SUSE Container Update Advisory: rancher/elemental-teal-iso/5.4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3470-1
Container Tags        : rancher/elemental-teal-iso/5.4:1.2.2 , rancher/elemental-teal-iso/5.4:1.2.2-3.2.1 , rancher/elemental-teal-iso/5.4:latest
Container Release     : 3.2.1
Severity              : critical
Type                  : security
References            : 1029961 1041090 1048046 1049382 1051429 1089497 1096726 1102408
                        1103032 1113038 1113039 1113040 1114832 1116658 1118897 1118898
                        1118899 1120610 1120610 1121967 1123156 1123387 1124308 1130489
                        1130496 1130496 1131314 1131553 1135460 1136234 1136974 1137860
                        1141680 1143386 1149954 1152308 1155141 1155217 1160452 1160460
                        1164390 1167850 1168481 1170940 1171566 1171578 1172380 1172786
                        1173404 1173409 1173410 1173471 1174465 1175081 1175821 1175821
                        1176547 1177955 1178807 1178943 1178944 1179025 1179203 1179466
                        1179467 1179467 1181122 1181131 1181131 1181594 1181641 1181644
                        1181677 1181730 1181732 1181749 1181872 1181961 1182451 1182476
                        1182790 1182947 1182998 1183024 1183855 1184124 1184768 1184962
                        1185405 1185405 1186606 1187704 1188282 1189743 1190826 1191015
                        1191121 1191334 1191355 1191434 1192051 1193436 1193951 1194038
                        1194609 1194900 1197093 1199232 1199235 1199460 1199565 1200088
                        1200145 1200524 1200657 1200657 1202021 1202436 1202436 1202436
                        1202821 1202821 1203600 1205536 1207509 1207753 1208079 1208194
                        1208574 1208721 1209229 1209741 1210702 1210702 1210999 1211272
                        1211576 1211828 1212126 1212434 1213185 1213237 1213472 1213487
                        1213514 1213517 1213575 1213853 1213873 1214054 1214071 CVE-2018-14679
                        CVE-2018-14681 CVE-2018-14682 CVE-2018-15664 CVE-2018-16873 CVE-2018-16874
                        CVE-2018-16875 CVE-2018-18584 CVE-2018-18585 CVE-2018-18586 CVE-2018-20482
                        CVE-2018-20482 CVE-2019-1010305 CVE-2019-10152 CVE-2019-16884
                        CVE-2019-18466 CVE-2019-19921 CVE-2019-5736 CVE-2019-6778 CVE-2019-9923
                        CVE-2019-9923 CVE-2020-10756 CVE-2020-1983 CVE-2020-21913 CVE-2020-29129
                        CVE-2020-29130 CVE-2020-29130 CVE-2021-20193 CVE-2021-20193 CVE-2021-20206
                        CVE-2021-21284 CVE-2021-21285 CVE-2021-21334 CVE-2021-30465 CVE-2021-30465
                        CVE-2021-30560 CVE-2021-32760 CVE-2021-41089 CVE-2021-41091 CVE-2021-41092
                        CVE-2021-41103 CVE-2021-43784 CVE-2022-1586 CVE-2022-1587 CVE-2022-29162
                        CVE-2022-31030 CVE-2022-41409 CVE-2022-48303 CVE-2023-31484 CVE-2023-32001
                        CVE-2023-3446 CVE-2023-34969 CVE-2023-36054 CVE-2023-3817 
-----------------------------------------------------------------

The container rancher/elemental-teal-iso/5.4 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:495-1
Released:    Tue Feb 26 16:42:35 2019
Summary:     Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc
Type:        security
Severity:    important
References:  1048046,1051429,1114832,1118897,1118898,1118899,1121967,1124308,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736
This update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc fixes the following issues:

Security issues fixed: 

- CVE-2018-16875: Fixed a CPU Denial of Service (bsc#1118899).
- CVE-2018-16874: Fixed a vulnerabity in go get command which could allow directory traversal in GOPATH mode (bsc#1118898).
- CVE-2018-16873: Fixed a vulnerability in go get command which could allow remote code execution when executed with -u in GOPATH mode (bsc#1118897).
- CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to avoid write attacks to the host runc binary, which could lead to a container
  breakout (bsc#1121967).

Other changes and fixes: 

- Update shell completion to use Group: System/Shells.
- Add daemon.json file with rotation logs configuration (bsc#1114832)
- Update to Docker 18.09.1-ce (bsc#1124308) and to to runc 96ec2177ae84.
  See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
- Update go requirements to >= go1.10 
- Use -buildmode=pie for tests and binary build (bsc#1048046 and bsc#1051429).
- Remove the usage of 'cp -r' to reduce noise in the build logs.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:748-1
Released:    Tue Mar 26 14:35:56 2019
Summary:     Security update for libmspack
Type:        security
Severity:    moderate
References:  1113038,1113039,CVE-2018-18584,CVE-2018-18585
This update for libmspack fixes the following issues:

Security issues fixed:

- CVE-2018-18584: The CAB block input buffer was one byte too small for the maximal Quantum block, leading to an out-of-bounds write. (bsc#1113038)
- CVE-2018-18585: chmd_read_headers accepted a filename that has '\0' as its first or second character (such as the '/\0' name). (bsc#1113039)
- Fix off-by-one bounds check on CHM PMGI/PMGL chunk numbers and reject empty filenames.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:926-1
Released:    Wed Apr 10 16:33:12 2019
Summary:     Security update for tar
Type:        security
Severity:    moderate
References:  1120610,1130496,CVE-2018-20482,CVE-2019-9923
This update for tar fixes the following issues:

Security issues fixed:

- CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496).
- CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2223-1
Released:    Tue Aug 27 15:42:56 2019
Summary:     Security update for podman, slirp4netns and libcontainers-common
Type:        security
Severity:    moderate
References:  1096726,1123156,1123387,1135460,1136974,1137860,1143386,CVE-2018-15664,CVE-2019-10152,CVE-2019-6778

  
This is a version update for podman to version 1.4.4 (bsc#1143386).

Additional changes by SUSE on top:

- Remove fuse-overlayfs because it's (currently) an unsatisfied dependency on
  SLE (bsc#1143386)
- Update libpod.conf to use correct infra_command
- Update libpod.conf to use better versioned pause container
- Update libpod.conf to use official kubic pause container
- Update libpod.conf to match latest features set:
  detach_keys, lock_type, runtime_supports_json
- Add podman-remote varlink client

Version update podman to v1.4.4:

- Features

  - Podman now has greatly improved support for containers using multiple OCI
    runtimes. Containers now remember if they were created with a different
    runtime using --runtime and will always use that runtime
  - The cached and delegated options for volume mounts are now allowed for
    Docker compatability (#3340)
  - The podman diff command now supports the --latest flag

- Bugfixes

  - Fixed a bug where rootless Podman would attempt to use the entire root
    configuration if no rootless configuration was present for the user,
    breaking rootless Podman for new installations
  - Fixed a bug where rootless Podman's pause process would block SIGTERM,
    preventing graceful system shutdown and hanging until the system's init
    send SIGKILL
  - Fixed a bug where running Podman as root with sudo -E would not work after
    running rootless Podman at least once
  - Fixed a bug where options for tmpfs volumes added with the --tmpfs flag
    were being ignored
  - Fixed a bug where images with no layers could not properly be displayed
    and removed by Podman
  - Fixed a bug where locks were not properly freed on failure to create a
    container or pod
  - Fixed a bug where podman cp on a single file would create a directory at
    the target and place the file in it (#3384)
  - Fixed a bug where podman inspect --format '{{.Mounts}}' would print a
    hexadecimal address instead of a container's mounts
  - Fixed a bug where rootless Podman would not add an entry to container's
    /etc/hosts files for their own hostname (#3405)
  - Fixed a bug where podman ps --sync would segfault (#3411)
  - Fixed a bug where podman generate kube would produce an invalid ports
    configuration (#3408)

- Misc

  - Updated containers/storage to v1.12.13
  - Podman now performs much better on systems with heavy I/O load
  - The --cgroup-manager flag to podman now shows the correct default setting
    in help if the default was overridden by libpod.conf
  - For backwards compatability, setting --log-driver=json-file in podman run
    is now supported as an alias for --log-driver=k8s-file. This is considered
    deprecated, and json-file will be moved to a new implementation in the
    future ([#3363](\
    d/issues/3363))
  - Podman's default libpod.conf file now allows the crun OCI runtime to be
    used if it is installed

Update podman to v1.4.2:

- Fixed a bug where Podman could not run containers using an older version of
  Systemd as init
- Updated vendored Buildah to v1.9.0 to resolve a critical bug with
  Dockerfile RUN instructions
- The error message for running podman kill on containers that are not
  running has been improved
- Podman remote client can now log to a file if syslog is not available
- The podman exec command now sets its error code differently based on
  whether the container does not exist, and the command in the container does
  not exist
- The podman inspect command on containers now outputs Mounts JSON that matches
  that of docker inspect, only including user-specified volumes and
  differentiating bind mounts and named volumes
- The podman inspect command now reports the path to a container's OCI spec
  with the OCIConfigPath key (only included when the container is initialized
  or running)
- The podman run --mount command now supports the bind-nonrecursive option for
  bind mounts
- Fixed a bug where podman play kube would fail to create containers due to an
  unspecified log driver
- Fixed a bug where Podman would fail to build with musl libc
- Fixed a bug where rootless Podman using slirp4netns networking in an
  environment with no nameservers on the host other than localhost would
  result in nonfunctional networking
- Fixed a bug where podman import would not properly set environment
  variables, discarding their values and retaining only keys
- Fixed a bug where Podman would fail to run when built with Apparmor support
  but run on systems without the Apparmor kernel module loaded
- Remote Podman will now default the username it uses to log in to remote
  systems to the username of the current user
- Podman now uses JSON logging with OCI runtimes that support it, allowing for
  better error reporting
- Updated vendored containers/image to v2.0
- Update conmon to v0.3.0
- Support OOM Monitor under cgroup V2
- Add config binary and make target for configuring conmon with a go library
  for importing values

Updated podman to version 1.4.0 (bsc#1137860) and (bsc#1135460) 

- Podman checkpoint and podman restore commands can now be
  used to migrate containers between Podman installations on
  different systems.
- The podman cp now supports pause flag.
- The remote client now supports a configuration file for
  pre-configuring connections to remote Podman installations
- CVE-2019-10152: Fixed an iproper dereference of symlinks of the
  the podman cp command which introduced in version 1.1.0 (bsc#1136974).
- Fixed a bug where podman commit could improperly set environment variables 
  that contained = characters
- Fixed a bug where rootless podman would sometimes fail to start
  containers with forwarded ports
- Fixed a bug where podman version on the remote client could
  segfault
- Fixed a bug where podman container runlabel would use /proc/self/exe instead of 
  the path of the Podman command when printing the command being executed
- Fixed a bug where filtering images by label did not work
- Fixed a bug where specifying a bing mount or tmpfs mount over
  an image volume would cause a container to be unable to start
- Fixed a bug where podman generate kube did not work with
  containers with named volumes
- Fixed a bug where rootless podman would receive permission
  denied errors accessing conmon.pid
- Fixed a bug where podman cp with a folder specified as target
  would replace the folder, as opposed to copying into it
- Fixed a bug where rootless Podman commands could double-unlock
  a lock, causing a crash
- Fixed a bug where podman incorrectly set tmpcopyup on /dev/
  mounts, causing errors when using the Kata containers runtime
- Fixed a bug where podman exec would fail on older kernels
- Podman commit command is now usable with the Podman remote client
- Signature-policy flag has been deprecated
- Updated vendored containers/storage and containers/image libraries 
  with numerous bugfixes
- Updated vendored Buildah to v1.8.3
- Podman now requires Conmon v0.2.0
- The podman cp command is now aliased as podman container cp
- Rootless podman will now default init_path using root Podman's
  configuration files (/etc/containers/libpod.conf and
  /usr/share/containers/libpod.conf) if not overridden in the
  rootless configuration
- Added fuse-overlayfs dependency to support overlay based rootless image
  manipulations
- The podman cp command can now read input redirected to STDIN, and output to
  STDOUT instead of a file, using - instead of an argument.
- The podman remote client now displays version information from both the
  client and server in podman version
- The podman unshare command has been added, allowing easy entry into the
  user namespace set up by rootless Podman (allowing the removal of files
  created by rootless podman, among other things)
- Fixed a bug where Podman containers with the --rm flag were removing
  created volumes when they were automatically removed
- Fixed a bug where container and pod locks were incorrectly marked as
  released after a system reboot, causing errors on container and pod removal
- Fixed a bug where Podman pods could not be removed if any container in the
  pod encountered an error during removal
- Fixed a bug where Podman pods run with the cgroupfs CGroup driver would encounter 
  a race condition during removal, potentially failing to remove the pod CGroup
- Fixed a bug where the podman container checkpoint and podman container
  restore commands were not visible in the remote client
- Fixed a bug where podman remote ps --ns would not print the container's namespaces
- Fixed a bug where removing stopped containers with healthchecks could cause an error
- Fixed a bug where the default libpod.conf file was causing parsing errors
- Fixed a bug where pod locks were not being freed when pods were removed,
  potentially leading to lock exhaustion
- Fixed a bug where 'podman run' with SD_NOTIFY set could, on short-running
  containers, create an inconsistent state rendering the container unusable
- The remote Podman client now uses the Varlink bridge to establish remote
  connections by default
- Fixed an issue with apparmor_parser (bsc#1123387)

- Update to libpod v1.4.0 (bsc#1137860):
- The podman checkpoint and podman restore commands can now be
  used to migrate containers between Podman installations on
  different systems
- The podman cp command now supports a pause flag to pause
  containers while copying into them
- The remote client now supports a configuration file for
  pre-configuring connections to remote Podman installations
- Fixed CVE-2019-10152 - The podman cp command improperly
  dereferenced symlinks in host context
- Fixed a bug where podman commit could improperly set
  environment variables that contained = characters
- Fixed a bug where rootless Podman would sometimes fail to start
  containers with forwarded ports
- Fixed a bug where podman version on the remote client could
  segfault
- Fixed a bug where podman container runlabel would use
  /proc/self/exe instead of the path of the Podman command when
  printing the command being executed
- Fixed a bug where filtering images by label did not work
- Fixed a bug where specifying a bing mount or tmpfs mount over
  an image volume would cause a container to be unable to start
- Fixed a bug where podman generate kube did not work with
  containers with named volumes
- Fixed a bug where rootless Podman would receive permission
  denied errors accessing conmon.pid
- Fixed a bug where podman cp with a folder specified as target
  would replace the folder, as opposed to copying into it
- Fixed a bug where rootless Podman commands could double-unlock
  a lock, causing a crash
- Fixed a bug where Podman incorrectly set tmpcopyup on /dev/
  mounts, causing errors when using the Kata containers runtime
- Fixed a bug where podman exec would fail on older kernels
- The podman commit command is now usable with the Podman remote
  client
- The --signature-policy flag (used with several image-related
  commands) has been deprecated
- The podman unshare command now defines two environment
  variables in the spawned shell: CONTAINERS_RUNROOT and
  CONTAINERS_GRAPHROOT, pointing to temporary and permanent
  storage for rootless containers
- Updated vendored containers/storage and containers/image
  libraries with numerous bugfixes
- Updated vendored Buildah to v1.8.3
- Podman now requires Conmon v0.2.0
- The podman cp command is now aliased as podman container cp
- Rootless Podman will now default init_path using root Podman's
  configuration files (/etc/containers/libpod.conf and
  /usr/share/containers/libpod.conf) if not overridden in the
  rootless configuration

- Update to image v1.5.1
- Vendor in latest containers/storage
- docker/docker_client: Drop redundant Domain(ref.ref) call
- pkg/blobinfocache: Split implementations into subpackages
- copy: progress bar: show messages on completion
- docs: rename manpages to *.5.command
- add container-certs.d.md manpage
- pkg/docker/config: Bring auth tests from
  docker/docker_client_test
- Don't allocate a sync.Mutex separately

Update to storage v1.12.10:

- Add function to parse out mount options from graphdriver
- Merge the disparate parts of all of the Unix-like lockfiles
- Fix unix-but-not-Linux compilation
- Return XDG_RUNTIME_DIR as RootlessRuntimeDir if set
- Cherry-pick moby/moby #39292 for CVE-2018-15664 fixes
- lockfile: add RecursiveLock() API
- Update generated files
- Fix crash on tesing of aufs code
- Let consumers know when Layers and Images came from read-only stores
- chown: do not change owner for the mountpoint
- locks: correctly mark updates to the layers list
- CreateContainer: don't worry about mapping layers unless necessary
- docs: fix manpage for containers-storage.conf
- docs: sort configuration options alphabetically
- docs: document OSTree file deduplication
- Add missing options to man page for containers-storage
- overlay: use the layer idmapping if present
- vfs: prefer layer custom idmappings
- layers: propagate down the idmapping settings
- Recreate symlink when not found
- docs: fix manpage for configuration file
- docs: add special handling for manpages in sect 5
- overlay: fix single-lower test
- Recreate symlink when not found
- overlay: propagate errors from mountProgram
- utils: root in a userns uses global conf file
- Fix handling of additional stores
- Correctly check permissions on rootless directory
- Fix possible integer overflow on 32bit builds
- Evaluate device path for lvm
- lockfile test: make concurrent RW test determinisitc
- lockfile test: make concurrent read tests deterministic
- drivers.DirCopy: fix filemode detection
- storage: move the logic to detect rootless into utils.go
- Don't set (struct flock).l_pid
- Improve documentation of getLockfile
- Rename getLockFile to createLockerForPath, and document it
- Add FILES section to containers-storage.5 man page
- add digest locks
- drivers/copy: add a non-cgo fallback

slirp4netns was updated to 0.3.0:

- CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() (bsc#1123156)

This update also includes:

- fuse3 and fuse-overlayfs to support rootless containers.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2810-1
Released:    Tue Oct 29 14:56:44 2019
Summary:     Security update for runc
Type:        security
Severity:    moderate
References:  1131314,1131553,1152308,CVE-2019-16884
This update for runc fixes the following issues:

Security issue fixed:

- CVE-2019-16884: Fixed an LSM bypass via malicious Docker images that mount over a /proc directory. (bsc#1152308)

Non-security issues fixed:

- Includes upstreamed patches for regressions (bsc#1131314 bsc#1131553).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:697-1
Released:    Mon Mar 16 13:17:10 2020
Summary:     Security update for cni, cni-plugins, conmon, fuse-overlayfs, podman
Type:        security
Severity:    moderate
References:  1155217,1160460,1164390,CVE-2019-18466
This update for cni, cni-plugins, conmon, fuse-overlayfs, podman fixes the following issues:

podman was updated to 1.8.0:

- CVE-2019-18466: Fixed a bug where podman cp would improperly copy files on the
  host when copying a symlink in the container that included a
  glob operator (#3829 bsc#1155217)

- The name of the cni-bridge in the default config changed from
  'cni0' to 'podman-cni0' with podman-1.6.0. Add a %trigger to
  rename the bridge in the system to the new default if it exists.
  The trigger is only excuted when updating podman-cni-config 
  from something older than 1.6.0. This is mainly needed for SLE
  where we're updating from 1.4.4 to 1.8.0 (bsc#1160460).

