SUSE Security Update: Security update for podman
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3378-1
Rating:             moderate
References:         #1176804 #1178122 #1178392 
Cross-References:   CVE-2020-14370
Affected Products:
                    SUSE Linux Enterprise Module for Containers 15-SP2
                    SUSE Linux Enterprise Module for Containers 15-SP1
                    SUSE Enterprise Storage 7
______________________________________________________________________________

   An update that solves one vulnerability and has two fixes
   is now available.

Description:

   This update for podman fixes the following issues:

   Security issue fixed:

   - This release resolves CVE-2020-14370, in which environment variables
     could be leaked between containers created using the Varlink API
     (bsc#1176804).

   Non-security issues fixed:

   - Add a dependency on the timezone package; without it podman fails to
     build a container (bsc#1178122)

   - Install new auto-update system units
   - Update to v2.1.1 (bsc#1178392):
     * Changes
       - The `podman info` command now includes the cgroup manager Podman is
         using.
     * API
       - The REST API now includes a Server header in all responses.
       - Fixed a bug where the Libpod and Compat Attach endpoints could
         terminate early, before sending all output from the container.
       - Fixed a bug where the Compat Create endpoint for containers did not
         properly handle the Interactive parameter.
       - Fixed a bug where the Compat Kill endpoint for containers could
         continue to run after a fatal error.
       - Fixed a bug where the Limit parameter of the Compat List endpoint
         for Containers did not properly handle a limit of 0 (returning
         nothing, instead of all containers) [#7722].
       - The Libpod Stats endpoint for containers is being deprecated and
         will be replaced by a similar endpoint with additional features in a
         future release.
   - Changes in v2.1.0
     * Features
       - A new command, `podman image mount`, has been added. This allows for
         an image to be mounted, read-only, to inspect its contents without
         creating a container from it [#1433].
       - The `podman save` and `podman load` commands can now create and load
         archives containing multiple images [#2669].
       - Rootless Podman now supports all `podman network` commands, and
         rootless containers can now be joined to networks.
       - The performance of `podman build` on `ADD` and `COPY` instructions
         has been greatly improved, especially when a `.dockerignore` is
         present.
       - The `podman run` and `podman create` commands now support a new mode
         for the `--cgroups` option, `--cgroups=split`. Podman will create
         two cgroups under the cgroup it was launched in, one for the
         container and one for Conmon. This mode is useful for running Podman
         in a systemd unit, as it ensures that all processes are retained in
         systemd's cgroup hierarchy [#6400].
        - The `podman run` and `podman create` commands can now specify
          options to slirp4netns by using the `--network` option as follows:
          `--net slirp4netns:opt1,opt2`. This allows for, among other things,
          switching the port forwarder used by slirp4netns away from rootlessport.
       - The `podman ps` command now features a new option, `--storage`, to
         show containers from Buildah, CRI-O and other applications.
       - The `podman run` and `podman create` commands now feature a
         `--sdnotify` option to control the behavior of systemd's sdnotify
         with containers, enabling improved support for Podman in
         `Type=notify` units.
        - The `podman run` command now features a `--preserve-fds`
          option to pass file descriptors from the host into the container
          [#6458].
        - The `podman run` and `podman create` commands can now create
          overlay volume mounts, by adding the `:O` option to a bind mount
          (e.g. `-v /test:/test:O`). Overlay volume mounts will mount a directory
          into a container from the host and allow changes to it, but not write
          those changes back to the directory on the host.
       - The `podman play kube` command now supports the Socket HostPath type
         [#7112].
       - The `podman play kube` command now supports read-only mounts.
       - The `podman play kube` command now supports setting labels on pods
         from Kubernetes metadata labels.
       - The `podman play kube` command now supports setting container
         restart policy [#7656].
       - The `podman play kube` command now properly handles `HostAlias`
         entries.
       - The `podman generate kube` command now adds entries to `/etc/hosts`
         from `--host-add` generated YAML as `HostAlias` entries.
       - The `podman play kube` and `podman generate kube` commands now
         properly support `shareProcessNamespace` to share the PID namespace
         in pods.
       - The `podman volume ls` command now supports the `dangling` filter to
         identify volumes that are dangling (not attached to any container).
       - The `podman run` and `podman create` commands now feature a
         `--umask` option to set the umask of the created container.
       - The `podman create` and `podman run` commands now feature a `--tz`
         option to set the timezone within the container [#5128].
       - Environment variables for Podman can now be added in the
         `containers.conf` configuration file.
       - The `--mount` option of `podman run` and `podman create` now
         supports a new mount type, `type=devpts`, to add a `devpts` mount to
         the container. This is useful for containers that want to mount
         `/dev/` from the host into the container, but still create a
         terminal.
       - The `--security-opt` flag to `podman run` and `podman create` now
         supports a new option, `proc-opts`, to specify options for the
         container's `/proc` filesystem.
       - Podman with the `crun` OCI runtime now supports a new option to
         `podman run` and `podman create`, `--cgroup-conf`, which allows for
         advanced configuration of cgroups on cgroups v2 systems.
        - The `podman create` and `podman run` commands now support a
          `--override-variant` option, to override the architecture variant of
          the image that will be pulled and run.
       - A new global option has been added to Podman, `--runtime-flags`,
         which allows for setting flags to use when the OCI runtime is called.
       - The `podman manifest add` command now supports the `--cert-dir`,
         `--auth-file`, `--creds`, and `--tls-verify`
         options.
     * Security
       - This release resolves CVE-2020-14370, in which environment variables
         could be leaked between containers created using the Varlink API.
     * Changes
       - Podman will now retry pulling an image 3 times if a pull fails due
         to network errors.
        - The `podman exec` command would previously print error messages
          (e.g. `exec session exited with non-zero exit code -1`) when the
          command run exited with a non-zero exit code. It no longer does
          this. The `podman exec` command will still exit with the same exit
          code as the command run in the container did.
       - Error messages when creating a container or pod with a name that is
         already in use have been improved.
       - For read-only containers running systemd init, Podman creates a
         tmpfs filesystem at `/run`. This was previously limited to 65k in
         size and mounted `noexec`, but is now unlimited size and mounted
         `exec`.
       - The `podman system reset` command no longer removes configuration
         files for rootless Podman.
     * API
       - The Libpod API version has been bumped to v2.0.0 due to a breaking
         change in the Image List API.
       - Docker-compatible Volume Endpoints (Create, Inspect, List, Remove,
         Prune) are now available!
       - Added an endpoint for generating systemd unit files for containers.
       - The `last` parameter to the Libpod container list endpoint now has
         an alias, `limit` [#6413].
        - The Libpod image list API now returns timestamps as Unix integer
          timestamps rather than as strings.
       - The Compat Inspect endpoint for containers now includes port
         information in NetworkSettings.
       - The Compat List endpoint for images now features limited support for
         the (deprecated) `filter` query parameter [#6797].
       - Fixed a bug where the Compat Create endpoint for containers was not
         correctly handling bind mounts.
       - Fixed a bug where the Compat Create endpoint for containers would
         not return a 404 when the requested image was not present.
       - Fixed a bug where the Compat Create endpoint for containers did not
         properly handle Entrypoint and Command from images.
       - Fixed a bug where name history information was not properly added in
         the Libpod Image List endpoint.
       - Fixed a bug where the Libpod image search endpoint improperly
         populated the Description field of responses.
       - Added a `noTrunc` option to the Libpod image search endpoint.
       - Fixed a bug where the Pod List API would return null, instead
         of an empty array, when no pods were present [#7392].
        - Fixed a bug where endpoints that hijack the connection would perform
          the hijack too early, before being ready to send and receive data
          [#7195].
       - Fixed a bug where Pod endpoints that can operate on multiple
         containers at once (e.g. Kill, Pause, Unpause, Stop) would not
         forward errors from individual containers that failed.
       - The Compat List endpoint for networks now supports filtering results
         [#7462].
       - Fixed a bug where the Top endpoint for pods would return both a 500
         and 404 when run on a non-existent pod.
       - Fixed a bug where Pull endpoints did not stream progress back to the
         client.
       - The Version endpoints (Libpod and Compat) now provide version in a
         format compatible with Docker.
        - All non-hijacking responses to API requests should now include
          headers with the version of the server.
       - Fixed a bug where Libpod and Compat Events endpoints did not send
         response headers until the first event occurred [#7263].
       - Fixed a bug where the Build endpoints (Compat and Libpod) did not
         stream progress to the client.
       - Fixed a bug where the Stats endpoints (Compat and Libpod) did not
         properly handle clients disconnecting.
       - Fixed a bug where the Ignore parameter to the Libpod Stop endpoint
         was not performing properly.
       - Fixed a bug where the Compat Logs endpoint for containers did not
         stream its output in the correct format [#7196].


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Containers 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Containers-15-SP2-2020-3378=1

   - SUSE Linux Enterprise Module for Containers 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Containers-15-SP1-2020-3378=1

   - SUSE Enterprise Storage 7:

      zypper in -t patch SUSE-Storage-7-2020-3378=1



Package List:

   - SUSE Linux Enterprise Module for Containers 15-SP2 (aarch64 ppc64le s390x x86_64):

      podman-2.1.1-4.28.1

   - SUSE Linux Enterprise Module for Containers 15-SP2 (noarch):

      podman-cni-config-2.1.1-4.28.1

   - SUSE Linux Enterprise Module for Containers 15-SP1 (aarch64 ppc64le s390x x86_64):

      podman-2.1.1-4.28.1

   - SUSE Linux Enterprise Module for Containers 15-SP1 (noarch):

      podman-cni-config-2.1.1-4.28.1

   - SUSE Enterprise Storage 7 (aarch64 x86_64):

      podman-2.1.1-4.28.1
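
   The script below is an added verification check for this advisory; it is
   not part of the SUSE advisory or of podman. It compares the installed
   podman version-release (as printed by `rpm -q --qf '%{VERSION}-%{RELEASE}'
   podman`) against the fixed build 2.1.1-4.28.1 from the Package List above,
   and reports whether the Varlink API socket is active, since only hosts that
   serve the Varlink API are exposed to the CVE-2020-14370 leak. The unit name
   `io.podman.socket`, the purely numeric version fields, and the script name
   are assumptions, not facts stated on this page.

```shell
#!/bin/sh
# Added example for SUSE-SU-2020:3378-1; not part of the advisory or of podman.
# Assumptions: the fixed build is podman-2.1.1-4.28.1 (from the Package List),
# version-release strings are numeric fields separated by '.' and '-', and the
# Varlink API is exposed by the systemd unit io.podman.socket (assumed name).

FIXED_VR="2.1.1-4.28.1"

# fields VR: print the numeric components of "2.1.1-4.28.1" space-separated.
fields() {
    printf '%s' "$1" | tr '.-' ' '
}

# version_ge A B: return 0 when A >= B, comparing numeric fields left to
# right. Missing trailing fields compare as 0, so 2.1.1 equals 2.1.1-0.
version_ge() {
    vg_a=$(fields "$1")
    vg_b=$(fields "$2")
    while [ -n "$vg_a" ] || [ -n "$vg_b" ]; do
        vg_x=${vg_a%% *}; vg_a=${vg_a#"$vg_x"}; vg_a=${vg_a# }
        vg_y=${vg_b%% *}; vg_b=${vg_b#"$vg_y"}; vg_b=${vg_b# }
        vg_x=${vg_x:-0}; vg_y=${vg_y:-0}
        if [ "$vg_x" -gt "$vg_y" ]; then
            return 0
        elif [ "$vg_x" -lt "$vg_y" ]; then
            return 1
        fi
    done
    return 0
}

# podman_fixed VR: return 0 when VR, as printed by
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' podman
# is at or above the fixed build from this advisory.
podman_fixed() {
    version_ge "$1" "$FIXED_VR"
}

# check_host: report patch state and whether the Varlink socket is active.
# Each tool is only used when present, so the script is safe to run anywhere.
check_host() {
    if command -v rpm >/dev/null 2>&1; then
        if vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' podman 2>/dev/null); then
            if podman_fixed "$vr"; then
                echo "podman $vr: at or above $FIXED_VR, CVE-2020-14370 fixed"
            else
                echo "podman $vr: below $FIXED_VR, apply SUSE-SU-2020:3378-1"
            fi
        else
            echo "podman is not installed"
        fi
    else
        echo "rpm not found; cannot query the package version"
    fi
    if command -v systemctl >/dev/null 2>&1; then
        # Only hosts that actually serve the Varlink API are exposed to the leak.
        if systemctl is-active --quiet io.podman.socket 2>/dev/null; then
            echo "io.podman.socket is active: Varlink API reachable, patch this host first"
        else
            echo "io.podman.socket is not active"
        fi
    fi
}

# Run the live checks only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

   Run it as `sh podman-cve-2020-14370-check.sh --check` on each host, or
   source it and call `podman_fixed` from an inventory script that already
   collects `rpm -q` output.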


References:

   https://www.suse.com/security/cve/CVE-2020-14370.html
   https://bugzilla.suse.com/1176804
   https://bugzilla.suse.com/1178122
   https://bugzilla.suse.com/1178392