macvlan: add MTU validation to loadNetConf (#404).
* bridge: check vlan id when loading net conf (#394).
* Bugfixes:
* bugfix: defer after err check, or it may panic (#391).
* portmap: Fix dual-stack support (#379).
* firewall: don't return error in DEL if prevResult is not found (#390).
* bump up libcni back to v0.7.1 (#377).
* Docs:
* contributing doc: revise test script name to run (#396).
* contributing doc: describe cnitool installation (#397).
Update plugins to v0.8.2
+ New features:
* Support 'args' in static and tuning
* Add Loopback DSR support, allow l2tunnel networks
to be used with the l2bridge plugin
* host-local: return error if same ADD request is seen twice
* bandwidth: fix collisions
* Support ips capability in static and mac capability in tuning
* pkg/veth: Make host-side veth name configurable
+ Bug fixes:
* Fix: failed to set bridge addr: could not add IP address to 'cni0': file exists
* host-device: revert name setting to make retries idempotent (#357).
* Vendor update go-iptables. Vendor update go-iptables to
obtain commit f1d0510cabcb710d5c5dd284096f81444b9d8d10
* Update go.mod & go.sub
* Remove link Down/Up in MAC address change to prevent route flush (#364).
* pkg/ip unit test: be agnostic of Linux version, on Linux 4.4 the syscall
error message is 'invalid argument' not 'file exists'
* bump containernetworking/cni to v0.7.1
Updated plugins to v0.8.1:
+ Bugs:
* bridge: fix ipMasq setup to use correct source address
* fix compilation error on 386
* bandwidth: get bandwidth interface in host ns through
container interface
+ Improvements:
* host-device: add pciBusID property
Updated plugins to v0.8.0:
+ New plugins:
* bandwidth - limit incoming and outgoing bandwidth
* firewall - add containers to firewall rules
* sbr - convert container routes to source-based routes
* static - assign a fixed IP address
* win-bridge, win-overlay: Windows plugins
+ Plugin features / changelog:
* CHECK Support
* macvlan:
- Allow to configure empty ipam for macvlan
- Make master config optional
* bridge:
- Add vlan tag to the bridge cni plugin
- Allow the user to assign VLAN tag
- L2 bridge Implementation.
* dhcp:
- Include Subnet Mask option parameter in DHCPREQUEST
- Add systemd unit file to activate socket with systemd
- Add container ifName to the dhcp clientID, making the
clientID value
* flannel:
- Pass through runtimeConfig to delegate
* host-local:
- host-local: add ifname to file tracking IP address used
* host-device:
- Support the IPAM in the host-device
- Handle empty netns in DEL for loopback and host-device
* tuning:
- adds 'ip link' command related feature into tuning
+ Bug fixes & minor changes
* Correctly DEL on ipam failure for all plugins
* Fix bug on ip revert if cmdAdd fails on macvlan and host-device
* host-device: Ensure device is down before rename
* Fix -hostprefix option
* some DHCP servers expect to request for explicit router options
* bridge: release IP in case of error
* change source of ipmasq rule from ipn to ip
from version v0.7.5:
+ This release takes a minor change to the portmap plugin:
* Portmap: append, rather than prepend, entry rules
+ This fixes a potential issue where firewall rules may
be bypassed by port mapping
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:821-1
Released: Tue Mar 31 13:05:59 2020
Summary: Recommended update for podman, slirp4netns
Type: recommended
Severity: moderate
References: 1167850
This update for podman, slirp4netns fixes the following issues:
slirp4netns was updated to 0.4.4 (bsc#1167850):
* libslirp: Update to v4.2.0:
* New API function slirp_add_unix: add a forward rule to a Unix
socket.
* New API function slirp_remove_guestfwd: remove a forward rule
previously added by slirp_add_exec, slirp_add_unix or
slirp_add_guestfwd
* New SlirpConfig.outbound_addr{,6} fields to bind output
socket to a specific address
* socket: do not fallback on host loopback if get_dns_addr()
failed or the address is in slirp network
* ncsi: fix checksum OOB memory access
* tcp_emu(): fix OOB accesses
* tftp: restrict relative path access
* state: fix loading of guestfwd state
Update to 0.4.3:
* api: raise an error if the socket path is too long
* libslirp: update to v4.1.0: Including the fix for libslirp
sends RST to app in response to arriving FIN when containerized
socket is shutdown() with SHUT_WR
* Fix create_sandbox error
Update to 0.4.2:
* Do not propagate mounts to the parent ns in sandbox
Update to 0.4.1:
* Support specifying netns path (slirp4netns --netns-type=path PATH
TAPNAME)
* Support specifying --userns-path
* Vendor https://gitlab.freedesktop.org/slirp/libslirp (QEMU v4.1+)
* Bring up loopback device when --configure is specified
* Support sandboxing by creating a mount namespace
(--enable-sandbox)
* Support seccomp (--enable-seccomp)
- Add new build dependencies libcap-devel and libseccomp-devel
Update to 0.3.3:
* Fix use-after-free in libslirp
Update to 0.3.2:
* Fix heap overflow in `ip_reass` on big packet input
Update to 0.3.1:
* Fix use-after-free
Changes in podman:
- Fixed dependency on slirp4netns. We need at least 0.4.0 now (bsc#1167850)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:944-1
Released: Tue Apr 7 15:49:33 2020
Summary: Security update for runc
Type: security
Severity: moderate
References: 1149954,1160452,CVE-2019-19921
This update for runc fixes the following issues:
runc was updated to v1.0.0~rc10
- CVE-2019-19921: Fixed a mount race condition with shared mounts (bsc#1160452).
- Fixed an issue where podman run hangs when spawned by salt-minion process (bsc#1149954).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1197-1
Released: Wed May 6 13:52:04 2020
Summary: Security update for slirp4netns
Type: security
Severity: important
References: 1170940,CVE-2020-1983
This update for slirp4netns fixes the following issues:
Security issue fixed:
- CVE-2020-1983: Fixed a use-after-free in ip_reass (bsc#1170940).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1493-1
Released: Wed May 27 18:55:51 2020
Summary: Security update for libmspack
Type: security
Severity: low
References: 1130489,1141680,CVE-2019-1010305
This update for libmspack fixes the following issues:
Security issue fixed:
- CVE-2019-1010305: Fixed a buffer overflow triggered by a crafted chm file
which could have led to information disclosure (bsc#1141680).