Update podman to v1.8.0 (bsc#1160460):

* Features

  - The podman system service command has been added, providing a
    preview of Podman's new Docker-compatible API. This API is
    still very new, and not yet ready for production use, but is
    available for early testing
  - Rootless Podman now uses Rootlesskit for port forwarding,
    which should greatly improve performance and capabilities
  - The podman untag command has been added to remove tags from
    images without deleting them
  - The podman inspect command on images now displays previous
    names they used
  - The podman generate systemd command now supports a --new
    option to generate service files that create and run new
    containers instead of managing existing containers
  - Support for --log-opt tag= to set logging tags has been added
    to the journald log driver
  - Added support for using Seccomp profiles embedded in images
    for podman run and podman create via the new --seccomp-policy
      CLI flag
  - The podman play kube command now honors pull policy

* Bugfixes

  - Fixed a bug where the podman cp command would not copy the
    contents of directories when paths ending in /. were given
  - Fixed a bug where the podman play kube command did not
    properly locate Seccomp profiles specified relative to
    localhost
  - Fixed a bug where the podman info command for remote Podman
    did not show registry information
  - Fixed a bug where the podman exec command did not support
    having input piped into it
  - Fixed a bug where the podman cp command with rootless Podman
    on CGroups v2 systems did not properly determine if the
    container could be paused while copying
  - Fixed a bug where the podman container prune --force command
    could possible remove running containers if they were started
    while the command was running 
  - Fixed a bug where Podman, when run as root, would not
    properly configure slirp4netns networking when requested
  - Fixed a bug where podman run --userns=keep-id did not work
    when the user had a UID over 65535
  - Fixed a bug where rootless podman run and podman create with
    the --userns=keep-id option could change permissions on
    /run/user/$UID and break KDE
  - Fixed a bug where rootless Podman could not be run in a
    systemd service on systems using CGroups v2
  - Fixed a bug where podman inspect would show CPUShares as 0,
    instead of the default (1024), when it was not explicitly set
  - Fixed a bug where podman-remote push would segfault
  - Fixed a bug where image healthchecks were not shown in the
    output of podman inspect
  - Fixed a bug where named volumes created with containers from
    pre-1.6.3 releases of Podman would be autoremoved with their
    containers if the --rm flag was given, even if they were
    given names
  - Fixed a bug where podman history was not computing image
    sizes correctly
  - Fixed a bug where Podman would not error on invalid values to
    the --sort flag to podman images
  - Fixed a bug where providing a name for the image made by
    podman commit was mandatory, not optional as it should be
  - Fixed a bug where the remote Podman client would append an
    extra ' to %PATH
  - Fixed a bug where the podman build command would sometimes
    ignore the -f option and build the wrong Containerfile
  - Fixed a bug where the podman ps --filter command would only
    filter running containers, instead of all containers, if
    --all was not passed
  - Fixed a bug where the podman load command on compressed
    images would leave an extra copy on disk
  - Fixed a bug where the podman restart command would not
    properly clean up the network, causing it to function
    differently from podman stop; podman start
  - Fixed a bug where setting the --memory-swap flag to podman
    create and podman run to -1 (to indicate unlimited) was not
    supported

* Misc

  - Initial work on version 2 of the Podman remote API has been
    merged, but is still in an alpha state and not ready for use.
    Read more here
  - Many formatting corrections have been made to the manpages
  - The changes to address (#5009) may cause anonymous volumes
    created by Podman versions 1.6.3 to 1.7.0 to not be removed
    when their container is removed
  - Updated vendored Buildah to v1.13.1
  - Updated vendored containers/storage to v1.15.8
  - Updated vendored containers/image to v5.2.0

- Add apparmor-abstractions as required runtime dependency to
  have `tunables/global` available.

- fixed the --force flag for the 'container prune' command.
  (d/issues/4844)

Update podman to v1.7.0

* Features

  - Added support for setting a static MAC address for containers
  - Added support for creating macvlan networks with podman
    network create, allowing Podman containers to be attached
    directly to networks the host is connected to
  - The podman image prune and podman container prune commands
    now support the --filter flag to filter what will be pruned,
    and now prompts for confirmation when run without --force
    (#4410 and #4411)
  - Podman now creates CGroup namespaces by default on systems
    using CGroups v2 (#4363)
  - Added the podman system reset command to remove all Podman
    files and perform a factory reset of the Podman installation
  - Added the --history flag to podman images to display previous
    names used by images (#4566)
  - Added the --ignore flag to podman rm and podman stop to not
    error when requested containers no longer exist
  - Added the --cidfile flag to podman rm and podman stop to read
    the IDs of containers to be removed or stopped from a file
  - The podman play kube command now honors Seccomp annotations
    (#3111)
  - The podman play kube command now honors RunAsUser,
    RunAsGroup, and selinuxOptions
  - The output format of the podman version command has been
    changed to better match docker version when using the
    --format flag
  - Rootless Podman will no longer initialize containers/storage
    twice, removing a potential deadlock preventing Podman
    commands from running while an image was being pulled (#4591)
  - Added tmpcopyup and notmpcopyup options to the --tmpfs and
    --mount type=tmpfs flags to podman create and podman run to
    control whether the content of directories are copied into
    tmpfs filesystems mounted over them
  - Added support for disabling detaching from containers by
    setting empty detach keys via --detach-keys=''
  - The podman build command now supports the --pull and
    --pull-never flags to control when images are pulled during a
    build
  - The podman ps -p command now shows the name of the pod as
    well as its ID (#4703)
  - The podman inspect command on containers will now display the
    command used to create the container
  - The podman info command now displays information on registry
    mirrors (#4553)

* Bugfixes

  - Fixed a bug where Podman would use an incorrect runtime
    directory as root, causing state to be deleted after root
    logged out and making Podman in systemd services not function
    properly
  - Fixed a bug where the --change flag to podman import and
    podman commit was not being parsed properly in many cases
  - Fixed a bug where detach keys specified in libpod.conf were
    not used by the podman attach and podman exec commands, which
    always used the global default ctrl-p,ctrl-q key combination
    (#4556)
  - Fixed a bug where rootless Podman was not able to run podman
    pod stats even on CGroups v2 enabled systems (#4634)
  - Fixed a bug where rootless Podman would fail on kernels
    without the renameat2 syscall (#4570)
  - Fixed a bug where containers with chained network namespace
    dependencies (IE, container A using --net container=B and
    container B using --net container=C) would not properly mount
    /etc/hosts and /etc/resolv.conf into the container (#4626)
  - Fixed a bug where podman run with the --rm flag and without
    -d could, when run in the background, throw a 'container does
    not exist' error when attempting to remove the container
    after it exited
  - Fixed a bug where named volume locks were not properly
    reacquired after a reboot, potentially leading to deadlocks
    when trying to start containers using the volume (#4605 and
    #4621)
  - Fixed a bug where Podman could not completely remove
    containers if sent SIGKILL during removal, leaving the
    container name unusable without the podman rm --storage
    command to complete removal (#3906)
  - Fixed a bug where checkpointing containers started with --rm
    was allowed when --export was not specified (the container,
    and checkpoint, would be removed after checkpointing was
    complete by --rm) (#3774)
  - Fixed a bug where the podman pod prune command would fail if
    containers were present in the pods and the --force flag was
    not passed (#4346)
  - Fixed a bug where containers could not set a static IP or
    static MAC address if they joined a non-default CNI network
    (#4500)
  - Fixed a bug where podman system renumber would always throw
    an error if a container was mounted when it was run
  - Fixed a bug where podman container restore would fail with
    containers using a user namespace
  - Fixed a bug where rootless Podman would attempt to use the
    journald events backend even on systems without systemd
    installed
  - Fixed a bug where podman history would sometimes not properly
    identify the IDs of layers in an image (#3359)
  - Fixed a bug where containers could not be restarted when
    Conmon v2.0.3 or later was used
  - Fixed a bug where Podman did not check image OS and
    Architecture against the host when starting a container
  - Fixed a bug where containers in pods did not function
    properly with the Kata OCI runtime (#4353)
  - Fixed a bug where `podman info --format '{{ json . }}' would
    not produce JSON output (#4391)
  - Fixed a bug where Podman would not verify if files passed to
    --authfile existed (#4328)
  - Fixed a bug where podman images --digest would not always
    print digests when they were available
  - Fixed a bug where rootless podman run could hang due to a
    race with reading and writing events
  - Fixed a bug where rootless Podman would print warning-level
    logs despite not be instructed to do so (#4456)
  - Fixed a bug where podman pull would attempt to fetch from
    remote registries when pulling an unqualified image using the
    docker-daemon transport (#4434)
  - Fixed a bug where podman cp would not work if STDIN was a
    pipe
  - Fixed a bug where podman exec could stop accepting input if
    anything was typed between the command being run and the exec
    session starting (#4397)
  - Fixed a bug where podman logs --tail 0 would print all lines
    of a container's logs, instead of no lines (#4396)
  - Fixed a bug where the timeout for slirp4netns was incorrectly
    set, resulting in an extremely long timeout (#4344)
  - Fixed a bug where the podman stats command would print CPU
    utilizations figures incorrectly (#4409)
  - Fixed a bug where the podman inspect --size command would not
    print the size of the container's read/write layer if the
    size was 0 (#4744)
  - Fixed a bug where the podman kill command was not properly
    validating signals before use (#4746)
  - Fixed a bug where the --quiet and --format flags to podman ps
    could not be used at the same time
  - Fixed a bug where the podman stop command was not stopping
    exec sessions when a container was created without a PID
    namespace (--pid=host)
  - Fixed a bug where the podman pod rm --force command was not
    removing anonymous volumes for containers that were removed
  - Fixed a bug where the podman checkpoint command would not
    export all changes to the root filesystem of the container if
    performed more than once on the same container (#4606)
  - Fixed a bug where containers started with --rm would not be
    automatically removed on being stopped if an exec session was
    running inside the container (#4666)

* Misc

  - The fixes to runtime directory path as root can cause strange
    behavior if an upgrade is performed while containers are
    running
  - Updated vendored Buildah to v1.12.0
  - Updated vendored containers/storage library to v1.15.4
  - Updated vendored containers/image library to v5.1.0
  - Kata Containers runtimes (kata-runtime, kata-qemu, and
    kata-fc) are now present in the default libpod.conf, but will
    not be available unless Kata containers is installed on the
    system
  - Podman previously did not allow the creation of containers
    with a memory limit lower than 4MB. This restriction has been
    removed, as the crun runtime can create containers with
    significantly less memory

Update podman to v1.6.4
- Remove winsz FIFO on container restart to allow use with Conmon 2.03 and higher
- Ensure volumes reacquire locks on system restart, preventing deadlocks when starting containers
- Suppress spurious log messages when running rootless Podman
- Update vendored containers/storage to v1.13.6
- Fix a deadlock related to writing events
- Do not use the journald event logger when it is not available

Update podman to v1.6.2

* Features

  - Added a --runtime flag to podman system migrate to allow the
    OCI runtime for all containers to be reset, to ease transition
    to the crun runtime on CGroups V2 systems until runc gains full
    support
  - The podman rm command can now remove containers in broken
    states which previously could not be removed
  - The podman info command, when run without root, now shows
    information on UID and GID mappings in the rootless user
    namespace
  - Added podman build --squash-all flag, which squashes all layers
    (including those of the base image) into one layer
  - The --systemd flag to podman run and podman create now accepts
    a string argument and allows a new value, always, which forces
    systemd support without checking if the the container
    entrypoint is systemd

* Bugfixes

  - Fixed a bug where the podman top command did not work on
    systems using CGroups V2 (#4192)
  - Fixed a bug where rootless Podman could double-close a file,
    leading to a panic
  - Fixed a bug where rootless Podman could fail to retrieve some
    containers while refreshing the state
  - Fixed a bug where podman start --attach --sig-proxy=false would
    still proxy signals into the container
  - Fixed a bug where Podman would unconditionally use a
    non-default path for authentication credentials (auth.json),
    breaking podman login integration with skopeo and other tools
    using the containers/image library
  - Fixed a bug where podman ps --format=json and podman images
    --format=json would display null when no results were returned,
    instead of valid JSON
  - Fixed a bug where podman build --squash was incorrectly
    squashing all layers into one, instead of only new layers
  - Fixed a bug where rootless Podman would allow volumes with
    options to be mounted (mounting volumes requires root),
    creating an inconsistent state where volumes reported as
    mounted but were not (#4248)
  - Fixed a bug where volumes which failed to unmount could not be
    removed (#4247)
  - Fixed a bug where Podman incorrectly handled some errors
    relating to unmounted or missing containers in
    containers/storage
  - Fixed a bug where podman stats was broken on systems running
    CGroups V2 when run rootless (#4268)
  - Fixed a bug where the podman start command would print the
    short container ID, instead of the full ID
  - Fixed a bug where containers created with an OCI runtime that
    is no longer available (uninstalled or removed from the config
    file) would not appear in podman ps and could not be removed
    via podman rm
  - Fixed a bug where containers restored via podman container
    restore --import would retain the CGroup path of the original
    container, even if their container ID changed; thus, multiple
    containers created from the same checkpoint would all share the
    same CGroup

* Misc

  - The default PID limit for containers is now set to 4096. It can
    be adjusted back to the old default (unlimited) by passing
    --pids-limit 0 to podman create and podman run
  - The podman start --attach command now automatically attaches
    STDIN if the container was created with -i
  - The podman network create command now validates network names
    using the same regular expression as container and pod names
  - The --systemd flag to podman run and podman create will now
    only enable systemd mode when the binary being run inside the
    container is /sbin/init, /usr/sbin/init, or ends in systemd
    (previously detected any path ending in init or systemd)
  - Updated vendored Buildah to 1.11.3
  - Updated vendored containers/storage to 1.13.5
  - Updated vendored containers/image to 4.0.1

