SUSE Container Update Advisory: bci/bci-init ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2022:2800-1 Container Tags : bci/bci-init:15.3 , bci/bci-init:15.3.21.22 Container Release : 21.22 Severity : critical Type : security References : 1087072 1167864 1181961 1202812 1203911 1204111 1204112 1204113 1204137 1204357 1204383 CVE-2020-10696 CVE-2021-20206 CVE-2022-2990 CVE-2022-32221 CVE-2022-3515 CVE-2022-42010 CVE-2022-42011 CVE-2022-42012 ----------------------------------------------------------------- The container bci/bci-init was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3683-1 Released: Fri Oct 21 11:48:39 2022 Summary: Security update for libksba Type: security Severity: critical References: 1204357,CVE-2022-3515 This update for libksba fixes the following issues: - CVE-2022-3515: Fixed a possible overflow in the TLV parser (bsc#1204357). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3766-1 Released: Wed Oct 26 11:38:01 2022 Summary: Security update for buildah Type: security Severity: important References: 1167864,1181961,1202812,CVE-2020-10696,CVE-2021-20206,CVE-2022-2990 This update for buildah fixes the following issues: - CVE-2021-20206: Fixed an issue in libcni that could allow an attacker to execute arbitrary binaries on the host (bsc#1181961). - CVE-2020-10696: Fixed an issue that could lead to files being overwritten during the image building process (bsc#1167864). - CVE-2022-2990: Fixed possible information disclosure and modification / bsc#1202812 Buildah was updated to version 1.27.1: * run: add container gid to additional groups - Add fix for CVE-2022-2990 / bsc#1202812 Update to version 1.27.0: * Don't try to call runLabelStdioPipes if spec.Linux is not set * build: support filtering cache by duration using --cache-ttl * build: support building from commit when using git repo as build context * build: clean up git repos correctly when using subdirs* integration tests: quote '?' in shell scripts * test: manifest inspect should have OCIv1 annotation * vendor: bump to c/common@87fab4b7019a * Failure to determine a file or directory should print an error * refactor: remove unused CommitOptions from generateBuildOutput * stage_executor: generate output for cases with no commit * stage_executor, commit: output only if last stage in build * Use errors.Is() instead of os.Is{Not,}Exist * Minor test tweak for podman-remote compatibility * Cirrus: Use the latest imgts container * imagebuildah: complain about the right Dockerfile * tests: don't try to wrap `nil` errors* cmd/buildah.commitCmd: don't shadow 'err' * cmd/buildah.pullCmd: complain about DecryptConfig/EncryptConfig * Fix a copy/paste error message * Fix a typo in an error message * build,cache: support pulling/pushing cache layers to/from remote sources * Update vendor of containers/(common, storage, image) * Rename chroot/run.go to chroot/run_linux.go * Don't bother telling codespell to skip files that don't exist * Set user namespace defaults correctly for the library * imagebuildah: optimize cache hits for COPY and ADD instructions * Cirrus: Update VM images w/ updated bats * docs, run: show SELinux label flag for cache and bind mounts * imagebuildah, build: remove undefined concurrent writes * bump github.com/opencontainers/runtime-tools * Add FreeBSD support for 'buildah info' * Vendor in latest containers/(storage, common, image) * Add freebsd cross build targets * Make the jail package build on 32bit platforms * Cirrus: Ensure the build-push VM image is labeled * GHA: Fix dynamic script filename * Vendor in containers/(common, storage, image) * Run codespell * Remove import of github.com/pkg/errors* Avoid using cgo in pkg/jail * Rename footypes to fooTypes for naming consistency * Move cleanupTempVolumes and cleanupRunMounts to run_common.go * Make the various run mounts work for FreeBSD * Move get{Bind,Tmpfs,Secret,SSH}Mount to run_common.go * Move runSetupRunMounts to run_common.go * Move cleanableDestinationListFromMounts to run_common.go * Make setupMounts and runSetupBuiltinVolumes work on FreeBSD * Move setupMounts and runSetupBuiltinVolumes to run_common.go * Tidy up - runMakeStdioPipe can't be shared with linux * Move runAcceptTerminal to run_common.go * Move stdio copying utilities to run_common.go * Move runUsingRuntime and runCollectOutput to run_common.go * Move fileCloser, waitForSync and contains to run_common.go * Move checkAndOverrideIsolationOptions to run_common.go * Move DefaultNamespaceOptions to run_common.go * Move getNetworkInterface to run_common.go * Move configureEnvironment to run_common.go * Don't crash in configureUIDGID if Process.Capabilities is nil * Move configureUIDGID to run_common.go * Move runLookupPath to