Other issue addressed:
- Enable build-time tests (bsc#1130489)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1915-1
Released: Wed Jul 15 09:34:15 2020
Summary: Security update for slirp4netns
Type: security
Severity: important
References: 1172380,CVE-2020-10756
This update for slirp4netns fixes the following issues:
- Update to 0.4.7 (bsc#1172380)
* libslirp: update to v4.3.1 (Fix CVE-2020-10756)
* Fix config_from_options() to correctly enable ipv6
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2080-1
Released: Wed Jul 29 20:09:09 2020
Summary: Recommended update for libtool
Type: recommended
Severity: moderate
References: 1171566
This update for libtool provides missing the libltdl 32bit library. (bsc#1171566)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2965-1
Released: Tue Oct 20 13:27:21 2020
Summary: Recommended update for cni, cni-plugins
Type: recommended
Severity: moderate
References: 1172786
This update ships cni and cni-plugins to the Public Cloud Module of SUSE Linux Enterprise 15 SP2.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:927-1
Released: Tue Mar 23 14:07:06 2021
Summary: Recommended update for libreoffice
Type: recommended
Severity: moderate
References: 1041090,1049382,1116658,1136234,1155141,1173404,1173409,1173410,1173471,1174465,1176547,1177955,1178807,1178943,1178944,1179025,1179203,1181122,1181644,1181872,1182790
This update for libreoffice provides the upgrade from version 6.4.5.2 to 7.1.1.2 (jsc#ECO-3150, bsc#1182790)
libreoffice:
- Image shown with different aspect ratio (bsc#1176547)
- Text changes are reproducibly lost on PPTX with SmartArt (bsc#1181644)
- Adjust to new Box2D and enable KDE on SUSE Linux Enterprise 15-SP3 or newer (jsc#ECO-3375)
- Wrong bullet points in Impress (bsc#1174465)
- SmartArt: text wrongly aligned, background boxes not quite right (bsc#1177955)
- Update the SUSE color palette to reflect the new SUSE branding. (bsc#1181122, bsc#1173471)
- SUSE Mint
- SUSE Midnight Blue
- SUSE Waterhole Blue
- SUSE Persimmon
- Fix a crash opening a PPTX. (bsc#1179025)
- Fix text box from PowerPoint renders vertically instead of horizontally (bsc#1178807)
- Shadow effects for table completely missing (bsc#1178944, bsc#1178943)
- Disable firebird integration for the time being (bsc#1179203)
- Fixes hang on Writer on scrolling/saving of a document (bsc#1136234)
- Wrong rendering of bulleted lists in PPTX document (bsc#1155141)
- Sidebar: paragraph widget: numeric fields become inactive/unaccessible after saving (bsc#1173404)
- Crash of Writer opening any document having 'invalid' python file in home directory (bsc#1116658)
libixion:
Update to 0.16.1:
- fixed a build issue on 32-bit linux platforms, caused by slicing of integer string ID values.
- worked around floating point rounding errors which prevented two theoretically-equal numeric values from being
evaluated as equal in test code.
- added new function to allow printing of single formula tokens.
- added method for setting cached results on formula cells in model_context.
- changed the model_context design to ensure that all sheets are of the same size.
- added an accessor method to formula_model_access interface (and implicitly in model_context) that directly returns
a string value from cell.
- added cell_access class for querying of cell states without knowing its type ahead of time.
- added document class which provides a layer on top of model_context, to abstract away the handling of formula
calculations.
- deprecated model_context::erase_cell() in favor of empty_cell().
- added support for 3D references - references that contain multiple sheets.
- added support for the exponent (^) and concatenation (&) operators.
- fixed incorrect handling of range references containing whole columns such as A:A.
- added support for unordered range references - range references whose start row or column is greater than
their end position counterparts, such as A3:A1.
- fixed a bug that prevented nested formula functions from working properly.
- implemented Calc A1 style reference resolver.
- formula results now directly store the string values when the results are of string type.
They previously stored string ID values after interning the original strings.
- Removed build-time dependency on spdlog.
libmwaw:
Update to 0.3.17:
- add a parser for Jazz(Lotus) writer and spreasheet files. The writer parser can only be called if the file
still contains its resource fork
- add a parser for Canvas 3 and 3.5 files
- AppleWorks parser: try to retrieve more Windows presentation
- add a parser for Drawing Table files
- add a parser for Canvas 2 files
- API: add new reserved enums in MWAWDocument.hxx `MWAW_T_RESERVED10..MWAW_T_RESERVED29`
and add a new define in libmwaw.hxx `MWAW_INTERFACE_VERSION` to check if these enums are defined
- remove the QuarkXPress parser (must be in libqxp)
- retrieve the annotation in MsWord 5 document
- try to better understand RagTime 5-6 document
libnumbertext:
Update to 1.0.6
liborcus:
Update to 0.16.1
- Add upstream changes to fix build with GCC 11 (bsc#1181872)
libstaroffice:
Update to 0.0.7:
- fix `text:sender-lastname` when creating meta-data
libwps:
Update to 0.4.11:
- XYWrite: add a parser to .fil v2 and v4 files
- wks,wk1: correct some problems when retrieving cell's reference.
glfw:
New package provided on version 3.3.2:
- See also: https://www.glfw.org/changelog.html
- Sort list of input files to geany for reproducible builds (bsc#1049382, bsc#1041090)
* Require pkgconfig(gl) for the devel package to supply needed include GL/gl.h
* glfwFocusWindow could terminate on older WMs or without a WM
* Creating an undecorated window could fail with BadMatch
* Querying a disconnected monitor could segfault
* Video modes with a duplicate screen area were discarded
* The CMake files did not check for the XInput headers
* Key names were not updated when the keyboard layout changed
* Decorations could not be enabled after window creation
* Content scale fallback value could be inconsistent
* Disabled cursor mode was interrupted by indicator windows
* Monitor physical dimensions could be reported as zero mm
* Window position events were not emitted during resizing
* Added on-demand loading of Vulkan and context creation API libraries
* [X11] Bugfix: Window size limits were ignored if the minimum or maximum size was
set to `GLFW_DONT_CARE`
* [X11] Bugfix: Input focus was set before window was visible,
causing BadMatch on some non-reparenting WMs
* [X11] Bugfix: glfwGetWindowPos and glfwSetWindowPos operated on
the window frame instead of the client area
* [WGL] Added reporting of errors from `WGL_ARB_create_context` extension
* [EGL] Added lib prefix matching between EGL and OpenGL ES library binaries
* [EGL] Bugfix: Dynamically loaded entry points were not verified
- Made build of geany-tags optional.
