-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0933
              SUSE-SU-2020:0697-1 Security update for podman
                               17 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           cni
                   cni-plugins
                   conmon
                   fuse-overlayfs
                   podman
Publisher:         SUSE
Operating System:  SUSE
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-18466  

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2020/suse-su-20200697-1.html

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than SUSE. It is recommended that administrators 
         running cni, cni-plugins, conmon, fuse-overlayfs or podman check for
         an updated version of the software for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for cni, cni-plugins, conmon, fuse-overlayfs, podman

______________________________________________________________________________

Announcement ID:   SUSE-SU-2020:0697-1
Rating:            moderate
References:        #1155217 #1160460 #1164390
Cross-References:  CVE-2019-18466
Affected Products:
                   SUSE Linux Enterprise Module for Public Cloud 15-SP1
                   SUSE Linux Enterprise Module for Containers 15-SP1
______________________________________________________________________________


An update that solves one vulnerability and has two fixes is now available.

Description:

This update for cni, cni-plugins, conmon, fuse-overlayfs, podman fixes the
following issues:
podman was updated to 1.8.0:

  o CVE-2019-18466: Fixed a bug where podman cp would improperly copy files on
    the host when copying a symlink in the container that included a glob
    operator (#3829 bsc#1155217)


  o The name of the cni-bridge in the default config changed from "cni0" to
    "podman-cni0" with podman-1.6.0. Add a %trigger to rename the bridge in the
    system to the new default if it exists. The trigger is only executed when
    updating podman-cni-config from something older than 1.6.0. This is mainly
    needed for SLE where we're updating from 1.4.4 to 1.8.0 (bsc#1160460).
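The CVE-2019-18466 entry above concerns podman cp expanding glob characters found in a container symlink target against the host filesystem. The Go example below is added here and is not podman's code or SUSE's fix: it shows the defensive pattern of resolving a container path by re-rooting every symlink target under the container's root and matching its components literally, so a target such as /etc/pass* can never become a host-side glob. resolveInRoot, insideRoot and the constructed sample links are assumptions made for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveInRoot resolves containerPath against the directory tree rooted at
// root (the container's mounted root filesystem). Unlike a naive
// filepath.EvalSymlinks on the joined path, every symlink target is
// re-rooted under root and treated as literal path components: a link
// pointing at "/etc/pass*" yields "<root>/etc/pass*", never a host-side glob.
// The returned path is always root or a descendant of it.
// (Illustrative helper, not podman's implementation.)
func resolveInRoot(root, containerPath string) (string, error) {
	sep := string(filepath.Separator)
	root = filepath.Clean(root)
	resolved := root
	// Cleaning "/"+path collapses "." and ".." before we start walking.
	remaining := strings.Split(strings.Trim(filepath.Clean("/"+containerPath), sep), sep)
	const maxLinks = 40 // bound on symlink hops, guards against link loops
	links := 0

	for len(remaining) > 0 {
		comp := remaining[0]
		remaining = remaining[1:]
		switch comp {
		case "", ".":
			continue
		case "..":
			// ".." can appear from a relative link target; never climb above root.
			if resolved != root {
				resolved = filepath.Dir(resolved)
			}
			continue
		}
		next := filepath.Join(resolved, comp)
		fi, err := os.Lstat(next)
		if err != nil {
			if !errors.Is(err, os.ErrNotExist) {
				return "", err
			}
			// Missing component (e.g. a copy destination): keep joining literally.
			resolved = next
			continue
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			links++
			if links > maxLinks {
				return "", fmt.Errorf("too many symlinks while resolving %q", containerPath)
			}
			target, err := os.Readlink(next)
			if err != nil {
				return "", err
			}
			if filepath.IsAbs(target) {
				// Absolute targets are relative to the container root, not the host.
				resolved = root
			}
			// Push the target's components in front of what is still to be walked;
			// they are matched literally, so glob metacharacters stay inert.
			tcomps := strings.Split(filepath.Clean(target), sep)
			remaining = append(tcomps, remaining...)
			continue
		}
		resolved = next
	}
	if !insideRoot(root, resolved) {
		return "", fmt.Errorf("resolved path %q escapes root %q", resolved, root)
	}
	return resolved, nil
}

// insideRoot reports whether p equals root or lies beneath it.
func insideRoot(root, p string) bool {
	root, p = filepath.Clean(root), filepath.Clean(p)
	return p == root || strings.HasPrefix(p, root+string(filepath.Separator))
}

func main() {
	// Constructed sample: a throwaway "container root" holding two symlinks.
	root, err := os.MkdirTemp("", "ctr-root-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	_ = os.MkdirAll(filepath.Join(root, "app"), 0o755)
	_ = os.Symlink("/etc/pass*", filepath.Join(root, "app", "glob"))               // glob in target
	_ = os.Symlink("../../../../etc/passwd", filepath.Join(root, "app", "escape")) // tries to climb out

	for _, p := range []string{"/app/glob", "app/escape", "/app/../app/glob/sub"} {
		got, err := resolveInRoot(root, p)
		fmt.Printf("%-22s -> %s (inside root: %v, err: %v)\n", p, got, insideRoot(root, got), err)
	}
}
```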


Update podman to v1.8.0 (bsc#1160460):

  o Features


    - The podman system service command has been added, providing a preview of Podman's new Docker-compatible API. This API is still very new, and not yet ready for production use, but is available for early testing
    - Rootless Podman now uses Rootlesskit for port forwarding, which should greatly improve performance and capabilities
    - The podman untag command has been added to remove tags from images without deleting them
    - The podman inspect command on images now displays previous names they used
    - The podman generate systemd command now supports a --new option to generate service files that create and run new containers instead of managing existing containers
    - Support for --log-opt tag= to set logging tags has been added to the journald log driver
    - Added support for using Seccomp profiles embedded in images for podman run and podman create via the new --seccomp-policy CLI flag
    - The podman play kube command now honors pull policy

  o Bugfixes


    - Fixed a bug where the podman cp command would not copy the contents of directories when paths ending in /. were given
    - Fixed a bug where the podman play kube command did not properly locate Seccomp profiles specified relative to localhost
    - Fixed a bug where the podman info command for remote Podman did not show registry information
    - Fixed a bug where the podman exec command did not support having input piped into it
    - Fixed a bug where the podman cp command with rootless Podman on CGroups v2 systems did not properly determine if the container could be paused while copying
    - Fixed a bug where the podman container prune --force command could possibly remove running containers if they were started while the command was running
    - Fixed a bug where Podman, when run as root, would not properly configure slirp4netns networking when requested
    - Fixed a bug where podman run --userns=keep-id did not work when the user had a UID over 65535
    - Fixed a bug where rootless podman run and podman create with the --userns=keep-id option could change permissions on /run/user/$UID and break KDE
    - Fixed a bug where rootless Podman could not be run in a systemd service on systems using CGroups v2
    - Fixed a bug where podman inspect would show CPUShares as 0, instead of the default (1024), when it was not explicitly set
    - Fixed a bug where podman-remote push would segfault
    - Fixed a bug where image healthchecks were not shown in the output of podman inspect
    - Fixed a bug where named volumes created with containers from pre-1.6.3 releases of Podman would be autoremoved with their containers if the --rm flag was given, even if they were given names
    - Fixed a bug where podman history was not computing image sizes correctly
    - Fixed a bug where Podman would not error on invalid values to the --sort flag to podman images
    - Fixed a bug where providing a name for the image made by podman commit was mandatory, not optional as it should be
    - Fixed a bug where the remote Podman client would append an extra " to %PATH
    - Fixed a bug where the podman build command would sometimes ignore the -f option and build the wrong Containerfile
    - Fixed a bug where the podman ps --filter command would only filter running containers, instead of all containers, if --all was not passed
    - Fixed a bug where the podman load command on compressed images would leave an extra copy on disk
    - Fixed a bug where the podman restart command would not properly clean up the network, causing it to function differently from podman stop; podman start
    - Fixed a bug where setting the --memory-swap flag to podman create and podman run to -1 (to indicate unlimited) was not supported

  o Misc


    - Initial work on version 2 of the Podman remote API has been merged, but is still in an alpha state and not ready for use
    - Many formatting corrections have been made to the manpages
    - The changes to address (#5009) may cause anonymous volumes created by Podman versions 1.6.3 to 1.7.0 to not be removed when their container is removed
    - Updated vendored Buildah to v1.13.1
    - Updated vendored containers/storage to v1.15.8
    - Updated vendored containers/image to v5.2.0

  o Add apparmor-abstractions as required runtime dependency to have `tunables/
    global` available.


  o Fixed the --force flag for the "container prune" command
    (https://github.com/containers/libpod/issues/4844).


Update podman to v1.7.0

  o Features


    - Added support for setting a static MAC address for containers
    - Added support for creating macvlan networks with podman network create, allowing Podman containers to be attached directly to networks the host is connected to
    - The podman image prune and podman container prune commands now support the --filter flag to filter what will be pruned, and now prompt for confirmation when run without --force (#4410 and #4411)
    - Podman now creates CGroup namespaces by default on systems using CGroups v2 (#4363)
    - Added the podman system reset command to remove all Podman files and perform a factory reset of the Podman installation
    - Added the --history flag to podman images to display previous names used by images (#4566)
    - Added the --ignore flag to podman rm and podman stop to not error when requested containers no longer exist
    - Added the --cidfile flag to podman rm and podman stop to read the IDs of containers to be removed or stopped from a file
    - The podman play kube command now honors Seccomp annotations (#3111)
    - The podman play kube command now honors RunAsUser, RunAsGroup, and selinuxOptions
    - The output format of the podman version command has been changed to better match docker version when using the --format flag
    - Rootless Podman will no longer initialize containers/storage twice, removing a potential deadlock preventing Podman commands from running while an image was being pulled (#4591)
    - Added tmpcopyup and notmpcopyup options to the --tmpfs and --mount type=tmpfs flags to podman create and podman run to control whether the content of directories is copied into tmpfs filesystems mounted over them
    - Added support for disabling detaching from containers by setting empty detach keys via --detach-keys=""
    - The podman build command now supports the --pull and --pull-never flags to control when images are pulled during a build
    - The podman ps -p command now shows the name of the pod as well as its ID (#4703)
    - The podman inspect command on containers will now display the command used to create the container
    - The podman info command now displays information on registry mirrors (#4553)

  o Bugfixes


    - Fixed a bug where Podman would use an incorrect runtime directory as root, causing state to be deleted after root logged out and making Podman in systemd services not function properly
    - Fixed a bug where the --change flag to podman import and podman commit was not being parsed properly in many cases
    - Fixed a bug where detach keys specified in libpod.conf were not used by the podman attach and podman exec commands, which always used the global default ctrl-p,ctrl-q key combination (#4556)
    - Fixed a bug where rootless Podman was not able to run podman pod stats even on CGroups v2 enabled systems (#4634)
    - Fixed a bug where rootless Podman would fail on kernels without the renameat2 syscall (#4570)
    - Fixed a bug where containers with chained network namespace dependencies (i.e., container A using --net container=B and container B using --net container=C) would not properly mount /etc/hosts and /etc/resolv.conf into the container (#4626)
    - Fixed a bug where podman run with the --rm flag and without -d could, when run in the background, throw a 'container does not exist' error when attempting to remove the container after it exited
    - Fixed a bug where named volume locks were not properly reacquired after a reboot, potentially leading to deadlocks when trying to start containers using the volume (#4605 and #4621)
    - Fixed a bug where Podman could not completely remove containers if sent SIGKILL during removal, leaving the container name unusable without the podman rm --storage command to complete removal (#3906)
    - Fixed a bug where checkpointing containers started with --rm was allowed when --export was not specified (the container, and checkpoint, would be removed after checkpointing was complete by --rm) (#3774)
    - Fixed a bug where the podman pod prune command would fail if containers were present in the pods and the --force flag was not passed (#4346)
    - Fixed a bug where containers could not set a static IP or static MAC address if they joined a non-default CNI network (#4500)
    - Fixed a bug where podman system renumber would always throw an error if a container was mounted when it was run
    - Fixed a bug where podman container restore would fail with containers using a user namespace
    - Fixed a bug where rootless Podman would attempt to use the journald events backend even on systems without systemd installed
    - Fixed a bug where podman history would sometimes not properly identify the IDs of layers in an image (#3359)
    - Fixed a bug where containers could not be restarted when Conmon v2.0.3 or later was used
    - Fixed a bug where Podman did not check image OS and Architecture against the host when starting a container
    - Fixed a bug where containers in pods did not function properly with the Kata OCI runtime (#4353)
    - Fixed a bug where `podman info --format '{{ json . }}'` would not produce JSON output (#4391)
    - Fixed a bug where Podman would not verify if files passed to --authfile existed (#4328)
    - Fixed a bug where podman images --digest would not always print digests when they were available
    - Fixed a bug where rootless podman run could hang due to a race with reading and writing events
    - Fixed a bug where rootless Podman would print warning-level logs despite not being instructed to do so (#4456)
    - Fixed a bug where podman pull would attempt to fetch from remote registries when pulling an unqualified image using the docker-daemon transport (#4434)
    - Fixed a bug where podman cp would not work if STDIN was a pipe
    - Fixed a bug where podman exec could stop accepting input if anything was typed between the command being run and the exec session starting (#4397)
    - Fixed a bug where podman logs --tail 0 would print all lines of a container's logs, instead of no lines (#4396)
    - Fixed a bug where the timeout for slirp4netns was incorrectly set, resulting in an extremely long timeout (#4344)
    - Fixed a bug where the podman stats command would print CPU utilization figures incorrectly (#4409)
    - Fixed a bug where the podman inspect --size command would not print the size of the container's read/write layer if the size was 0 (#4744)
    - Fixed a bug where the podman kill command was not properly validating signals before use (#4746)
    - Fixed a bug where the --quiet and --format flags to podman ps could not be used at the same time
    - Fixed a bug where the podman stop command was not stopping exec sessions when a container was created without a PID namespace (--pid=host)
    - Fixed a bug where the podman pod rm --force command was not removing anonymous volumes for containers that were removed
    - Fixed a bug where the podman checkpoint command would not export all changes to the root filesystem of the container if performed more than once on the same container (#4606)
    - Fixed a bug where containers started with --rm would not be automatically removed on being stopped if an exec session was running inside the container (#4666)

  o Misc


    - The fixes to the runtime directory path as root can cause strange behavior if an upgrade is performed while containers are running
    - Updated vendored Buildah to v1.12.0
    - Updated vendored containers/storage library to v1.15.4
    - Updated vendored containers/image library to v5.1.0
    - Kata Containers runtimes (kata-runtime, kata-qemu, and kata-fc) are now present in the default libpod.conf, but will not be available unless Kata Containers is installed on the system
    - Podman previously did not allow the creation of containers with a memory limit lower than 4MB. This restriction has been removed, as the crun runtime can create containers with significantly less memory

Update podman to v1.6.4

  o Remove winsz FIFO on container restart to allow use with Conmon 2.03 and
    higher
  o Ensure volumes reacquire locks on system restart, preventing deadlocks when
    starting containers
  o Suppress spurious log messages when running rootless Podman
  o Update vendored containers/storage to v1.13.6
  o Fix a deadlock related to writing events
  o Do not use the journald event logger when it is not available


Update podman to v1.6.2

  o Features


    - Added a --runtime flag to podman system migrate to allow the OCI runtime for all containers to be reset, to ease transition to the crun runtime on CGroups V2 systems until runc gains full support
    - The podman rm command can now remove containers in broken states which previously could not be removed
    - The podman info command, when run without root, now shows information on UID and GID mappings in the rootless user namespace
    - Added podman build --squash-all flag, which squashes all layers (including those of the base image) into one layer
    - The --systemd flag to podman run and podman create now accepts a string argument and allows a new value, always, which forces systemd support without checking if the container entrypoint is systemd

  o Bugfixes


    - Fixed a bug where the podman top command did not work on systems using CGroups V2 (#4192)
    - Fixed a bug where rootless Podman could double-close a file, leading to a panic
    - Fixed a bug where rootless Podman could fail to retrieve some containers while refreshing the state
    - Fixed a bug where podman start --attach --sig-proxy=false would still proxy signals into the container
    - Fixed a bug where Podman would unconditionally use a non-default path for authentication credentials (auth.json), breaking podman login integration with skopeo and other tools using the containers/image library
    - Fixed a bug where podman ps --format=json and podman images --format=json would display null when no results were returned, instead of valid JSON
    - Fixed a bug where podman build --squash was incorrectly squashing all layers into one, instead of only new layers
    - Fixed a bug where rootless Podman would allow volumes with options to be mounted (mounting volumes requires root), creating an inconsistent state where volumes reported as mounted but were not (#4248)
    - Fixed a bug where volumes which failed to unmount could not be removed (#4247)
    - Fixed a bug where Podman incorrectly handled some errors relating to unmounted or missing containers in containers/storage
    - Fixed a bug where podman stats was broken on systems running CGroups V2 when run rootless (#4268)
    - Fixed a bug where the podman start command would print the short container ID, instead of the full ID
    - Fixed a bug where containers created with an OCI runtime that is no longer available (uninstalled or removed from the config file) would not appear in podman ps and could not be removed via podman rm
    - Fixed a bug where containers restored via podman container restore --import would retain the CGroup path of the original container, even if their container ID changed; thus, multiple containers created from the same checkpoint would all share the same CGroup

  o Misc


    - The default PID limit for containers is now set to 4096. It can be adjusted back to the old default (unlimited) by passing --pids-limit 0 to podman create and podman run
    - The podman start --attach command now automatically attaches STDIN if the container was created with -i
    - The podman network create command now validates network names using the same regular expression as container and pod names
    - The --systemd flag to podman run and podman create will now only enable systemd mode when the binary being run inside the container is /sbin/init, /usr/sbin/init, or ends in systemd (previously detected any path ending in init or systemd)
    - Updated vendored Buildah to 1.11.3
    - Updated vendored containers/storage to 1.13.5
    - Updated vendored containers/image to 4.0.1

Update podman to v1.6.1

  o Features


    - The podman network create, podman network rm, podman network inspect, and podman network ls commands have been added to manage CNI networks used by Podman
    - The podman volume create command can now create and mount volumes with options, allowing volumes backed by NFS, tmpfs, and many other filesystems
    - Podman can now run containers without CGroups for better integration with systemd by using the --cgroups=disabled flag with podman create and podman run. This is presently only supported with the crun OCI runtime
    - The podman volume rm and podman volume inspect commands can now refer to volumes by an unambiguous partial name, in addition to full name (e.g. podman volume rm myvol to remove a volume named myvolume) (#3891)
    - The podman run and podman create commands now support the --pull flag to allow forced re-pulling of images (#3734)
    - Mounting volumes into a container using --volume, --mount, and --tmpfs now allows the suid, dev, and exec mount options (the inverse of nosuid, nodev, noexec) (#3819)
    - Mounting volumes into a container using --mount now allows the relabel=Z and relabel=z options to relabel mounts
    - The podman push command now supports the --digestfile option to save a file containing the pushed digest
    - Pods can now have their hostname set via podman pod create --hostname or by providing Pod YAML with a hostname set to podman play kube (#3732)
    - The podman image sign command now supports the --cert-dir flag
    - The podman run and podman create commands now support the --security-opt label=filetype:$LABEL flag to set the SELinux label for container files
    - The remote Podman client now supports healthchecks

  o Bugfixes


    - Fixed a bug where remote podman pull would panic if a Varlink connection was not available (#4013)
    - Fixed a bug where podman exec would not properly set terminal size when creating a new exec session (#3903)
    - Fixed a bug where podman exec would not clean up socket symlinks on the host (#3962)
    - Fixed a bug where Podman could not run systemd in containers that created a CGroup namespace
    - Fixed a bug where podman prune -a would attempt to prune images used by Buildah and CRI-O, causing errors (#3983)
    - Fixed a bug where improper permissions on the ~/.config directory could cause rootless Podman to use an incorrect directory for storing some files
    - Fixed a bug where the bash completions for podman import threw errors
    - Fixed a bug where Podman volumes created with podman volume create would not copy the contents of their mountpoint the first time they were mounted into a container (#3945)
    - Fixed a bug where rootless Podman could not run podman exec when the container was not run inside a CGroup owned by the user (#3937)
    - Fixed a bug where podman play kube would panic when given Pod YAML without a securityContext (#3956)
    - Fixed a bug where Podman would place files incorrectly when storage.conf configuration items were set to the empty string (#3952)
    - Fixed a bug where podman build did not correctly inherit Podman's CGroup configuration, causing crashes on CGroups V2 systems (#3938)
    - Fixed a bug where remote podman run --rm would exit before the container was completely removed, allowing race conditions when removing container resources (#3870)
    - Fixed a bug where rootless Podman would not properly handle changes to /etc/subuid and /etc/subgid after a container was launched
    - Fixed a bug where rootless Podman could not include some devices in a container using the --device flag (#3905)
    - Fixed a bug where the commit Varlink API would segfault if provided incorrect arguments (#3897)
    - Fixed a bug where temporary files were not properly cleaned up after a build using remote Podman (#3869)
    - Fixed a bug where podman remote cp crashed instead of reporting it was not yet supported (#3861)
    - Fixed a bug where podman exec would run as the wrong user when execing into a container that was started from an image with Dockerfile USER (or a user specified via podman run --user) (#3838)
    - Fixed a bug where images pulled using the oci: transport would be improperly named
    - Fixed a bug where podman varlink would hang when managed by systemd due to SD_NOTIFY support conflicting with Varlink (#3572)
    - Fixed a bug where mounts to the same destination would sometimes not trigger a conflict, causing a race as to which was actually mounted
    - Fixed a bug where podman exec --preserve-fds caused Podman to hang (#4020)
    - Fixed a bug where removing a container that was unmounted might sometimes not properly clean up the container (#4033)
    - Fixed a bug where the Varlink server would freeze when run in a systemd unit file (#4005)
    - Fixed a bug where Podman would not properly set the $HOME environment variable when the OCI runtime did not set it
    - Fixed a bug where rootless Podman would incorrectly print warning messages when an OCI runtime was not found (#4012)
    - Fixed a bug where named volumes would conflict with, instead of overriding, tmpfs filesystems added by the --read-only-tmpfs flag to podman create and podman run
    - Fixed a bug where podman cp would incorrectly make the target directory when copying to a symlink which pointed to a nonexistent directory (#3894)
    - Fixed a bug where remote Podman would incorrectly read STDIN when the -i flag was not set (#4095)
    - Fixed a bug where podman play kube would create an empty pod when given an unsupported YAML type (#4093)
    - Fixed a bug where podman import --change improperly parsed CMD (#4000)
    - Fixed a bug where rootless Podman on systems using CGroups V2 would not function with the cgroupfs CGroups manager
    - Fixed a bug where rootless Podman could not correctly identify the DBus session address, causing containers to fail to start (#4162)
    - Fixed a bug where rootless Podman with slirp4netns networking would fail to start containers due to mount leaks

  o Misc


    - Significant changes were made to Podman volumes in this release. If you have pre-existing volumes, it is strongly recommended to run podman system renumber after upgrading.
    - Version 0.8.1 or greater of the CNI Plugins is now required for Podman
    - Version 2.0.1 or greater of Conmon is strongly recommended
    - Updated vendored Buildah to v1.11.2
    - Updated vendored containers/storage library to v1.13.4
    - Improved error messages when trying to create a pod with no name via podman play kube
    - Improved error messages when trying to run podman pause or podman stats on a rootless container on a system without CGroups V2 enabled
    - TMPDIR has been set to /var/tmp by default to better handle large temporary files
    - podman wait has been optimized to detect stopped containers more rapidly
    - Podman containers now include a ContainerManager annotation indicating they were created by libpod
    - The podman info command now includes information about slirp4netns and fuse-overlayfs if they are available
    - Podman no longer sets a default size of 65kb for tmpfs filesystems
    - The default Podman CNI network has been renamed in an attempt to prevent conflicts with CRI-O when both are run on the same system. This should only take effect on system restart
    - The output of podman volume inspect has been more closely matched to docker volume inspect

  o Add katacontainers as a recommended package, and include it as an
    additional OCI runtime in the configuration.


Update podman to v1.5.1

  o Features


    - The hostname of pods is now set to the pod's name

  o Bugfixes


    - Fixed a bug where podman run and podman create did not honor the --authfile option (#3730)
    - Fixed a bug where containers restored with podman container restore --import would incorrectly duplicate the Conmon PID file of the original container
    - Fixed a bug where podman build ignored the default OCI runtime configured in libpod.conf
    - Fixed a bug where podman run --rm (or force-removing any running container with podman rm --force) was not retrieving the correct exit code (#3795)
    - Fixed a bug where Podman would exit with an error if any configured hooks directory was not present
    - Fixed a bug where podman inspect and podman commit would not use the correct CMD for containers run with podman play kube
    - Fixed a bug creating pods when using rootless Podman and CGroups V2 (#3801)
    - Fixed a bug where the podman events command with the --since or --until options could take a very long time to complete

  o Misc


    - Rootless Podman will now inherit OCI runtime configuration from the root configuration (#3781)
    - Podman now properly sets a user agent while contacting registries (#3788)

  o Add zsh completion for podman commands


Update podman to v1.5.0

  o Features


    - Podman containers can now join the user namespaces of other containers with --userns=container:$ID, or a user namespace at an arbitrary path with --userns=ns:$PATH
    - Rootless Podman can experimentally squash all UIDs and GIDs in an image to a single UID and GID (which does not require use of the newuidmap and newgidmap executables) by passing --storage-opt ignore_chown_errors
    - The podman generate kube command now produces YAML for any bind mounts the container has created (#2303)
    - The podman container restore command now features a new flag, --ignore-static-ip, that can be used with --import to import a single container with a static IP multiple times on the same host
    - Added the ability for podman events to output JSON by specifying --format=json
    - If the OCI runtime or conmon binary cannot be found at the paths specified in libpod.conf, Podman will now also search for them in the calling user's path
    - Added the ability to use podman import with URLs (#3609)
    - The podman ps command now supports filtering names using regular expressions (#3394)
    - Rootless Podman containers with --privileged set will now mount in all host devices that the user can access
    - The podman create and podman run commands now support the --env-host flag to forward all environment variables from the host into the container
    - Rootless Podman now supports healthchecks (#3523)
    - The format of the HostConfig portion of the output of podman inspect on containers has been improved and synced with Docker
    - Podman containers now support CGroup namespaces, and can create them by passing --cgroupns=private to podman run or podman create
    - The podman create and podman run commands now support the --ulimit=host flag, which uses any ulimits currently set on the host for the container
    - The podman rm and podman rmi commands now use different exit codes to indicate 'no such container' and 'container is running' errors
    - Support for CGroups V2 through the crun OCI runtime has been greatly improved, allowing resource limits to be set for rootless containers when the CGroups V2 hierarchy is in use

  o Bugfixes


    - Fixed a bug where a race condition could cause podman restart to fail to start containers with ports
    - Fixed a bug where containers restored from a checkpoint would not properly report the time they were started at
    - Fixed a bug where podman search would return at most 25 results, even when the maximum number of results was set higher
    - Fixed a bug where podman play kube would not honor capabilities set in imported YAML (#3689)
    - Fixed a bug where podman run --env, when passed a single key (to use the value from the host), would set the environment variable in the container even if it was not set on the host (#3648)
    - Fixed a bug where podman commit --changes would not properly set environment variables
    - Fixed a bug where Podman could segfault while working with images with no history
    - Fixed a bug where podman volume rm could remove arbitrary volumes if given an ambiguous name (#3635)
    - Fixed a bug where podman exec invocations leaked memory by not cleaning up files in tmpfs
    - Fixed a bug where the --dns and --net=container flags to podman run and podman create were not mutually exclusive (#3553)
    - Fixed a bug where rootless Podman would be unable to run containers when fewer than 5 UIDs were available
    - Fixed a bug where containers in pods could not be removed without removing the entire pod (#3556)
    - Fixed a bug where Podman would not properly clean up all CGroup controllers for created cgroups when using the cgroupfs CGroup driver
    - Fixed a bug where Podman containers did not properly clean up files in tmpfs, resulting in a memory leak as containers stopped
    - Fixed a bug where healthchecks from images would not use default settings for interval, retries, timeout, and start period when they were not provided by the image (#3525)
    - Fixed a bug where healthchecks using the HEALTHCHECK CMD format were not properly supported (#3507)
    - Fixed a bug where volume mounts using relative source paths would not be properly resolved (#3504)
    - Fixed a bug where podman run did not use authorization credentials when a custom path was specified (#3524)
    - Fixed a bug where containers checkpointed with podman container checkpoint did not properly set their finished time
    - Fixed a bug where running podman inspect on any container not created with podman run or podman create (for example, pod infra containers) would result in a segfault (#3500)
    - Fixed a bug where healthcheck flags for podman create and podman run were incorrectly named (#3455)
    - Fixed a bug where Podman commands would fail to find targets if a partial ID was specified that was ambiguous between a container and pod (#3487)
    - Fixed a bug where restored containers would not have the correct SELinux label
    - Fixed a bug where Varlink endpoints were not working properly if `more` was not correctly specified
    - Fixed a bug where the Varlink PullImage endpoint would crash if an error occurred (#3715)
    - Fixed a bug where the --mount flag to podman create and podman run did not allow boolean arguments for its ro and rw options (#2980)
    - Fixed a bug where pods did not properly share the UTS namespace, resulting in incorrect behavior from some utilities which rely on hostname (#3547)
    - Fixed a bug where Podman would unconditionally append ENTRYPOINT to CMD during podman commit (and when reporting CMD in podman inspect) (#3708)
    - Fixed a bug where podman events with the journald events backend would incorrectly print 6 previous events when only new events were requested (#3616)
    - Fixed a bug where podman port would exit prematurely when a port number was specified (#3747)
    - Fixed a bug where passing . as an argument to the --dns-search flag to podman create and podman run was not properly clearing DNS search domains in the container

  o Misc


  - Updated vendored Buildah to v1.10.1
  - Updated vendored containers/image to v3.0.2
  - Updated vendored containers/storage to v1.13.1
  - Podman now requires conmon v2.0.0 or higher
  - The podman info command now displays the events logger being in use
  - The podman inspect command on containers now includes the ID of the pod a
    container has joined and the PID of the container's conmon process
  - The -v short flag for podman --version has been re-added
  - Error messages from podman pull should be significantly clearer
  - The podman exec command is now available in the remote client
  - The podman-v1.5.0.tar.gz file attached is podman packaged for MacOS. It can
    be installed using Homebrew.

  o Update libpod.conf to support latest path discovery feature for `runc` and
    `conmon` binaries.


conmon was included in version 2.0.10 (bsc#1160460, bsc#1164390, jsc#ECO-1048,
jsc#SLE-11485, jsc#SLE-11331).

fuse-overlayfs was updated to v0.7.6 (bsc#1160460):

  o do not look in lower layers for the ino if there is no origin xattr set
  o attempt to use the file path if the operation on the fd fails with ENXIO
  o do not expose internal xattrs through listxattr and getxattr
  o fix fallocate for deleted files.
  o ignore O_DIRECT. It causes issues with libfuse not using an aligned buffer,
    causing write(2) to fail with EINVAL.
  o on copyup, do not copy the opaque xattr.
  o fix a wrong lookup for whiteout files, that could happen on a double
    unlink.
  o fix possible segmentation fault in direct_fsync()
  o use the data store to create missing whiteouts
  o after a rename, force a directory reload
  o introduce inodes cache
  o correctly read inode for unix sockets
  o avoid hash map lookup when possible
  o use st_dev for the ino key
  o check whether writeback is supported
  o set_attrs: don't require write to S_IFREG
  o ioctl: do not reuse fi->fh for directories
  o fix skip whiteout deletion optimization
  o store the new mode after chmod
  o support fuse writeback cache and enable it by default
  o add option to disable fsync
  o add option to disable xattrs
  o add option to skip ino number check in lower layers
  o fix fd validity check
  o fix memory leak
  o fix read after free
  o fix type for flistxattr return
  o fix warnings reported by lgtm.com
  o enable parallel dirops


cni was updated to 0.7.1:

  o Set correct CNI version for 99-loopback.conf


Update to version 0.7.1 (bsc#1160460):

  o Library changes:


  + invoke: ensure custom envs of CNIArgs are prepended to process envs
  + add GetNetworkListCachedResult to CNI interface
  + delegate: allow delegation funcs to override the CNI_COMMAND env
    automatically by inheritance

  o Documentation & Convention changes:


  + Update cnitool documentation for spec v0.4.0
  + Add cni-route-override to CNI plugin list

Update to version 0.7.0:

  o Spec changes:


  + Use more RFC2119 style language in specification (must, should...)
  + add notes about ADD/DEL ordering
  + Make the container ID required and unique.
  + remove the version parameter from ADD and DEL commands.
  + Network interface name matters
  + be explicit about optional and required structure members
  + add CHECK method
  + Add a well-known error for "try again"
  + SPEC.md: clarify meaning of 'routes'

  o Library changes:


  + pkg/types: Makes IPAM concrete type
  + libcni: return error if Type is empty
  + skel: VERSION shouldn't block on stdin
  + non-pointer instances of types.Route now correctly marshal to JSON
  + libcni: add ValidateNetwork and ValidateNetworkList functions
  + pkg/skel: return error if JSON config has no network name
  + skel: add support for plugin version string
  + libcni: make exec handling an interface for better downstream testing
  + libcni: api now takes a Context to allow operations to be timed out or
    cancelled
  + types/version: add helper to parse PrevResult
  + skel: only print about message, not errors
  + skel,invoke,libcni: implementation of CHECK method
  + cnitool: Honor interface name supplied via CNI_IFNAME environment variable.
  + cnitool: validate correct number of args
  + Don't copy gw from IP4.Gateway to Route.GW when converting from 0.2.0
  + add PrintTo method to Result interface
  + Return a better error when the plugin returns none

  o Install sleep binary into CNI plugin directory


cni-plugins was updated to 0.8.4:

Update to version 0.8.4 (bsc#1160460):

  o add support for mips64le
  o Add missing cniVersion in README example
  o bump go-iptables module to v0.4.5
  o iptables: add idempotent functions
  o portmap doesn't fail if chain doesn't exist
  o fix portmap port forward flakiness
  o Add Bruce Ma and Piotr Skarmuk as owners


Update to version 0.8.3:

  o Enhancements:
    * static: prioritize the input sources for IPs (#400).
    * tuning: send gratuitous ARP in case of MAC address update (#403).
    * bandwidth: use uint64 for Bandwidth value (#389).
    * ptp: only override DNS conf if DNS settings provided (#388).
    * loopback: When prevResults are not supplied to loopback plugin, create
      results to return (#383).
    * loopback support CNI CHECK and result cache (#374).


  o Better input validation:
    * vlan: add MTU validation to loadNetConf (#405).
    * macvlan: add MTU validation to loadNetConf (#404).
    * bridge: check vlan id when loading net conf (#394).


  o Bugfixes:
    * bugfix: defer after err check, or it may panic (#391).
    * portmap: Fix dual-stack support (#379).
    * firewall: don't return error in DEL if prevResult is not found (#390).
    * bump up libcni back to v0.7.1 (#377).

  o Docs:
    * contributing doc: revise test script name to run (#396).
    * contributing doc: describe cnitool installation (#397).

Update plugins to v0.8.2:

  o New features:
    * Support "args" in static and tuning
    * Add Loopback DSR support, allow l2tunnel networks to be used with the
      l2bridge plugin
    * host-local: return error if same ADD request is seen twice
    * bandwidth: fix collisions
    * Support ips capability in static and mac capability in tuning
    * pkg/veth: Make host-side veth name configurable

  o Bug fixes:
    * Fix: failed to set bridge addr: could not add IP address to "cni0": file
      exists
    * host-device: revert name setting to make retries idempotent (#357).
    * Vendor update go-iptables. Vendor update go-iptables to obtain commit
      f1d0510cabcb710d5c5dd284096f81444b9d8d10
    * Update go.mod & go.sub
    * Remove link Down/Up in MAC address change to prevent route flush (#364).
    * pkg/ip unit test: be agnostic of Linux version, on Linux 4.4 the syscall
      error message is "invalid argument" not "file exists"
    * bump containernetworking/cni to v0.7.1


Updated plugins to v0.8.1:

  o Bugs:
    * bridge: fix ipMasq setup to use correct source address
    * fix compilation error on 386
    * bandwidth: get bandwidth interface in host ns through container interface

  o Improvements:
    * host-device: add pciBusID property


Updated plugins to v0.8.0:

  o New plugins:
    * bandwidth - limit incoming and outgoing bandwidth
    * firewall - add containers to firewall rules
    * sbr - convert container routes to source-based routes
    * static - assign a fixed IP address
    * win-bridge, win-overlay: Windows plugins

  o Plugin features / changelog:
    * CHECK Support
    * macvlan:
      - Allow to configure empty ipam for macvlan
      - Make master config optional
    * bridge:
      - Add vlan tag to the bridge cni plugin
      - Allow the user to assign VLAN tag
      - L2 bridge Implementation.
    * dhcp:
      - Include Subnet Mask option parameter in DHCPREQUEST
      - Add systemd unit file to activate socket with systemd
      - Add container ifName to the dhcp clientID, making the clientID value
    * flannel:
      - Pass through runtimeConfig to delegate
    * host-local:
      - host-local: add ifname to file tracking IP address used
    * host-device:
      - Support the IPAM in the host-device
      - Handle empty netns in DEL for loopback and host-device
    * tuning:
      - adds 'ip link' command related feature into tuning

  o Bug fixes & minor changes:
    * Correctly DEL on ipam failure for all plugins
    * Fix bug on ip revert if cmdAdd fails on macvlan and host-device
    * host-device: Ensure device is down before rename
    * Fix -hostprefix option
    * some DHCP servers expect to request for explicit router options
    * bridge: release IP in case of error
    * change source of ipmasq rule from ipn to ip


from version v0.7.5:

  o This release takes a minor change to the portmap plugin:
    * Portmap: append, rather than prepend, entry rules
  o This fixes a potential issue where firewall rules may be bypassed by port
    mapping

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise Module for Public Cloud 15-SP1:
    zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2020-697=1
  o SUSE Linux Enterprise Module for Containers 15-SP1:
    zypper in -t patch SUSE-SLE-Module-Containers-15-SP1-2020-697=1

Package List:

  o SUSE Linux Enterprise Module for Public Cloud 15-SP1 (x86_64):
       cni-0.7.1-3.3.1
       cni-plugins-0.8.4-3.3.1
  o SUSE Linux Enterprise Module for Containers 15-SP1 (aarch64 ppc64le s390x
    x86_64):
       cni-0.7.1-3.3.1
       cni-plugins-0.8.4-3.3.1
       conmon-2.0.10-3.3.1
       conmon-debuginfo-2.0.10-3.3.1
       fuse-overlayfs-0.7.6-3.6.1
       fuse-overlayfs-debuginfo-0.7.6-3.6.1
       fuse-overlayfs-debugsource-0.7.6-3.6.1
       podman-1.8.0-4.14.1
  o SUSE Linux Enterprise Module for Containers 15-SP1 (noarch):
       podman-cni-config-1.8.0-4.14.1
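A check an administrator can run after applying the patch, added here as an
example that is not part of the bulletin: compare the installed build of each
affected package with the fixed builds in the Package List above. It assumes
the host reports RPM "version-release" strings (for example from
`rpm -qa --queryformat '%{NAME} %{VERSION}-%{RELEASE}\n'`); the SAMPLE_HOST
table below is constructed, not taken from a real system.

```python
"""Check installed package builds against the fixed builds in the Package List
of SUSE-SU-2020:0697-1 (added example, not part of the bulletin)."""
import re

# Fixed builds from the bulletin's Package List: name -> "version-release"
FIXED = {
    "cni": "0.7.1-3.3.1",
    "cni-plugins": "0.8.4-3.3.1",
    "conmon": "2.0.10-3.3.1",
    "fuse-overlayfs": "0.7.6-3.6.1",
    "podman": "1.8.0-4.14.1",
    "podman-cni-config": "1.8.0-4.14.1",
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def _cmp_segments(a, b):
    """rpmvercmp-style compare of one version or release string: numeric runs
    compare as integers and beat alphabetic runs; longer string wins a tie."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def compare_vr(installed, fixed):
    """-1, 0 or 1 for 'version-release' strings; release decides only on a tie."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return _cmp_segments(iv, fv) or _cmp_segments(ir, fr)

def outdated(installed):
    """installed: {name: version-release}. Returns advisory packages present on
    the host but older than the fixed build."""
    return sorted(name for name, vr in installed.items()
                  if name in FIXED and compare_vr(vr, FIXED[name]) < 0)

# Constructed sample: cni already patched, podman/conmon/cni-plugins still old.
SAMPLE_HOST = {
    "cni": "0.7.1-3.3.1",
    "cni-plugins": "0.8.3-3.3.1",
    "conmon": "2.0.2-1.1",
    "fuse-overlayfs": "0.7.6-3.6.1",
    "podman": "1.6.4-2.3.1",
    "vim": "8.0.1568-5.6.1",  # not covered by this advisory, ignored
}
```

Feed the real `rpm -qa` output into `outdated()` as a dict to get the list of
packages on a host that still need `zypper patch`.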


References:

  o https://www.suse.com/security/cve/CVE-2019-18466.html
  o https://bugzilla.suse.com/1155217
  o https://bugzilla.suse.com/1160460
  o https://bugzilla.suse.com/1164390

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================