Update podman to v1.6.1

* Features

  - The podman network create, podman network rm, podman network
    inspect, and podman network ls commands have been added to
    manage CNI networks used by Podman
  - The podman volume create command can now create and mount
    volumes with options, allowing volumes backed by NFS, tmpfs,
    and many other filesystems
  - Podman can now run containers without CGroups for better
    integration with systemd by using the --cgroups=disabled flag
    with podman create and podman run. This is presently only
    supported with the crun OCI runtime
  - The podman volume rm and podman volume inspect commands can now
    refer to volumes by an unambiguous partial name, in addition to
    full name (e.g. podman volume rm myvol to remove a volume named
    myvolume) (#3891)
  - The podman run and podman create commands now support the
    --pull flag to allow forced re-pulling of images (#3734)
  - Mounting volumes into a container using --volume, --mount, and
    --tmpfs now allows the suid, dev, and exec mount options (the
    inverse of nosuid, nodev, noexec) (#3819)
  - Mounting volumes into a container using --mount now allows the
    relabel=Z and relabel=z options to relabel mounts.
  - The podman push command now supports the --digestfile option to
    save a file containing the pushed digest
  - Pods can now have their hostname set via podman pod create
    --hostname or providing Pod YAML with a hostname set to podman
    play kube (#3732)
  - The podman image sign command now supports the --cert-dir flag
  - The podman run and podman create commands now support the
    --security-opt label=filetype:$LABEL flag to set the SELinux
    label for container files
  - The remote Podman client now supports healthchecks

* Bugfixes

  - Fixed a bug where remote podman pull would panic if a Varlink
    connection was not available (#4013)
  - Fixed a bug where podman exec would not properly set terminal
    size when creating a new exec session (#3903)
  - Fixed a bug where podman exec would not clean up socket
    symlinks on the host (#3962)
  - Fixed a bug where Podman could not run systemd in containers
    that created a CGroup namespace
  - Fixed a bug where podman prune -a would attempt to prune images
    used by Buildah and CRI-O, causing errors (#3983)
  - Fixed a bug where improper permissions on the ~/.config
    directory could cause rootless Podman to use an incorrect
    directory for storing some files
  - Fixed a bug where the bash completions for podman import threw
    errors
  - Fixed a bug where Podman volumes created with podman volume
    create would not copy the contents of their mountpoint the
    first time they were mounted into a container (#3945)
  - Fixed a bug where rootless Podman could not run podman exec
    when the container was not run inside a CGroup owned by the
    user (#3937)
  - Fixed a bug where podman play kube would panic when given Pod
    YAML without a securityContext (#3956)
  - Fixed a bug where Podman would place files incorrectly when
    storage.conf configuration items were set to the empty string
    (#3952)
  - Fixed a bug where podman build did not correctly inherit
    Podman's CGroup configuration, causing crashed on CGroups V2
    systems (#3938)
  - Fixed a bug where remote podman run --rm would exit before the
    container was completely removed, allowing race conditions when
    removing container resources (#3870)
  - Fixed a bug where rootless Podman would not properly handle
    changes to /etc/subuid and /etc/subgid after a container was
    launched
  - Fixed a bug where rootless Podman could not include some
    devices in a container using the --device flag (#3905)
  - Fixed a bug where the commit Varlink API would segfault if
    provided incorrect arguments (#3897)
  - Fixed a bug where temporary files were not properly cleaned up
    after a build using remote Podman (#3869)
  - Fixed a bug where podman remote cp crashed instead of reporting
    it was not yet supported (#3861)
  - Fixed a bug where podman exec would run as the wrong user when
    execing into a container was started from an image with
    Dockerfile USER (or a user specified via podman run --user)
    (#3838)
  - Fixed a bug where images pulled using the oci: transport would
    be improperly named
  - Fixed a bug where podman varlink would hang when managed by
    systemd due to SD_NOTIFY support conflicting with Varlink
    (#3572)
  - Fixed a bug where mounts to the same destination would
    sometimes not trigger a conflict, causing a race as to which
    was actually mounted
  - Fixed a bug where podman exec --preserve-fds caused Podman to
    hang (#4020)
  - Fixed a bug where removing an unmounted container that was
    unmounted might sometimes not properly clean up the container
    (#4033)
  - Fixed a bug where the Varlink server would freeze when run in a
    systemd unit file (#4005)
  - Fixed a bug where Podman would not properly set the $HOME
    environment variable when the OCI runtime did not set it
  - Fixed a bug where rootless Podman would incorrectly print
    warning messages when an OCI runtime was not found (#4012)
  - Fixed a bug where named volumes would conflict with, instead of
    overriding, tmpfs filesystems added by the --read-only-tmpfs
    flag to podman create and podman run
  - Fixed a bug where podman cp would incorrectly make the target
    directory when copying to a symlink which pointed to a
    nonexistent directory (#3894)
  - Fixed a bug where remote Podman would incorrectly read STDIN
    when the -i flag was not set (#4095)
  - Fixed a bug where podman play kube would create an empty pod
    when given an unsupported YAML type (#4093)
  - Fixed a bug where podman import --change improperly parsed CMD
    (#4000)
  - Fixed a bug where rootless Podman on systems using CGroups V2
    would not function with the cgroupfs CGroups manager
  - Fixed a bug where rootless Podman could not correctly identify
    the DBus session address, causing containers to fail to start
    (#4162)
  - Fixed a bug where rootless Podman with slirp4netns networking
    would fail to start containers due to mount leaks

* Misc

  - Significant changes were made to Podman volumes in this
    release. If you have pre-existing volumes, it is strongly
    recommended to run podman system renumber after upgrading.
  - Version 0.8.1 or greater of the CNI Plugins is now required for
    Podman
  - Version 2.0.1 or greater of Conmon is strongly recommended
  - Updated vendored Buildah to v1.11.2
  - Updated vendored containers/storage library to v1.13.4
  - Improved error messages when trying to create a pod with no
    name via podman play kube
  - Improved error messages when trying to run podman pause or
    podman stats on a rootless container on a system without
    CGroups V2 enabled
  - TMPDIR has been set to /var/tmp by default to better handle
    large temporary files
  - podman wait has been optimized to detect stopped containers
    more rapidly
  - Podman containers now include a ContainerManager annotation
    indicating they were created by libpod
  - The podman info command now includes information about
    slirp4netns and fuse-overlayfs if they are available
  - Podman no longer sets a default size of 65kb for tmpfs
    filesystems
  - The default Podman CNI network has been renamed in an attempt
    to prevent conflicts with CRI-O when both are run on the same
    system. This should only take effect on system restart
  - The output of podman volume inspect has been more closely
    matched to docker volume inspect

- Add katacontainers as a recommended package, and include it as an
  additional OCI runtime in the configuration.

Update podman to v1.5.1

* Features

 - The hostname of pods is now set to the pod's name

* Bugfixes

 - Fixed a bug where podman run and podman create did not honor the --authfile
   option (#3730)
 - Fixed a bug where containers restored with podman container restore
   --import would incorrectly duplicate the Conmon PID file of the original container
 - Fixed a bug where podman build ignored the default OCI runtime configured
   in libpod.conf
 - Fixed a bug where podman run --rm (or force-removing any running container
   with podman rm --force) were not retrieving the correct exit code (#3795)
 - Fixed a bug where Podman would exit with an error if any configured hooks
   directory was not present
 - Fixed a bug where podman inspect and podman commit would not use the
   correct CMD for containers run with podman play kube
 - Fixed a bug created pods when using rootless Podman and CGroups V2 (#3801)
 - Fixed a bug where the podman events command with the --since or --until
   options could take a very long time to complete
* Misc

 - Rootless Podman will now inherit OCI runtime configuration from the root
   configuration (#3781)
 - Podman now properly sets a user agent while contacting registries (#3788)

- Add zsh completion for podman commands

Update podman to v1.5.0

* Features

  - Podman containers can now join the user namespaces of other
    containers with --userns=container:$ID, or a user namespace at
    an arbitary path with --userns=ns:$PATH
  - Rootless Podman can experimentally squash all UIDs and GIDs in
    an image to a single UID and GID (which does not require use of
    the newuidmap and newgidmap executables) by passing
    --storage-opt ignore_chown_errors
  - The podman generate kube command now produces YAML for any bind
    mounts the container has created (#2303)
  - The podman container restore command now features a new flag,
    --ignore-static-ip, that can be used with --import to import a
    single container with a static IP multiple times on the same
    host
  - Added the ability for podman events to output JSON by
    specifying --format=json
  - If the OCI runtime or conmon binary cannot be found at the
    paths specified in libpod.conf, Podman will now also search for
    them in the calling user's path
  - Added the ability to use podman import with URLs (#3609)
  - The podman ps command now supports filtering names using
    regular expressions (#3394)
  - Rootless Podman containers with --privileged set will now mount
    in all host devices that the user can access
  - The podman create and podman run commands now support the
    --env-host flag to forward all environment variables from the
    host into the container
  - Rootless Podman now supports healthchecks (#3523)
  - The format of the HostConfig portion of the output of podman
    inspect on containers has been improved and synced with Docker
  - Podman containers now support CGroup namespaces, and can create
    them by passing --cgroupns=private to podman run or podman
    create
  - The podman create and podman run commands now support the
    --ulimit=host flag, which uses any ulimits currently set on the
    host for the container
  - The podman rm and podman rmi commands now use different exit
    codes to indicate 'no such container' and 'container is
    running' errors
  - Support for CGroups V2 through the crun OCI runtime has been
    greatly improved, allowing resource limits to be set for
    rootless containers when the CGroups V2 hierarchy is in use

* Bugfixes

  - Fixed a bug where a race condition could cause podman restart
    to fail to start containers with ports
  - Fixed a bug where containers restored from a checkpoint would
    not properly report the time they were started at
  - Fixed a bug where podman search would return at most 25
    results, even when the maximum number of results was set higher
  - Fixed a bug where podman play kube would not honor capabilities
    set in imported YAML (#3689)
  - Fixed a bug where podman run --env, when passed a single key
    (to use the value from the host), would set the environment
    variable in the container even if it was not set on the host
    (#3648)
  - Fixed a bug where podman commit --changes would not properly
    set environment variables
  - Fixed a bug where Podman could segfault while working with
    images with no history
  - Fixed a bug where podman volume rm could remove arbitrary
    volumes if given an ambiguous name (#3635)
  - Fixed a bug where podman exec invocations leaked memory by not
    cleaning up files in tmpfs
  - Fixed a bug where the --dns and --net=container flags to podman
    run and podman create were not mutually exclusive (#3553)
  - Fixed a bug where rootless Podman would be unable to run
    containers when less than 5 UIDs were available
  - Fixed a bug where containers in pods could not be removed
    without removing the entire pod (#3556)
  - Fixed a bug where Podman would not properly clean up all CGroup
    controllers for created cgroups when using the cgroupfs CGroup
    driver
  - Fixed a bug where Podman containers did not properly clean up
    files in tmpfs, resulting in a memory leak as containers
    stopped
  - Fixed a bug where healthchecks from images would not use
    default settings for interval, retries, timeout, and start
    period when they were not provided by the image (#3525)
  - Fixed a bug where healthchecks using the HEALTHCHECK CMD format
    where not properly supported (#3507)
  - Fixed a bug where volume mounts using relative source paths
    would not be properly resolved (#3504)
  - Fixed a bug where podman run did not use authorization
    credentials when a custom path was specified (#3524)
  - Fixed a bug where containers checkpointed with podman container
    checkpoint did not properly set their finished time
  - Fixed a bug where running podman inspect on any container not
    created with podman run or podman create (for example, pod
    infra containers) would result in a segfault (#3500)
  - Fixed a bug where healthcheck flags for podman create and
    podman run were incorrectly named (#3455)
  - Fixed a bug where Podman commands would fail to find targets if
    a partial ID was specified that was ambiguous between a
    container and pod (#3487)
  - Fixed a bug where restored containers would not have the
    correct SELinux label
  - Fixed a bug where Varlink endpoints were not working properly
    if more was not correctly specified
  - Fixed a bug where the Varlink PullImage endpoint would crash if
    an error occurred (#3715)
  - Fixed a bug where the --mount flag to podman create and podman
    run did not allow boolean arguments for its ro and rw options
    (#2980)
  - Fixed a bug where pods did not properly share the UTS
    namespace, resulting in incorrect behavior from some utilities
    which rely on hostname (#3547)
  - Fixed a bug where Podman would unconditionally append
    ENTRYPOINT to CMD during podman commit (and when reporting CMD
    in podman inspect) (#3708)
  - Fixed a bug where podman events with the journald events
    backend would incorrectly print 6 previous events when only new
    events were requested (#3616)
  - Fixed a bug where podman port would exit prematurely when a
    port number was specified (#3747)
  - Fixed a bug where passing . as an argument to the --dns-search
    flag to podman create and podman run was not properly clearing
    DNS search domains in the container

* Misc

  - Updated vendored Buildah to v1.10.1
  - Updated vendored containers/image to v3.0.2
  - Updated vendored containers/storage to v1.13.1
  - Podman now requires conmon v2.0.0 or higher
  - The podman info command now displays the events logger being in
    use
  - The podman inspect command on containers now includes the ID of
    the pod a container has joined and the PID of the container's
    conmon process
  - The -v short flag for podman --version has been re-added
  - Error messages from podman pull should be significantly clearer
  - The podman exec command is now available in the remote client
  - The podman-v1.5.0.tar.gz file attached is podman packaged for
    MacOS. It can be installed using Homebrew.
- Update libpod.conf to support latest path discovery feature for
  `runc` and `conmon` binaries.

conmon was included in version 2.0.10. (bsc#1160460, bsc#1164390, jsc#ECO-1048, jsc#SLE-11485, jsc#SLE-11331):

fuse-overlayfs was updated to v0.7.6 (bsc#1160460)

- do not look in lower layers for the ino if there is no origin
  xattr set
- attempt to use the file path if the operation on the fd fails
  with ENXIO
- do not expose internal xattrs through listxattr and getxattr
- fix fallocate for deleted files.
- ignore O_DIRECT.  It causes issues with libfuse not using an
  aligned buffer, causing write(2) to fail with EINVAL.
- on copyup, do not copy the opaque xattr.
- fix a wrong lookup for whiteout files, that could happen on a
  double unlink.
- fix possible segmentation fault in direct_fsync()
- use the data store to create missing whiteouts
- after a rename, force a directory reload
- introduce inodes cache
- correctly read inode for unix sockets
- avoid hash map lookup when possible
- use st_dev for the ino key
- check whether writeback is supported
- set_attrs: don't require write to S_IFREG
- ioctl: do not reuse fi->fh for directories
- fix skip whiteout deletion optimization
- store the new mode after chmod
- support fuse writeback cache and enable it by default
- add option to disable fsync
- add option to disable xattrs
- add option to skip ino number check in lower layers
- fix fd validity check
- fix memory leak
- fix read after free
- fix type for flistxattr return
- fix warnings reported by lgtm.com
- enable parallel dirops

cni was updated to 0.7.1:

- Set correct CNI version for 99-loopback.conf

Update to version 0.7.1 (bsc#1160460):

* Library changes:

  + invoke : ensure custom envs of CNIArgs are prepended to process envs
  + add GetNetworkListCachedResult to CNI interface
  + delegate : allow delegation funcs override CNI_COMMAND env automatically in heritance

* Documentation & Convention changes:

  + Update cnitool documentation for spec v0.4.0
  + Add cni-route-override to CNI plugin list

Update to version 0.7.0:

* Spec changes:

  + Use more RFC2119 style language in specification (must, should...)
  + add notes about ADD/DEL ordering
  + Make the container ID required and unique.
  + remove the version parameter from ADD and DEL commands.
  + Network interface name matters
  + be explicit about optional and required structure members
  + add CHECK method
  + Add a well-known error for 'try again'
  + SPEC.md: clarify meaning of 'routes'

* Library changes:

  + pkg/types: Makes IPAM concrete type
  + libcni: return error if Type is empty
  + skel: VERSION shouldn't block on stdin
  + non-pointer instances of types.Route now correctly marshal to JSON
  + libcni: add ValidateNetwork and ValidateNetworkList functions
  + pkg/skel: return error if JSON config has no network name
  + skel: add support for plugin version string
  + libcni: make exec handling an interface for better downstream testing
  + libcni: api now takes a Context to allow operations to be timed out or cancelled
  + types/version: add helper to parse PrevResult
  + skel: only print about message, not errors
  + skel,invoke,libcni: implementation of CHECK method
  + cnitool: Honor interface name supplied via CNI_IFNAME environment variable.
  + cnitool: validate correct number of args
  + Don't copy gw from IP4.Gateway to Route.GW When converting from 0.2.0
  + add PrintTo method to Result interface
  + Return a better error when the plugin returns none
- Install sleep binary into CNI plugin directory

cni-plugins was updated to 0.8.4:

Update to version 0.8.4 (bsc#1160460):

* add support for mips64le
* Add missing cniVersion in README example
* bump go-iptables module to v0.4.5
* iptables: add idempotent functions
* portmap doesn't fail if chain doesn't exist
* fix portmap port forward flakiness
* Add Bruce Ma and Piotr Skarmuk as owners

Update to version 0.8.3:

* Enhancements:
  * static: prioritize the input sources for IPs (#400).
  * tuning: send gratuitous ARP in case of MAC address update (#403).
  * bandwidth: use uint64 for Bandwidth value (#389).
  * ptp: only override DNS conf if DNS settings provided (#388).
  * loopback: When prevResults are not supplied to loopback plugin, create results to return (#383).
  * loopback support CNI CHECK and result cache (#374).