run_common.go * Move setupTerminal to run_common.go * Move etc file generation utilities to run_common.go * Add run support for FreeBSD * Add a simple FreeBSD jail library * Add FreeBSD support to pkg/chrootuser * Sync call signature for RunUsingChroot with chroot/run.go * test: verify feature to resolve basename with args * vendor: bump openshift/imagebuilder to master@4151e43 * GHA: Remove required reserved-name use * buildah: set XDG_RUNTIME_DIR before setting default runroot * imagebuildah: honor build output even if build container is not commited * chroot: honor DefaultErrnoRet * [CI:DOCS] improve pull-policy documentation * tests: retrofit test since --file does not supports dir * Switch to golang native error wrapping * BuildDockerfiles: error out if path to containerfile is a directory * define.downloadToDirectory: fail early if bad HTTP response * GHA: Allow re-use of Cirrus-Cron fail-mail workflow * add: fail on bad http response instead of writing to container * [CI:DOCS] Update buildahimage comment * lint: inspectable is never nil * vendor: c/common to common@7e1563b * build: support OCI hooks for ephemeral build containers* [CI:BUILD] Install latest buildah instead of compiling * Add subid support with BuildRequires and BUILDTAG [NO NEW TESTS NEEDED] * Make sure cpp is installed in buildah images * demo: use unshare for rootless invocations * buildah.spec.rpkg: initial addition * build: fix test for subid 4 * build, userns: add support for --userns=auto * Fix building upstream buildah image * Remove redundant buildahimages-are-sane validation * Docs: Update multi-arch buildah images readme * Cirrus: Migrate multiarch build off github actions * retrofit-tests: we skip unused stages so use stages * stage_executor: dont rely on stage while looking for additional-context * buildkit, multistage: skip computing unwanted stages * More test cleanup * copier: work around freebsd bug for 'mkdir /' * Replace $BUILDAH_BINARY with buildah() function * Fix up buildah images * Make util and copier build on FreeBSD * Vendor in latest github.com/sirupsen/logrus * Makefile: allow building without .git * run_unix: don't return an error from getNetworkInterface * run_unix: return a valid DefaultNamespaceOptions * Update vendor of containers/storage * chroot: use ActKillThread instead of ActKill * use resolvconf package from c/common/libnetwork * update c/common to latest main * copier: add `NoOverwriteNonDirDir` option * Sort buildoptions and move cli/build functions to internal * Fix TODO: de-spaghettify run mounts * Move options parsing out of build.go and into pkg/cli * [CI:DOCS] Tutorial 04 - Include Debian/Ubuntu deps * build, multiarch: support splitting build logs for --platform * [CI:BUILD] WIP Cleanup Image Dockerfiles * cli remove stutter * docker-parity: ignore sanity check if baseImage history is null * build, commit: allow disabling image history with --omit-history * Fix use generic/ambiguous DEBUG name * Cirrus: use Ubuntu 22.04 LTS * Fix codespell errors* Remove util.StringInSlice because it is defined in containers/common * buildah: add support for renaming a device in rootless setups * squash: never use build cache when computing last step of last stage * Update vendor of containers/(common, storage, image) * buildkit: supports additionalBuildContext in builds via --build-context * buildah source pull/push: show progress bar * run: allow resuing secret twice in different RUN steps * test helpers: default to being rootless-aware * Add --cpp-flag flag to buildah build * build: accept branch and subdirectory when context is git repo * Vendor in latest containers/common * vendor: update c/storage and c/image * Fix gentoo install docs * copier: move NSS load to new process * Add test for prevention of reusing encrypted layers* Make `buildah build --label foo` create an empty 'foo' label again Update to version 1.26.4: * build, multiarch: support splitting build logs for --platform * copier: add `NoOverwriteNonDirDir` option * docker-parity: ignore sanity check if baseImage history is null * build, commit: allow disabling image history with --omit-history * buildkit: supports additionalBuildContext in builds via --build-context * Add --cpp-flag flag to buildah build Update to version 1.26.3: * define.downloadToDirectory: fail early if bad HTTP response * add: fail on bad http response instead of writing to container * squash: never use build cache when computing last step of last stage * run: allow resuing secret twice in different RUN steps * integration tests: update expected error messages * integration tests: quote '?' in shell scripts * Use errors.Is() to check for storage errors* lint: inspectable is never nil * chroot: use ActKillThread