<div class="container">
<h1>Security update for podman</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2023:1814-1</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1197093">#1197093</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1208364">#1208364</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1208510">#1208510</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1209495">#1209495</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>Cross-References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2023-0778.html">CVE-2023-0778</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-0778</span>
<span class="cvss-source">(SUSE):</span>
<span class="cvss-score">6.0</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-0778</span>
<span class="cvss-source">(NVD):</span>
<span class="cvss-score">6.8</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">Containers Module 15-SP4</li>
<li class="list-group-item">openSUSE Leap 15.4</li>
<li class="list-group-item">openSUSE Leap Micro 5.3</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Micro 5.3</li>
<li class="list-group-item">SUSE Linux Enterprise Micro 5.4</li>
<li class="list-group-item">SUSE Linux Enterprise Micro for Rancher 5.3</li>
<li class="list-group-item">SUSE Linux Enterprise Micro for Rancher 5.4</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP4</li>
<li class="list-group-item">SUSE Manager Proxy 4.3</li>
<li class="list-group-item">SUSE Manager Retail Branch Server 4.3</li>
<li class="list-group-item">SUSE Manager Server 4.3</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves one vulnerability and has three fixes can now be installed.</p>
<h2>Description:</h2>
<p>This update for podman fixes the following issues:</p>
<p>Update to version 4.4.4:</p>
<ul>
<li>libpod: always use direct mapping</li>
<li>macos pkginstaller: do not fail when podman-mac-helper fails</li>
<li>podman-mac-helper: install: do not error if already installed</li>
<li>podman.spec: Bump required version for libcontainers-common (bsc#1209495)</li>
</ul>
<p>Update to version 4.4.3:</p>
<ul>
<li>compat: /auth: parse server address correctly</li>
<li>vendor github.com/containers/common@v0.51.1</li>
<li>pkginstaller: bump Qemu to version 7.2.0</li>
<li>podman machine: Adjust Chrony makestep config</li>
<li>[v4.4] fix --health-on-failure=restart in transient unit</li>
<li>podman logs passthrough driver support --cgroups=split</li>
<li>journald logs: simplify entry parsing</li>
<li>podman logs: read journald with passthrough</li>
<li>journald: remove initializeJournal()</li>
<li>netavark: only use aardvark ip as nameserver</li>
<li>compat API: network create return 409 for duplicate</li>
<li>fix "podman logs --since --follow" flake</li>
<li>system service --log-level=trace: support hijack</li>
<li>podman-mac-helper: exit 1 on error</li>
<li>bump golang.org/x/net to v0.8.0</li>
<li>Fix package restore</li>
<li>Quadlet - use the default runtime</li>
</ul>
<p>Update to version 4.4.2:</p>
<ul>
<li>Revert "CI: Temporarily disable all AWS EC2-based tasks"</li>
<li>kube play: only enforce passthrough in Quadlet</li>
<li>Emergency fix for man pages: check for broken includes</li>
<li>CI: Temporarily disable all AWS EC2-based tasks</li>
<li>quadlet system tests: add useful defaults, logging</li>
<li>volume,container: chroot to source before exporting content</li>
<li>install sigproxy before start/attach</li>
<li>Update to c/image 5.24.1</li>
<li>events + container inspect test: RHEL fixes</li>
<li>podman.spec: add <code>crun</code> requirement for quadlet</li>
<li>podman.spec: set PREFIX at build stage (bsc#1208510)</li>
<li>CVE-2023-0778: Fixed symlink exchange attack in podman export volume (bsc#1208364)</li>
</ul>
<p>Update to version 4.4.1:</p>
<ul>
<li>kube play: do not teardown unconditionally on error</li>
<li>Resolve symlink path for qemu directory if possible</li>
<li>events: document journald identifiers</li>
<li>Quadlet: exit 0 when there are no files to process</li>
<li>Cleanup podman-systemd.unit file</li>
<li>Install podman-systemd.unit man page, make quadlet discoverable</li>
<li>Add missing return after errors</li>
<li>oci: bind mount /sys with --userns=(auto|pod:)</li>
<li>docs: specify order preference for FROM</li>
<li>Cirrus: Fix & remove GraphQL API tests</li>
<li>test: adapt test to work on cgroupv1</li>
<li>make hack/markdown-preprocess parallel-safe</li>
<li>Fix default handling of pids-limit</li>
<li>system tests: fix volume exec/noexec test</li>
</ul>
<p>Update to version 4.4.0:</p>
<ul>
<li>Emergency fix for RHEL8 gating tests</li>
<li>Do not mount /dev/tty into rootless containers</li>
<li>Fixes port collision issue on use of --publish-all</li>
<li>Fix usage of absolute windows paths with --image-path</li>
<li>fix #17244: use /etc/timezone where <code>timedatectl</code> is missing on Linux</li>
<li>podman-events: document verbose create events</li>
<li>Making gvproxy.exe optional for building Windows installer</li>
<li>Add gvproxy to Windows packages</li>
<li>Match VT device paths to be blocked from mounting exactly</li>
<li>Clean up more language for inclusiveness</li>
<li>Set runAsNonRoot=true in gen kube</li>
<li>quadlet: Add device support for .volume files</li>
<li>fix: running check error when podman is default in wsl</li>
<li>fix: don't output "ago" when container is currently up and running</li>
<li>journald: podman logs only show logs for current user</li>
<li>journald: podman events only show events for current user</li>
<li>Add (podman {image,manifest} push --sign-by-sigstore=param-file.yaml)</li>
<li>DB: make loading container states optional</li>
<li>ps: do not sync container</li>
<li>Allow --device-cgroup-rule to be passed in by docker API</li>
<li>Create release notes for v4.4.0</li>
<li>Cirrus: Update operating branch</li>
<li>fix APIv2 python attach test flake</li>
<li>ps: query health check in batch mode</li>
<li>make example volume import, not import volume</li>
<li>Correct output when inspecting containers created with --ipc</li>
<li>Vendor containers/(storage, image, common, buildah)</li>
<li>Get correct username in pod when using --userns=keep-id</li>
<li>ps: get network data in batch mode</li>
<li>build(deps): bump github.com/onsi/gomega from 1.25.0 to 1.26.0</li>
<li>add hack/perf for comparing two container engines</li>
<li>systems: retrofit dns options test to honor other search domains</li>
<li>ps: do not create copy of container config</li>
<li>libpod: set search domain independently of nameservers</li>
<li>libpod,netavark: correctly populate /etc/resolv.conf with custom dns server</li>
<li>podman: relay custom DNS servers to network stack</li>
<li>(fix) mount_program is in storage.options.overlay</li>
<li>Change example target to default in doc</li>
<li>network create: do not allow <code>default</code> as name</li>
<li>kube-play: add support for HostPID in podSpec</li>
<li>build(deps): bump github.com/docker/docker</li>
<li>Let's see if #14653 is fixed or not</li>
<li>Add support for podman build --group-add</li>
<li>vendor in latest containers/(storage, common, build, image)</li>
<li>unskip network update test</li>
<li>do not install swagger by default</li>
<li>pasta: skip "Local forwarder, IPv4" test</li>
<li>add testbindings Makefile target</li>
<li>update CI images to include pasta</li>
<li>[CI:DOCS] Add CNI deprecation notices to documentation</li>
<li>Cirrus: preserve podman-server logs</li>
<li>waitPidStop: reduce sleep time to 10ms</li>
<li>StopContainer: return if cleanup process changed state</li>
<li>StopSignal: add a comment</li>
<li>StopContainer: small refactor</li>
<li>waitPidStop: simplify code</li>
<li>e2e tests: reenable long-skipped build test</li>
<li>Add openssh-clients to podmanimage</li>
<li>Reworks Windows smoke test to tunnel through interactive session.</li>
<li>fix bud-multiple-platform-with-base-as-default-arg flake</li>
<li>Remove ReservedAnnotations from kube generate specification</li>
<li>e2e: update test/README.md</li>
<li>e2e: use isRootless() instead of rootless.IsRootless()</li>
<li>Cleanup documentation on --userns=auto</li>
<li>Vendor in latest c/common</li>
<li>sig-proxy system test: bump timeout</li>
<li>build(deps): bump github.com/containernetworking/plugins</li>
<li>rootless: rename auth-scripts to preexec-hooks</li>
<li>Docs: version-check updates</li>
<li>commit: use libimage code to parse changes</li>
<li>[CI:DOCS] Remove experimental mac tutorial</li>
<li>man: Document the interaction between --systemd and --privileged</li>
<li>Make rootless privileged containers share the same tty devices as rootfull ones</li>
<li>container kill: handle stopped/exited container</li>
<li>Vendor in latest containers/(image,ocicrypt)</li>
<li>add a comment to container removal</li>
<li>Vendor in latest containers/storage</li>
<li>Cirrus: Run machine tests on PR merge</li>
<li>fix flake in kube system test</li>
<li>kube play: complete container spec</li>
<li>E2E Tests: Use inspect instead of actual data to avoid UDP flake</li>
<li>Use containers/storage/pkg/regexp in place of regexp</li>
<li>Vendor in latest containers/storage</li>
<li>Cirrus: Support using updated/latest NV/AV in PRs</li>
<li>Limit replica count to 1 when deploying from kubernetes YAML</li>
<li>Set StoppedByUser earlier in the process of stopping</li>
<li>podman-play system test: refactor</li>
<li>network: add support for podman network update and --network-dns-server</li>
<li>service container: less verbose error logs</li>
<li>Quadlet Kube - add support for PublishPort key</li>
<li>e2e: fix systemd_activate_test</li>
<li>Compile regex on demand not in init</li>
<li>[docker compat] Don't overwrite the NetworkMode if containers.conf overrides netns.</li>
<li>E2E Test: Play Kube set deadline to connection to avoid hangs</li>
<li>Only prevent VTs to be mounted inside privileged systemd containers</li>
<li>e2e: fix play_kube_test</li>
<li>Updated error message for supported VolumeSource types</li>
<li>Introduce pkg retry logic in win installer task</li>
<li>logformatter: include base SHA, with history link</li>
<li>Network tests: ping redhat.com, not podman.io</li>
<li>cobra: move engine shutdown to Execute</li>
<li>Updated options for QEMU on Windows hosts</li>
<li>Update Mac installer to use gvproxy v0.5.0</li>
<li>podman: podman rm -f doesn't leave processes</li>
<li>oci: check for valid PID before kill(pid, 0)</li>
<li>linux: add /sys/fs/cgroup if /sys is a bind mount</li>
<li>Quadlet: Add support for ConfigMap key in Kube section</li>
<li>remove service container <em>after</em> pods</li>
<li>Kube Play - allow setting and overriding published host ports</li>
<li>oci: terminate all container processes on cleanup</li>
<li>Update win-sshproxy to 0.5.0 gvisor tag</li>
<li>Vendor in latest containers/common</li>
<li>Fix a potential defer logic error around locking</li>
<li>logformatter: nicer formatting for bats failures</li>
<li>logformatter: refactor verbose line-print</li>
<li>e2e tests: stop using UBI images</li>
<li>k8s-file: podman logs --until --follow exit after time</li>
<li>journald: podman logs --until --follow exit after time</li>
<li>journald: seek to time when --since is used</li>
<li>podman logs: journald fix --since and --follow</li>
<li>Preprocess files in UTF-8 mode</li>
<li>Vendor in latest containers/(common, image, storage)</li>
<li>Switch to C based msi hooks for win installer</li>
<li>hack/bats: improve usage message</li>
<li>hack/bats: add --remote option</li>
<li>hack/bats: fix root/rootless logic</li>
<li>Describe copy volume options</li>
<li>Support sig-proxy for podman-remote attach and start</li>
<li>libpod: fix race condition rm'ing stopping containers</li>
<li>e2e: fix run_volume_test</li>
<li>Add support for Windows ARM64</li>
<li>Add shared --compress to man pages</li>
<li>Add container error message to ContainerState</li>
<li>Man page checker: require canonical name in SEE ALSO</li>
<li>system df: improve json output code</li>
<li>kube play: fix the error logic with --quiet</li>
<li>System tests: quadlet network test</li>
<li>Fix: List container with volume filter</li>
<li>adding -dryrun flag</li>
<li>Quadlet Container: Add support for EnvironmentFile and EnvironmentHost</li>
<li>Kube Play: use passthrough as the default log-driver if service-container is set</li>
<li>System tests: add missing cleanup</li>
<li>System tests: fix unquoted question marks</li>
<li>Build and use a newer systemd image</li>
<li>Quadlet Network - Fix the name of the required network service</li>
<li>System Test Quadlet - Volume dependency test did not test the dependency</li>
<li>fix <code>podman system connection - tcp</code> flake</li>
<li>vendor: bump c/storage to a747b27</li>
<li>Fix instructions about setting storage driver on command-line</li>
<li>Test README - point users to hack/bats</li>
<li>System test: quadlet kube basic test</li>
<li>Fixed <code>podman update --pids-limit</code></li>
<li>podman-remote,bindings: trim context path correctly when it's emptydir</li>
<li>Quadlet Doc: Add section for .kube files</li>
<li>e2e: fix containers_conf_test</li>
<li>Allow '/' to prefix container names to match Docker</li>
<li>Remove references to qcow2</li>
<li>Fix typos in man page regarding transient storage mode.</li>
<li>make: Use PYTHON var for .install.pre-commit</li>
<li>Add containers.conf read-only flag support</li>
<li>Explain that relabeling/chowning of volumes can take a long time</li>
<li>events: support "die" filter</li>
<li>infra/abi: refactor ContainerRm</li>
<li>When in transient store mode, use rundir for bundlepath</li>
<li>quadlet: Support Type=oneshot container files</li>
<li>hacks/bats: keep QUADLET env var in test env</li>
<li>New system tests for conflicting options</li>
<li>Vendor in latest containers/(buildah, image, common)</li>
<li>Output Size and Reclaimable in human form for json output</li>
<li>podman service: close duplicated /dev/null fd</li>
<li>ginkgo tests: apply ginkgolinter fixes</li>
<li>Add support for hostPath and configMap subpath usage</li>
<li>export: use io.Writer instead of file</li>
<li>rootless: always create userns with euid != 0</li>
<li>rootless: inhibit copy mapping for euid != 0</li>
<li>pkg/domain/infra/abi: introduce <code>type containerWrapper</code></li>
<li>vendor: bump to buildah ca578b290144 and use new cache API</li>
<li>quadlet: Handle booleans that have defaults better</li>
<li>quadlet: Rename parser.LookupBoolean to LookupBooleanWithDefault</li>
<li>Add podman-clean-transient.service service</li>
<li>Stop recording annotations set to false</li>
<li>Unify --noheading and -n to be consistent on all commands</li>
<li>pkg/domain/infra/abi: add <code>getContainers</code></li>
<li>Update vendor of containers/(common, image)</li>
<li>specfile: Drop user-add dependency from quadlet subpackage.</li>
<li>quadlet: Default BINDIR to /usr/bin if tag not specified</li>
<li>Quadlet: add network support</li>
<li>Add comment for jsonMarshal command</li>
<li>Always allow pushing from containers-storage</li>
<li>libpod: move NetNS into state db instead of extra bucket</li>
<li>Add initial system tests for quadlets</li>
<li>quadlet: Add --user option</li>
<li>libpod: remove CNI word where no longer applicable</li>
<li>libpod: fix header length in http attach with logs</li>
<li>podman-kube@ template: use <code>podman kube</code></li>
<li>build(deps): bump github.com/docker/docker</li>
<li>wait: add --ignore option</li>
<li>quadlet: Respect $PODMAN env var for podman binary</li>
<li>e2e: Add assert-key-is-regex check to quadlet e2e testsuite</li>
<li>e2e: Add some assert to quadlet test to make sure testcases are sane</li>
<li>remove unmapped ports from inspect port bindings</li>
<li>update podman-network-create for clarity</li>
<li>Vendor in latest containers/common with default capabilities</li>
<li>pkg/rootless: Change error text ...</li>
<li>rootless: add cli validator</li>
<li>rootless: define LIBEXECPODMAN</li>
<li>doc: fix documentation for idmapped mounts</li>
<li>bump golangci-lint to v1.50.1</li>
<li>build(deps): bump github.com/onsi/gomega from 1.24.1 to 1.24.2</li>
<li>[CI:DOCS] podman-mount: s/umount/unmount/</li>
<li>create/pull --help: list pull policies</li>
<li>Network Create: Add --ignore flag to support idempotent script</li>
<li>Make qemu security model none</li>
<li>libpod: use OCI idmappings for mounts</li>
<li>stop reporting errors removing containers that don't exist</li>
<li>test: added test from wait endpoint with too long label</li>
<li>quadlet: Default VolatileTmp to off</li>
<li>build(deps): bump github.com/ulikunitz/xz from 0.5.10 to 0.5.11</li>
<li>docs/options/ipc: fix list syntax</li>
<li>Docs: Add dedicated DOWNLOAD doc w/ links to bins</li>
<li>Make a consistently-named windows installer</li>
<li>checkpoint restore: fix --ignore-static-ip/mac</li>
<li>add support for subpath in play kube for named volumes</li>
<li>build(deps): bump golang.org/x/net from 0.2.0 to 0.4.0</li>
<li>golangci-lint: remove three deprecated linters</li>
<li>parse-localbenchmarks: separate standard deviation</li>
<li>build(deps): bump golang.org/x/term from 0.2.0 to 0.3.0</li>
<li>podman play kube support container startup probe</li>
<li>Add podman buildx version support</li>
<li>Cirrus: Collect benchmarks on machine instances</li>
<li>Cirrus: Remove escape codes from log files</li>
<li>[CI:DOCS] Clarify secret target behavior</li>
<li>Fix typo on network docs</li>
<li>podman-remote build add --volume support</li>
<li>remote: allow --http-proxy for remote clients</li>
<li>Cleanup kube play workloads if error happens</li>
<li>health check: ignore dependencies of transient systemd units/timers</li>
<li>fix: event read from syslog</li>
<li>Fixes secret (un)marshaling for kube play.</li>
<li>Remove 'you' from man pages</li>
<li>build(deps): bump golang.org/x/tools from 0.3.0 to 0.4.0 in /test/tools</li>
<li>[CI:DOCS] test/README.md: run tests with podman-remote</li>
<li>e2e: keeps the http_proxy value</li>
<li>Makefile: Add podman-mac-helper to darwin client zip</li>
<li>test/e2e: enable "podman run with ipam none driver" for nv</li>
<li>[skip-ci] GHA/Cirrus-cron: Fix execution order</li>
<li>kube sdnotify: run proxies for the lifespan of the service</li>
<li>Update containers common package</li>
<li>podman manpage: Use man-page links instead of file names</li>
<li>e2e: fix e2e tests in proxy environment</li>
<li>Fix test</li>
<li>disable healthchecks automatically on non systemd systems</li>
<li>Quadlet Kube: Add support for userns flag</li>
<li>[CI:DOCS] Add warning about --opts,o with mount's -o</li>
<li>Add podman system prune --external</li>
<li>Add some tests for transient store</li>
<li>runtime: In transient_store mode, move bolt_state.db to rundir</li>
<li>runtime: Handle the transient store options</li>
<li>libpod: Move the creation of TmpDir to an earlier time</li>
<li>network create: support "-o parent=XXX" for ipvlan</li>
<li>compat API: allow MacAddress on container config</li>
<li>Quadlet Kube: Add support for relative path for YAML file</li>
<li>notify k8s system test: move sending message into exec</li>
<li>runtime: do not chown idmapped volumes</li>
<li>quadlet: Drop ExecStartPre=rm %t/%N.cid</li>
<li>Quadlet Kube: Set SyslogIdentifier if was not set</li>
<li>Add a FreeBSD cross build to the cirrus alt build task</li>
<li>Add completion for --init-ctr</li>
<li>Fix handling of readonly containers when defined in kube.yaml</li>
<li>Build cross-compilation fixes</li>
<li>libpod: Track healthcheck API changes in healthcheck_unsupported.go</li>
<li>quadlet: Use same default capability set as podman run</li>
<li>quadlet: Drop --pull=never</li>
<li>quadlet: Change default of ReadOnly to no</li>
<li>quadlet: Change RunInit default to no</li>
<li>quadlet: Change NoNewPrivileges default to false</li>
<li>test: podman run with checkpoint image</li>
<li>Enable 'podman run' for checkpoint images</li>
<li>test: Add tests for checkpoint images</li>
<li>CI setup: simplify environment passthrough code</li>
<li>Init containers should not be restarted</li>
<li>Update c/storage after https://github.com/containers/storage/pull/1436</li>
<li>Set the latest release explicitly</li>
<li>add friendly comment</li>
<li>fix an overriding logic and load config problem</li>
<li>Update the issue templates</li>
<li>Update vendor of containers/(image, buildah)</li>
<li>[CI:DOCS] Skip windows-smoke when not useful</li>
<li>[CI:DOCS] Remove broken gate-container docs</li>
<li>OWNERS: add Jason T. Greene</li>
<li>hack/podmansnoop: print arguments</li>
<li>Improve atomicity of VM state persistence on Windows</li>
<li>[CI:BUILD] copr: enable podman-restart.service on rpm installation</li>
<li>macos: pkg: Use -arm64 suffix instead of -aarch64</li>
<li>linux: Add -linux suffix to podman-remote-static binaries</li>
<li>linux: Build amd64 and arm64 podman-remote-static binaries</li>
<li>container create: add inspect data to event</li>
<li>Allow manual override of install location</li>
<li>Run codespell on code</li>
<li>Add missing parameters for checkpoint/restore endpoint</li>
<li>Add support for startup healthchecks</li>
<li>Add information on metrics to the <code>network create</code> docs</li>
<li>Introduce podman machine os commands</li>
<li>Document that ignoreRootFS depends on export/import</li>
<li>Document ignoreVolumes in checkpoint/restore endpoint</li>
<li>Remove leaveRunning from swagger restore endpoint</li>
<li>libpod: Add checks to avoid nil pointer dereference if network setup fails</li>
<li>Address golangci-lint issues</li>
<li>Documenting Hyper-V QEMU acceleration settings</li>
<li>Kube Play: fix the handling of the optional field of SecretVolumeSource</li>
<li>Update Vendor of containers/(common, image, buildah)</li>
<li>Fix swapped NetInput/-Output stats</li>
<li>libpod: Use O_CLOEXEC for descriptors returned by (*Container).openDirectory</li>
<li>chore: Fix MD for Troubleshooting Guide link in GitHub Issue Template</li>
<li>test/tools: rebuild when files are changed</li>
<li>ginkgo tests: apply ginkgolinter fixes</li>
<li>ginkgo: restructure install work flow</li>
<li>Fix manpage emphasis</li>
<li>specgen: support CDI devices from containers.conf</li>
<li>vendor: update containers/common</li>
<li>pkg/trust: Take the default policy path from c/common/pkg/config</li>
<li>Add validate-in-container target</li>
<li>Adding encryption decryption feature</li>
<li>container restart: clean up healthcheck state</li>
<li>Add support for podman-remote manifest annotate</li>
<li>Quadlet: Add support for .kube files</li>
<li>Update vendor of containers/(buildah, common, storage, image)</li>
<li>specgen: honor user namespace value</li>
<li>[CI:DOCS] Migrate OSX Cross to M1</li>
<li>quadlet: Rework uid/gid remapping</li>
<li>GHA: Fix cirrus re-run workflow for other repos.</li>
<li>ssh system test: skip until it becomes a test</li>
<li>shell completion: fix hard coded network drivers</li>
<li>libpod: Report network setup errors properly on FreeBSD</li>
<li>E2E Tests: change the registry for the search test to avoid authentication</li>
<li>pkginstaller: install podman-mac-helper by default</li>
<li>Fix language. Mostly spelling a -> an</li>
<li>podman machine: Propagate SSL_CERT_FILE and SSL_CERT_DIR to systemd environment.</li>
<li>[CI:DOCS] Fix spelling and typos</li>
<li>Modify man page of "--pids-limit" option to correct a default value.</li>
<li>Update docs/source/markdown/podman-remote.1.md</li>
<li>Update pkg/bindings/connection.go</li>
<li>Add more documentation on UID/GID Mappings with --userns=keep-id</li>
<li>support podman-remote to connect tcpURL with proxy</li>
<li>Removing the RawInput from the API output</li>
<li>fix port issues for CONTAINER_HOST</li>
<li>CI: Package versions: run in the 'main' step</li>
<li>build(deps): bump github.com/rootless-containers/rootlesskit</li>
<li>pkg/domain: Make checkExecPreserveFDs platform-specific</li>
<li>e2e tests: fix restart race</li>
<li>Fix podman --noout to suppress all output</li>
<li>remove pod if creation has failed</li>
<li>pkg/rootless: Implement rootless.IsFdInherited on FreeBSD</li>
<li>Fix more podman-logs flakes</li>
<li>healthcheck system tests: try to fix flake</li>
<li>libpod: treat ESRCH from /proc/PID/cgroup as ENOENT</li>
<li>GHA: Configure workflows for reuse</li>
<li>compat,build: handle docker's preconfigured cacheTo,cacheFrom</li>
<li>docs: deprecate pasta network name</li>
<li>utils: Enable cgroup utils for FreeBSD</li>
<li>pkg/specgen: Disable kube play tests on FreeBSD</li>
<li>libpod/lock: Fix build and tests for SHM locks on FreeBSD</li>
<li>podman cp: fix copying with "." suffix</li>
<li>pkginstaller: bump Qemu to version 7.1.0</li>
<li>specgen,wasm: switch to crun-wasm wherever applicable</li>
<li>vendor: bump c/common to v0.50.2-0.20221111184705-791b83e1cdf1</li>
<li>libpod: Make unit test for statToPercent Linux only</li>
<li>Update vendor of containers/storage</li>
<li>fix connection usage with containers.conf</li>
<li>Add --quiet and --no-info flags to podman machine start</li>
<li>Add hidden podman manifest inspect -v option</li>
<li>Add podman volume create -d short option for driver</li>
<li>Vendor in latest containers/(common,image,storage)</li>
<li>Add podman system events alias to podman events</li>
<li>Fix search_test to return correct version of alpine</li>
<li>GHA: Fix undefined secret env. var.</li>
<li>Release notes for 4.3.1</li>
<li>GHA: Fix make_email-body script reference</li>
<li>Add release keys to README</li>
<li>GHA: Fix typo setting output parameter</li>
<li>GHA: Fix typo.</li>
<li>New tool, docs/version-check</li>
<li>Formalize our compare-against-docker mechanism</li>
<li>Add restart-sec for container service files</li>
<li>test/tools: bump module to go 1.17</li>
<li>contrib/cirrus/check_go_changes.sh: ignore test/tools/vendor</li>
<li>build(deps): bump golang.org/x/tools from 0.1.12 to 0.2.0 in /test/tools</li>
<li>libpod: Add FreeBSD support in packageVersion</li>
<li>Allow podman manifest push --purge|-p as alias for --rm</li>
<li>[CI:DOCS] Add performance tutorial</li>
<li>[CI:DOCS] Fix build targets in build_osx.md.</li>
<li>fix --format {{json .}} output to match docker</li>
<li>remote: fix manifest add --annotation</li>
<li>Skip test if <code>--events-backend</code> is necessary with podman-remote</li>
<li>kube play: update the handling of PersistentVolumeClaim</li>
<li>system tests: fix a system test in proxy environment</li>
<li>Use single unqualified search registry on Windows</li>
<li>test/system: Add, use tcp_port_probe() to check for listeners rather than binds</li>
<li>test/system: Add tests for pasta(1) connectivity</li>
<li>test/system: Move network-related helpers to helpers.network.bash</li>
<li>test/system: Use procfs to find bound ports, with optional address and protocol</li>
<li>test/system: Use port_is_free() from wait_for_port()</li>
<li>libpod: Add pasta networking mode</li>
<li>More log-flake work</li>
<li>Fix test flakes caused by improper podman-logs</li>
<li>fix incorrect systemd booted check</li>
<li>Cirrus: Add tests for GHA scripts</li>
<li>GHA: Update scripts to pass shellcheck</li>
<li>Cirrus: Shellcheck github-action scripts</li>
<li>Cirrus: shellcheck support for github-action scripts</li>
<li>GHA: Fix cirrus-cron scripts</li>
<li>Makefile: don't install to tmpfiles.d on FreeBSD</li>
<li>Make sure we can build and read each line of docker py's api client</li>
<li>Docker compat build api - make sure only one line appears per flush</li>
<li>Run codespell on code</li>
<li>Update vendor of containers/(image, storage, common)</li>
<li>Allow namespace path network option for pods.</li>
<li>Cirrus: Never skip running Windows Cross task</li>
<li>GHA: Auto. re-run failed cirrus-cron builds once</li>
<li>GHA: Migrate inline script to file</li>
<li>GHA: Simplify script reference</li>
<li>test/e2e: do not use apk in builds</li>
<li>remove container/pod id file along with container/pod</li>
<li>Cirrus: Synchronize windows image</li>
<li>Add --insecure,--tls-verify,--verbose flags to podman manifest inspect</li>
<li>runtime: add check for valid pod systemd cgroup</li>
<li>CI: set and verify DESIRED_NETWORK (netavark, cni)</li>
<li>[CI:DOCS] troubleshooting: document keep-id options</li>
<li>Man pages: refactor common options: --security-opt</li>
<li>Cirrus: Guarantee CNI testing w/o nv/av present</li>
<li>Cirrus: temp. disable all Ubuntu testing</li>
<li>Cirrus: Update to F37beta</li>
<li>buildah bud tests: better handling of remote</li>
<li>quadlet: Warn in generator if using short names</li>
<li>Add Windows Smoke Testing</li>
<li>Add podman kube apply command</li>
<li>docs: offer advice on installing test dependencies</li>
<li>Fix documentation on read-only-tmpfs</li>
<li>version bump to 4.4.0-dev</li>
<li>deps: bump go-criu to v6</li>
<li>Makefile: Add cross build targets for freebsd</li>
<li>pkg/machine: Make this build on FreeBSD/arm64</li>
<li>pkg/rctl: Remove unused cgo dependency</li>
<li>man pages: assorted underscore fixes</li>
<li>Upgrade GitHub actions packages from v2 to v3</li>
<li>vendor github.com/godbus/dbus/v5@4b691ce</li>
<li>[CI:DOCS] fix --tmpdir typos</li>
<li>Do not report that /usr/share/containers/storage.conf has been edited.</li>
<li>Eval symlinks on XDG_RUNTIME_DIR</li>
<li>hack/podmansnoop</li>
<li>rootless: support keep-id with one mapping</li>
<li>rootless: add argument to GetConfiguredMappings</li>
<li>Update vendor containers/(common,storage,buildah,image)</li>
<li>Fix deadlock between 'podman ps' and 'container inspect' commands</li>
<li>Add information about where the libpod/boltdb database lives</li>
<li>Consolidate the dependencies for the IsTerminal() API</li>
<li>Ensure that StartAndAttach locks while sending signals</li>
<li>ginkgo testing: fix podman usernamespace join</li>
<li>Test runners: nuke podman from $PATH before tests</li>
<li>volumes: Fix idmap not working for volumes</li>
<li>FIXME: Temporary workaround for ubi8 CI breakage</li>
<li>System tests: teardown: clean up volumes</li>
<li>update api versions on docs.podman.io</li>
<li>system tests: runlabel: use podman-under-test</li>
<li>system tests: podman network create: use random port</li>
<li>sig-proxy test: bump timeout</li>
<li>play kube: Allow the user to import the contents of a tar file into a volume</li>
<li>Clarify the docs on DropCapability</li>
<li>quadlet tests: Disable kmsg logging while testing</li>
<li>quadlet: Support multiple Network=</li>
<li>quadlet: Add support for Network=...</li>
<li>Fix manpage for podman run --network option</li>
<li>quadlet: Add support for AddDevice=</li>
<li>quadlet: Add support for setting seccomp profile</li>
<li>quadlet: Allow multiple elements on each Add/DropCaps line</li>
<li>quadlet: Embed the correct binary name in the generated comment</li>
<li>quadlet: Drop the SocketActivated key</li>
<li>quadlet: Switch log-driver to passthrough</li>
<li>quadlet: Change ReadOnly to default to enabled</li>
<li>quadlet tests: Run the tests even for (expected) failed tests</li>
<li>quadlet tests: Fix handling of stderr checks</li>
<li>Remove unused script file</li>
<li>notifyproxy: fix container watcher</li>
<li>container/pod id file: truncate instead of throwing an error</li>
<li>quadlet: Use the new podman create volume --ignore</li>
<li>Add podman volume create --ignore</li>
<li>logcollector: include aardvark-dns</li>
<li>build(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1</li>
<li>build(deps): bump github.com/BurntSushi/toml from 1.2.0 to 1.2.1</li>
<li>docs: generate systemd: point to kube template</li>
<li>docs: kube play: mention restart policy</li>
<li>Fixes: 15858 (podman system reset --force destroy machine)</li>
<li>fix search flake</li>
<li>use cached containers.conf</li>
<li>adding regex support to the ancestor ps filter function</li>
<li>Fix <code>system df</code> issues with <code>-f</code> and <code>-v</code></li>
<li>markdown-preprocess: cross-reference where opts are used</li>
<li>Default qemu flags for Windows amd64</li>
<li>build(deps): bump golang.org/x/text from 0.3.8 to 0.4.0</li>
<li>Update main to reflect v4.3.0 release</li>
<li>build(deps): bump github.com/docker/docker</li>
<li>move quadlet packages into pkg/systemd</li>
<li>system df: fix image-size calculations</li>
<li>Add man page for quadlet</li>
<li>Fix small typo</li>
<li>testimage: add iproute2 & socat, for pasta networking</li>
<li>Set up minikube for k8s testing</li>
<li>Makefile: don't install systemd generator binaries on FreeBSD</li>
<li>[CI:BUILD] copr: podman rpm should depend on containers-common-extra</li>
<li>Podman image: Set default_sysctls to empty for rootless containers</li>
<li>Don't use github.com/docker/distribution</li>
<li>libpod: Add support for 'podman top' on FreeBSD</li>
<li>libpod: Factor out jail name construction from stats_freebsd.go</li>
<li>pkg/util: Add pid information descriptors for FreeBSD</li>
<li>Initial quadlet version integrated in golang</li>
<li>bump golangci-lint to v1.49.0</li>
<li>Update vendor containers/(common,image,storage)</li>
<li>Allow volume mount dups, iff source and dest dirs</li>
<li>rootless: fix return value handling</li>
<li>Change to correct break statements</li>
<li>vendor containers/psgo@v1.8.0</li>
<li>Clarify that MacOSX docs are client specific</li>
<li>libpod: Factor out the call to PidFdOpen from (*Container).WaitForExit</li>
<li>Add swagger install + allow version updates in CI</li>
<li>Cirrus: Fix windows clone race</li>
<li>build(deps): bump github.com/docker/docker</li>
<li>kill: wait for the container</li>
<li>generate systemd: set --stop-timeout for stopping containers</li>
<li>hack/tree_status.sh: print diff at the end</li>
<li>Fix markdown header typo</li>
<li>markdown-preprocess: add generic include mechanism</li>
<li>markdown-preprocess: almost complete OO rewrite</li>
<li>Update tests for changed error messages</li>
<li>Update c/image after https://github.com/containers/image/pull/1299</li>
<li>Man pages: refactor common options (misc)</li>
<li>Man pages: Refactor common options: --detach-keys</li>
<li>vendor containers/storage@main</li>
<li>Man pages: refactor common options: --attach</li>
<li>build(deps): bump github.com/fsnotify/fsnotify from 1.5.4 to 1.6.0</li>
<li>KillContainer: improve error message</li>
<li>docs: add missing options</li>
<li>Man pages: refactor common options: --annotation (manifest)</li>
<li>build(deps): bump github.com/spf13/cobra from 1.5.0 to 1.6.0</li>
<li>system tests: health-on-failure: fix broken logic</li>
<li>build(deps): bump golang.org/x/text from 0.3.7 to 0.3.8</li>
<li>build(deps): bump github.com/onsi/gomega from 1.20.2 to 1.22.1</li>
<li>ContainerEngine.SetupRootless(): Avoid calling container.Config()</li>
<li>Container filters: Avoid use of ctr.Config()</li>
<li>Avoid unnecessary calls to Container.Spec()</li>
<li>Add and use Container.LinuxResource() helper</li>
<li>play kube: notifyproxy: listen before starting the pod</li>
<li>play kube: add support for configmap binaryData</li>
<li>Add and use libpod/Container.Terminal() helper</li>
<li>Revert "Add checkpoint image tests"</li>
<li>Revert "cmd/podman: add support for checkpoint images"</li>
<li>healthcheck: fix --on-failure=stop</li>
<li>Man pages: Add mention of behavior due to XDG_CONFIG_HOME</li>
<li>build(deps): bump github.com/containers/ocicrypt from 1.1.5 to 1.1.6</li>
<li>Avoid unnecessary timeout of 250msec when waiting on container shutdown</li>
<li>health checks: make on-failure action retry aware</li>
<li>libpod: Remove 100msec delay during shutdown</li>
<li>libpod: Add support for 'podman pod' on FreeBSD</li>
<li>libpod: Factor out cgroup validation from (*Runtime).NewPod</li>
<li>libpod: Move runtime_pod_linux.go to runtime_pod_common.go</li>
<li>specgen/generate: Avoid a nil dereference in MakePod</li>
<li>libpod: Factor out cgroups handling from (*Pod).refresh</li>
<li>Adds a link to OSX docs in CONTRIBUTING.md</li>
<li>Man pages: refactor common options: --os-version</li>
<li>Create full path to a directory when DirectoryOrCreate is used with play kube</li>
<li>Return error in podman system service if URI scheme is not unix/tcp</li>
<li>Man pages: refactor common options: --time</li>
<li>man pages: document some --format options: images</li>
<li>Clean up when stopping pods</li>
<li>Update vendor of containers/buildah v1.28.0</li>
<li>
<p>Proof of concept: nightly dependency treadmill</p>
</li>
<li>
<p>Make the priority for picking the storage driver configurable (bsc#1197093)</p>
</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE Important update, use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively, you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
openSUSE Leap Micro 5.3
<br/>
<code>zypper in -t patch openSUSE-Leap-Micro-5.3-2023-1814=1</code>
</li>
<li class="list-group-item">
openSUSE Leap 15.4
<br/>
<code>zypper in -t patch openSUSE-SLE-15.4-2023-1814=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Micro for Rancher 5.3
<br/>
<code>zypper in -t patch SUSE-SLE-Micro-5.3-2023-1814=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Micro 5.3
<br/>
<code>zypper in -t patch SUSE-SLE-Micro-5.3-2023-1814=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Micro for Rancher 5.4
<br/>
<code>zypper in -t patch SUSE-SLE-Micro-5.4-2023-1814=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Micro 5.4
<br/>
<code>zypper in -t patch SUSE-SLE-Micro-5.4-2023-1814=1</code>
</li>
<li class="list-group-item">
Containers Module 15-SP4
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Containers-15-SP4-2023-1814=1</code>
</li>
</ul>
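<p>
As an added check that is not part of this advisory: after running the patch command for your product, confirm that the installed podman build is at or above the fixed version listed in the Package List below. The script is example code written for this page, not a SUSE tool; it assumes the fixed version string <code>4.4.4-150400.4.16.1</code> from the Package List, and its <code>ver_ge</code> function is a simplified RPM-style version compare (it splits on dots and dashes and compares segment by segment) rather than rpm's full rpmvercmp, so it does not handle epochs or tilde pre-release markers. On a SUSE host the authoritative comparison is <code>zypper versioncmp</code>.
</p>

```shell
#!/bin/sh
# Added example (not part of the SUSE advisory): check whether the installed
# podman package already contains update SUSE-SU-2023:1814-1.
# Assumption: FIXED_PODMAN is the VERSION-RELEASE from the advisory's
# Package List; the comparison below is a simplified RPM-style segment
# compare, not rpm's full rpmvercmp (no epoch or tilde handling).

FIXED_PODMAN="4.4.4-150400.4.16.1"

# ver_ge A B: exit 0 if version-release A is >= B, 1 otherwise.
# Both strings are split on '.', '-' and '_'; numeric segments compare as
# integers, anything else compares as text; a missing segment counts as 0.
ver_ge() {
    awk -v a="$1" -v b="$2" '
    BEGIN {
        na = split(a, A, /[._-]+/)
        nb = split(b, B, /[._-]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i in A) ? A[i] : "0"
            y = (i in B) ? B[i] : "0"
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) {
                if (x + 0 > y + 0) exit 0
                if (x + 0 < y + 0) exit 1
            } else {
                if (x > y) exit 0
                if (x < y) exit 1
            }
        }
        exit 0
    }'
}

# podman_patched VERSION-RELEASE: report whether the given installed build
# already contains this update. Returns 0 when patched, 1 when an update
# is still needed.
podman_patched() {
    if ver_ge "$1" "$FIXED_PODMAN"; then
        echo "podman $1: at or above $FIXED_PODMAN (patched)"
        return 0
    fi
    echo "podman $1: below $FIXED_PODMAN (update needed)"
    return 1
}

# Live check on a SUSE host; skipped where rpm or the podman package is
# absent so the script can also be run elsewhere. Applying the fix still
# requires the product-specific "zypper in -t patch" command listed above.
if command -v rpm >/dev/null 2>&1 && rpm -q podman >/dev/null 2>&1; then
    podman_patched "$(rpm -q --qf '%{VERSION}-%{RELEASE}' podman)"
fi
```

<p>
The two functions are separated so that the comparison can be exercised with constructed version strings; on a real host only the last block runs, reading the installed build with <code>rpm -q --qf '%{VERSION}-%{RELEASE}' podman</code>. For the remote client and the noarch <code>podman-cni-config</code> and <code>podman-docker</code> packages, repeat the query with those package names, since they carry the same fixed VERSION-RELEASE in the Package List.
</p>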
<h2>Package List:</h2>
<ul>
<li>
openSUSE Leap Micro 5.3 (aarch64 x86_64)
<ul>
<li>podman-debuginfo-4.4.4-150400.4.16.1</li>
<li>podman-4.4.4-150400.4.16.1</li>
</ul>
</li>
<li>
openSUSE Leap Micro 5.3 (noarch)
<ul>
<li>podman-cni-config-4.4.4-150400.4.16.1</li>
</ul>
</li>
<li>
openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
<ul>
<li>podman-remote-4.4.4-150400.4.16.1</li>
<li>podman-remote-debuginfo-4.4.4-150400.4.16.1</li>
<li>podman-debuginfo-4.4.4-150400.4.16.1</li>
<li>podman-4.4.4-150400.4.16.1</li>
</ul>
</li>
<li>
openSUSE Leap 15.4 (noarch)
<ul>
<li>podman-cni-config-4.4.4-150400.4.16.1</li>
<li>podman-docker-4.4.4-150400.4.16.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 s390x x86_64)
<ul>
<li>podman-debuginfo-4.4.4-150400.4.16.1</li>
<li>podman-4.4.4-150400.4.16.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Micro for Rancher 5.3 (noarch)
<ul>
<li>podman-cni-config-4.4.4-150400.4.16.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Micro 5.3 (aarch64 s390x x86_64)
<ul>
<li>podman-debuginfo-4.4.4-150400.4.16.1</li>
<li>podman-4.4.4-150400.4.16.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Micro 5.3 (noarch)
<ul>
<li>podman-cni-config-4.4.4-150400.4.16.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 s390x x86_64)
<ul>
<li>podman-debuginfo-4.4.4-150400.4.16.1</li>
<li>podman-4.4.4-150400.4.16.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Micro for Rancher 5.4 (noarch)
<ul>
<li>podman-cni-config-4.4.4-150400.4.16.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Micro 5.4 (aarch64 s390x x86_64)
<ul>
<li>podman-debuginfo-4.4.4-150400.4.16.1</li>
<li>podman-4.4.4-150400.4.16.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Micro 5.4 (noarch)
<ul>
<li>podman-cni-config-4.4.4-150400.4.16.1</li>
</ul>
</li>
<li>
Containers Module 15-SP4 (aarch64 ppc64le s390x x86_64)
<ul>
<li>podman-remote-4.4.4-150400.4.16.1</li>
<li>podman-remote-debuginfo-4.4.4-150400.4.16.1</li>
<li>podman-debuginfo-4.4.4-150400.4.16.1</li>
<li>podman-4.4.4-150400.4.16.1</li>
</ul>
</li>
<li>
Containers Module 15-SP4 (noarch)
<ul>
<li>podman-cni-config-4.4.4-150400.4.16.1</li>
<li>podman-docker-4.4.4-150400.4.16.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2023-0778.html">https://www.suse.com/security/cve/CVE-2023-0778.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1197093">https://bugzilla.suse.com/show_bug.cgi?id=1197093</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1208364">https://bugzilla.suse.com/show_bug.cgi?id=1208364</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1208510">https://bugzilla.suse.com/show_bug.cgi?id=1208510</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1209495">https://bugzilla.suse.com/show_bug.cgi?id=1209495</a>
</li>
</ul>
</div>