* Better input validation:
  * vlan: add MTU validation to loadNetConf (#405).
  * macvlan: add MTU validation to loadNetConf (#404).
  * bridge: check vlan id when loading net conf (#394).

* Bugfixes:

  * bugfix: defer after err check, or it may panic (#391).
  * portmap: Fix dual-stack support (#379).
  * firewall: don't return error in DEL if prevResult is not found (#390).
  * bump up libcni back to v0.7.1 (#377).

* Docs:

  * contributing doc: revise test script name to run (#396).
  * contributing doc: describe cnitool installation (#397).

Update plugins to v0.8.2

+ New features:

  * Support 'args' in static and tuning
  * Add Loopback DSR support, allow l2tunnel networks
    to be used with the l2bridge plugin
  * host-local: return error if same ADD request is seen twice
  * bandwidth: fix collisions
  * Support ips capability in static and mac capability in tuning
  * pkg/veth: Make host-side veth name configurable

+ Bug fixes:
  * Fix: failed to set bridge addr: could not add IP address to 'cni0': file exists
  * host-device: revert name setting to make retries idempotent (#357).
  * Vendor update go-iptables. Vendor update go-iptables to
    obtain commit f1d0510cabcb710d5c5dd284096f81444b9d8d10
  * Update go.mod & go.sub
  * Remove link Down/Up in MAC address change to prevent route flush (#364).
  * pkg/ip unit test: be agnostic of Linux version, on Linux 4.4 the syscall
    error message is 'invalid argument' not 'file exists'
  * bump containernetworking/cni to v0.7.1

Updated plugins to v0.8.1:

+ Bugs:

  * bridge: fix ipMasq setup to use correct source address
  * fix compilation error on 386
  * bandwidth: get bandwidth interface in host ns through
    container interface

+ Improvements:
  * host-device: add pciBusID property

Updated plugins to v0.8.0:

+ New plugins:

  * bandwidth - limit incoming and outgoing bandwidth
  * firewall - add containers to firewall rules
  * sbr - convert container routes to source-based routes
  * static - assign a fixed IP address
  * win-bridge, win-overlay: Windows plugins

+ Plugin features / changelog:

  * CHECK Support
  * macvlan:
    - Allow to configure empty ipam for macvlan
    - Make master config optional
  * bridge:
    - Add vlan tag to the bridge cni plugin
    - Allow the user to assign VLAN tag
    - L2 bridge Implementation.
  * dhcp:
    - Include Subnet Mask option parameter in DHCPREQUEST
    - Add systemd unit file to activate socket with systemd
    - Add container ifName to the dhcp clientID, making the
      clientID value
  * flannel:
    - Pass through runtimeConfig to delegate
  * host-local:
    - host-local: add ifname to file tracking IP address used
  * host-device:
    - Support the IPAM in the host-device
    - Handle empty netns in DEL for loopback and host-device
  * tuning:
    - adds 'ip link' command related feature into tuning
+ Bug fixes & minor changes
  * Correctly DEL on ipam failure for all plugins
  * Fix bug on ip revert if cmdAdd fails on macvlan and host-device
  * host-device: Ensure device is down before rename
  * Fix -hostprefix option
  * some DHCP servers expect to request for explicit router options
  * bridge: release IP in case of error
  * change source of ipmasq rule from ipn to ip

from version v0.7.5:

+ This release takes a minor change to the portmap plugin:
  * Portmap: append, rather than prepend, entry rules

+ This fixes a potential issue where firewall rules may
  be bypassed by port mapping


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:821-1
Released:    Tue Mar 31 13:05:59 2020
Summary:     Recommended update for podman, slirp4netns
Type:        recommended
Severity:    moderate
References:  1167850
This update for podman, slirp4netns fixes the following issues:

slirp4netns was updated to 0.4.4 (bsc#1167850):

* libslirp: Update to v4.2.0:
  * New API function slirp_add_unix: add a forward rule to a Unix
    socket.
  * New API function slirp_remove_guestfwd: remove a forward rule
    previously added by slirp_add_exec, slirp_add_unix or
    slirp_add_guestfwd
  * New SlirpConfig.outbound_addr{,6} fields to bind output
    socket to a specific address
  * socket: do not fallback on host loopback if get_dns_addr()
    failed or the address is in slirp network
  * ncsi: fix checksum OOB memory access
  * tcp_emu(): fix OOB accesses
  * tftp: restrict relative path access
  * state: fix loading of guestfwd state

Update to 0.4.3:

* api: raise an error if the socket path is too long
* libslirp: update to v4.1.0: Including the fix for libslirp
  sends RST to app in response to arriving FIN when containerized
  socket is shutdown() with SHUT_WR
* Fix create_sandbox error

Update to 0.4.2:

* Do not propagate mounts to the parent ns in sandbox

Update to 0.4.1:

* Support specifying netns path (slirp4netns --netns-type=path PATH
  TAPNAME)
* Support specifying --userns-path
* Vendor https://gitlab.freedesktop.org/slirp/libslirp (QEMU v4.1+)
* Bring up loopback device when --configure is specified
* Support sandboxing by creating a mount namespace
  (--enable-sandbox)
* Support seccomp (--enable-seccomp)
- Add new build dependencies libcap-devel and libseccomp-devel

Update to 0.3.3:

* Fix use-after-free in libslirp

Update to 0.3.2:

* Fix heap overflow in `ip_reass` on big packet input

Update to 0.3.1:

* Fix use-after-free

Changes in podman:

- Fixed dependency on slirp4netns. We need at least 0.4.0 now (bsc#1167850)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:944-1
Released:    Tue Apr  7 15:49:33 2020
Summary:     Security update for runc
Type:        security
Severity:    moderate
References:  1149954,1160452,CVE-2019-19921
This update for runc fixes the following issues:

runc was updated to v1.0.0~rc10

- CVE-2019-19921: Fixed a mount race condition with shared mounts (bsc#1160452).
- Fixed an issue where podman run hangs when spawned by salt-minion process (bsc#1149954).	  

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1197-1
Released:    Wed May  6 13:52:04 2020
Summary:     Security update for slirp4netns
Type:        security
Severity:    important
References:  1170940,CVE-2020-1983
This update for slirp4netns fixes the following issues:

Security issue fixed:

- CVE-2020-1983: Fixed a use-after-free in ip_reass (bsc#1170940).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1493-1
Released:    Wed May 27 18:55:51 2020
Summary:     Security update for libmspack
Type:        security
Severity:    low
References:  1130489,1141680,CVE-2019-1010305
This update for libmspack fixes the following issues:

Security issue fixed:

- CVE-2019-1010305: Fixed a buffer overflow triggered by a crafted chm file
  which could have led to information disclosure (bsc#1141680).
  
Other issue addressed: 

- Enable build-time tests (bsc#1130489)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1915-1
Released:    Wed Jul 15 09:34:15 2020
Summary:     Security update for slirp4netns
Type:        security
Severity:    important
References:  1172380,CVE-2020-10756
This update for slirp4netns fixes the following issues:

- Update to 0.4.7 (bsc#1172380)
  * libslirp: update to v4.3.1 (Fix CVE-2020-10756)
  * Fix config_from_options() to correctly enable ipv6

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2080-1
Released:    Wed Jul 29 20:09:09 2020
Summary:     Recommended update for libtool
Type:        recommended
Severity:    moderate
References:  1171566

This update for libtool provides missing the libltdl 32bit library. (bsc#1171566)
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2965-1
Released:    Tue Oct 20 13:27:21 2020
Summary:     Recommended update for cni, cni-plugins
Type:        recommended
Severity:    moderate
References:  1172786

This update ships cni and cni-plugins to the Public Cloud Module of SUSE Linux Enterprise 15 SP2.
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:927-1
Released:    Tue Mar 23 14:07:06 2021
Summary:     Recommended update for libreoffice
Type:        recommended
Severity:    moderate
References:  1041090,1049382,1116658,1136234,1155141,1173404,1173409,1173410,1173471,1174465,1176547,1177955,1178807,1178943,1178944,1179025,1179203,1181122,1181644,1181872,1182790
This update for libreoffice provides the upgrade from version 6.4.5.2 to 7.1.1.2 (jsc#ECO-3150, bsc#1182790)


libreoffice:

- Image shown with different aspect ratio (bsc#1176547)
- Text changes are reproducibly lost on PPTX with SmartArt (bsc#1181644)
- Adjust to new Box2D and enable KDE on SUSE Linux Enterprise 15-SP3 or newer (jsc#ECO-3375)
- Wrong bullet points in Impress (bsc#1174465)
- SmartArt: text wrongly aligned, background boxes not quite right (bsc#1177955)
- Update the SUSE color palette to reflect the new SUSE branding. (bsc#1181122, bsc#1173471)
  - SUSE Mint
  - SUSE Midnight Blue
  - SUSE Waterhole Blue
  - SUSE Persimmon
- Fix a crash opening a PPTX. (bsc#1179025)
- Fix text box from PowerPoint renders vertically instead of horizontally (bsc#1178807)
- Shadow effects for table completely missing (bsc#1178944, bsc#1178943)
- Disable firebird integration for the time being (bsc#1179203)
- Fixes hang on Writer on scrolling/saving of a document (bsc#1136234)
- Wrong rendering of bulleted lists in PPTX document (bsc#1155141)
- Sidebar: paragraph widget: numeric fields become inactive/unaccessible after saving (bsc#1173404) 
- Crash of Writer opening any document having 'invalid' python file in home directory (bsc#1116658)

libixion:

Update to 0.16.1:

- fixed a build issue on 32-bit linux platforms, caused by slicing of integer string ID values.
- worked around floating point rounding errors which prevented two theoretically-equal numeric values from being 
  evaluated as equal in test code.
- added new function to allow printing of single formula tokens.
- added method for setting cached results on formula cells in model_context.
- changed the model_context design to ensure that all sheets are of the same size.
- added an accessor method to formula_model_access interface (and implicitly in model_context) that directly returns
  a string value from cell.
- added cell_access class for querying of cell states without knowing its type ahead of time.
- added document class which provides a layer on top of model_context, to abstract away the handling of formula 
  calculations.
- deprecated model_context::erase_cell() in favor of empty_cell().
- added support for 3D references - references that contain multiple sheets.
- added support for the exponent (^) and concatenation (&) operators.
- fixed incorrect handling of range references containing whole columns such as A:A.
- added support for unordered range references - range references whose start row or column is greater than 
  their end position counterparts, such as A3:A1.
- fixed a bug that prevented nested formula functions from working properly.
- implemented Calc A1 style reference resolver.
- formula results now directly store the string values when the results are of string type.  
  They previously stored string ID values after interning the original strings.
- Removed build-time dependency on spdlog.

libmwaw:

Update to 0.3.17:

- add a parser for Jazz(Lotus) writer and spreasheet files. The writer parser can only be called if the file 
  still contains its resource fork
- add a parser for Canvas 3 and 3.5 files
- AppleWorks parser: try to retrieve more Windows presentation
- add a parser for Drawing Table files
- add a parser for Canvas 2 files
- API: add new reserved enums in MWAWDocument.hxx `MWAW_T_RESERVED10..MWAW_T_RESERVED29` 
  and add a new define in libmwaw.hxx `MWAW_INTERFACE_VERSION` to check if these enums are defined
- remove the QuarkXPress parser (must be in libqxp)
- retrieve the annotation in MsWord 5 document
- try to better understand RagTime 5-6 document

libnumbertext:

Update to 1.0.6

liborcus:

Update to 0.16.1

- Add upstream changes to fix build with GCC 11 (bsc#1181872)

libstaroffice:

Update to 0.0.7:

- fix `text:sender-lastname` when creating meta-data

libwps:

Update to 0.4.11:

- XYWrite: add a parser to .fil v2 and v4 files
- wks,wk1: correct some problems when retrieving cell's reference.

glfw:

New package provided on version 3.3.2:

- See also: https://www.glfw.org/changelog.html
- Sort list of input files to geany for reproducible builds (bsc#1049382, bsc#1041090)
  * Require pkgconfig(gl) for the devel package to supply needed include GL/gl.h
  * glfwFocusWindow could terminate on older WMs or without a WM
  * Creating an undecorated window could fail with BadMatch 
  * Querying a disconnected monitor could segfault 
  * Video modes with a duplicate screen area were discarded
  * The CMake files did not check for the XInput headers
  * Key names were not updated when the keyboard layout changed 
  * Decorations could not be enabled after window creation
  * Content scale fallback value could be inconsistent 
  * Disabled cursor mode was interrupted by indicator windows
  * Monitor physical dimensions could be reported as zero mm
  * Window position events were not emitted during resizing
  * Added on-demand loading of Vulkan and context creation API libraries
  * [X11] Bugfix: Window size limits were ignored if the minimum or maximum size was 
    set to `GLFW_DONT_CARE`
  * [X11] Bugfix: Input focus was set before window was visible,
    causing BadMatch on some non-reparenting WMs 
  * [X11] Bugfix: glfwGetWindowPos and glfwSetWindowPos operated on
    the window frame instead of the client area
  * [WGL] Added reporting of errors from `WGL_ARB_create_context` extension
  * [EGL] Added lib prefix matching between EGL and OpenGL ES library binaries
  * [EGL] Bugfix: Dynamically loaded entry points were not verified
- Made build of geany-tags optional.

Box2D:

New package provided on version 2.4.1:

    * Extended distance joint to have a minimum and maximum limit.
    * `B2_USER_SETTINGS` and `b2_user_settings.h` can control user 
      data, length units, and maximum polygon vertices.
    * Default user data is now uintptr_t instead of void*
    * b2FixtureDef::restitutionThreshold lets you set the 
      restitution velocity threshold per fixture.
  * Collision
    * Chain and edge shape must now be one-sided to eliminate ghost 
      collisions
    * Broad-phase optimizations
    * Added b2ShapeCast for linear shape casting
  * Dynamics
    * Joint limits are now predictive and not stateful
    * Experimental 2D cloth (rope)
    * b2Body::SetActive -> b2Body::SetEnabled
    * Better support for running multiple worlds
    * Handle zero density better
      * The body behaves like a static body
      * The body is drawn with a red color
    * Added translation limit to wheel joint
    * World dump now writes to box2d_dump.inl
    * Static bodies are never awake
    * All joints with spring-dampers now use stiffness and damping
    * Added utility functions to convert frequency and damping 
      ratio to stiffness and damping
 * Polygon creation now computes the convex hull.
 * The convex hull code will merge vertices closer than dm_linearSlop.


 
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:974-1
Released:    Mon Mar 29 19:31:27 2021
Summary:     Security update for tar
Type:        security
Severity:    low
References:  1181131,CVE-2021-20193
This update for tar fixes the following issues:

CVE-2021-20193: Memory leak in read_header() in list.c (bsc#1181131)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1954-1
Released:    Fri Jun 11 10:45:09 2021
Summary:     Security update for containerd, docker, runc
Type:        security
Severity:    important
References:  1168481,1175081,1175821,1181594,1181641,1181677,1181730,1181732,1181749,1182451,1182476,1182947,1183024,1183855,1184768,1184962,1185405,CVE-2021-21284,CVE-2021-21285,CVE-2021-21334,CVE-2021-30465
This update for containerd, docker, runc fixes the following issues:

Docker was updated to 20.10.6-ce (bsc#1184768, bsc#1182947, bsc#1181594)

* Switch version to use -ce suffix rather than _ce to avoid confusing other
  tools (bsc#1182476).
* CVE-2021-21284: Fixed a potential privilege escalation when the root user in 
  the remapped namespace has access to the host filesystem (bsc#1181732)
* CVE-2021-21285: Fixed an issue where pulling a malformed Docker image manifest 
  crashes the dockerd daemon (bsc#1181730). 
* btrfs quotas being removed by Docker regularly (bsc#1183855, bsc#1175081)

runc was updated to v1.0.0~rc93 (bsc#1182451, bsc#1175821 bsc#1184962).