Box2D:
New package provided on version 2.4.1:
* Extended distance joint to have a minimum and maximum limit.
* `B2_USER_SETTINGS` and `b2_user_settings.h` can control user
data, length units, and maximum polygon vertices.
* Default user data is now uintptr_t instead of void*
* b2FixtureDef::restitutionThreshold lets you set the
restitution velocity threshold per fixture.
* Collision
* Chain and edge shape must now be one-sided to eliminate ghost
collisions
* Broad-phase optimizations
* Added b2ShapeCast for linear shape casting
* Dynamics
* Joint limits are now predictive and not stateful
* Experimental 2D cloth (rope)
* b2Body::SetActive -> b2Body::SetEnabled
* Better support for running multiple worlds
* Handle zero density better
* The body behaves like a static body
* The body is drawn with a red color
* Added translation limit to wheel joint
* World dump now writes to box2d_dump.inl
* Static bodies are never awake
* All joints with spring-dampers now use stiffness and damping
* Added utility functions to convert frequency and damping
ratio to stiffness and damping
* Polygon creation now computes the convex hull.
* The convex hull code will merge vertices closer than dm_linearSlop.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:974-1
Released: Mon Mar 29 19:31:27 2021
Summary: Security update for tar
Type: security
Severity: low
References: 1181131,CVE-2021-20193
This update for tar fixes the following issues:
CVE-2021-20193: Memory leak in read_header() in list.c (bsc#1181131)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1954-1
Released: Fri Jun 11 10:45:09 2021
Summary: Security update for containerd, docker, runc
Type: security
Severity: important
References: 1168481,1175081,1175821,1181594,1181641,1181677,1181730,1181732,1181749,1182451,1182476,1182947,1183024,1183855,1184768,1184962,1185405,CVE-2021-21284,CVE-2021-21285,CVE-2021-21334,CVE-2021-30465
This update for containerd, docker, runc fixes the following issues:
Docker was updated to 20.10.6-ce (bsc#1184768, bsc#1182947, bsc#1181594)
* Switch version to use -ce suffix rather than _ce to avoid confusing other
tools (bsc#1182476).
* CVE-2021-21284: Fixed a potential privilege escalation when the root user in
the remapped namespace has access to the host filesystem (bsc#1181732)
* CVE-2021-21285: Fixed an issue where pulling a malformed Docker image manifest
crashes the dockerd daemon (bsc#1181730).
* btrfs quotas being removed by Docker regularly (bsc#1183855, bsc#1175081)
runc was updated to v1.0.0~rc93 (bsc#1182451, bsc#1175821 bsc#1184962).
* Use the upstream runc package (bsc#1181641, bsc#1181677, bsc#1175821).
* Fixed /dev/null is not available (bsc#1168481).
* CVE-2021-30465: Fixed a symlink-exchange attack vulnarability (bsc#1185405).
containerd was updated to v1.4.4
* CVE-2021-21334: Fixed a potential information leak through environment variables (bsc#1183397).
* Handle a requirement from docker (bsc#1181594).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2193-1
Released: Mon Jun 28 18:38:43 2021
Summary: Recommended update for tar
Type: recommended
Severity: moderate
References: 1184124
This update for tar fixes the following issues:
- Link '/var/lib/tests/tar/bin/genfile' as Position-Independent Executable (bsc#1184124)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2802-1
Released: Fri Aug 20 10:47:08 2021
Summary: Security update for libmspack
Type: security
Severity: moderate
References: 1103032,CVE-2018-14679,CVE-2018-14681,CVE-2018-14682
This update for libmspack fixes the following issues:
- CVE-2018-14681: Bad KWAJ file header extensions could cause a one or two byte overwrite. (bsc#1103032)
- CVE-2018-14682: There is an off-by-one error in the TOLOWER() macro for CHM decompression. (bsc#1103032)
- CVE-2018-14679: There is an off-by-one error in the CHM PMGI/PMGL chunk number validity checks, which could lead to denial of service. (bsc#1103032)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2895-1
Released: Tue Aug 31 19:40:32 2021
Summary: Recommended update for unixODBC
Type: recommended
Severity: moderate
References:
This update for unixODBC fixes the following issues:
- ECO: Update unixODBC to 2.3.9 in SLE 15. (jsc#SLE-18004)
- Fix incorrect permission for documentation files.
- Update requires and baselibs for new libodbc2.
- Employ shared library packaging guideline: new subpacakge libodbc2.