instead of ActKill * chroot: honor DefaultErrnoRet * Set user namespace defaults correctly for the library * contrib/rpm/buildah.spec: fix `rpm` parser warnings Drop requires on apparmor pattern, should be moved elsewhere for systems which want AppArmor instead of SELinux. - Update BuildRequires to libassuan-devel >= 2.5.2, pkgconfig file is required to build. Update to version 1.26.2: * buildah: add support for renaming a device in rootless setups Update to version 1.26.1: * Make `buildah build --label foo` create an empty 'foo' label again * imagebuildah,build: move deepcopy of args before we spawn goroutine * Vendor in containers/storage v1.40.2 * buildah.BuilderOptions.DefaultEnv is ignored, so mark it as deprecated * help output: get more consistent about option usage text * Handle OS version and features flags * buildah build: --annotation and --label should remove values * buildah build: add a --env * buildah: deep copy options.Args before performing concurrent build/stage * test: inline platform and builtinargs behaviour * vendor: bump imagebuilder to master/009dbc6 * build: automatically set correct TARGETPLATFORM where expected * Vendor in containers/(common, storage, image) * imagebuildah, executor: process arg variables while populating baseMap * buildkit: add support for custom build output with --output * Cirrus: Update CI VMs to F36 * fix staticcheck linter warning for deprecated function * Fix docs build on FreeBSD * copier.unwrapError(): update for Go 1.16 * copier.PutOptions: add StripSetuidBit/StripSetgidBit/StripStickyBit * copier.Put(): write to read-only directories * Ed's periodic test cleanup * using consistent lowercase 'invalid' word in returned err msg * use etchosts package from c/common * run: set actual hostname in /etc/hostname to match docker parity * Update vendor of containers/(common,storage,image) * manifest-create: allow creating manifest list from local image * Update vendor of storage,common,image * Initialize network backend before first pull * oci spec: change special mount points for namespaces * tests/helpers.bash: assert handle corner cases correctly * buildah: actually use containers.conf settings * integration tests: learn to start a dummy registry * Fix error check to work on Podman * buildah build should accept at most one arg * tests: reduce concurrency for flaky bud-multiple-platform-no-run * vendor in latest containers/common,image,storage * manifest-add: allow override arch,variant while adding image * Remove a stray `\` from .containerenv * Vendor in latest opencontainers/selinux v1.10.1 * build, commit: allow removing default identity labels * Create shorter names for containers based on image IDs * test: skip rootless on cgroupv2 in root env * fix hang when oci runtime fails * Set permissions for GitHub actions * copier test: use correct UID/GID in test archives * run: set parent-death signals and forward SIGHUP/SIGINT/SIGTERM ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3773-1 Released: Wed Oct 26 12:19:29 2022 Summary: Security update for curl Type: security Severity: important References: 1204383,CVE-2022-32221 This update for curl fixes the following issues: - CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3776-1 Released: Wed Oct 26 14:06:43 2022 Summary: Recommended update for permissions Type: recommended Severity: important References: 1203911,1204137 This update for permissions fixes the following issues: - Revert changes that replaced ping capabilities with ICMP_PROTO sockets. Older SUSE Linux Enterprise versions don't properly support ICMP_PROTO sockets feature yet (bsc#1204137) - Fix regression introduced by backport of security fix (bsc#1203911) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3805-1 Released: Thu Oct 27 17:19:46 2022 Summary: Security update for dbus-1 Type: security Severity: important References: 1087072,1204111,1204112,1204113,CVE-2022-42010,CVE-2022-42011,CVE-2022-42012 This update for dbus-1 fixes the following issues: - CVE-2022-42010: Fixed potential crash that could be triggered by an invalid signature (bsc#1204111). - CVE-2022-42011: Fixed an out of bounds read caused by a fixed length array (bsc#1204112). - CVE-2022-42012: Fixed a use-after-free that could be trigged by a message in non-native endianness with out-of-band Unix file descriptor (bsc#1204113). Bugfixes: - Disable asserts (bsc#1087072). The following package changes have been done: - dbus-1-1.12.2-150100.8.14.1 updated - libcurl4-7.66.0-150200.4.42.1 updated - libdbus-1-3-1.12.2-150100.8.14.1 updated - libgpg-error0-1.42-150300.9.3.1 updated - libksba8-1.3.5-150000.4.3.1 updated - permissions-20181225-150200.23.20.1 updated - container:sles15-image-15.0.0-17.20.58 updated