* Use the upstream runc package (bsc#1181641, bsc#1181677, bsc#1175821).
* Fixed /dev/null is not available (bsc#1168481).
* CVE-2021-30465: Fixed a symlink-exchange attack vulnarability (bsc#1185405).

containerd was updated to v1.4.4

* CVE-2021-21334: Fixed a potential information leak through environment variables (bsc#1183397).
* Handle a requirement from docker (bsc#1181594).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2193-1
Released:    Mon Jun 28 18:38:43 2021
Summary:     Recommended update for tar
Type:        recommended
Severity:    moderate
References:  1184124
This update for tar fixes the following issues:

- Link '/var/lib/tests/tar/bin/genfile' as Position-Independent Executable (bsc#1184124)
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2802-1
Released:    Fri Aug 20 10:47:08 2021
Summary:     Security update for libmspack
Type:        security
Severity:    moderate
References:  1103032,CVE-2018-14679,CVE-2018-14681,CVE-2018-14682
This update for libmspack fixes the following issues:

- CVE-2018-14681: Bad KWAJ file header extensions could cause a one or two byte overwrite. (bsc#1103032)
- CVE-2018-14682: There is an off-by-one error in the TOLOWER() macro for CHM decompression. (bsc#1103032)
- CVE-2018-14679: There is an off-by-one error in the CHM PMGI/PMGL chunk number validity checks, which could lead to denial of service. (bsc#1103032)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2895-1
Released:    Tue Aug 31 19:40:32 2021
Summary:     Recommended update for unixODBC
Type:        recommended
Severity:    moderate
References:  
This update for unixODBC fixes the following issues:

- ECO: Update unixODBC to 2.3.9 in SLE 15. (jsc#SLE-18004)
- Fix incorrect permission for documentation files.
- Update requires and baselibs for new libodbc2.
- Employ shared library packaging guideline: new subpacakge libodbc2. 
- Update to 2.3.9:
  * Remove '#define UNIXODBC_SOURCE' from unixodbc_conf.h

- Update to 2.3.8:
  * Add configure support for editline
  * SQLDriversW was ignoring user config
  * SQLDataSources Fix termination character
  * Fix for pooling seg fault
  * Make calling SQLSetStmtAttrW call the W function in the driver is its there
  * Try and fix race condition clearing system odbc.ini file
  * Remove trailing space from isql/iusql SQL
  * When setting connection attributes set before connect also check if the W entry poins can be used
  * Try calling the W error functions first if available in the driver
  * Add iconvperdriver configure option to allow calling unicode_setup in SQLAllocHandle
  * iconv handles was being lost when reusing pooled connection
  * Catch null copy in iniPropertyInsert
  * Fix a few leaks 

- Update to 2.3.7:
  * Fix for pkg-config file update on no linux platforms
  * Add W entry for GUI work
  * Various fixes for SQLBrowseConnect/W, SQLGetConnectAttr/W,and SQLSetConnectAttr/W
  * Fix buffer overflows in SQLConnect/W and refine behaviour of SQLGet/WritePrivateProfileString
  * SQLBrowseConnect/W allow disconnecting a started browse session after error
  * Add --with-stats-ftok-name configure option to allow the selection of a file name
    used to generate the IPC id when collecting stats. Default is the system odbc.ini file
  * Improve diag record handling with the behavior of Windows DM and export SQLCancelHandle
  * bug fix when SQLGetPrivateProfileString() is called to get a list of sections or a list of keys
  * Connection pooling: Fix liveness check for Unicode drivers

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2962-1
Released:    Mon Sep  6 18:23:01 2021
Summary:     Recommended update for runc
Type:        recommended
Severity:    critical
References:  1189743
This update for runc fixes the following issues:

- Fixed an issue when toolbox container fails to start. (bsc#1189743)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3506-1
Released:    Mon Oct 25 10:20:22 2021
Summary:     Security update for containerd, docker, runc
Type:        security
Severity:    important
References:  1102408,1185405,1187704,1188282,1190826,1191015,1191121,1191334,1191355,1191434,CVE-2021-30465,CVE-2021-32760,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103
This update for containerd, docker, runc fixes the following issues:

Docker was updated to 20.10.9-ce. (bsc#1191355)

See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md. 

  CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103

container was updated to v1.4.11, to fix CVE-2021-41103. bsc#1191355

- CVE-2021-32760: Fixed that a archive package allows chmod of file outside of unpack target directory (bsc#1188282)

- Install systemd service file as well (bsc#1190826)

Update to runc v1.0.2. Upstream changelog is available from

  https://github.com/opencontainers/runc/releases/tag/v1.0.2

* Fixed a failure to set CPU quota period in some cases on cgroup v1.
* Fixed the inability to start a container with the 'adding seccomp filter
  rule for syscall ...' error, caused by redundant seccomp rules (i.e. those
  that has action equal to the default one). Such redundant rules are now
  skipped.
* Made release builds reproducible from now on.
* Fixed a rare debug log race in runc init, which can result in occasional
  harmful 'failed to decode ...' errors from runc run or exec.
* Fixed the check in cgroup v1 systemd manager if a container needs to be
  frozen before Set, and add a setting to skip such freeze unconditionally.
  The previous fix for that issue, done in runc 1.0.1, was not working.

Update to runc v1.0.1. Upstream changelog is available from

https://github.com/opencontainers/runc/releases/tag/v1.0.1

* Fixed occasional runc exec/run failure ('interrupted system call') on an
  Azure volume.
* Fixed 'unable to find groups ... token too long' error with /etc/group
  containing lines longer than 64K characters.
* cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is
  frozen. This is a regression in 1.0.0, not affecting runc itself but some
  of libcontainer users (e.g Kubernetes).
* cgroupv2: bpf: Ignore inaccessible existing programs in case of
  permission error when handling replacement of existing bpf cgroup
  programs. This fixes a regression in 1.0.0, where some SELinux
  policies would block runc from being able to run entirely.
* cgroup/systemd/v2: don't freeze cgroup on Set.
* cgroup/systemd/v1: avoid unnecessary freeze on Set.
- fix issues with runc under openSUSE MicroOS's SELinux policy. bsc#1187704

Update to runc v1.0.0. Upstream changelog is available from

https://github.com/opencontainers/runc/releases/tag/v1.0.0

! The usage of relative paths for mountpoints will now produce a warning
  (such configurations are outside of the spec, and in future runc will
  produce an error when given such configurations).
* cgroupv2: devices: rework the filter generation to produce consistent
  results with cgroupv1, and always clobber any existing eBPF
  program(s) to fix runc update and avoid leaking eBPF programs
  (resulting in errors when managing containers).
* cgroupv2: correctly convert 'number of IOs' statistics in a
  cgroupv1-compatible way.
* cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
* cgroupv2: wait for freeze to finish before returning from the freezing
  code, optimize the method for checking whether a cgroup is frozen.
* cgroups/systemd: fixed 'retry on dbus disconnect' logic introduced in rc94
* cgroups/systemd: fixed returning 'unit already exists' error from a systemd
  cgroup manager (regression in rc94)
+ cgroupv2: support SkipDevices with systemd driver
+ cgroup/systemd: return, not ignore, stop unit error from Destroy
+ Make 'runc --version' output sane even when built with go get or
  otherwise outside of our build scripts.
+ cgroups: set SkipDevices during runc update (so we don't modify
  cgroups at all during runc update).
+ cgroup1: blkio: support BFQ weights.
+ cgroupv2: set per-device io weights if BFQ IO scheduler is available.

Update to runc v1.0.0~rc95. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95

This release of runc contains a fix for CVE-2021-30465, and users are
strongly recommended to update (especially if you are providing
semi-limited access to spawn containers to untrusted users). (bsc#1185405)

Update to runc v1.0.0~rc94. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc94

Breaking Changes:
* cgroupv1: kernel memory limits are now always ignored, as kmemcg has
  been effectively deprecated by the kernel. Users should make use of regular
  memory cgroup controls.

Regression Fixes:

* seccomp: fix 32-bit compilation errors
* runc init: fix a hang caused by deadlock in seccomp/ebpf loading code
* runc start: fix 'chdir to cwd: permission denied' for some setups

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:4171-1
Released:    Thu Dec 23 09:55:13 2021
Summary:     Security update for runc
Type:        security
Severity:    moderate
References:  1193436,CVE-2021-43784
This update for runc fixes the following issues:

Update to runc v1.0.3. 
    
* CVE-2021-43784: Fixed a potential vulnerability related to the internal usage
  of netlink, which is believed to not be exploitable with any released versions of runc (bsc#1193436)
* Fixed inability to start a container with read-write bind mount of a read-only fuse host mount.
* Fixed inability to start when read-only /dev in set in spec.
* Fixed not removing sub-cgroups upon container delete, when rootless cgroup
  v2 is used with older systemd.
* Fixed returning error from GetStats when hugetlb is unsupported (which
  causes excessive logging for kubernetes).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:69-1
Released:    Thu Jan 13 15:12:30 2022
Summary:     Security update for libmspack
Type:        security
Severity:    low
References:  1113040,CVE-2018-18586
This update for libmspack fixes the following issues:

- CVE-2018-18586: Fixed directory traversal in chmextract by adding anti '../' and leading slash protection (bsc#1113040).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:943-1
Released:    Thu Mar 24 12:52:54 2022
Summary:     Security update for slirp4netns
Type:        security
Severity:    moderate
References:  1179467,CVE-2020-29130
This update for slirp4netns fixes the following issues:

- CVE-2020-29130: Fixed an invalid memory access while processing ARP packets (bsc#1179467).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1548-1
Released:    Thu May  5 16:45:28 2022
Summary:     Security update for tar
Type:        security
Severity:    moderate
References:  1029961,1120610,1130496,1181131,CVE-2018-20482,CVE-2019-9923,CVE-2021-20193
This update for tar fixes the following issues:

- CVE-2021-20193: Fixed a memory leak in read_header() in list.c (bsc#1181131).
- CVE-2019-9923: Fixed a null-pointer dereference in pax_decode_header in sparse.c (bsc#1130496).
- CVE-2018-20482: Fixed infinite read loop in sparse_dump_region in sparse.c (bsc#1120610).

- Update to GNU tar 1.34:
  * Fix extraction over pipe
  * Fix memory leak in read_header (CVE-2021-20193) (bsc#1181131)
  * Fix extraction when . and .. are unreadable
  * Gracefully handle duplicate symlinks when extracting
  * Re-initialize supplementary groups when switching to user
    privileges

- Update to GNU tar 1.33:
  * POSIX extended format headers do not include PID by default
  * --delay-directory-restore works for archives with reversed
    member ordering
  * Fix extraction of a symbolic link hardlinked to another
    symbolic link
  * Wildcards in exclude-vcs-ignore mode don't match slash
  * Fix the --no-overwrite-dir option
  * Fix handling of chained renames in incremental backups
  * Link counting works for file names supplied with -T
  * Accept only position-sensitive (file-selection) options in file
    list files

- prepare usrmerge (bsc#1029961)

- Update to GNU 1.32
  * Fix the use of --checkpoint without explicit --checkpoint-action
  * Fix extraction with the -U option
  * Fix iconv usage on BSD-based systems
  * Fix possible NULL dereference (savannah bug #55369)
    [bsc#1130496] [CVE-2019-9923]
  * Improve the testsuite

- Update to GNU 1.31
  * Fix heap-buffer-overrun with --one-top-level, bug introduced
    with the addition of that option in 1.28
  * Support for zstd compression
  * New option '--zstd' instructs tar to use zstd as compression
    program. When listing, extractng and comparing, zstd compressed
    archives are recognized automatically. When '-a' option is in
    effect, zstd compression is selected if the destination archive
    name ends in '.zst' or '.tzst'.
  * The -K option interacts properly with member names given in the
    command line. Names of members to extract can be specified along
    with the '-K NAME' option. In this case, tar will extract NAME
    and those of named members that appear in the archive after it,
    which is consistent with the semantics of the option. Previous
    versions of tar extracted NAME, those of named members that
    appeared before it, and everything after it.
  * Fix CVE-2018-20482 - When creating archives with the --sparse
    option, previous versions of tar would loop endlessly if a
    sparse file had been truncated while being archived.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2341-1
Released:    Fri Jul  8 16:09:12 2022
Summary:     Security update for containerd, docker and runc
Type:        security
Severity:    important
References:  1192051,1199460,1199565,1200088,1200145,CVE-2022-29162,CVE-2022-31030
This update for containerd, docker and runc fixes the following issues:

containerd:

- CVE-2022-31030: Fixed denial of service via invocation of the ExecSync API (bsc#1200145)

docker:

- Update to Docker 20.10.17-ce. See upstream changelog online at
  https://docs.docker.com/engine/release-notes/25.0/. (bsc#1200145)

runc:

Update to runc v1.1.3.

Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.3.

* Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on
  s390 and s390x. This solves the issue where syscalls the host kernel did not
  support would return `-EPERM` despite the existence of the `-ENOSYS` stub
  code (this was due to how s390x does syscall multiplexing).
* Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as
  intended; this fix does not affect runc binary itself but is important for
  libcontainer users such as Kubernetes.
* Inability to compile with recent clang due to an issue with duplicate
  constants in libseccomp-golang.
* When using systemd cgroup driver, skip adding device paths that don't exist,
  to stop systemd from emitting warnings about those paths.
* Socket activation was failing when more than 3 sockets were used.
* Various CI fixes.
* Allow to bind mount /proc/sys/kernel/ns_last_pid to inside container.
- Fixed issues with newer syscalls (namely faccessat2) on older kernels on s390(x) caused by
  that platform's syscall multiplexing semantics. (bsc#1192051 bsc#1199565)

Update to runc v1.1.2.

Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.2.

Security issue fixed:

- CVE-2022-29162: A bug was found in runc where runc exec --cap executed processes with
  non-empty inheritable Linux process capabilities, creating an atypical Linux
  environment. (bsc#1199460)

- `runc spec` no longer sets any inheritable capabilities in the created
  example OCI spec (`config.json`) file.

Update to runc v1.1.1.

Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.1.

* runc run/start can now run a container with read-only /dev in OCI spec,
  rather than error out. (#3355)
* runc exec now ensures that --cgroup argument is a sub-cgroup. (#3403)
  libcontainer systemd v2 manager no longer errors out if one of the files
  listed in /sys/kernel/cgroup/delegate do not exist in container's
  cgroup. (#3387, #3404)
* Loosen OCI spec validation to avoid bogus 'Intel RDT is not supported'
  error. (#3406)
* libcontainer/cgroups no longer panics in cgroup v1 managers if stat
  of /sys/fs/cgroup/unified returns an error other than ENOENT. (#3435)

Update to runc v1.1.0.

Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.0.

- libcontainer will now refuse to build without the nsenter package being
  correctly compiled (specifically this requires CGO to be enabled). This
  should avoid folks accidentally creating broken runc binaries (and
  incorrectly importing our internal libraries into their projects). (#3331)

Update to runc v1.1.0~rc1.

Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.0-rc.1.

+ Add support for RDMA cgroup added in Linux 4.11.
* runc exec now produces exit code of 255 when the exec failed.
  This may help in distinguishing between runc exec failures
  (such as invalid options, non-running container or non-existent
  binary etc.) and failures of the command being executed.
+ runc run: new --keep option to skip removal exited containers artefacts.
  This might be useful to check the state (e.g. of cgroup controllers) after
  the container hasexited.
+ seccomp: add support for SCMP_ACT_KILL_PROCESS and SCMP_ACT_KILL_THREAD
  (the latter is just an alias for SCMP_ACT_KILL).
+ seccomp: add support for SCMP_ACT_NOTIFY (seccomp actions). This allows
  users to create sophisticated seccomp filters where syscalls can be
  efficiently emulated by privileged processes on the host.
+ checkpoint/restore: add an option (--lsm-mount-context) to set
  a different LSM mount context on restore.
+ intelrdt: support ClosID parameter.
+ runc exec --cgroup: an option to specify a (non-top) in-container cgroup
  to use for the process being executed.
+ cgroup v1 controllers now support hybrid hierarchy (i.e. when on a cgroup v1
  machine a cgroup2 filesystem is mounted to /sys/fs/cgroup/unified, runc
  run/exec now adds the container to the appropriate cgroup under it).
+ sysctl: allow slashes in sysctl names, to better match sysctl(8)'s
  behaviour.
+ mounts: add support for bind-mounts which are inaccessible after switching
  the user namespace. Note that this does not permit the container any
  additional access to the host filesystem, it simply allows containers to
  have bind-mounts configured for paths the user can access but have
  restrictive access control settings for other users.
+ Add support for recursive mount attributes using mount_setattr(2). These
  have the same names as the proposed mount(8) options -- just prepend r
  to the option name (such as rro).
+ Add runc features subcommand to allow runc users to detect what features
  runc has been built with. This includes critical information such as
  supported mount flags, hook names, and so on. Note that the output of this
  command is subject to change and will not be considered stable until runc
  1.2 at the earliest. The runtime-spec specification for this feature is
  being developed in opencontainers/runtime-spec#1130.
* system: improve performance of /proc/$pid/stat parsing.
* cgroup2: when /sys/fs/cgroup is configured as a read-write mount, change
  the ownership of certain cgroup control files (as per
  /sys/kernel/cgroup/delegate) to allow for proper deferral to the container
  process.
* runc checkpoint/restore: fixed for containers with an external bind mount
  which destination is a symlink.
* cgroup: improve openat2 handling for cgroup directory handle hardening.
  runc delete -f now succeeds (rather than timing out) on a paused
  container.
* runc run/start/exec now refuses a frozen cgroup (paused container in case of
  exec). Users can disable this using --ignore-paused.
- Update version data embedded in binary to correctly include the git commit of the release.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2360-1
Released:    Tue Jul 12 12:01:39 2022
Summary:     Security update for pcre2
Type:        security
Severity:    important
References:  1199232,CVE-2022-1586
This update for pcre2 fixes the following issues:

- CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2566-1
Released:    Wed Jul 27 15:04:49 2022
Summary:     Security update for pcre2
Type:        security
Severity:    important
References:  1199235,CVE-2022-1587
This update for pcre2 fixes the following issues:

- CVE-2022-1587: Fixed out-of-bounds read due to bug in recursions (bsc#1199235).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2735-1
Released:    Wed Aug 10 04:31:41 2022
Summary:     Recommended update for tar
Type:        recommended
Severity:    moderate
References:  1200657
This update for tar fixes the following issues:

- Fix race condition while creating intermediate subdirectories (bsc#1200657)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2844-1
Released:    Thu Aug 18 14:41:25 2022
Summary:     Recommended update for tar
Type:        recommended
Severity:    important
References:  1202436
This update for tar fixes the following issues:

- A regression in a previous update lead to potential deadlocks when extracting an archive. (bsc#1202436)

 
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3142-1
Released:    Wed Sep  7 09:54:18 2022
Summary:     Security update for icu
Type:        security
Severity:    moderate
References:  1193951,CVE-2020-21913
This update for icu fixes the following issues:

- CVE-2020-21913: Fixed a memory safetey issue that could lead to use
  after free (bsc#1193951).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3435-1
Released:    Tue Sep 27 14:55:38 2022
Summary:     Recommended update for runc
Type:        recommended
Severity:    important
References:  1202821
This update for runc fixes the following issues:

- Fix mounting via wrong proc fd. When the user and mount namespaces are used, and the bind mount is followed by the 
  cgroup mount in the spec, the cgroup was mounted using the bind mount's mount fd.
- Fix 'permission denied' error from runc run on noexec fs
- Fix regression causing a failed 'exec' error after systemctl daemon-reload (bsc#1202821)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3927-1
Released:    Wed Nov  9 14:55:47 2022
Summary:     Recommended update for runc
Type:        recommended
Severity:    moderate
References:  1202021,1202821
This update for runc fixes the following issues:

- Update to runc v1.1.4 (bsc#1202021)
- Fix failed exec after systemctl daemon-reload (bsc#1202821)
- Fix mounting via wrong proc
- Fix 'permission denied' error from runc run on noexec filesystem

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4312-1
Released:    Fri Dec  2 11:16:47 2022
Summary:     Recommended update for tar
Type:        recommended
Severity:    moderate
References:  1200657,1203600
This update for tar fixes the following issues:

- Fix unexpected inconsistency when making directory (bsc#1203600)
- Update race condition fix (bsc#1200657)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4592-1
Released:    Tue Dec 20 16:51:35 2022
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1181961,CVE-2021-20206
This update for cni fixes the following issues:

- CVE-2021-20206: Fixed arbitrary path injection via type field in CNI configuration (bsc#1181961).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:179-1
Released:    Thu Jan 26 21:54:30 2023
Summary:     Recommended update for tar
Type:        recommended
Severity:    low
References:  1202436
This update for tar fixes the following issue:

- Fix hang when unpacking test tarball (bsc#1202436)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:463-1
Released:    Mon Feb 20 16:33:39 2023
Summary:     Security update for tar
Type:        security
Severity:    moderate
References:  1202436,1207753,CVE-2022-48303
This update for tar fixes the following issues:

- CVE-2022-48303: Fixed a one-byte out-of-bounds read that resulted in use of uninitialized memory for a conditional jump (bsc#1207753). 

Bug fixes:

- Fix hang when unpacking test tarball (bsc#1202436).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:557-1
Released:    Tue Feb 28 09:29:15 2023
Summary:     Security update for libxslt
Type:        security
Severity:    important
References:  1208574,CVE-2021-30560
This update for libxslt fixes the following issues:

- CVE-2021-30560: Fixing a use after free vulnerability in Blink XSLT (bsc#1208574).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:870-1
Released:    Wed Mar 22 09:44:13 2023
Summary:     Security update for slirp4netns
Type:        security
Severity:    moderate
References:  1179466,1179467,CVE-2020-29129,CVE-2020-29130
This update for slirp4netns fixes the following issues:

- CVE-2020-29129: Fixed out-of-bounds access while processing NCSI packets (bsc#1179466).
- CVE-2020-29130: Fixed out-of-bounds access while processing ARP packets (bsc#1179467).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1774-1
Released:    Wed Apr  5 13:13:19 2023
Summary:     Recommended update for libcontainers-common
Type:        recommended
Severity:    moderate
References:  1171578,1175821,1182998,1197093,1200524,1205536,1207509
This update for libcontainers-common fixes the following issues:

- Add registry.suse.com to the unqualified-search-registries (bsc#1205536)
- New upstream release 20230214
- bump c/storage to 1.45.3
- bump c/image to 5.24.1
- bump c/common to 0.51.0
- containers.conf:
  - add commented out options containers.read_only, engine.platform_to_oci_runtime,
engine.events_container_create_inspect_data, network.volume_plugin_timeout, engine.runtimes.youki, machine.provider
  - remove deprecated setting containers.userns_size
  - add youki to engine.runtime_supports_json
- shortnames.conf: pull in latest upstream version
- storage.conf: add commented out option storage.transient_store
- correct license to APACHE-2.0
- Changes introduced to c/storage's storage.conf which adds a driver_priority attribute would break consumers of
libcontainer-common as long as those packages are vendoring an older c/storage version. (bsc#1207509)
- storage.conf: Unset 'driver' and set 'driver_priority' to allow podman to use 'btrfs' if available and fallback to
'overlay' if not.
- .spec: rm %post script to set 'btrfs' as storage driver in storage.conf
- Remove registry.suse.com from search unqualified-search-registries
- add requires on util-linux-systemd for findmnt in profile script
- only set storage_driver env when no libpod exists
- add container-storage-driver.sh (bsc#1197093)
- postinstall script: slight cleanup, no functional change
- set detached sigstore attachments for the SUSE controlled registries
- Fix obvious typo in containers.conf
- Resync containers.conf / storage.conf with Fedora
- Create /etc/containers/registries.conf.d and add 000-shortnames.conf to it.
- Use $() again in %post, but with a space for POSIX compliance
- Add missing Requires(post): sed (bsc#1200524)
- Make %post compatible with dash
- Switch registries.conf to v2 format
- Reintroduce SLE specific mounts config, to avoid errors on non-SLE systems
- Require util-linux-systemd for %post scripts (bsc#1182998, jsc#SLE-12122, bsc#1175821)
- Update default registry (bsc#1171578)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1880-1
Released:    Tue Apr 18 11:11:27 2023
Summary:     Recommended update for systemd-rpm-macros
Type:        recommended
Severity:    low
References:  1208079
This update for systemd-rpm-macros fixes the following issue:

- Don't emit a warning when the flag file in /var/lib/systemd/migrated/ is not present as it's expected (bsc#1208079).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2307-1
Released:    Mon May 29 10:29:49 2023
Summary:     Recommended update for kbd
Type:        recommended
Severity:    low
References:  1210702
This update for kbd fixes the following issue:

- Add 'ara' vc keymap, 'ara' is slightly better than 'arabic' as it matches the name of its X11 layout counterpart. (bsc#1210702)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2482-1
Released:    Mon Jun 12 07:19:53 2023
Summary:     Recommended update for systemd-rpm-macros
Type:        recommended
Severity:    moderate
References:  1211272
This update for systemd-rpm-macros fixes the following issues:

- Adjust functions so they are disabled when called from a chroot (bsc#1211272)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2877-1
Released:    Wed Jul 19 09:43:42 2023
Summary:     Security update for dbus-1
Type:        security
Severity:    moderate
References:  1212126,CVE-2023-34969
This update for dbus-1 fixes the following issues:

- CVE-2023-34969: Fixed a possible dbus-daemon crash by an unprivileged users (bsc#1212126).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2882-1
Released:    Wed Jul 19 11:49:39 2023
Summary:     Security update for perl
Type:        security
Severity:    important
References:  1210999,CVE-2023-31484
This update for perl fixes the following issues:


  - CVE-2023-31484: Enable TLS cert verification in CPAN (bsc#1210999).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2885-1
Released:    Wed Jul 19 16:58:43 2023
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1208721,1209229,1211828
This update for glibc fixes the following issues:

- getlogin_r: fix missing fallback if loginuid is unset (bsc#1209229, BZ #30235)
- Exclude static archives from preparation for live patching (bsc#1208721)
- resolv_conf: release lock on allocation failure (bsc#1211828, BZ #30527)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2891-1
Released:    Wed Jul 19 21:14:33 2023
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1213237,CVE-2023-32001
This update for curl fixes the following issues:

- CVE-2023-32001: Fixed TOCTOU race condition (bsc#1213237).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2918-1
Released:    Thu Jul 20 12:00:17 2023
Summary:     Recommended update for gpgme
Type:        recommended
Severity:    moderate
References:  1089497
This update for gpgme fixes the following issues:

gpgme:

- Address failure handling issues when using gpg 2.2.6 via gpgme, as used by libzypp (bsc#1089497)
    
libassuan:

- Version upgrade to 2.5.5 in LTSS to address gpgme new requirements

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2962-1
Released:    Tue Jul 25 09:34:53 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1213487,CVE-2023-3446
This update for openssl-1_1 fixes the following issues:

- CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3275-1
Released:    Fri Aug 11 10:19:36 2023
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1213472
This update for apparmor fixes the following issues:

- Add pam_apparmor README (bsc#1213472)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3286-1
Released:    Fri Aug 11 10:32:03 2023
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1194038,1194900
This update for util-linux fixes the following issues:

- Fix blkid for floppy drives (bsc#1194900)
- Fix rpmbuild %checks fail when @ in the directory path (bsc#1194038)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3327-1
Released:    Wed Aug 16 08:45:25 2023
Summary:     Security update for pcre2
Type:        security
Severity:    moderate
References:  1213514,CVE-2022-41409
This update for pcre2 fixes the following issues:

  - CVE-2022-41409: Fixed integer overflow vulnerability in pcre2test that allows attackers to cause a denial of service via negative input (bsc#1213514).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3363-1
Released:    Fri Aug 18 14:54:16 2023
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1214054,CVE-2023-36054
This update for krb5 fixes the following issues:

- CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3397-1
Released:    Wed Aug 23 18:35:56 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1213517,1213853,CVE-2023-3817
This update for openssl-1_1 fixes the following issues:

- CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)
- Don't pass zero length input to EVP_Cipher because s390x assembler optimized AES cannot handle zero size. (bsc#1213517)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3451-1
Released:    Mon Aug 28 12:15:22 2023
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1186606,1194609,1208194,1209741,1210702,1211576,1212434,1213185,1213575,1213873
This update for systemd fixes the following issues:

- Fix reboot and shutdown issues by getting only active MD arrays (bsc#1211576, bsc#1212434, bsc#1213575)
- Decrease devlink priority for iso disks (bsc#1213185)
- Do not ignore mount point paths longer than 255 characters (bsc#1208194)
- Refuse hibernation if there's no possible way to resume (bsc#1186606)
- Update 'korean' and 'arabic' keyboard layouts (bsc#1210702)
- Drop some entries no longer needed by YaST (bsc#1194609)
- The 'systemd --user' instances get their own session keyring instead of the user default one (bsc#1209741)
- Dynamically allocate receive buffer to handle large amount of mounts (bsc#1213873)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3486-1
Released:    Tue Aug 29 14:25:23 2023
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1214071
This update for lvm2 fixes the following issues:

- blkdeactivate calls wrong mountpoint cmd (bsc#1214071)


The following package changes have been done:

- kbd-legacy-2.4.0-150400.5.6.1 updated
- filesystem-15.0-150400.1.1 updated
- glibc-2.31-150300.52.2 updated
- perl-base-5.26.1-150300.17.14.1 updated
- libuuid1-2.37.2-150400.8.20.1 updated
- libudev1-249.16-150400.8.33.1 updated
- libsmartcols1-2.37.2-150400.8.20.1 updated
- libpcre2-8-0-10.39-150400.4.9.1 added
- libblkid1-2.37.2-150400.8.20.1 updated
- libaudit1-3.0.6-150400.4.13.1 updated
- libapparmor1-3.0.4-150400.5.6.1 updated
- libfdisk1-2.37.2-150400.8.20.1 updated
- libxtables12-1.8.7-1.1 added
- libmspack0-0.6-3.14.1 added
- libltdl7-2.4.6-3.4.1 added
- libassuan0-2.5.5-150000.4.5.2 updated
- file-5.32-7.14.1 added
- libmnl0-1.0.4-1.25 added
- libgdbm4-1.12-1.418 added
- libselinux1-3.4-150400.1.8 updated
- login_defs-4.8.1-150400.1.7 updated
- libsystemd0-249.16-150400.8.33.1 updated
- libmount1-2.37.2-150400.8.20.1 updated
- libdevmapper1_03-2.03.05_1.02.163-150400.188.1 updated
- libxslt1-1.1.34-150400.3.3.1 added
- libdbus-1-3-1.12.2-150400.18.8.1 updated
- libicu65_1-ledata-65.1-150200.4.5.1 added
- xz-5.2.3-150000.4.7.1 added
- tar-1.34-150000.3.31.1 added
- which-2.21-2.20 added
- iproute2-5.14-150400.1.8 added
- glibc-locale-base-2.31-150300.52.2 updated
- gawk-4.2.1-150000.3.3.1 added
- systemd-rpm-macros-13-150000.7.33.1 updated
- libopenssl1_1-1.1.1l-150400.7.53.1 updated
- libcryptsetup12-2.4.3-150400.3.3.1 updated
- krb5-1.19.2-150400.3.6.1 updated
- libcurl4-8.0.1-150400.5.26.1 updated
- hostname-3.16-2.22 added
- shadow-4.8.1-150400.1.7 updated
- kbd-2.4.0-150400.5.6.1 updated
- dbus-1-1.12.2-150400.18.8.1 updated
- util-linux-2.37.2-150400.8.20.1 updated
- systemd-249.16-150400.8.33.1 updated
- util-linux-systemd-2.37.2-150400.8.20.1 added
- system-user-nobody-20170617-150400.22.33 added
- libcontainers-common-20230214-150400.3.5.2 added
- runc-1.1.4-150000.36.1 added
- slirp4netns-0.4.7-150100.3.18.1 added
- cni-0.7.1-150100.3.8.1 added
- libicu-suse65_1-65.1-150200.4.5.1 added
- container:rancher-elemental-teal-5.4-latest-- added
- container:bci-bci-busybox-15.4-- added
- container:bci-bci-busybox-latest-- removed
- container:rancher-elemental-builder-image-5.3-latest-- removed
- container:rancher-elemental-teal-5.3-latest-- removed
- libcryptsetup12-hmac-2.4.3-150400.1.110 removed
- libgcrypt20-hmac-1.9.4-150400.6.8.1 removed
- libopenssl1_1-hmac-1.1.1l-150400.7.45.1 removed
- libsemanage1-3.1-150400.1.65 removed
- libsepol1-3.1-150400.1.70 removed
- patterns-base-fips-20200124-150400.20.4.1 removed
- systemd-presets-branding-SMO-20220103-150400.2.1 removed