- Update to 2.3.9:
* Remove '#define UNIXODBC_SOURCE' from unixodbc_conf.h
- Update to 2.3.8:
* Add configure support for editline
* SQLDriversW was ignoring user config
* SQLDataSources Fix termination character
* Fix for pooling seg fault
* Make calling SQLSetStmtAttrW call the W function in the driver is its there
* Try and fix race condition clearing system odbc.ini file
* Remove trailing space from isql/iusql SQL
* When setting connection attributes set before connect also check if the W entry poins can be used
* Try calling the W error functions first if available in the driver
* Add iconvperdriver configure option to allow calling unicode_setup in SQLAllocHandle
* iconv handles was being lost when reusing pooled connection
* Catch null copy in iniPropertyInsert
* Fix a few leaks
- Update to 2.3.7:
* Fix for pkg-config file update on no linux platforms
* Add W entry for GUI work
* Various fixes for SQLBrowseConnect/W, SQLGetConnectAttr/W,and SQLSetConnectAttr/W
* Fix buffer overflows in SQLConnect/W and refine behaviour of SQLGet/WritePrivateProfileString
* SQLBrowseConnect/W allow disconnecting a started browse session after error
* Add --with-stats-ftok-name configure option to allow the selection of a file name
used to generate the IPC id when collecting stats. Default is the system odbc.ini file
* Improve diag record handling with the behavior of Windows DM and export SQLCancelHandle
* bug fix when SQLGetPrivateProfileString() is called to get a list of sections or a list of keys
* Connection pooling: Fix liveness check for Unicode drivers
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2962-1
Released: Mon Sep 6 18:23:01 2021
Summary: Recommended update for runc
Type: recommended
Severity: critical
References: 1189743
This update for runc fixes the following issues:
- Fixed an issue when toolbox container fails to start. (bsc#1189743)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3506-1
Released: Mon Oct 25 10:20:22 2021
Summary: Security update for containerd, docker, runc
Type: security
Severity: important
References: 1102408,1185405,1187704,1188282,1190826,1191015,1191121,1191334,1191355,1191434,CVE-2021-30465,CVE-2021-32760,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103
This update for containerd, docker, runc fixes the following issues:
Docker was updated to 20.10.9-ce. (bsc#1191355)
See upstream changelog in the packaged
/usr/share/doc/packages/docker/CHANGELOG.md.
CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103
container was updated to v1.4.11, to fix CVE-2021-41103. bsc#1191355
- CVE-2021-32760: Fixed that a archive package allows chmod of file outside of unpack target directory (bsc#1188282)
- Install systemd service file as well (bsc#1190826)
Update to runc v1.0.2. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.2
* Fixed a failure to set CPU quota period in some cases on cgroup v1.
* Fixed the inability to start a container with the 'adding seccomp filter
rule for syscall ...' error, caused by redundant seccomp rules (i.e. those
that has action equal to the default one). Such redundant rules are now
skipped.
* Made release builds reproducible from now on.
* Fixed a rare debug log race in runc init, which can result in occasional
harmful 'failed to decode ...' errors from runc run or exec.
* Fixed the check in cgroup v1 systemd manager if a container needs to be
frozen before Set, and add a setting to skip such freeze unconditionally.
The previous fix for that issue, done in runc 1.0.1, was not working.
Update to runc v1.0.1. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.1
* Fixed occasional runc exec/run failure ('interrupted system call') on an
Azure volume.
* Fixed 'unable to find groups ... token too long' error with /etc/group
containing lines longer than 64K characters.
* cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is
frozen. This is a regression in 1.0.0, not affecting runc itself but some
of libcontainer users (e.g Kubernetes).
* cgroupv2: bpf: Ignore inaccessible existing programs in case of
permission error when handling replacement of existing bpf cgroup
programs. This fixes a regression in 1.0.0, where some SELinux
policies would block runc from being able to run entirely.
* cgroup/systemd/v2: don't freeze cgroup on Set.
* cgroup/systemd/v1: avoid unnecessary freeze on Set.
- fix issues with runc under openSUSE MicroOS's SELinux policy. bsc#1187704
Update to runc v1.0.0. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.0
! The usage of relative paths for mountpoints will now produce a warning
(such configurations are outside of the spec, and in future runc will
produce an error when given such configurations).
* cgroupv2: devices: rework the filter generation to produce consistent
results with cgroupv1, and always clobber any existing eBPF
program(s) to fix runc update and avoid leaking eBPF programs
(resulting in errors when managing containers).
* cgroupv2: correctly convert 'number of IOs' statistics in a
cgroupv1-compatible way.
* cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
* cgroupv2: wait for freeze to finish before returning from the freezing
code, optimize the method for checking whether a cgroup is frozen.
* cgroups/systemd: fixed 'retry on dbus disconnect' logic introduced in rc94
* cgroups/systemd: fixed returning 'unit already exists' error from a systemd
cgroup manager (regression in rc94)
+ cgroupv2: support SkipDevices with systemd driver
+ cgroup/systemd: return, not ignore, stop unit error from Destroy
+ Make 'runc --version' output sane even when built with go get or
otherwise outside of our build scripts.
+ cgroups: set SkipDevices during runc update (so we don't modify
cgroups at all during runc update).
+ cgroup1: blkio: support BFQ weights.
+ cgroupv2: set per-device io weights if BFQ IO scheduler is available.
Update to runc v1.0.0~rc95. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95
This release of runc contains a fix for CVE-2021-30465, and users are
strongly recommended to update (especially if you are providing
semi-limited access to spawn containers to untrusted users). (bsc#1185405)
Update to runc v1.0.0~rc94. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc94
Breaking Changes:
* cgroupv1: kernel memory limits are now always ignored, as kmemcg has
been effectively deprecated by the kernel. Users should make use of regular
memory cgroup controls.
Regression Fixes:
* seccomp: fix 32-bit compilation errors
* runc init: fix a hang caused by deadlock in seccomp/ebpf loading code
* runc start: fix 'chdir to cwd: permission denied' for some setups
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:4171-1
Released: Thu Dec 23 09:55:13 2021
Summary: Security update for runc
Type: security
Severity: moderate
References: 1193436,CVE-2021-43784
This update for runc fixes the following issues:
Update to runc v1.0.3.
* CVE-2021-43784: Fixed a potential vulnerability related to the internal usage
of netlink, which is believed to not be exploitable with any released versions of runc (bsc#1193436)
* Fixed inability to start a container with read-write bind mount of a read-only fuse host mount.
* Fixed inability to start when read-only /dev in set in spec.
* Fixed not removing sub-cgroups upon container delete, when rootless cgroup
v2 is used with older systemd.