SUSE: 2022:2800-1 bci/bci-init Security Update

November 2, 2022

The container bci/bci-init was updated

Summary

Advisory ID: SUSE-SU-2022:3683-1 Released: Fri Oct 21 11:48:39 2022 Summary: Security update for libksba Type: security Severity: critical Advisory ID: SUSE-SU-2022:3766-1 Released: Wed Oct 26 11:38:01 2022 Summary: Security update for buildah Type: security Severity: important Advisory ID: SUSE-SU-2022:3773-1 Released: Wed Oct 26 12:19:29 2022 Summary: Security update for curl Type: security Severity: important Advisory ID: SUSE-RU-2022:3776-1 Released: Wed Oct 26 14:06:43 2022 Summary: Recommended update for permissions Type: recommended Severity: important Advisory ID: SUSE-SU-2022:3805-1 Released: Thu Oct 27 17:19:46 2022 Summary: Security update for dbus-1 Type: security Severity: important

References

References : 1087072 1167864 1181961 1202812 1203911 1204111 1204112 1204113

1204137 1204357 1204383 CVE-2020-10696 CVE-2021-20206 CVE-2022-2990

CVE-2022-32221 CVE-2022-3515 CVE-2022-42010 CVE-2022-42011 CVE-2022-42012

1204357,CVE-2022-3515

This update for libksba fixes the following issues:

- CVE-2022-3515: Fixed a possible overflow in the TLV parser (bsc#1204357).

1167864,1181961,1202812,CVE-2020-10696,CVE-2021-20206,CVE-2022-2990

This update for buildah fixes the following issues:

- CVE-2021-20206: Fixed an issue in libcni that could allow an attacker to execute arbitrary binaries on the host (bsc#1181961).

- CVE-2020-10696: Fixed an issue that could lead to files being overwritten during the image building process (bsc#1167864).