SUSE: 2023:3470-1 rancher/elemental-teal-iso/5.4 Security Update

October 20, 2023
The container rancher/elemental-teal-iso/5.4 was updated

Summary

Advisory ID: SUSE-SU-2019:495-1 Released: Tue Feb 26 16:42:35 2019 Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc Type: security Severity: important Advisory ID: SUSE-SU-2019:748-1 Released: Tue Mar 26 14:35:56 2019 Summary: Security update for libmspack Type: security Severity: moderate Advisory ID: SUSE-SU-2019:926-1 Released: Wed Apr 10 16:33:12 2019 Summary: Security update for tar Type: security Severity: moderate Advisory ID: SUSE-SU-2019:2223-1 Released: Tue Aug 27 15:42:56 2019 Summary: Security update for podman, slirp4netns and libcontainers-common Type: security Severity: moderate Advisory ID: SUSE-SU-2019:2810-1 Released: Tue Oct 29 14:56:44 2019 Summary: Security update for runc Type: security Severity: moderate Advisory ID: SUSE-SU-2020:697-1 Released: Mon Mar 16 13:17:10 2020 Summary: Security update for cni, cni-plugins, conmon, fuse-overlayfs, podman Type: security Severity: moderate Advisory ID: SUSE-RU-2020:821-1 Released: Tue Mar 31 13:05:59 2020 Summary: Recommended update for podman, slirp4netns Type: recommended Severity: moderate Advisory ID: SUSE-SU-2020:944-1 Released: Tue Apr 7 15:49:33 2020 Summary: Security update for runc Type: security Severity: moderate Advisory ID: SUSE-SU-2020:1197-1 Released: Wed May 6 13:52:04 2020 Summary: Security update for slirp4netns Type: security Severity: important Advisory ID: SUSE-SU-2020:1493-1 Released: Wed May 27 18:55:51 2020 Summary: Security update for libmspack Type: security Severity: low Advisory ID: SUSE-SU-2020:1915-1 Released: Wed Jul 15 09:34:15 2020 Summary: Security update for slirp4netns Type: security Severity: important Advisory ID: SUSE-RU-2020:2080-1 Released: Wed Jul 29 20:09:09 2020 Summary: Recommended update for libtool Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:2965-1 Released: Tue Oct 20 13:27:21 2020 Summary: Recommended update for cni, cni-plugins Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:927-1 Released: Tue Mar 23 14:07:06 2021 Summary: Recommended update for libreoffice Type: recommended Severity: moderate Advisory ID: SUSE-SU-2021:974-1 Released: Mon Mar 29 19:31:27 2021 Summary: Security update for tar Type: security Severity: low Advisory ID: SUSE-SU-2021:1954-1 Released: Fri Jun 11 10:45:09 2021 Summary: Security update for containerd, docker, runc Type: security Severity: important Advisory ID: SUSE-RU-2021:2193-1 Released: Mon Jun 28 18:38:43 2021 Summary: Recommended update for tar Type: recommended Severity: moderate Advisory ID: SUSE-SU-2021:2802-1 Released: Fri Aug 20 10:47:08 2021 Summary: Security update for libmspack Type: security Severity: moderate Advisory ID: SUSE-RU-2021:2895-1 Released: Tue Aug 31 19:40:32 2021 Summary: Recommended update for unixODBC Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:2962-1 Released: Mon Sep 6 18:23:01 2021 Summary: Recommended update for runc Type: recommended Severity: critical Advisory ID: SUSE-SU-2021:3506-1 Released: Mon Oct 25 10:20:22 2021 Summary: Security update for containerd, docker, runc Type: security Severity: important Advisory ID: SUSE-SU-2021:4171-1 Released: Thu Dec 23 09:55:13 2021 Summary: Security update for runc Type: security Severity: moderate Advisory ID: SUSE-SU-2022:69-1 Released: Thu Jan 13 15:12:30 2022 Summary: Security update for libmspack Type: security Severity: low Advisory ID: SUSE-SU-2022:943-1 Released: Thu Mar 24 12:52:54 2022 Summary: Security update for slirp4netns Type: security Severity: moderate Advisory ID: SUSE-SU-2022:1548-1 Released: Thu May 5 16:45:28 2022 Summary: Security update for tar Type: security Severity: moderate Advisory ID: SUSE-SU-2022:2341-1 Released: Fri Jul 8 16:09:12 2022 Summary: Security update for containerd, docker and runc Type: security Severity: important Advisory ID: SUSE-SU-2022:2360-1 Released: Tue Jul 12 12:01:39 2022 Summary: Security update for pcre2 Type: security Severity: important Advisory ID: SUSE-SU-2022:2566-1 Released: Wed Jul 27 15:04:49 2022 Summary: Security update for pcre2 Type: security Severity: important Advisory ID: SUSE-RU-2022:2735-1 Released: Wed Aug 10 04:31:41 2022 Summary: Recommended update for tar Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:2844-1 Released: Thu Aug 18 14:41:25 2022 Summary: Recommended update for tar Type: recommended Severity: important Advisory ID: SUSE-SU-2022:3142-1 Released: Wed Sep 7 09:54:18 2022 Summary: Security update for icu Type: security Severity: moderate Advisory ID: SUSE-RU-2022:3435-1 Released: Tue Sep 27 14:55:38 2022 Summary: Recommended update for runc Type: recommended Severity: important Advisory ID: SUSE-RU-2022:3927-1 Released: Wed Nov 9 14:55:47 2022 Summary: Recommended update for runc Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:4312-1 Released: Fri Dec 2 11:16:47 2022 Summary: Recommended update for tar Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:4592-1 Released: Tue Dec 20 16:51:35 2022 Summary: Security update for cni Type: security Severity: important Advisory ID: SUSE-RU-2023:179-1 Released: Thu Jan 26 21:54:30 2023 Summary: Recommended update for tar Type: recommended Severity: low Advisory ID: SUSE-SU-2023:463-1 Released: Mon Feb 20 16:33:39 2023 Summary: Security update for tar Type: security Severity: moderate Advisory ID: SUSE-SU-2023:557-1 Released: Tue Feb 28 09:29:15 2023 Summary: Security update for libxslt Type: security Severity: important Advisory ID: SUSE-SU-2023:870-1 Released: Wed Mar 22 09:44:13 2023 Summary: Security update for slirp4netns Type: security Severity: moderate Advisory ID: SUSE-RU-2023:1774-1 Released: Wed Apr 5 13:13:19 2023 Summary: Recommended update for libcontainers-common Type: recommended Severity: moderate Advisory ID: SUSE-RU-2023:1880-1 Released: Tue Apr 18 11:11:27 2023 Summary: Recommended update for systemd-rpm-macros Type: recommended Severity: low Advisory ID: SUSE-RU-2023:2307-1 Released: Mon May 29 10:29:49 2023 Summary: Recommended update for kbd Type: recommended Severity: low Advisory ID: SUSE-RU-2023:2482-1 Released: Mon Jun 12 07:19:53 2023 Summary: Recommended update for systemd-rpm-macros Type: recommended Severity: moderate Advisory ID: SUSE-SU-2023:2877-1 Released: Wed Jul 19 09:43:42 2023 Summary: Security update for dbus-1 Type: security Severity: moderate Advisory ID: SUSE-SU-2023:2882-1 Released: Wed Jul 19 11:49:39 2023 Summary: Security update for perl Type: security Severity: important Advisory ID: SUSE-RU-2023:2885-1 Released: Wed Jul 19 16:58:43 2023 Summary: Recommended update for glibc Type: recommended Severity: moderate Advisory ID: SUSE-SU-2023:2891-1 Released: Wed Jul 19 21:14:33 2023 Summary: Security update for curl Type: security Severity: moderate Advisory ID: SUSE-RU-2023:2918-1 Released: Thu Jul 20 12:00:17 2023 Summary: Recommended update for gpgme Type: recommended Severity: moderate Advisory ID: SUSE-SU-2023:2962-1 Released: Tue Jul 25 09:34:53 2023 Summary: Security update for openssl-1_1 Type: security Severity: moderate Advisory ID: SUSE-RU-2023:3275-1 Released: Fri Aug 11 10:19:36 2023 Summary: Recommended update for apparmor Type: recommended Severity: moderate Advisory ID: SUSE-RU-2023:3286-1 Released: Fri Aug 11 10:32:03 2023 Summary: Recommended update for util-linux Type: recommended Severity: moderate Advisory ID: SUSE-SU-2023:3327-1 Released: Wed Aug 16 08:45:25 2023 Summary: Security update for pcre2 Type: security Severity: moderate Advisory ID: SUSE-SU-2023:3363-1 Released: Fri Aug 18 14:54:16 2023 Summary: Security update for krb5 Type: security Severity: important Advisory ID: SUSE-SU-2023:3397-1 Released: Wed Aug 23 18:35:56 2023 Summary: Security update for openssl-1_1 Type: security Severity: moderate Advisory ID: SUSE-RU-2023:3451-1 Released: Mon Aug 28 12:15:22 2023 Summary: Recommended update for systemd Type: recommended Severity: moderate Advisory ID: SUSE-RU-2023:3486-1 Released: Tue Aug 29 14:25:23 2023 Summary: Recommended update for lvm2 Type: recommended Severity: moderate

References

References : 1029961 1041090 1048046 1049382 1051429 1089497 1096726 1102408

1103032 1113038 1113039 1113040 1114832 1116658 1118897 1118898

1118899 1120610 1120610 1121967 1123156 1123387 1124308 1130489

1130496 1130496 1131314 1131553 1135460 1136234 1136974 1137860

1141680 1143386 1149954 1152308 1155141 1155217 1160452 1160460

1164390 1167850 1168481 1170940 1171566 1171578 1172380 1172786

1173404 1173409 1173410 1173471 1174465 1175081 1175821 1175821

1176547 1177955 1178807 1178943 1178944 1179025 1179203 1179466

1179467 1179467 1181122 1181131 1181131 1181594 1181641 1181644

1181677 1181730 1181732 1181749 1181872 1181961 1182451 1182476

1182790 1182947 1182998 1183024 1183855 1184124 1184768 1184962

1185405 1185405 1186606 1187704 1188282 1189743 1190826 1191015

1191121 1191334 1191355 1191434 1192051 1193436 1193951 1194038

1194609 1194900 1197093 1199232 1199235 1199460 1199565 1200088

1200145 1200524 1200657 1200657 1202021 1202436 1202436 1202436

1202821 1202821 1203600 1205536 1207509 1207753 1208079 1208194

1208574 1208721 1209229 1209741 1210702 1210702 1210999 1211272

1211576 1211828 1212126 1212434 1213185 1213237 1213472 1213487

1213514 1213517 1213575 1213853 1213873 1214054 1214071 CVE-2018-14679

CVE-2018-14681 CVE-2018-14682 CVE-2018-15664 CVE-2018-16873 CVE-2018-16874

CVE-2018-16875 CVE-2018-18584 CVE-2018-18585 CVE-2018-18586 CVE-2018-20482

CVE-2018-20482 CVE-2019-1010305 CVE-2019-10152 CVE-2019-16884

CVE-2019-18466 CVE-2019-19921 CVE-2019-5736 CVE-2019-6778 CVE-2019-9923

CVE-2019-9923 CVE-2020-10756 CVE-2020-1983 CVE-2020-21913 CVE-2020-29129

CVE-2020-29130 CVE-2020-29130 CVE-2021-20193 CVE-2021-20193 CVE-2021-20206

CVE-2021-21284 CVE-2021-21285 CVE-2021-21334 CVE-2021-30465 CVE-2021-30465

CVE-2021-30560 CVE-2021-32760 CVE-2021-41089 CVE-2021-41091 CVE-2021-41092

CVE-2021-41103 CVE-2021-43784 CVE-2022-1586 CVE-2022-1587 CVE-2022-29162

CVE-2022-31030 CVE-2022-41409 CVE-2022-48303 CVE-2023-31484 CVE-2023-32001

CVE-2023-3446 CVE-2023-34969 CVE-2023-36054 CVE-2023-3817

1048046,1051429,1114832,1118897,1118898,1118899,1121967,1124308,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736

This update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc fixes the following issues:

Security issues fixed:

- CVE-2018-16875: Fixed a CPU Denial of Service (bsc#1118899).

- CVE-2018-16874: Fixed a vulnerabity in go get command which could allow directory traversal in GOPATH mode (bsc#1118898).

- CVE-2018-16873: Fixed a vulnerability in go get command which could allow remote code execution when executed with -u in GOPATH mode (bsc#1118897).

- CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to avoid write attacks to the host runc binary, which could lead to a container

breakout (bsc#1121967).

Other changes and fixes:

- Update shell completion to use Group: System/Shells.

- Add daemon.json file with rotation logs configuration (bsc#1114832)

- Update to Docker 18.09.1-ce (bsc#1124308) and to to runc 96ec2177ae84.

See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.

- Update go requirements to >= go1.10

- Use -buildmode=pie for tests and binary build (bsc#1048046 and bsc#1051429).

- Remove the usage of 'cp -r' to reduce noise in the build logs.

1113038,1113039,CVE-2018-18584,CVE-2018-18585

This update for libmspack fixes the following issues:

Security issues fixed:

- CVE-2018-18584: The CAB block input buffer was one byte too small for the maximal Quantum block, leading to an out-of-bounds write. (bsc#1113038)

- CVE-2018-18585: chmd_read_headers accepted a filename that has '\0' as its first or second character (such as the '/\0' name). (bsc#1113039)

- Fix off-by-one bounds check on CHM PMGI/PMGL chunk numbers and reject empty filenames.

1120610,1130496,CVE-2018-20482,CVE-2019-9923

This update for tar fixes the following issues:

Security issues fixed:

- CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496).

- CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610).

1096726,1123156,1123387,1135460,1136974,1137860,1143386,CVE-2018-15664,CVE-2019-10152,CVE-2019-6778

This is a version update for podman to version 1.4.4 (bsc#1143386).

Additional changes by SUSE on top:

- Remove fuse-overlayfs because it's (currently) an unsatisfied dependency on

SLE (bsc#1143386)

- Update libpod.conf to use correct infra_command

- Update libpod.conf to use better versioned pause container

- Update libpod.conf to use official kubic pause container

- Update libpod.conf to match latest features set:

detach_keys, lock_type, runtime_supports_json

- Add podman-remote varlink client

Version update podman to v1.4.4:

- Features

- Podman now has greatly improved support for containers using multiple OCI

runtimes. Containers now remember if they were created with a different

runtime using --runtime and will always use that runtime

- The cached and delegated options for volume mounts are now allowed for

Docker compatability (#3340)

- The podman diff command now supports the --latest flag

- Bugfixes

- Fixed a bug where rootless Podman would attempt to use the entire root

configuration if no rootless configuration was present for the user,

breaking rootless Podman for new installations

- Fixed a bug where rootless Podman's pause process would block SIGTERM,

preventing graceful system shutdown and hanging until the system's init

send SIGKILL

- Fixed a bug where running Podman as root with sudo -E would not work after

running rootless Podman at least once

- Fixed a bug where options for tmpfs volumes added with the --tmpfs flag

were being ignored

- Fixed a bug where images with no layers could not properly be displayed

and removed by Podman

- Fixed a bug where locks were not properly freed on failure to create a

container or pod

- Fixed a bug where podman cp on a single file would create a directory at

the target and place the file in it (#3384)

- Fixed a bug where podman inspect --format '{{.Mounts}}' would print a

hexadecimal address instead of a container's mounts

- Fixed a bug where rootless Podman would not add an entry to container's

/etc/hosts files for their own hostname (#3405)

- Fixed a bug where podman ps --sync would segfault (#3411)

- Fixed a bug where podman generate kube would produce an invalid ports

configuration (#3408)

- Misc

- Updated containers/storage to v1.12.13

- Podman now performs much better on systems with heavy I/O load

- The --cgroup-manager flag to podman now shows the correct default setting

in help if the default was overridden by libpod.conf

- For backwards compatability, setting --log-driver=json-file in podman run

is now supported as an alias for --log-driver=k8s-file. This is considered

deprecated, and json-file will be moved to a new implementation in the

future ([#3363](\

d/issues/3363))

- Podman's default libpod.conf file now allows the crun OCI runtime to be

used if it is installed

Update podman to v1.4.2:

- Fixed a bug where Podman could not run containers using an older version of

Systemd as init

- Updated vendored Buildah to v1.9.0 to resolve a critical bug with

Dockerfile RUN instructions

- The error message for running podman kill on containers that are not

running has been improved

- Podman remote client can now log to a file if syslog is not available

- The podman exec command now sets its error code differently based on

whether the container does not exist, and the command in the container does

not exist

- The podman inspect command on containers now outputs Mounts JSON that matches

that of docker inspect, only including user-specified volumes and

differentiating bind mounts and named volumes

- The podman inspect command now reports the path to a container's OCI spec

with the OCIConfigPath key (only included when the container is initialized

or running)

- The podman run --mount command now supports the bind-nonrecursive option for

bind mounts

- Fixed a bug where podman play kube would fail to create containers due to an

unspecified log driver

- Fixed a bug where Podman would fail to build with musl libc

- Fixed a bug where rootless Podman using slirp4netns networking in an

environment with no nameservers on the host other than localhost would

result in nonfunctional networking

- Fixed a bug where podman import would not properly set environment

variables, discarding their values and retaining only keys

- Fixed a bug where Podman would fail to run when built with Apparmor support

but run on systems without the Apparmor kernel module loaded

- Remote Podman will now default the username it uses to log in to remote

systems to the username of the current user

- Podman now uses JSON logging with OCI runtimes that support it, allowing for

better error reporting

- Updated vendored containers/image to v2.0

- Update conmon to v0.3.0

- Support OOM Monitor under cgroup V2

- Add config binary and make target for configuring conmon with a go library

for importing values

Updated podman to version 1.4.0 (bsc#1137860) and (bsc#1135460)

- Podman checkpoint and podman restore commands can now be

used to migrate containers between Podman installations on

different systems.

- The podman cp now supports pause flag.

- The remote client now supports a configuration file for

pre-configuring connections to remote Podman installations

- CVE-2019-10152: Fixed an iproper dereference of symlinks of the

the podman cp command which introduced in version 1.1.0 (bsc#1136974).