* Fixed returning error from GetStats when hugetlb is unsupported (which
causes excessive logging for kubernetes).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:69-1
Released: Thu Jan 13 15:12:30 2022
Summary: Security update for libmspack
Type: security
Severity: low
References: 1113040,CVE-2018-18586
This update for libmspack fixes the following issues:
- CVE-2018-18586: Fixed directory traversal in chmextract by adding anti '../' and leading slash protection (bsc#1113040).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:943-1
Released: Thu Mar 24 12:52:54 2022
Summary: Security update for slirp4netns
Type: security
Severity: moderate
References: 1179467,CVE-2020-29130
This update for slirp4netns fixes the following issues:
- CVE-2020-29130: Fixed an invalid memory access while processing ARP packets (bsc#1179467).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1548-1
Released: Thu May 5 16:45:28 2022
Summary: Security update for tar
Type: security
Severity: moderate
References: 1029961,1120610,1130496,1181131,CVE-2018-20482,CVE-2019-9923,CVE-2021-20193
This update for tar fixes the following issues:
- CVE-2021-20193: Fixed a memory leak in read_header() in list.c (bsc#1181131).
- CVE-2019-9923: Fixed a null-pointer dereference in pax_decode_header in sparse.c (bsc#1130496).
- CVE-2018-20482: Fixed infinite read loop in sparse_dump_region in sparse.c (bsc#1120610).
- Update to GNU tar 1.34:
* Fix extraction over pipe
* Fix memory leak in read_header (CVE-2021-20193) (bsc#1181131)
* Fix extraction when . and .. are unreadable
* Gracefully handle duplicate symlinks when extracting
* Re-initialize supplementary groups when switching to user
privileges
- Update to GNU tar 1.33:
* POSIX extended format headers do not include PID by default
* --delay-directory-restore works for archives with reversed
member ordering
* Fix extraction of a symbolic link hardlinked to another
symbolic link
* Wildcards in exclude-vcs-ignore mode don't match slash
* Fix the --no-overwrite-dir option
* Fix handling of chained renames in incremental backups
* Link counting works for file names supplied with -T
* Accept only position-sensitive (file-selection) options in file
list files
- prepare usrmerge (bsc#1029961)
- Update to GNU 1.32
* Fix the use of --checkpoint without explicit --checkpoint-action
* Fix extraction with the -U option
* Fix iconv usage on BSD-based systems
* Fix possible NULL dereference (savannah bug #55369)
[bsc#1130496] [CVE-2019-9923]
* Improve the testsuite
- Update to GNU 1.31
* Fix heap-buffer-overrun with --one-top-level, bug introduced
with the addition of that option in 1.28
* Support for zstd compression
* New option '--zstd' instructs tar to use zstd as compression
program. When listing, extractng and comparing, zstd compressed
archives are recognized automatically. When '-a' option is in
effect, zstd compression is selected if the destination archive
name ends in '.zst' or '.tzst'.
* The -K option interacts properly with member names given in the
command line. Names of members to extract can be specified along
with the '-K NAME' option. In this case, tar will extract NAME
and those of named members that appear in the archive after it,
which is consistent with the semantics of the option. Previous
versions of tar extracted NAME, those of named members that
appeared before it, and everything after it.
* Fix CVE-2018-20482 - When creating archives with the --sparse
option, previous versions of tar would loop endlessly if a
sparse file had been truncated while being archived.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2341-1
Released: Fri Jul 8 16:09:12 2022
Summary: Security update for containerd, docker and runc
Type: security
Severity: important
References: 1192051,1199460,1199565,1200088,1200145,CVE-2022-29162,CVE-2022-31030
This update for containerd, docker and runc fixes the following issues:
containerd:
- CVE-2022-31030: Fixed denial of service via invocation of the ExecSync API (bsc#1200145)
docker:
- Update to Docker 20.10.17-ce. See upstream changelog online at
https://docs.docker.com/engine/release-notes/#201017. (bsc#1200145)
runc:
Update to runc v1.1.3.
Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.3.
* Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on
s390 and s390x. This solves the issue where syscalls the host kernel did not
support would return `-EPERM` despite the existence of the `-ENOSYS` stub
code (this was due to how s390x does syscall multiplexing).
* Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as
intended; this fix does not affect runc binary itself but is important for
libcontainer users such as Kubernetes.
* Inability to compile with recent clang due to an issue with duplicate
constants in libseccomp-golang.
* When using systemd cgroup driver, skip adding device paths that don't exist,
to stop systemd from emitting warnings about those paths.
* Socket activation was failing when more than 3 sockets were used.
* Various CI fixes.
* Allow to bind mount /proc/sys/kernel/ns_last_pid to inside container.
- Fixed issues with newer syscalls (namely faccessat2) on older kernels on s390(x) caused by
that platform's syscall multiplexing semantics. (bsc#1192051 bsc#1199565)
Update to runc v1.1.2.
Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.2.
Security issue fixed:
- CVE-2022-29162: A bug was found in runc where runc exec --cap executed processes with
non-empty inheritable Linux process capabilities, creating an atypical Linux
environment. (bsc#1199460)
- `runc spec` no longer sets any inheritable capabilities in the created
example OCI spec (`config.json`) file.
Update to runc v1.1.1.
Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.1.
* runc run/start can now run a container with read-only /dev in OCI spec,
rather than error out. (#3355)
* runc exec now ensures that --cgroup argument is a sub-cgroup. (#3403)
libcontainer systemd v2 manager no longer errors out if one of the files
listed in /sys/kernel/cgroup/delegate do not exist in container's
cgroup. (#3387, #3404)
* Loosen OCI spec validation to avoid bogus 'Intel RDT is not supported'
error. (#3406)
* libcontainer/cgroups no longer panics in cgroup v1 managers if stat
of /sys/fs/cgroup/unified returns an error other than ENOENT. (#3435)
Update to runc v1.1.0.
Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.0.
- libcontainer will now refuse to build without the nsenter package being
correctly compiled (specifically this requires CGO to be enabled). This
should avoid folks accidentally creating broken runc binaries (and
incorrectly importing our internal libraries into their projects). (#3331)
Update to runc v1.1.0~rc1.
Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.0-rc.1.
+ Add support for RDMA cgroup added in Linux 4.11.
* runc exec now produces exit code of 255 when the exec failed.
This may help in distinguishing between runc exec failures
(such as invalid options, non-running container or non-existent
binary etc.) and failures of the command being executed.