- CVE-2022-2990: Fixed possible information disclosure and modification / bsc#1202812

Buildah was updated to version 1.27.1:

* run: add container gid to additional groups

- Add fix for CVE-2022-2990 / bsc#1202812

Update to version 1.27.0:

* Don't try to call runLabelStdioPipes if spec.Linux is not set

* build: support filtering cache by duration using --cache-ttl

* build: support building from commit when using git repo as build context

* build: clean up git repos correctly when using subdirs* integration tests: quote '?' in shell scripts

* test: manifest inspect should have OCIv1 annotation

* vendor: bump to c/common@87fab4b7019a

* Failure to determine a file or directory should print an error

* refactor: remove unused CommitOptions from generateBuildOutput

* stage_executor: generate output for cases with no commit

* stage_executor, commit: output only if last stage in build

* Use errors.Is() instead of os.Is{Not,}Exist

* Minor test tweak for podman-remote compatibility

* Cirrus: Use the latest imgts container

* imagebuildah: complain about the right Dockerfile

* tests: don't try to wrap `nil` errors* cmd/buildah.commitCmd: don't shadow 'err'

* cmd/buildah.pullCmd: complain about DecryptConfig/EncryptConfig

* Fix a copy/paste error message

* Fix a typo in an error message

* build,cache: support pulling/pushing cache layers to/from remote sources

* Update vendor of containers/(common, storage, image)

* Rename chroot/run.go to chroot/run_linux.go

* Don't bother telling codespell to skip files that don't exist

* Set user namespace defaults correctly for the library

* imagebuildah: optimize cache hits for COPY and ADD instructions

* Cirrus: Update VM images w/ updated bats

* docs, run: show SELinux label flag for cache and bind mounts

* imagebuildah, build: remove undefined concurrent writes

* bump github.com/opencontainers/runtime-tools

* Add FreeBSD support for 'buildah info'

* Vendor in latest containers/(storage, common, image)

* Add freebsd cross build targets

* Make the jail package build on 32bit platforms

* Cirrus: Ensure the build-push VM image is labeled

* GHA: Fix dynamic script filename

* Vendor in containers/(common, storage, image)

* Run codespell

* Remove import of github.com/pkg/errors* Avoid using cgo in pkg/jail

* Rename footypes to fooTypes for naming consistency

* Move cleanupTempVolumes and cleanupRunMounts to run_common.go

* Make the various run mounts work for FreeBSD

* Move get{Bind,Tmpfs,Secret,SSH}Mount to run_common.go

* Move runSetupRunMounts to run_common.go

* Move cleanableDestinationListFromMounts to run_common.go

* Make setupMounts and runSetupBuiltinVolumes work on FreeBSD

* Move setupMounts and runSetupBuiltinVolumes to run_common.go

* Tidy up - runMakeStdioPipe can't be shared with linux

* Move runAcceptTerminal to run_common.go

* Move stdio copying utilities to run_common.go

* Move runUsingRuntime and runCollectOutput to run_common.go

* Move fileCloser, waitForSync and contains to run_common.go

* Move checkAndOverrideIsolationOptions to run_common.go

* Move DefaultNamespaceOptions to run_common.go

* Move getNetworkInterface to run_common.go

* Move configureEnvironment to run_common.go

* Don't crash in configureUIDGID if Process.Capabilities is nil

* Move configureUIDGID to run_common.go

* Move runLookupPath to run_common.go

* Move setupTerminal to run_common.go

* Move etc file generation utilities to run_common.go

* Add run support for FreeBSD

* Add a simple FreeBSD jail library

* Add FreeBSD support to pkg/chrootuser

* Sync call signature for RunUsingChroot with chroot/run.go

* test: verify feature to resolve basename with args

* vendor: bump openshift/imagebuilder to master@4151e43

* GHA: Remove required reserved-name use

* buildah: set XDG_RUNTIME_DIR before setting default runroot

* imagebuildah: honor build output even if build container is not commited

* chroot: honor DefaultErrnoRet

* [CI:DOCS] improve pull-policy documentation

* tests: retrofit test since --file does not supports dir

* Switch to golang native error wrapping

* BuildDockerfiles: error out if path to containerfile is a directory

* define.downloadToDirectory: fail early if bad HTTP response

* GHA: Allow re-use of Cirrus-Cron fail-mail workflow

* add: fail on bad http response instead of writing to container

* [CI:DOCS] Update buildahimage comment

* lint: inspectable is never nil

* vendor: c/common to common@7e1563b

* build: support OCI hooks for ephemeral build containers* [CI:BUILD] Install latest buildah instead of compiling

