SUSE-CU-2023:2962-1: Security update of rancher/elemental-teal/5.4

sle-security-updates
Thu Sep 14 07:03:02 UTC 2023

SUSE Container Update Advisory: rancher/elemental-teal/5.4
Container Advisory ID : SUSE-CU-2023:2962-1
Container Tags        : rancher/elemental-teal/5.4:1.2.2 , rancher/elemental-teal/5.4:1.2.2-2.6 , rancher/elemental-teal/5.4:latest
Container Release     : 2.6
Severity              : important
Type                  : security
References            : 1168481 1187364 1187365 1187366 1187367 1197093 1198773 1200441
                        1201519 1201551 1204844 1206346 1207004 1208074 1208364 1208510
                        1208737 1208962 1209307 1209495 1209884 1209888 1210004 1210298
                        1211079 1211124 1211418 1211419 1211578 CVE-2021-3592 CVE-2021-3593
                        CVE-2021-3594 CVE-2021-3595 CVE-2023-0778 CVE-2023-25809 CVE-2023-2602
                        CVE-2023-2603 CVE-2023-27561 CVE-2023-28642

The container rancher/elemental-teal/5.4 was updated. The following patches have been included in this update:

Advisory ID: SUSE-SU-2022:1465-1
Released:    Fri Apr 29 11:36:02 2022
Summary:     Security update for libslirp
Type:        security
Severity:    important
References:  1187364,1187366,1187367,1198773,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595
This update for libslirp fixes the following issues:

- CVE-2021-3592: Fixed invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364).
- CVE-2021-3594: Fixed invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367).
- CVE-2021-3595: Fixed invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366).
- Fix a dhcp regression (bsc#1198773)

Advisory ID: SUSE-SU-2022:1730-1
Released:    Wed May 18 16:56:21 2022
Summary:     Security update for libslirp
Type:        security
Severity:    important
References:  1187364,1187366,1187367,1198773,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595
This update for libslirp fixes the following issues:

- CVE-2021-3592: Fixed invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364).
- CVE-2021-3594: Fixed invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367).
- CVE-2021-3595: Fixed invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366).
- Fix a dhcp regression (bsc#1198773)

Advisory ID: SUSE-SU-2022:2941-1
Released:    Tue Aug 30 10:51:09 2022
Summary:     Security update for libslirp
Type:        security
Severity:    moderate
References:  1187365,1201551,CVE-2021-3593
This update for libslirp fixes the following issues:

- CVE-2021-3593: Fixed invalid pointer initialization may lead to information disclosure (udp6) (bsc#1187365).

Non-security fixes:

- Fix the version header (bsc#1201551)

Advisory ID: SUSE-SU-2023:1814-1
Released:    Tue Apr 11 14:40:34 2023
Summary:     Security update for podman
Type:        security
Severity:    important
References:  1197093,1208364,1208510,1209495,CVE-2023-0778
This update for podman fixes the following issues:

Update to version 4.4.4:

  * libpod: always use direct mapping
  * macos pkginstaller: do not fail when podman-mac-helper fails
  * podman-mac-helper: install: do not error if already installed

- podman.spec: Bump required version for libcontainers-common (bsc#1209495)

Update to version 4.4.3:

  * compat: /auth: parse server address correctly
  * vendor at v0.51.1
  * pkginstaller: bump Qemu to version 7.2.0
  * podman machine: Adjust Chrony makestep config
  * [v4.4] fix --health-on-failure=restart in transient unit
  * podman logs passthrough driver support --cgroups=split
  * journald logs: simplify entry parsing
  * podman logs: read journald with passthrough
  * journald: remove initializeJournal()
  * netavark: only use aardvark ip as nameserver
  * compat API: network create return 409 for duplicate
  * fix 'podman logs --since --follow' flake
  * system service --log-level=trace: support hijack
  * podman-mac-helper: exit 1 on error
  * bump to v0.8.0
  * Fix package restore
  * Quadlet - use the default runtime

Update to version 4.4.2:

  * Revert 'CI: Temporarily disable all AWS EC2-based tasks'
  * kube play: only enforce passthrough in Quadlet
  * Emergency fix for man pages: check for broken includes
  * CI: Temporarily disable all AWS EC2-based tasks
  * quadlet system tests: add useful defaults, logging
  * volume,container: chroot to source before exporting content
  * install sigproxy before start/attach
  * Update to c/image 5.24.1
  * events + container inspect test: RHEL fixes

- podman.spec: add `crun` requirement for quadlet
- podman.spec: set PREFIX at build stage (bsc#1208510)

- CVE-2023-0778: Fixed symlink exchange attack in podman export volume (bsc#1208364)

Update to version 4.4.1:

  * kube play: do not teardown unconditionally on error
  * Resolve symlink path for qemu directory if possible
  * events: document journald identifiers
  * Quadlet: exit 0 when there are no files to process
  * Cleanup podman-systemd.unit file
  * Install podman-systemd.unit man page, make quadlet discoverable
  * Add missing return after errors
  * oci: bind mount /sys with --userns=(auto|pod:)
  * docs: specify order preference for FROM
  * Cirrus: Fix & remove GraphQL API tests
  * test: adapt test to work on cgroupv1
  * make hack/markdown-preprocess parallel-safe
  * Fix default handling of pids-limit
  * system tests: fix volume exec/noexec test

Update to version 4.4.0:

  * Emergency fix for RHEL8 gating tests
  * Do not mount /dev/tty into rootless containers
  * Fixes port collision issue on use of --publish-all
  * Fix usage of absolute windows paths with --image-path
  * fix #17244: use /etc/timezone where `timedatectl` is missing on Linux
  * podman-events: document verbose create events
  * Making gvproxy.exe optional for building Windows installer
  * Add gvproxy to Windows packages
  * Match VT device paths to be blocked from mounting exactly
  * Clean up more language for inclusiveness
  * Set runAsNonRoot=true in gen kube
  * quadlet: Add device support for .volume files
  * fix: running check error when podman is default in wsl
  * fix: don't output 'ago' when container is currently up and running
  * journald: podman logs only show logs for current user
  * journald: podman events only show events for current user
  * Add (podman {image,manifest} push --sign-by-sigstore=param-file.yaml)
  * DB: make loading container states optional
  * ps: do not sync container
  * Allow --device-cgroup-rule to be passed in by docker API
  * Create release notes for v4.4.0
  * Cirrus: Update operating branch
  * fix APIv2 python attach test flake
  * ps: query health check in batch mode
  * make example volume import, not import volume
  * Correct output when inspecting containers created with --ipc
  * Vendor containers/(storage, image, common, buildah)
  * Get correct username in pod when using --userns=keep-id
  * ps: get network data in batch mode
  * build(deps): bump from 1.25.0 to 1.26.0
  * add hack/perf for comparing two container engines
  * systems: retrofit dns options test to honor other search domains
  * ps: do not create copy of container config
  * libpod: set search domain independently of nameservers
  * libpod,netavark: correctly populate /etc/resolv.conf with custom dns server
  * podman: relay custom DNS servers to network stack
  * (fix) mount_program is in storage.options.overlay
  * Change example target to default in doc
  * network create: do not allow `default` as name
  * kube-play: add support for HostPID in podSpec
  * build(deps): bump
  * Let's see if #14653 is fixed or not
  * Add support for podman build --group-add
  * vendor in latest containers/(storage, common, build, image)
  * unskip network update test
  * do not install swagger by default
  * pasta: skip 'Local forwarder, IPv4' test
  * add testbindings Makefile target
  * update CI images to include pasta
  * [CI:DOCS] Add CNI deprecation notices to documentation
  * Cirrus: preserve podman-server logs
  * waitPidStop: reduce sleep time to 10ms
  * StopContainer: return if cleanup process changed state
  * StopSignal: add a comment
  * StopContainer: small refactor
  * waitPidStop: simplify code
  * e2e tests: reenable long-skipped build test
  * Add openssh-clients to podmanimage
  * Reworks Windows smoke test to tunnel through interactive session.
  * fix bud-multiple-platform-with-base-as-default-arg flake
  * Remove ReservedAnnotations from kube generate specification
  * e2e: update test/
  * e2e: use isRootless() instead of rootless.IsRootless()
  * Cleanup documentation on --userns=auto
  * Vendor in latest c/common
  * sig-proxy system test: bump timeout
  * build(deps): bump
  * rootless: rename auth-scripts to preexec-hooks
  * Docs: version-check updates
  * commit: use libimage code to parse changes
  * [CI:DOCS] Remove experimental mac tutorial
  * man: Document the interaction between --systemd and --privileged
  * Make rootless privileged containers share the same tty devices as rootfull ones
  * container kill: handle stopped/exited container
  * Vendor in latest containers/(image,ocicrypt)
  * add a comment to container removal
  * Vendor in latest containers/storage
  * Cirrus: Run machine tests on PR merge
  * fix flake in kube system test
  * kube play: complete container spec
  * E2E Tests: Use inspect instead of actual data to avoid UDP flake
  * Use containers/storage/pkg/regexp in place of regexp
  * Vendor in latest containers/storage
  * Cirrus: Support using updated/latest NV/AV in PRs
  * Limit replica count to 1 when deploying from kubernetes YAML
  * Set StoppedByUser earlier in the process of stopping
  * podman-play system test: refactor
  * network: add support for podman network update and --network-dns-server
  * service container: less verbose error logs
  * Quadlet Kube - add support for PublishPort key
  * e2e: fix systemd_activate_test
  * Compile regex on demand not in init
  * [docker compat] Don't overwrite the NetworkMode if containers.conf overrides netns.
  * E2E Test: Play Kube set deadline to connection to avoid hangs
  * Only prevent VTs to be mounted inside privileged systemd containers
  * e2e: fix play_kube_test
  * Updated error message for supported VolumeSource types
  * Introduce pkg retry logic in win installer task
  * logformatter: include base SHA, with history link
  * Network tests: ping, not
  * cobra: move engine shutdown to Execute
  * Updated options for QEMU on Windows hosts
  * Update Mac installer to use gvproxy v0.5.0
  * podman: podman rm -f doesn't leave processes
  * oci: check for valid PID before kill(pid, 0)
  * linux: add /sys/fs/cgroup if /sys is a bind mount
  * Quadlet: Add support for ConfigMap key in Kube section
  * remove service container _after_ pods
  * Kube Play - allow setting and overriding published host ports
  * oci: terminate all container processes on cleanup
  * Update win-sshproxy to 0.5.0 gvisor tag
  * Vendor in latest containers/common
  * Fix a potential defer logic error around locking
  * logformatter: nicer formatting for bats failures
  * logformatter: refactor verbose line-print
  * e2e tests: stop using UBI images
  * k8s-file: podman logs --until --follow exit after time
  * journald: podman logs --until --follow exit after time
  * journald: seek to time when --since is used
  * podman logs: journald fix --since and --follow
  * Preprocess files in UTF-8 mode
  * Vendor in latest containers/(common, image, storage)
  * Switch to C based msi hooks for win installer
  * hack/bats: improve usage message
  * hack/bats: add --remote option
  * hack/bats: fix root/rootless logic
  * Describe copy volume options
  * Support sig-proxy for podman-remote attach and start
  * libpod: fix race condition rm'ing stopping containers
  * e2e: fix run_volume_test
  * Add support for Windows ARM64
  * Add shared --compress to man pages
  * Add container error message to ContainerState
  * Man page checker: require canonical name in SEE ALSO
  * system df: improve json output code
  * kube play: fix the error logic with --quiet
  * System tests: quadlet network test
  * Fix: List container with volume filter
  * adding -dryrun flag
  * Quadlet Container: Add support for EnvironmentFile and EnvironmentHost
  * Kube Play: use passthrough as the default log-driver if service-container is set
  * System tests: add missing cleanup
  * System tests: fix unquoted question marks
  * Build and use a newer systemd image
  * Quadlet Network - Fix the name of the required network service
  * System Test Quadlet - Volume dependency test did not test the dependency
  * fix `podman system connection - tcp` flake
  * vendor: bump c/storage to a747b27
  * Fix instructions about setting storage driver on command-line
  * Test README - point users to hack/bats
  * System test: quadlet kube basic test
  * Fixed `podman update --pids-limit`
  * podman-remote,bindings: trim context path correctly when its emptydir
  * Quadlet Doc: Add section for .kube files
  * e2e: fix containers_conf_test
  * Allow '/' to prefix container names to match Docker
  * Remove references to qcow2
  * Fix typos in man page regarding transient storage mode.
  * make: Use PYTHON var for .install.pre-commit
  * Add containers.conf read-only flag support
  * Explain that relabeling/chowning of volumes can take a long time
  * events: support 'die' filter
  * infra/abi: refactor ContainerRm
  * When in transient store mode, use rundir for bundlepath
  * quadlet: Support Type=oneshot container files
  * hacks/bats: keep QUADLET env var in test env
  * New system tests for conflicting options
  * Vendor in latest containers/(buildah, image, common)
  * Output Size and Reclaimable in human form for json output
  * podman service: close duplicated /dev/null fd
  * ginkgo tests: apply ginkgolinter fixes
  * Add support for hostPath and configMap subpath usage
  * export: use io.Writer instead of file
  * rootless: always create userns with euid != 0
  * rootless: inhibit copy mapping for euid != 0
  * pkg/domain/infra/abi: introduce `type containerWrapper`
  * vendor: bump to buildah ca578b290144 and use new cache API
  * quadlet: Handle booleans that have defaults better
  * quadlet: Rename parser.LookupBoolean to LookupBooleanWithDefault
  * Add podman-clean-transient.service service
  * Stop recording annotations set to false
  * Unify --noheading and -n to be consistent on all commands
  * pkg/domain/infra/abi: add `getContainers`
  * Update vendor of containers/(common, image)
  * specfile: Drop user-add dependency from quadlet subpackage.
  * quadlet: Default BINDIR to /usr/bin if tag not specified
  * Quadlet: add network support
  * Add comment for jsonMarshal command
  * Always allow pushing from containers-storage
  * libpod: move NetNS into state db instead of extra bucket
  * Add initial system tests for quadlets
  * quadlet: Add --user option
  * libpod: remove CNI word where no longer applicable
  * libpod: fix header length in http attach with logs
  * podman-kube@ template: use `podman kube`
  * build(deps): bump
  * wait: add --ignore option
  * quadlet: Respect $PODMAN env var for podman binary
  * e2e: Add assert-key-is-regex check to quadlet e2e testsuite
  * e2e: Add some assert to quadlet test to make sure testcases are sane
  * remove unmapped ports from inspect port bindings
  * update podman-network-create for clarity
  * Vendor in latest containers/common with default capabilities
  * pkg/rootless: Change error text ...
  * rootless: add cli validator
  * rootless: define LIBEXECPODMAN
  * doc: fix documentation for idmapped mounts
  * bump golangci-lint to v1.50.1
  * build(deps): bump from 1.24.1 to 1.24.2
  * [CI:DOCS] podman-mount: s/umount/unmount/
  * create/pull --help: list pull policies
  * Network Create: Add --ignore flag to support idempotent script
  * Make qemu security model none
  * libpod: use OCI idmappings for mounts
  * stop reporting errors removing containers that don't exist
  * test: added test for wait endpoint with too long label
  * quadlet: Default VolatileTmp to off
  * build(deps): bump from 0.5.10 to 0.5.11
  * docs/options/ipc: fix list syntax
  * Docs: Add dedicated DOWNLOAD doc w/ links to bins
  * Make a consistently-named windows installer
  * checkpoint restore: fix --ignore-static-ip/mac
  * add support for subpath in play kube for named volumes
  * build(deps): bump from 0.2.0 to 0.4.0
  * golangci-lint: remove three deprecated linters
  * parse-localbenchmarks: separate standard deviation
  * build(deps): bump from 0.2.0 to 0.3.0
  * podman play kube support container startup probe
  * Add podman buildx version support
  * Cirrus: Collect benchmarks on machine instances
  * Cirrus: Remove escape codes from log files
  * [CI:DOCS] Clarify secret target behavior
  * Fix typo on network docs
  * podman-remote build add --volume support
  * remote: allow --http-proxy for remote clients
  * Cleanup kube play workloads if error happens
  * health check: ignore dependencies of transient systemd units/timers
  * fix: event read from syslog
  * Fixes secret (un)marshaling for kube play.
  * Remove 'you' from man pages
  * build(deps): bump from 0.3.0 to 0.4.0 in /test/tools
  * [CI:DOCS] test/ run tests with podman-remote
  * e2e: keeps the http_proxy value
  * Makefile: Add podman-mac-helper to darwin client zip
  * test/e2e: enable 'podman run with ipam none driver' for nv
  * [skip-ci] GHA/Cirrus-cron: Fix execution order
  * kube sdnotify: run proxies for the lifespan of the service
  * Update containers common package
  * podman manpage: Use man-page links instead of file names
  * e2e: fix e2e tests in proxy environment
  * Fix test
  * disable healthchecks automatically on non systemd systems
  * Quadlet Kube: Add support for userns flag
  * [CI:DOCS] Add warning about --opts,o with mount's -o
  * Add podman system prune --external
  * Add some tests for transient store
  * runtime: In transient_store mode, move bolt_state.db to rundir
  * runtime: Handle the transient store options
  * libpod: Move the creation of TmpDir to an earlier time
  * network create: support '-o parent=XXX' for ipvlan
  * compat API: allow MacAddress on container config
  * Quadlet Kube: Add support for relative path for YAML file
  * notify k8s system test: move sending message into exec
  * runtime: do not chown idmapped volumes
  * quadlet: Drop ExecStartPre=rm %t/%N.cid
  * Quadlet Kube: Set SyslogIdentifier if was not set
  * Add a FreeBSD cross build to the cirrus alt build task
  * Add completion for --init-ctr
  * Fix handling of readonly containers when defined in kube.yaml
  * Build cross-compilation fixes
  * libpod: Track healthcheck API changes in healthcheck_unsupported.go
  * quadlet: Use same default capability set as podman run
  * quadlet: Drop --pull=never
  * quadlet: Change default of ReadOnly to no
  * quadlet: Change RunInit default to no
  * quadlet: Change NoNewPrivileges default to false
  * test: podman run with checkpoint image
  * Enable 'podman run' for checkpoint images
  * test: Add tests for checkpoint images
  * CI setup: simplify environment passthrough code
  * Init containers should not be restarted
  * Update c/storage after
  * Set the latest release explicitly
  * add friendly comment
  * fix an overriding logic and load config problem
  * Update the issue templates
  * Update vendor of containers/(image, buildah)
  * [CI:DOCS] Skip windows-smoke when not useful
  * [CI:DOCS] Remove broken gate-container docs
  * OWNERS: add Jason T. Greene
  * hack/podmansnoop: print arguments
  * Improve atomicity of VM state persistence on Windows
  * [CI:BUILD] copr: enable podman-restart.service on rpm installation
  * macos: pkg: Use -arm64 suffix instead of -aarch64
  * linux: Add -linux suffix to podman-remote-static binaries
  * linux: Build amd64 and arm64 podman-remote-static binaries
  * container create: add inspect data to event
  * Allow manual override of install location
  * Run codespell on code
  * Add missing parameters for checkpoint/restore endpoint
  * Add support for startup healthchecks
  * Add information on metrics to the `network create` docs
  * Introduce podman machine os commands
  * Document that ignoreRootFS depends on export/import
  * Document ignoreVolumes in checkpoint/restore endpoint
  * Remove leaveRunning from swagger restore endpoint
  * libpod: Add checks to avoid nil pointer dereference if network setup fails
  * Address golangci-lint issues
  * Documenting Hyper-V QEMU acceleration settings
  * Kube Play: fix the handling of the optional field of SecretVolumeSource
  * Update Vendor of containers/(common, image, buildah)
  * Fix swapped NetInput/-Output stats
  * libpod: Use O_CLOEXEC for descriptors returned by (*Container).openDirectory
  * chore: Fix MD for Troubleshooting Guide link in GitHub Issue Template
  * test/tools: rebuild when files are changed
  * ginkgo tests: apply ginkgolinter fixes
  * ginkgo: restructure install work flow
  * Fix manpage emphasis
  * specgen: support CDI devices from containers.conf
  * vendor: update containers/common
  * pkg/trust: Take the default policy path from c/common/pkg/config
  * Add validate-in-container target
  * Adding encryption decryption feature
  * container restart: clean up healthcheck state
  * Add support for podman-remote manifest annotate
  * Quadlet: Add support for .kube files
  * Update vendor of containers/(buildah, common, storage, image)
  * specgen: honor user namespace value
  * [CI:DOCS] Migrate OSX Cross to M1
  * quadlet: Rework uid/gid remapping
  * GHA: Fix cirrus re-run workflow for other repos.
  * ssh system test: skip until it becomes a test
  * shell completion: fix hard coded network drivers
  * libpod: Report network setup errors properly on FreeBSD
  * E2E Tests: change the registry for the search test to avoid authentication
  * pkginstaller: install podman-mac-helper by default
  * Fix language. Mostly spelling a -> an
  * podman machine: Propagate SSL_CERT_FILE and SSL_CERT_DIR to systemd environment.
  * [CI:DOCS] Fix spelling and typos
  * Modify man page of '--pids-limit' option to correct a default value.
  * Update docs/source/markdown/
  * Update pkg/bindings/connection.go
  * Add more documentation on UID/GID Mappings with --userns=keep-id
  * support podman-remote to connect tcpURL with proxy
  * Removing the RawInput from the API output
  * fix port issues for CONTAINER_HOST
  * CI: Package versions: run in the 'main' step
  * build(deps): bump
  * pkg/domain: Make checkExecPreserveFDs platform-specific
  * e2e tests: fix restart race
  * Fix podman --noout to suppress all output
  * remove pod if creation has failed
  * pkg/rootless: Implement rootless.IsFdInherited on FreeBSD
  * Fix more podman-logs flakes
  * healthcheck system tests: try to fix flake
  * libpod: treat ESRCH from /proc/PID/cgroup as ENOENT
  * GHA: Configure workflows for reuse
  * compat,build: handle docker's preconfigured cacheTo,cacheFrom
  * docs: deprecate pasta network name
  * utils: Enable cgroup utils for FreeBSD
  * pkg/specgen: Disable kube play tests on FreeBSD
  * libpod/lock: Fix build and tests for SHM locks on FreeBSD
  * podman cp: fix copying with '.' suffix
  * pkginstaller: bump Qemu to version 7.1.0
  * specgen,wasm: switch to crun-wasm wherever applicable
  * vendor: bump c/common to v0.50.2-0.20221111184705-791b83e1cdf1
  * libpod: Make unit test for statToPercent Linux only
  * Update vendor of containers/storage
  * fix connection usage with containers.conf
  * Add --quiet and --no-info flags to podman machine start
  * Add hidden podman manifest inspect -v option
  * Add podman volume create -d short option for driver
  * Vendor in latest containers/(common,image,storage)
  * Add podman system events alias to podman events
  * Fix search_test to return correct version of alpine
  * GHA: Fix undefined secret env. var.
  * Release notes for 4.3.1
  * GHA: Fix make_email-body script reference
  * Add release keys to README
  * GHA: Fix typo setting output parameter
  * GHA: Fix typo.
  * New tool, docs/version-check
  * Formalize our compare-against-docker mechanism
  * Add restart-sec for container service files
  * test/tools: bump module to go 1.17
  * contrib/cirrus/ ignore test/tools/vendor
  * build(deps): bump from 0.1.12 to 0.2.0 in /test/tools
  * libpod: Add FreeBSD support in packageVersion
  * Allow podman manifest push --purge|-p as alias for --rm
  * [CI:DOCS] Add performance tutorial
  * [CI:DOCS] Fix build targets in
  * fix --format {{json .}} output to match docker
  * remote: fix manifest add --annotation
  * Skip test if `--events-backend` is necessary with podman-remote
  * kube play: update the handling of PersistentVolumeClaim
  * system tests: fix a system test in proxy environment
  * Use single unqualified search registry on Windows
  * test/system: Add, use tcp_port_probe() to check for listeners rather than binds
  * test/system: Add tests for pasta(1) connectivity
  * test/system: Move network-related helpers to
  * test/system: Use procfs to find bound ports, with optional address and protocol
  * test/system: Use port_is_free() from wait_for_port()
  * libpod: Add pasta networking mode
  * More log-flake work
  * Fix test flakes caused by improper podman-logs
  * fix incorrect systemd booted check
  * Cirrus: Add tests for GHA scripts
  * GHA: Update scripts to pass shellcheck
  * Cirrus: Shellcheck github-action scripts
  * Cirrus: shellcheck support for github-action scripts
  * GHA: Fix cirrus-cron scripts
  * Makefile: don't install to tmpfiles.d on FreeBSD
  * Make sure we can build and read each line of docker py's api client
  * Docker compat build api - make sure only one line appears per flush
  * Run codespell on code
  * Update vendor of containers/(image, storage, common)
  * Allow namespace path network option for pods.
  * Cirrus: Never skip running Windows Cross task
  * GHA: Auto. re-run failed cirrus-cron builds once
  * GHA: Migrate inline script to file
  * GHA: Simplify script reference
  * test/e2e: do not use apk in builds
  * remove container/pod id file along with container/pod
  * Cirrus: Synchronize windows image
  * Add --insecure,--tls-verify,--verbose flags to podman manifest inspect
  * runtime: add check for valid pod systemd cgroup
  * CI: set and verify DESIRED_NETWORK (netavark, cni)
  * [CI:DOCS] troubleshooting: document keep-id options
  * Man pages: refactor common options: --security-opt
  * Cirrus: Guarantee CNI testing w/o nv/av present
  * Cirrus: temp. disable all Ubuntu testing
  * Cirrus: Update to F37beta
  * buildah bud tests: better handling of remote
  * quadlet: Warn in generator if using short names
  * Add Windows Smoke Testing
  * Add podman kube apply command
  * docs: offer advice on installing test dependencies
  * Fix documentation on read-only-tmpfs
  * version bump to 4.4.0-dev
  * deps: bump go-criu to v6
  * Makefile: Add cross build targets for freebsd
  * pkg/machine: Make this build on FreeBSD/arm64
  * pkg/rctl: Remove unused cgo dependency
  * man pages: assorted underscore fixes
  * Upgrade GitHub actions packages from v2 to v3
  * vendor at 4b691ce
  * [CI:DOCS] fix --tmpdir typos
  * Do not report that /usr/share/containers/storage.conf has been edited.
  * Eval symlinks on XDG_RUNTIME_DIR
  * hack/podmansnoop
  * rootless: support keep-id with one mapping
  * rootless: add argument to GetConfiguredMappings
  * Update vendor containers/(common,storage,buildah,image)
  * Fix deadlock between 'podman ps' and 'container inspect' commands
  * Add information about where the libpod/boltdb database lives
  * Consolidate the dependencies for the IsTerminal() API
  * Ensure that StartAndAttach locks while sending signals
  * ginkgo testing: fix podman usernamespace join
  * Test runners: nuke podman from $PATH before tests
  * volumes: Fix idmap not working for volumes
  * FIXME: Temporary workaround for ubi8 CI breakage
  * System tests: teardown: clean up volumes
  * update api versions on
  * system tests: runlabel: use podman-under-test
  * system tests: podman network create: use random port
  * sig-proxy test: bump timeout
  * play kube: Allow the user to import the contents of a tar file into a volume
  * Clarify the docs on DropCapability
  * quadlet tests: Disable kmsg logging while testing
  * quadlet: Support multiple Network=
  * quadlet: Add support for Network=...
  * Fix manpage for podman run --network option
  * quadlet: Add support for AddDevice=
  * quadlet: Add support for setting seccomp profile
  * quadlet: Allow multiple elements on each Add/DropCaps line
  * quadlet: Embed the correct binary name in the generated comment
  * quadlet: Drop the SocketActivated key
  * quadlet: Switch log-driver to passthrough
  * quadlet: Change ReadOnly to default to enabled
  * quadlet tests: Run the tests even for (expected) failed tests
  * quadlet tests: Fix handling of stderr checks
  * Remove unused script file
  * notifyproxy: fix container watcher
  * container/pod id file: truncate instead of throwing an error
  * quadlet: Use the new podman create volume --ignore
  * Add podman volume create --ignore
  * logcollector: include aardvark-dns
  * build(deps): bump from 1.8.0 to 1.8.1
  * build(deps): bump from 1.2.0 to 1.2.1
  * docs: generate systemd: point to kube template
  * docs: kube play: mention restart policy
  * Fixes: 15858 (podman system reset --force destroy machine)
  * fix search flake
  * use cached containers.conf
  * adding regex support to the ancestor ps filter function
  * Fix `system df` issues with `-f` and `-v`
  * markdown-preprocess: cross-reference where opts are used
  * Default qemu flags for Windows amd64
  * build(deps): bump from 0.3.8 to 0.4.0
  * Update main to reflect v4.3.0 release
  * build(deps): bump
  * move quadlet packages into pkg/systemd
  * system df: fix image-size calculations
  * Add man page for quadlet
  * Fix small typo
  * testimage: add iproute2 & socat, for pasta networking
  * Set up minikube for k8s testing
  * Makefile: don't install systemd generator binaries on FreeBSD
  * [CI:BUILD] copr: podman rpm should depend on containers-common-extra
  * Podman image: Set default_sysctls to empty for rootless containers
  * Don't use
  * libpod: Add support for 'podman top' on FreeBSD
  * libpod: Factor out jail name construction from stats_freebsd.go
  * pkg/util: Add pid information descriptors for FreeBSD
  * Initial quadlet version integrated in golang
  * bump golangci-lint to v1.49.0
  * Update vendor containers/(common,image,storage)
  * Allow volume mount dups, iff source and dest dirs
  * rootless: fix return value handling
  * Change to correct break statements
  * vendor containers/psgo at v1.8.0
  * Clarify that MacOSX docs are client specific
  * libpod: Factor out the call to PidFdOpen from (*Container).WaitForExit
  * Add swagger install + allow version updates in CI
  * Cirrus: Fix windows clone race
  * build(deps): bump
  * kill: wait for the container
  * generate systemd: set --stop-timeout for stopping containers
  * hack/ print diff at the end
  * Fix markdown header typo
  * markdown-preprocess: add generic include mechanism
  * markdown-preprocess: almost complete OO rewrite
  * Update tests for changed error messages
  * Update c/image after
  * Man pages: refactor common options (misc)
  * Man pages: Refactor common options: --detach-keys
  * vendor containers/storage at main
  * Man pages: refactor common options: --attach
  * build(deps): bump from 1.5.4 to 1.6.0
  * KillContainer: improve error message
  * docs: add missing options
  * Man pages: refactor common options: --annotation (manifest)
  * build(deps): bump from 1.5.0 to 1.6.0
  * system tests: health-on-failure: fix broken logic
  * build(deps): bump from 0.3.7 to 0.3.8
  * build(deps): bump from 1.20.2 to 1.22.1
  * ContainerEngine.SetupRootless(): Avoid calling container.Config()
  * Container filters: Avoid use of ctr.Config()
  * Avoid unnecessary calls to Container.Spec()
  * Add and use Container.LinuxResource() helper
  * play kube: notifyproxy: listen before starting the pod
  * play kube: add support for configmap binaryData
  * Add and use libpod/Container.Terminal() helper
  * Revert 'Add checkpoint image tests'
  * Revert 'cmd/podman: add support for checkpoint images'
  * healthcheck: fix --on-failure=stop
  * Man pages: Add mention of behavior due to XDG_CONFIG_HOME
  * build(deps): bump from 1.1.5 to 1.1.6
  * Avoid unnecessary timeout of 250msec when waiting on container shutdown
  * health checks: make on-failure action retry aware
  * libpod: Remove 100msec delay during shutdown
  * libpod: Add support for 'podman pod' on FreeBSD
  * libpod: Factor out cgroup validation from (*Runtime).NewPod
  * libpod: Move runtime_pod_linux.go to runtime_pod_common.go
  * specgen/generate: Avoid a nil dereference in MakePod
  * libpod: Factor out cgroups handling from (*Pod).refresh
  * Adds a link to OSX docs in
  * Man pages: refactor common options: --os-version
  * Create full path to a directory when DirectoryOrCreate is used with play kube
  * Return error in podman system service if URI scheme is not unix/tcp
  * Man pages: refactor common options: --time
  * man pages: document some --format options: images
  * Clean up when stopping pods
  * Update vendor of containers/buildah v1.28.0
  * Proof of concept: nightly dependency treadmill

- Make the priority for picking the storage driver configurable (bsc#1197093)

Advisory ID: SUSE-RU-2023:1913-1
Released:    Wed Apr 19 14:23:14 2023
Summary:     Recommended update for libslirp, slirp4netns
Type:        recommended
Severity:    moderate
References:  1201551
This update for libslirp and slirp4netns fixes the following issues:

libslirp was updated to version 4.7.0+44 (current git master):

* Fix vmstate regression
* Align outgoing packets
* Bump incoming packet alignment to 8 bytes
* vmstate: only enable when building under GNU C
* ncsitest: Fix build with msvc
* ncsi: Add Mellanox Get Mac Address handler
* slirp: Add out-of-band ethernet address
* ncsi: Add OEM command handler
* ncsi: Add basic test for Get Version ID response
* ncsi: Use response header for payload length
* ncsi: Pass command header to response handlers
* ncsi: Add Get Version ID command
* ncsi: Pass Slirp structure to response handlers
* slirp: Add manufacturer's ID

Release v4.7.0

* slirp: invoke client callback before creating timers
* pingtest: port to timer_new_opaque
* introduce timer_new_opaque callback
* introduce slirp_timer_new wrapper
* icmp6: make ndp_send_ra static
* socket: Handle ECONNABORTED from recv
* bootp: fix g_str_has_prefix warning/critical
* slirp: Don't duplicate packet in tcp_reass
* Rename insque/remque -> slirp_[ins|rem]que
* mbuf: Use SLIRP_DEBUG to enable mbuf debugging instead of DEBUG
* Replace inet_ntoa() with safer inet_ntop()
* Add VMS_END marker
* bootp: add support for UEFI HTTP boot
* IPv6 DNS proxying support
* Add missing scope_id in caching
* socket: Move closesocket(so->s_aux) to sofree
* socket: Check so_type instead of so_tcpcb for Unix-to-inet translation
* socket: Add s_aux field to struct socket for storing auxiliary socket
* socket: Initialize so_type in socreate
* socket: Allocate Unix-to-TCP hostfwd port from OS by binding to port 0
* Allow to disable internal DHCP server
* slirp_pollfds_fill: Explain why dividing so_snd.sb_datalen by two
* CI: run integration tests with slirp4netns
* socket: Check address family for Unix-to-inet accept translation
* socket: Add debug args for tcpx_listen (inet and Unix sockets)
* socket: Restore original definition of fhost
* socket: Move <sys/un.h> include to socket.h
* Support Unix sockets in hostfwd
* resolv: fix IPv6 resolution on Darwin
* Use the exact sockaddr size in getnameinfo call
* Initialize sin6_scope_id to zero
* slirp_socketpair_with_oob: Connect pair through
* resolv: fix memory leak when using libresolv
* pingtest: Add a trivial ping test
* icmp: Support falling back on trying a SOCK_RAW socket

Update to version 4.6.1+7:

* Haiku: proper path to resolv.conf for DNS server
* Fix for Haiku
* dhcp: Always send DHCP_OPT_LEN bytes in options

Update to version 4.6.1:

* Fix 'DHCP broken in libslirp v4.6.0'

Update to version 4.6.0:

* udp: check udp_input buffer size
* tftp: introduce a header structure
* tftp: check tftp_input buffer size
* udp6: check udp6_input buffer size
* bootp: check bootp_input buffer size
* bootp: limit vendor-specific area to input packet memory buffer

Update to version 4.4.0:

* socket: consume empty packets
* slirp: check pkt_len before reading protocol header
* Add DNS resolving for iOS
* sosendoob: better document what urgc is used for
* TCPIPHDR_DELTA: Fix potential negative value
* udp, udp6, icmp, icmp6: Enable forwarding errors on Linux
* icmp, icmp6: Add icmp_forward_error and icmp6_forward_error
* udp, udp6, icmp: handle TTL value
* ip_stripoptions use memmove

slirp4netns was updated to 1.2.0:

* Add slirp4netns --target-type=bess /path/to/bess.sock for supporting UML (#281)
* Explicitly support DHCP (#270)
* Update parson to v1.1.3 (#273) kgabis/parson@70dc239...2d7b3dd

Update to version 1.1.11:

* Add --macaddress option to specify the MAC address of the tap interface.
* Updated the man page.

Update to version 1.1.8:

Update to 1.0.0:

* --enable-sandbox is now out of experimental

Advisory ID: SUSE-SU-2023:2003-1
Released:    Tue Apr 25 18:05:42 2023
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1168481,1208962,1209884,1209888,CVE-2023-25809,CVE-2023-27561,CVE-2023-28642
This update for runc fixes the following issues:

Update to runc v1.1.5:

Security fixes:

- CVE-2023-25809: Fixed rootless `/sys/fs/cgroup` being writable when the cgroup namespace is not unshared (bnc#1209884).
- CVE-2023-27561: Fixed a regression that reintroduced the CVE-2019-19921 vulnerability (bnc#1208962).
- CVE-2023-28642: Fixed an AppArmor/SELinux bypass with a symlinked /proc (bnc#1209888).

Other fixes:

- Fix the inability to use `/dev/null` when inside a container.
- Fix changing the ownership of host's `/dev/null` caused by fd redirection (bsc#1168481).
- Fix rare runc exec/enter unshare error on older kernels.
- nsexec: Check for errors in `write_log()`.
- Drop version-specific Go requirement.
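A self-check for the two conditions named in the fixes above, written for this advisory page as an added example (it is not runc's code and is not shipped in any SUSE package): IsRealProcRoot refuses a symlinked or non-procfs /proc, the condition behind the "symlinked /proc" bypass, before anything that trusts /proc is done, and CgroupMountWritable reports whether /sys/fs/cgroup is mounted read-write inside a container, which is the observable symptom of CVE-2023-25809 in a rootless container that did not unshare its cgroup namespace. It assumes Linux (the PROC_SUPER_MAGIC value and the /proc/self/mountinfo field layout); the mountinfo text in sampleMountinfo is constructed for the example, not captured from a real host.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// PROC_SUPER_MAGIC from the Linux kernel's include/uapi/linux/magic.h.
const procSuperMagic = 0x9fa0

// IsRealProcRoot reports whether path is the root of a genuine procfs mount.
// Lstat (not Stat) is used first so that a symlink named /proc pointing
// elsewhere is rejected instead of being followed; then the filesystem
// magic is checked; finally the directory must itself be a mount point
// (its device differs from its parent's), so a procfs subdirectory such
// as /proc/sys does not pass either.
func IsRealProcRoot(path string) (bool, error) {
	path = filepath.Clean(path)
	fi, err := os.Lstat(path)
	if err != nil {
		return false, err
	}
	if fi.Mode()&os.ModeSymlink != 0 || !fi.IsDir() {
		return false, nil
	}
	var sfs syscall.Statfs_t
	if err := syscall.Statfs(path, &sfs); err != nil {
		return false, err
	}
	if sfs.Type != procSuperMagic {
		return false, nil
	}
	parent, err := os.Stat(filepath.Dir(path))
	if err != nil {
		return false, err
	}
	st, ok1 := fi.Sys().(*syscall.Stat_t)
	pst, ok2 := parent.Sys().(*syscall.Stat_t)
	if !ok1 || !ok2 {
		return false, nil
	}
	return st.Dev != pst.Dev, nil
}

// CgroupMountWritable scans /proc/self/mountinfo text for the entry whose
// mount point equals mountpoint and reports (found, writable). Field layout
// per proc(5): ID parent major:minor root mountpoint opts [optional...] - fstype source superopts
func CgroupMountWritable(mountinfo, mountpoint string) (found, writable bool) {
	for _, line := range strings.Split(mountinfo, "\n") {
		f := strings.Fields(line)
		if len(f) < 6 || f[4] != mountpoint {
			continue
		}
		for _, opt := range strings.Split(f[5], ",") {
			if opt == "rw" {
				return true, true
			}
		}
		return true, false
	}
	return false, false
}

// sampleMountinfo is a constructed sample (not captured from a real host) of
// what a rootless container that shares the host cgroup namespace might show.
const sampleMountinfo = `22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
23 28 0:22 / /sys ro,nosuid,nodev,noexec,relatime shared:6 - sysfs sysfs ro
25 23 0:26 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:9 - cgroup2 cgroup2 rw,nsdelegate`

func main() {
	ok, err := IsRealProcRoot("/proc")
	fmt.Printf("/proc is a real procfs mount root: %v (err=%v)\n", ok, err)
	if data, err := os.ReadFile("/proc/self/mountinfo"); err == nil {
		found, rw := CgroupMountWritable(string(data), "/sys/fs/cgroup")
		fmt.Printf("live /sys/fs/cgroup: found=%v writable=%v\n", found, rw)
	}
	found, rw := CgroupMountWritable(sampleMountinfo, "/sys/fs/cgroup")
	fmt.Printf("constructed sample /sys/fs/cgroup: found=%v writable=%v\n", found, rw)
}
```

Build the binary statically and run it inside a rootless container to compare the result with and without a private cgroup namespace (podman's `--cgroupns=private` versus `--cgroupns=host`); with a fixed runc the cgroup tree should not come up read-write in the shared case. The symlink check matters because `Statfs` and `Stat` follow links: a check that starts from `os.Stat` would happily report "procfs" for a symlink in the rootfs that points at the real /proc.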

Advisory ID: SUSE-SU-2023:2157-1
Released:    Wed May 10 13:21:20 2023
Summary:     Security update for conmon
Type:        security
Severity:    important
References:  1200441

This update of conmon fixes the following issues:

- rebuild the package with the Go 1.19.9 security release (bsc#1200441).

Advisory ID: SUSE-SU-2023:2256-1
Released:    Fri May 19 15:26:43 2023
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1200441

This update of runc fixes the following issues:

- rebuild the package with the Go 1.19.9 security release (bsc#1200441).

Advisory ID: SUSE-SU-2023:2324-1
Released:    Tue May 30 15:52:17 2023
Summary:     Security update for cni-plugins
Type:        security
Severity:    important
References:  1200441

This update of cni-plugins fixes the following issues:

- rebuild the package with the go 1.19 security release (bsc#1200441).

Advisory ID: SUSE-SU-2023:2325-1
Released:    Tue May 30 15:57:30 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1200441

This update of cni fixes the following issues:

- rebuild the package with the go 1.19 security release (bsc#1200441).

Advisory ID: SUSE-RU-2023:2527-1
Released:    Fri Jun 16 19:04:57 2023
Summary:     Recommended update for NetworkManager
Type:        recommended
Severity:    moderate
This update for NetworkManager fixes the following issues:

- Create /etc/NetworkManager/conf.d by default, allowing easy override for NetworkManager.conf file with drop-in
- Move default config file to /usr/lib/NetworkManager/NetworkManager.conf, as part of main package
- Ensure /usr/lib/NetworkManager/conf.d is part of the package

Advisory ID: SUSE-RU-2023:2657-1
Released:    Tue Jun 27 14:43:57 2023
Summary:     Recommended update for libcontainers-common
Type:        recommended
Severity:    moderate
References:  1211124
This update for libcontainers-common fixes the following issues:

- New subpackage libcontainers-sles-mounts which adds SLE-specific mounts on SLE systems (bsc#1211124)
- Own /etc/containers/systemd and /usr/share/containers/systemd for podman quadlet
- Remove to default to the overlay driver instead of btrfs

Advisory ID: SUSE-RU-2023:2658-1
Released:    Tue Jun 27 14:46:15 2023
Summary:     Recommended update for containerd, docker, runc
Type:        recommended
Severity:    moderate
References:  1207004,1208074,1210298,1211578
This update for containerd, docker, runc fixes the following issues:

- Update to containerd v1.6.21 (bsc#1211578)
- Update to Docker 23.0.6-ce (bsc#1211578)
- Update to runc v1.1.7
- Require a minimum Go version explicitly (bsc#1210298)
- Re-unify packaging for SLE-12 and SLE-15
- Fix build on SLE-12 by switching back to libbtrfs-devel headers
- Allow man pages to be built without internet access in OBS
- Add apparmor-parser as a Recommends to make sure that most users will end up with it installed even if they are primarily running SELinux
- Fix syntax of boolean dependency
- Allow to install container-selinux instead of apparmor-parser
- Change to using systemd-sysusers
- Update runc.keyring to upstream version
- Fix the inability to use `/dev/null` when inside a container (bsc#1207004)

Advisory ID: SUSE-SU-2023:2765-1
Released:    Mon Jul  3 20:28:14 2023
Summary:     Security update for libcap
Type:        security
Severity:    moderate
References:  1211418,1211419,CVE-2023-2602,CVE-2023-2603
This update for libcap fixes the following issues:

- CVE-2023-2602: Fixed improper memory release in libcap/psx/psx.c:__wrap_pthread_create() (bsc#1211418).
- CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

Advisory ID: SUSE-RU-2023:2847-1
Released:    Mon Jul 17 08:40:42 2023
Summary:     Recommended update for audit
Type:        recommended
Severity:    moderate
References:  1210004
This update for audit fixes the following issues:

- Check for AF_UNIX unnamed sockets (bsc#1210004)
- Enable livepatching on main library on x86_64

Advisory ID: SUSE-SU-2023:2868-1
Released:    Tue Jul 18 11:35:52 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1206346

This update of cni fixes the following issues:

- rebuild the package with the go 1.20 security release (bsc#1206346).

Advisory ID: SUSE-SU-2023:2869-1
Released:    Tue Jul 18 11:39:26 2023
Summary:     Security update for cni-plugins
Type:        security
Severity:    important
References:  1206346

This update of cni-plugins fixes the following issues:

- rebuild the package with the go 1.20 security release (bsc#1206346).

Advisory ID: SUSE-SU-2023:2989-1
Released:    Wed Jul 26 16:33:56 2023
Summary:     Security update for conmon
Type:        security
Severity:    important
References:  1208737,1209307
This update for conmon fixes the following issues:

conmon was updated to version 2.1.7:

- Bumped go version to 1.19 (bsc#1209307).
- Fixed leaking symbolic links in the opt_socket_path directory.
- Fixed cgroup oom issues (bsc#1208737).
- Fixed OOM watcher for cgroupv2 `oom_kill` events.

Advisory ID: SUSE-RU-2023:3217-1
Released:    Mon Aug  7 16:51:10 2023
Summary:     Recommended update for cryptsetup
Type:        recommended
Severity:    moderate
References:  1211079
This update for cryptsetup fixes the following issues:

- Handle system with low memory and no swap space (bsc#1211079)

Advisory ID: SUSE-RU-2023:3410-1
Released:    Thu Aug 24 06:56:32 2023
Summary:     Recommended update for audit
Type:        recommended
Severity:    moderate
References:  1201519,1204844
This update for audit fixes the following issues:

- Create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519)
- Fix rules not loaded when restarting auditd.service (bsc#1204844)

The following package changes have been done:

- libsemanage-conf-3.4-150400.1.8 added
- libsepol2-3.4-150400.1.11 added
- libsemanage2-3.4-150400.1.8 added
- conmon-2.1.7-150400.3.11.1 updated
- kernel-firmware-ath10k-20220509-150400.4.19.1 updated
- libqrtr-glib0-1.2.2-150400.1.3 updated
- kernel-firmware-amdgpu-20220509-150400.4.19.1 updated
- kernel-firmware-ath11k-20220509-150400.4.19.1 updated
- kernel-firmware-atheros-20220509-150400.4.19.1 updated
- kernel-firmware-bluetooth-20220509-150400.4.19.1 updated
- kernel-firmware-brcm-20220509-150400.4.19.1 updated
- kernel-firmware-dpaa2-20220509-150400.4.19.1 updated
- kernel-firmware-media-20220509-150400.4.19.1 updated
- kernel-firmware-mwifiex-20220509-150400.4.19.1 updated
- kernel-firmware-nfp-20220509-150400.4.19.1 updated
- kernel-firmware-nvidia-20220509-150400.4.19.1 updated
- kernel-firmware-prestera-20220509-150400.4.19.1 updated
- kernel-firmware-qcom-20220509-150400.4.19.1 updated
- kernel-firmware-radeon-20220509-150400.4.19.1 updated
- kernel-firmware-serial-20220509-150400.4.19.1 updated
- kernel-firmware-sound-20220509-150400.4.19.1 updated
- kernel-firmware-ti-20220509-150400.4.19.1 updated
- kernel-firmware-ueagle-20220509-150400.4.19.1 updated
- libcontainers-common-20230214-150400.3.8.1 updated
- libmbim-glib4-1.26.4-150400.1.2 updated
- libmm-glib0-1.18.10-150400.1.2 updated
- libslirp0-4.7.0+44-150300.15.2 added
- runc-1.1.7-150000.46.1 updated
- cni-0.7.1-150100.3.12.1 updated
- cni-plugins-0.8.6-150100.3.15.1 updated
- kernel-firmware-all-20220509-150400.4.19.1 updated
- cryptsetup-2.4.3-150400.3.3.1 updated
- libqmi-glib5-1.30.8-150400.1.2 updated
- slirp4netns-1.2.0-150300.8.5.2 updated
- podman-4.4.4-150400.4.16.1 updated
- ModemManager-1.18.10-150400.1.2 updated
- NetworkManager-wwan-1.38.2-150400.3.3.1 updated