+ runc run: new --keep option to skip removal exited containers artefacts.
This might be useful to check the state (e.g. of cgroup controllers) after
the container hasexited.
+ seccomp: add support for SCMP_ACT_KILL_PROCESS and SCMP_ACT_KILL_THREAD
(the latter is just an alias for SCMP_ACT_KILL).
+ seccomp: add support for SCMP_ACT_NOTIFY (seccomp actions). This allows
users to create sophisticated seccomp filters where syscalls can be
efficiently emulated by privileged processes on the host.
+ checkpoint/restore: add an option (--lsm-mount-context) to set
a different LSM mount context on restore.
+ intelrdt: support ClosID parameter.
+ runc exec --cgroup: an option to specify a (non-top) in-container cgroup
to use for the process being executed.
+ cgroup v1 controllers now support hybrid hierarchy (i.e. when on a cgroup v1
machine a cgroup2 filesystem is mounted to /sys/fs/cgroup/unified, runc
run/exec now adds the container to the appropriate cgroup under it).
+ sysctl: allow slashes in sysctl names, to better match sysctl(8)'s
behaviour.
+ mounts: add support for bind-mounts which are inaccessible after switching
the user namespace. Note that this does not permit the container any
additional access to the host filesystem, it simply allows containers to
have bind-mounts configured for paths the user can access but have
restrictive access control settings for other users.
+ Add support for recursive mount attributes using mount_setattr(2). These
have the same names as the proposed mount(8) options -- just prepend r
to the option name (such as rro).
+ Add runc features subcommand to allow runc users to detect what features
runc has been built with. This includes critical information such as
supported mount flags, hook names, and so on. Note that the output of this
command is subject to change and will not be considered stable until runc
1.2 at the earliest. The runtime-spec specification for this feature is
being developed in opencontainers/runtime-spec#1130.
* system: improve performance of /proc/$pid/stat parsing.
* cgroup2: when /sys/fs/cgroup is configured as a read-write mount, change
the ownership of certain cgroup control files (as per
/sys/kernel/cgroup/delegate) to allow for proper deferral to the container
process.
* runc checkpoint/restore: fixed for containers with an external bind mount
which destination is a symlink.
* cgroup: improve openat2 handling for cgroup directory handle hardening.
runc delete -f now succeeds (rather than timing out) on a paused
container.
* runc run/start/exec now refuses a frozen cgroup (paused container in case of
exec). Users can disable this using --ignore-paused.
- Update version data embedded in binary to correctly include the git commit of the release.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2360-1
Released: Tue Jul 12 12:01:39 2022
Summary: Security update for pcre2
Type: security
Severity: important
References: 1199232,CVE-2022-1586
This update for pcre2 fixes the following issues:
- CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2566-1
Released: Wed Jul 27 15:04:49 2022
Summary: Security update for pcre2
Type: security
Severity: important
References: 1199235,CVE-2022-1587
This update for pcre2 fixes the following issues:
- CVE-2022-1587: Fixed out-of-bounds read due to bug in recursions (bsc#1199235).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2735-1
Released: Wed Aug 10 04:31:41 2022
Summary: Recommended update for tar
Type: recommended
Severity: moderate
References: 1200657
This update for tar fixes the following issues:
- Fix race condition while creating intermediate subdirectories (bsc#1200657)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2844-1
Released: Thu Aug 18 14:41:25 2022
Summary: Recommended update for tar
Type: recommended
Severity: important
References: 1202436
This update for tar fixes the following issues:
- A regression in a previous update lead to potential deadlocks when extracting an archive. (bsc#1202436)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3142-1
Released: Wed Sep 7 09:54:18 2022
Summary: Security update for icu
Type: security
Severity: moderate
References: 1193951,CVE-2020-21913
This update for icu fixes the following issues:
- CVE-2020-21913: Fixed a memory safetey issue that could lead to use
after free (bsc#1193951).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3435-1
Released: Tue Sep 27 14:55:38 2022
Summary: Recommended update for runc
Type: recommended
Severity: important
References: 1202821
This update for runc fixes the following issues:
- Fix mounting via wrong proc fd. When the user and mount namespaces are used, and the bind mount is followed by the
cgroup mount in the spec, the cgroup was mounted using the bind mount's mount fd.
- Fix 'permission denied' error from runc run on noexec fs
- Fix regression causing a failed 'exec' error after systemctl daemon-reload (bsc#1202821)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3927-1
Released: Wed Nov 9 14:55:47 2022
Summary: Recommended update for runc
Type: recommended
Severity: moderate
References: 1202021,1202821
This update for runc fixes the following issues:
- Update to runc v1.1.4 (bsc#1202021)
- Fix failed exec after systemctl daemon-reload (bsc#1202821)
- Fix mounting via wrong proc
- Fix 'permission denied' error from runc run on noexec filesystem
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4312-1
Released: Fri Dec 2 11:16:47 2022
Summary: Recommended update for tar
Type: recommended
Severity: moderate
References: 1200657,1203600
This update for tar fixes the following issues:
- Fix unexpected inconsistency when making directory (bsc#1203600)
- Update race condition fix (bsc#1200657)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4592-1
Released: Tue Dec 20 16:51:35 2022
Summary: Security update for cni
Type: security
Severity: important
References: 1181961,CVE-2021-20206
This update for cni fixes the following issues:
- CVE-2021-20206: Fixed arbitrary path injection via type field in CNI configuration (bsc#1181961).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:179-1
Released: Thu Jan 26 21:54:30 2023
Summary: Recommended update for tar
Type: recommended
Severity: low
References: 1202436
This update for tar fixes the following issue:
- Fix hang when unpacking test tarball (bsc#1202436)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:463-1
Released: Mon Feb 20 16:33:39 2023
Summary: Security update for tar
Type: security
Severity: moderate
References: 1202436,1207753,CVE-2022-48303
This update for tar fixes the following issues:
- CVE-2022-48303: Fixed a one-byte out-of-bounds read that resulted in use of uninitialized memory for a conditional jump (bsc#1207753).