* Add subid support with BuildRequires and BUILDTAG [NO NEW TESTS NEEDED]

* Make sure cpp is installed in buildah images

* demo: use unshare for rootless invocations

* buildah.spec.rpkg: initial addition

* build: fix test for subid 4

* build, userns: add support for --userns=auto

* Fix building upstream buildah image

* Remove redundant buildahimages-are-sane validation

* Docs: Update multi-arch buildah images readme

* Cirrus: Migrate multiarch build off github actions

* retrofit-tests: we skip unused stages so use stages

* stage_executor: dont rely on stage while looking for additional-context

* buildkit, multistage: skip computing unwanted stages

* More test cleanup

* copier: work around freebsd bug for 'mkdir /'

* Replace $BUILDAH_BINARY with buildah() function

* Fix up buildah images

* Make util and copier build on FreeBSD

* Vendor in latest github.com/sirupsen/logrus

* Makefile: allow building without .git

* run_unix: don't return an error from getNetworkInterface

* run_unix: return a valid DefaultNamespaceOptions

* Update vendor of containers/storage

* chroot: use ActKillThread instead of ActKill

* use resolvconf package from c/common/libnetwork

* update c/common to latest main

* copier: add `NoOverwriteNonDirDir` option

* Sort buildoptions and move cli/build functions to internal

* Fix TODO: de-spaghettify run mounts

* Move options parsing out of build.go and into pkg/cli

* [CI:DOCS] Tutorial 04 - Include Debian/Ubuntu deps

* build, multiarch: support splitting build logs for --platform

* [CI:BUILD] WIP Cleanup Image Dockerfiles

* cli remove stutter

* docker-parity: ignore sanity check if baseImage history is null

* build, commit: allow disabling image history with --omit-history

* Fix use generic/ambiguous DEBUG name

* Cirrus: use Ubuntu 22.04 LTS

* Fix codespell errors* Remove util.StringInSlice because it is defined in containers/common

* buildah: add support for renaming a device in rootless setups

* squash: never use build cache when computing last step of last stage

* Update vendor of containers/(common, storage, image)

* buildkit: supports additionalBuildContext in builds via --build-context

* buildah source pull/push: show progress bar

* run: allow resuing secret twice in different RUN steps

* test helpers: default to being rootless-aware

* Add --cpp-flag flag to buildah build

* build: accept branch and subdirectory when context is git repo

* Vendor in latest containers/common

* vendor: update c/storage and c/image

* Fix gentoo install docs

* copier: move NSS load to new process

* Add test for prevention of reusing encrypted layers* Make `buildah build --label foo` create an empty 'foo' label again

Update to version 1.26.4:

* build, multiarch: support splitting build logs for --platform

* copier: add `NoOverwriteNonDirDir` option

* docker-parity: ignore sanity check if baseImage history is null

* build, commit: allow disabling image history with --omit-history

* buildkit: supports additionalBuildContext in builds via --build-context

* Add --cpp-flag flag to buildah build

Update to version 1.26.3:

* define.downloadToDirectory: fail early if bad HTTP response

* add: fail on bad http response instead of writing to container

* squash: never use build cache when computing last step of last stage

* run: allow resuing secret twice in different RUN steps

* integration tests: update expected error messages

* integration tests: quote '?' in shell scripts

* Use errors.Is() to check for storage errors* lint: inspectable is never nil

* chroot: use ActKillThread instead of ActKill

* chroot: honor DefaultErrnoRet

* Set user namespace defaults correctly for the library

* contrib/rpm/buildah.spec: fix `rpm` parser warnings

Drop requires on apparmor pattern, should be moved elsewhere

for systems which want AppArmor instead of SELinux.