Bug fixes:
- Fix hang when unpacking test tarball (bsc#1202436).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:557-1
Released: Tue Feb 28 09:29:15 2023
Summary: Security update for libxslt
Type: security
Severity: important
References: 1208574,CVE-2021-30560
This update for libxslt fixes the following issues:
- CVE-2021-30560: Fixing a use after free vulnerability in Blink XSLT (bsc#1208574).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:870-1
Released: Wed Mar 22 09:44:13 2023
Summary: Security update for slirp4netns
Type: security
Severity: moderate
References: 1179466,1179467,CVE-2020-29129,CVE-2020-29130
This update for slirp4netns fixes the following issues:
- CVE-2020-29129: Fixed out-of-bounds access while processing NCSI packets (bsc#1179466).
- CVE-2020-29130: Fixed out-of-bounds access while processing ARP packets (bsc#1179467).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1774-1
Released: Wed Apr 5 13:13:19 2023
Summary: Recommended update for libcontainers-common
Type: recommended
Severity: moderate
References: 1171578,1175821,1182998,1197093,1200524,1205536,1207509
This update for libcontainers-common fixes the following issues:
- Add registry.suse.com to the unqualified-search-registries (bsc#1205536)
- New upstream release 20230214
- bump c/storage to 1.45.3
- bump c/image to 5.24.1
- bump c/common to 0.51.0
- containers.conf:
- add commented out options containers.read_only, engine.platform_to_oci_runtime,
engine.events_container_create_inspect_data, network.volume_plugin_timeout, engine.runtimes.youki, machine.provider
- remove deprecated setting containers.userns_size
- add youki to engine.runtime_supports_json
- shortnames.conf: pull in latest upstream version
- storage.conf: add commented out option storage.transient_store
- correct license to APACHE-2.0
- Changes introduced to c/storage's storage.conf which adds a driver_priority attribute would break consumers of
libcontainer-common as long as those packages are vendoring an older c/storage version. (bsc#1207509)
- storage.conf: Unset 'driver' and set 'driver_priority' to allow podman to use 'btrfs' if available and fallback to
'overlay' if not.
- .spec: rm %post script to set 'btrfs' as storage driver in storage.conf
- Remove registry.suse.com from search unqualified-search-registries
- add requires on util-linux-systemd for findmnt in profile script
- only set storage_driver env when no libpod exists
- add container-storage-driver.sh (bsc#1197093)
- postinstall script: slight cleanup, no functional change
- set detached sigstore attachments for the SUSE controlled registries
- Fix obvious typo in containers.conf
- Resync containers.conf / storage.conf with Fedora
- Create /etc/containers/registries.conf.d and add 000-shortnames.conf to it.
- Use $() again in %post, but with a space for POSIX compliance
- Add missing Requires(post): sed (bsc#1200524)
- Make %post compatible with dash
- Switch registries.conf to v2 format
- Reintroduce SLE specific mounts config, to avoid errors on non-SLE systems
- Require util-linux-systemd for %post scripts (bsc#1182998, jsc#SLE-12122, bsc#1175821)
- Update default registry (bsc#1171578)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1880-1
Released: Tue Apr 18 11:11:27 2023
Summary: Recommended update for systemd-rpm-macros
Type: recommended
Severity: low
References: 1208079
This update for systemd-rpm-macros fixes the following issue:
- Don't emit a warning when the flag file in /var/lib/systemd/migrated/ is not present as it's expected (bsc#1208079).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2307-1
Released: Mon May 29 10:29:49 2023
Summary: Recommended update for kbd
Type: recommended
Severity: low
References: 1210702
This update for kbd fixes the following issue:
- Add 'ara' vc keymap, 'ara' is slightly better than 'arabic' as it matches the name of its X11 layout counterpart. (bsc#1210702)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2482-1
Released: Mon Jun 12 07:19:53 2023
Summary: Recommended update for systemd-rpm-macros
Type: recommended
Severity: moderate
References: 1211272
This update for systemd-rpm-macros fixes the following issues:
- Adjust functions so they are disabled when called from a chroot (bsc#1211272)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2877-1
Released: Wed Jul 19 09:43:42 2023
Summary: Security update for dbus-1
Type: security
Severity: moderate
References: 1212126,CVE-2023-34969
This update for dbus-1 fixes the following issues:
- CVE-2023-34969: Fixed a possible dbus-daemon crash by an unprivileged users (bsc#1212126).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2882-1
Released: Wed Jul 19 11:49:39 2023
Summary: Security update for perl
Type: security
Severity: important
References: 1210999,CVE-2023-31484
This update for perl fixes the following issues:
- CVE-2023-31484: Enable TLS cert verification in CPAN (bsc#1210999).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2885-1
Released: Wed Jul 19 16:58:43 2023
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1208721,1209229,1211828
This update for glibc fixes the following issues:
- getlogin_r: fix missing fallback if loginuid is unset (bsc#1209229, BZ #30235)
- Exclude static archives from preparation for live patching (bsc#1208721)
- resolv_conf: release lock on allocation failure (bsc#1211828, BZ #30527)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2891-1
Released: Wed Jul 19 21:14:33 2023
Summary: Security update for curl
Type: security
Severity: moderate
References: 1213237,CVE-2023-32001
This update for curl fixes the following issues:
- CVE-2023-32001: Fixed TOCTOU race condition (bsc#1213237).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2918-1
Released: Thu Jul 20 12:00:17 2023
Summary: Recommended update for gpgme
Type: recommended
Severity: moderate
References: 1089497
This update for gpgme fixes the following issues:
gpgme:
- Address failure handling issues when using gpg 2.2.6 via gpgme, as used by libzypp (bsc#1089497)
libassuan:
- Version upgrade to 2.5.5 in LTSS to address gpgme new requirements
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2962-1
Released: Tue Jul 25 09:34:53 2023
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1213487,CVE-2023-3446
This update for openssl-1_1 fixes the following issues:
- CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3275-1
Released: Fri Aug 11 10:19:36 2023
Summary: Recommended update for apparmor
Type: recommended
Severity: moderate
References: 1213472
This update for apparmor fixes the following issues:
- Add pam_apparmor README (bsc#1213472)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3286-1
Released: Fri Aug 11 10:32:03 2023
Summary: Recommended update for util-linux
Type: recommended
Severity: moderate
References: 1194038,1194900
This update for util-linux fixes the following issues:
- Fix blkid for floppy drives (bsc#1194900)
- Fix rpmbuild %checks fail when @ in the directory path (bsc#1194038)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3327-1
Released: Wed Aug 16 08:45:25 2023
Summary: Security update for pcre2
Type: security
Severity: moderate
References: 1213514,CVE-2022-41409
This update for pcre2 fixes the following issues:
- CVE-2022-41409: Fixed integer overflow vulnerability in pcre2test that allows attackers to cause a denial of service via negative input (bsc#1213514).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3363-1
Released: Fri Aug 18 14:54:16 2023
Summary: Security update for krb5
Type: security
Severity: important
References: 1214054,CVE-2023-36054
This update for krb5 fixes the following issues:
- CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3397-1
Released: Wed Aug 23 18:35:56 2023
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1213517,1213853,CVE-2023-3817
This update for openssl-1_1 fixes the following issues:
- CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)
- Don't pass zero length input to EVP_Cipher because s390x assembler optimized AES cannot handle zero size. (bsc#1213517)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3451-1
Released: Mon Aug 28 12:15:22 2023
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1186606,1194609,1208194,1209741,1210702,1211576,1212434,1213185,1213575,1213873
This update for systemd fixes the following issues:
- Fix reboot and shutdown issues by getting only active MD arrays (bsc#1211576, bsc#1212434, bsc#1213575)
- Decrease devlink priority for iso disks (bsc#1213185)
- Do not ignore mount point paths longer than 255 characters (bsc#1208194)
- Refuse hibernation if there's no possible way to resume (bsc#1186606)
- Update 'korean' and 'arabic' keyboard layouts (bsc#1210702)
- Drop some entries no longer needed by YaST (bsc#1194609)
- The 'systemd --user' instances get their own session keyring instead of the user default one (bsc#1209741)
- Dynamically allocate receive buffer to handle large amount of mounts (bsc#1213873)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3486-1
Released: Tue Aug 29 14:25:23 2023
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1214071
This update for lvm2 fixes the following issues:
- blkdeactivate calls wrong mountpoint cmd (bsc#1214071)
The following package changes have been done:
- kbd-legacy-2.4.0-150400.5.6.1 updated
- filesystem-15.0-150400.1.1 updated
- glibc-2.31-150300.52.2 updated
- perl-base-5.26.1-150300.17.14.1 updated
- libuuid1-2.37.2-150400.8.20.1 updated
- libudev1-249.16-150400.8.33.1 updated
- libsmartcols1-2.37.2-150400.8.20.1 updated
- libpcre2-8-0-10.39-150400.4.9.1 added
- libblkid1-2.37.2-150400.8.20.1 updated
- libaudit1-3.0.6-150400.4.13.1 updated
- libapparmor1-3.0.4-150400.5.6.1 updated
- libfdisk1-2.37.2-150400.8.20.1 updated
- libxtables12-1.8.7-1.1 added
- libmspack0-0.6-3.14.1 added
- libltdl7-2.4.6-3.4.1 added
- libassuan0-2.5.5-150000.4.5.2 updated
- file-5.32-7.14.1 added
- libmnl0-1.0.4-1.25 added
- libgdbm4-1.12-1.418 added
- libselinux1-3.4-150400.1.8 updated
- login_defs-4.8.1-150400.1.7 updated
- libsystemd0-249.16-150400.8.33.1 updated
- libmount1-2.37.2-150400.8.20.1 updated
- libdevmapper1_03-2.03.05_1.02.163-150400.188.1 updated
- libxslt1-1.1.34-150400.3.3.1 added
- libdbus-1-3-1.12.2-150400.18.8.1 updated
- libicu65_1-ledata-65.1-150200.4.5.1 added
- xz-5.2.3-150000.4.7.1 added
- tar-1.34-150000.3.31.1 added
- which-2.21-2.20 added
- iproute2-5.14-150400.1.8 added
- glibc-locale-base-2.31-150300.52.2 updated
- gawk-4.2.1-150000.3.3.1 added
- systemd-rpm-macros-13-150000.7.33.1 updated
- libopenssl1_1-1.1.1l-150400.7.53.1 updated
- libcryptsetup12-2.4.3-150400.3.3.1 updated
- krb5-1.19.2-150400.3.6.1 updated
- libcurl4-8.0.1-150400.5.26.1 updated
- hostname-3.16-2.22 added
- shadow-4.8.1-150400.1.7 updated
- kbd-2.4.0-150400.5.6.1 updated
- dbus-1-1.12.2-150400.18.8.1 updated
- util-linux-2.37.2-150400.8.20.1 updated
- systemd-249.16-150400.8.33.1 updated
- util-linux-systemd-2.37.2-150400.8.20.1 added
- system-user-nobody-20170617-150400.22.33 added
- libcontainers-common-20230214-150400.3.5.2 added
- runc-1.1.4-150000.36.1 added
- slirp4netns-0.4.7-150100.3.18.1 added
- cni-0.7.1-150100.3.8.1 added
- libicu-suse65_1-65.1-150200.4.5.1 added
- container:rancher-elemental-teal-5.4-latest-- added
- container:bci-bci-busybox-15.4-- added
- container:bci-bci-busybox-latest-- removed
- container:rancher-elemental-builder-image-5.3-latest-- removed
- container:rancher-elemental-teal-5.3-latest-- removed
- libcryptsetup12-hmac-2.4.3-150400.1.110 removed
- libgcrypt20-hmac-1.9.4-150400.6.8.1 removed
- libopenssl1_1-hmac-1.1.1l-150400.7.45.1 removed
- libsemanage1-3.1-150400.1.65 removed
- libsepol1-3.1-150400.1.70 removed
- patterns-base-fips-20200124-150400.20.4.1 removed
- systemd-presets-branding-SMO-20220103-150400.2.1 removed
More information about the sle-security-updates
mailing list