- Update BuildRequires to libassuan-devel >= 2.5.2, pkgconfig file

is required to build.

Update to version 1.26.2:

* buildah: add support for renaming a device in rootless setups

Update to version 1.26.1:

* Make `buildah build --label foo` create an empty 'foo' label again

* imagebuildah,build: move deepcopy of args before we spawn goroutine

* Vendor in containers/storage v1.40.2

* buildah.BuilderOptions.DefaultEnv is ignored, so mark it as deprecated

* help output: get more consistent about option usage text

* Handle OS version and features flags

* buildah build: --annotation and --label should remove values

* buildah build: add a --env

* buildah: deep copy options.Args before performing concurrent build/stage

* test: inline platform and builtinargs behaviour

* vendor: bump imagebuilder to master/009dbc6

* build: automatically set correct TARGETPLATFORM where expected

* Vendor in containers/(common, storage, image)

* imagebuildah, executor: process arg variables while populating baseMap

* buildkit: add support for custom build output with --output

* Cirrus: Update CI VMs to F36

* fix staticcheck linter warning for deprecated function

* Fix docs build on FreeBSD

* copier.unwrapError(): update for Go 1.16

* copier.PutOptions: add StripSetuidBit/StripSetgidBit/StripStickyBit

* copier.Put(): write to read-only directories

* Ed's periodic test cleanup

* using consistent lowercase 'invalid' word in returned err msg

* use etchosts package from c/common

* run: set actual hostname in /etc/hostname to match docker parity

* Update vendor of containers/(common,storage,image)

* manifest-create: allow creating manifest list from local image

* Update vendor of storage,common,image

* Initialize network backend before first pull

* oci spec: change special mount points for namespaces

* tests/helpers.bash: assert handle corner cases correctly

* buildah: actually use containers.conf settings

* integration tests: learn to start a dummy registry

* Fix error check to work on Podman

* buildah build should accept at most one arg

* tests: reduce concurrency for flaky bud-multiple-platform-no-run

* vendor in latest containers/common,image,storage

* manifest-add: allow override arch,variant while adding image

* Remove a stray `\` from .containerenv

* Vendor in latest opencontainers/selinux v1.10.1

* build, commit: allow removing default identity labels

* Create shorter names for containers based on image IDs

* test: skip rootless on cgroupv2 in root env

* fix hang when oci runtime fails

* Set permissions for GitHub actions

* copier test: use correct UID/GID in test archives

* run: set parent-death signals and forward SIGHUP/SIGINT/SIGTERM

1204383,CVE-2022-32221

This update for curl fixes the following issues:

- CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).

1203911,1204137

This update for permissions fixes the following issues:

- Revert changes that replaced ping capabilities with ICMP_PROTO sockets. Older SUSE Linux Enterprise versions don't

properly support ICMP_PROTO sockets feature yet (bsc#1204137)

- Fix regression introduced by backport of security fix (bsc#1203911)

1087072,1204111,1204112,1204113,CVE-2022-42010,CVE-2022-42011,CVE-2022-42012

This update for dbus-1 fixes the following issues:

- CVE-2022-42010: Fixed potential crash that could be triggered by an invalid signature (bsc#1204111).

- CVE-2022-42011: Fixed an out of bounds read caused by a fixed length array (bsc#1204112).

- CVE-2022-42012: Fixed a use-after-free that could be trigged by a message in non-native endianness with out-of-band Unix file descriptor (bsc#1204113).

Bugfixes:

- Disable asserts (bsc#1087072).

The following package changes have been done:

- dbus-1-1.12.2-150100.8.14.1 updated

- libcurl4-7.66.0-150200.4.42.1 updated

- libdbus-1-3-1.12.2-150100.8.14.1 updated

- libgpg-error0-1.42-150300.9.3.1 updated

- libksba8-1.3.5-150000.4.3.1 updated

- permissions-20181225-150200.23.20.1 updated

- container:sles15-image-15.0.0-17.20.58 updated