- Fixed a bug where podman commit could improperly set environment variables

that contained = characters

- Fixed a bug where rootless podman would sometimes fail to start

containers with forwarded ports

- Fixed a bug where podman version on the remote client could

segfault

- Fixed a bug where podman container runlabel would use /proc/self/exe instead of

the path of the Podman command when printing the command being executed

- Fixed a bug where filtering images by label did not work

- Fixed a bug where specifying a bing mount or tmpfs mount over

an image volume would cause a container to be unable to start

- Fixed a bug where podman generate kube did not work with

containers with named volumes

- Fixed a bug where rootless podman would receive permission

denied errors accessing conmon.pid

- Fixed a bug where podman cp with a folder specified as target

would replace the folder, as opposed to copying into it

- Fixed a bug where rootless Podman commands could double-unlock

a lock, causing a crash

- Fixed a bug where podman incorrectly set tmpcopyup on /dev/

mounts, causing errors when using the Kata containers runtime

- Fixed a bug where podman exec would fail on older kernels

- Podman commit command is now usable with the Podman remote client

- Signature-policy flag has been deprecated

- Updated vendored containers/storage and containers/image libraries

with numerous bugfixes

- Updated vendored Buildah to v1.8.3

- Podman now requires Conmon v0.2.0

- The podman cp command is now aliased as podman container cp

- Rootless podman will now default init_path using root Podman's

configuration files (/etc/containers/libpod.conf and

/usr/share/containers/libpod.conf) if not overridden in the

rootless configuration

- Added fuse-overlayfs dependency to support overlay based rootless image

manipulations

- The podman cp command can now read input redirected to STDIN, and output to

STDOUT instead of a file, using - instead of an argument.

- The podman remote client now displays version information from both the

client and server in podman version

- The podman unshare command has been added, allowing easy entry into the

user namespace set up by rootless Podman (allowing the removal of files

created by rootless podman, among other things)

- Fixed a bug where Podman containers with the --rm flag were removing

created volumes when they were automatically removed

- Fixed a bug where container and pod locks were incorrectly marked as

released after a system reboot, causing errors on container and pod removal

- Fixed a bug where Podman pods could not be removed if any container in the

pod encountered an error during removal

- Fixed a bug where Podman pods run with the cgroupfs CGroup driver would encounter

a race condition during removal, potentially failing to remove the pod CGroup

- Fixed a bug where the podman container checkpoint and podman container

restore commands were not visible in the remote client

- Fixed a bug where podman remote ps --ns would not print the container's namespaces

- Fixed a bug where removing stopped containers with healthchecks could cause an error

- Fixed a bug where the default libpod.conf file was causing parsing errors

- Fixed a bug where pod locks were not being freed when pods were removed,

potentially leading to lock exhaustion

- Fixed a bug where 'podman run' with SD_NOTIFY set could, on short-running

containers, create an inconsistent state rendering the container unusable

- The remote Podman client now uses the Varlink bridge to establish remote

connections by default

- Fixed an issue with apparmor_parser (bsc#1123387)

- Update to libpod v1.4.0 (bsc#1137860):

- The podman checkpoint and podman restore commands can now be

used to migrate containers between Podman installations on

different systems

- The podman cp command now supports a pause flag to pause

containers while copying into them

- The remote client now supports a configuration file for

pre-configuring connections to remote Podman installations

- Fixed CVE-2019-10152 - The podman cp command improperly

dereferenced symlinks in host context

- Fixed a bug where podman commit could improperly set

environment variables that contained = characters

- Fixed a bug where rootless Podman would sometimes fail to start

containers with forwarded ports

- Fixed a bug where podman version on the remote client could

segfault

- Fixed a bug where podman container runlabel would use

/proc/self/exe instead of the path of the Podman command when

printing the command being executed

- Fixed a bug where filtering images by label did not work

- Fixed a bug where specifying a bing mount or tmpfs mount over

an image volume would cause a container to be unable to start

- Fixed a bug where podman generate kube did not work with

containers with named volumes

- Fixed a bug where rootless Podman would receive permission

denied errors accessing conmon.pid

- Fixed a bug where podman cp with a folder specified as target

would replace the folder, as opposed to copying into it

- Fixed a bug where rootless Podman commands could double-unlock

a lock, causing a crash

- Fixed a bug where Podman incorrectly set tmpcopyup on /dev/

mounts, causing errors when using the Kata containers runtime

- Fixed a bug where podman exec would fail on older kernels

- The podman commit command is now usable with the Podman remote

client

- The --signature-policy flag (used with several image-related

commands) has been deprecated

- The podman unshare command now defines two environment

variables in the spawned shell: CONTAINERS_RUNROOT and

CONTAINERS_GRAPHROOT, pointing to temporary and permanent

storage for rootless containers

- Updated vendored containers/storage and containers/image

libraries with numerous bugfixes

- Updated vendored Buildah to v1.8.3

- Podman now requires Conmon v0.2.0

- The podman cp command is now aliased as podman container cp

- Rootless Podman will now default init_path using root Podman's

configuration files (/etc/containers/libpod.conf and

/usr/share/containers/libpod.conf) if not overridden in the

rootless configuration

- Update to image v1.5.1

- Vendor in latest containers/storage

- docker/docker_client: Drop redundant Domain(ref.ref) call

- pkg/blobinfocache: Split implementations into subpackages

- copy: progress bar: show messages on completion

- docs: rename manpages to *.5.command

- add container-certs.d.md manpage

- pkg/docker/config: Bring auth tests from

docker/docker_client_test

- Don't allocate a sync.Mutex separately

Update to storage v1.12.10:

- Add function to parse out mount options from graphdriver

- Merge the disparate parts of all of the Unix-like lockfiles

- Fix unix-but-not-Linux compilation

- Return XDG_RUNTIME_DIR as RootlessRuntimeDir if set

- Cherry-pick moby/moby #39292 for CVE-2018-15664 fixes

- lockfile: add RecursiveLock() API

- Update generated files

- Fix crash on tesing of aufs code

- Let consumers know when Layers and Images came from read-only stores

- chown: do not change owner for the mountpoint

- locks: correctly mark updates to the layers list

- CreateContainer: don't worry about mapping layers unless necessary

- docs: fix manpage for containers-storage.conf

- docs: sort configuration options alphabetically

- docs: document OSTree file deduplication

- Add missing options to man page for containers-storage

- overlay: use the layer idmapping if present

- vfs: prefer layer custom idmappings

- layers: propagate down the idmapping settings

- Recreate symlink when not found

- docs: fix manpage for configuration file

- docs: add special handling for manpages in sect 5

- overlay: fix single-lower test

- Recreate symlink when not found

- overlay: propagate errors from mountProgram

- utils: root in a userns uses global conf file

- Fix handling of additional stores

- Correctly check permissions on rootless directory

- Fix possible integer overflow on 32bit builds

- Evaluate device path for lvm

- lockfile test: make concurrent RW test determinisitc

- lockfile test: make concurrent read tests deterministic

- drivers.DirCopy: fix filemode detection

- storage: move the logic to detect rootless into utils.go

- Don't set (struct flock).l_pid

- Improve documentation of getLockfile

- Rename getLockFile to createLockerForPath, and document it

- Add FILES section to containers-storage.5 man page

- add digest locks

- drivers/copy: add a non-cgo fallback

slirp4netns was updated to 0.3.0:

- CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() (bsc#1123156)

This update also includes:

- fuse3 and fuse-overlayfs to support rootless containers.

1131314,1131553,1152308,CVE-2019-16884

This update for runc fixes the following issues:

Security issue fixed:

- CVE-2019-16884: Fixed an LSM bypass via malicious Docker images that mount over a /proc directory. (bsc#1152308)

Non-security issues fixed:

- Includes upstreamed patches for regressions (bsc#1131314 bsc#1131553).

1155217,1160460,1164390,CVE-2019-18466

This update for cni, cni-plugins, conmon, fuse-overlayfs, podman fixes the following issues:

podman was updated to 1.8.0:

- CVE-2019-18466: Fixed a bug where podman cp would improperly copy files on the

host when copying a symlink in the container that included a

glob operator (#3829 bsc#1155217)

- The name of the cni-bridge in the default config changed from

'cni0' to 'podman-cni0' with podman-1.6.0. Add a %trigger to

rename the bridge in the system to the new default if it exists.

The trigger is only excuted when updating podman-cni-config

from something older than 1.6.0. This is mainly needed for SLE

where we're updating from 1.4.4 to 1.8.0 (bsc#1160460).

Update podman to v1.8.0 (bsc#1160460):

* Features

- The podman system service command has been added, providing a

preview of Podman's new Docker-compatible API. This API is

still very new, and not yet ready for production use, but is

available for early testing

- Rootless Podman now uses Rootlesskit for port forwarding,

which should greatly improve performance and capabilities

- The podman untag command has been added to remove tags from

images without deleting them

- The podman inspect command on images now displays previous

names they used

- The podman generate systemd command now supports a --new

option to generate service files that create and run new

containers instead of managing existing containers

- Support for --log-opt tag= to set logging tags has been added

to the journald log driver

- Added support for using Seccomp profiles embedded in images

for podman run and podman create via the new --seccomp-policy

CLI flag

- The podman play kube command now honors pull policy

* Bugfixes

- Fixed a bug where the podman cp command would not copy the

contents of directories when paths ending in /. were given

- Fixed a bug where the podman play kube command did not

properly locate Seccomp profiles specified relative to

localhost

- Fixed a bug where the podman info command for remote Podman

did not show registry information

- Fixed a bug where the podman exec command did not support

having input piped into it

- Fixed a bug where the podman cp command with rootless Podman

on CGroups v2 systems did not properly determine if the

container could be paused while copying

- Fixed a bug where the podman container prune --force command

could possible remove running containers if they were started

while the command was running

- Fixed a bug where Podman, when run as root, would not

properly configure slirp4netns networking when requested

- Fixed a bug where podman run --userns=keep-id did not work

when the user had a UID over 65535

- Fixed a bug where rootless podman run and podman create with

the --userns=keep-id option could change permissions on

/run/user/$UID and break KDE

- Fixed a bug where rootless Podman could not be run in a

systemd service on systems using CGroups v2

- Fixed a bug where podman inspect would show CPUShares as 0,

instead of the default (1024), when it was not explicitly set

- Fixed a bug where podman-remote push would segfault

- Fixed a bug where image healthchecks were not shown in the

output of podman inspect

- Fixed a bug where named volumes created with containers from

pre-1.6.3 releases of Podman would be autoremoved with their

containers if the --rm flag was given, even if they were

given names

- Fixed a bug where podman history was not computing image

sizes correctly

- Fixed a bug where Podman would not error on invalid values to

the --sort flag to podman images

- Fixed a bug where providing a name for the image made by

podman commit was mandatory, not optional as it should be

- Fixed a bug where the remote Podman client would append an

extra ' to %PATH

- Fixed a bug where the podman build command would sometimes

ignore the -f option and build the wrong Containerfile

- Fixed a bug where the podman ps --filter command would only

filter running containers, instead of all containers, if

--all was not passed

- Fixed a bug where the podman load command on compressed

images would leave an extra copy on disk

- Fixed a bug where the podman restart command would not

properly clean up the network, causing it to function

differently from podman stop; podman start

- Fixed a bug where setting the --memory-swap flag to podman

create and podman run to -1 (to indicate unlimited) was not

supported

* Misc

- Initial work on version 2 of the Podman remote API has been

merged, but is still in an alpha state and not ready for use.

Read more here

- Many formatting corrections have been made to the manpages

- The changes to address (#5009) may cause anonymous volumes

created by Podman versions 1.6.3 to 1.7.0 to not be removed

when their container is removed

- Updated vendored Buildah to v1.13.1

- Updated vendored containers/storage to v1.15.8

- Updated vendored containers/image to v5.2.0

- Add apparmor-abstractions as required runtime dependency to

have `tunables/global` available.

- fixed the --force flag for the 'container prune' command.

(d/issues/4844)

Update podman to v1.7.0

* Features

- Added support for setting a static MAC address for containers

- Added support for creating macvlan networks with podman

network create, allowing Podman containers to be attached

directly to networks the host is connected to

- The podman image prune and podman container prune commands

now support the --filter flag to filter what will be pruned,

and now prompts for confirmation when run without --force

(#4410 and #4411)

- Podman now creates CGroup namespaces by default on systems

using CGroups v2 (#4363)

- Added the podman system reset command to remove all Podman

files and perform a factory reset of the Podman installation

- Added the --history flag to podman images to display previous

names used by images (#4566)

- Added the --ignore flag to podman rm and podman stop to not

error when requested containers no longer exist

- Added the --cidfile flag to podman rm and podman stop to read

the IDs of containers to be removed or stopped from a file

- The podman play kube command now honors Seccomp annotations

(#3111)

- The podman play kube command now honors RunAsUser,

RunAsGroup, and selinuxOptions

- The output format of the podman version command has been

changed to better match docker version when using the

--format flag

- Rootless Podman will no longer initialize containers/storage

twice, removing a potential deadlock preventing Podman

commands from running while an image was being pulled (#4591)

- Added tmpcopyup and notmpcopyup options to the --tmpfs and

--mount type=tmpfs flags to podman create and podman run to

control whether the content of directories are copied into

tmpfs filesystems mounted over them

- Added support for disabling detaching from containers by

setting empty detach keys via --detach-keys=''

- The podman build command now supports the --pull and

--pull-never flags to control when images are pulled during a

build

- The podman ps -p command now shows the name of the pod as

well as its ID (#4703)

- The podman inspect command on containers will now display the

command used to create the container

- The podman info command now displays information on registry

mirrors (#4553)

* Bugfixes

- Fixed a bug where Podman would use an incorrect runtime

directory as root, causing state to be deleted after root

logged out and making Podman in systemd services not function

properly

- Fixed a bug where the --change flag to podman import and

podman commit was not being parsed properly in many cases

- Fixed a bug where detach keys specified in libpod.conf were

not used by the podman attach and podman exec commands, which

always used the global default ctrl-p,ctrl-q key combination

(#4556)

- Fixed a bug where rootless Podman was not able to run podman

pod stats even on CGroups v2 enabled systems (#4634)

- Fixed a bug where rootless Podman would fail on kernels

without the renameat2 syscall (#4570)

- Fixed a bug where containers with chained network namespace

dependencies (IE, container A using --net container=B and

container B using --net container=C) would not properly mount

/etc/hosts and /etc/resolv.conf into the container (#4626)

- Fixed a bug where podman run with the --rm flag and without

-d could, when run in the background, throw a 'container does

not exist' error when attempting to remove the container

after it exited

- Fixed a bug where named volume locks were not properly

reacquired after a reboot, potentially leading to deadlocks

when trying to start containers using the volume (#4605 and

#4621)

- Fixed a bug where Podman could not completely remove

containers if sent SIGKILL during removal, leaving the

container name unusable without the podman rm --storage

command to complete removal (#3906)

- Fixed a bug where checkpointing containers started with --rm

was allowed when --export was not specified (the container,

and checkpoint, would be removed after checkpointing was

complete by --rm) (#3774)

- Fixed a bug where the podman pod prune command would fail if

containers were present in the pods and the --force flag was

not passed (#4346)

- Fixed a bug where containers could not set a static IP or

static MAC address if they joined a non-default CNI network

(#4500)

- Fixed a bug where podman system renumber would always throw

an error if a container was mounted when it was run

- Fixed a bug where podman container restore would fail with

containers using a user namespace

- Fixed a bug where rootless Podman would attempt to use the

journald events backend even on systems without systemd

installed

- Fixed a bug where podman history would sometimes not properly

identify the IDs of layers in an image (#3359)

- Fixed a bug where containers could not be restarted when

Conmon v2.0.3 or later was used

- Fixed a bug where Podman did not check image OS and

Architecture against the host when starting a container

- Fixed a bug where containers in pods did not function

properly with the Kata OCI runtime (#4353)

- Fixed a bug where `podman info --format '{{ json . }}' would

not produce JSON output (#4391)

- Fixed a bug where Podman would not verify if files passed to

--authfile existed (#4328)

- Fixed a bug where podman images --digest would not always

print digests when they were available

- Fixed a bug where rootless podman run could hang due to a

race with reading and writing events

- Fixed a bug where rootless Podman would print warning-level

logs despite not be instructed to do so (#4456)

- Fixed a bug where podman pull would attempt to fetch from

remote registries when pulling an unqualified image using the

docker-daemon transport (#4434)

- Fixed a bug where podman cp would not work if STDIN was a

pipe

- Fixed a bug where podman exec could stop accepting input if

anything was typed between the command being run and the exec

session starting (#4397)

- Fixed a bug where podman logs --tail 0 would print all lines

of a container's logs, instead of no lines (#4396)

- Fixed a bug where the timeout for slirp4netns was incorrectly

set, resulting in an extremely long timeout (#4344)

- Fixed a bug where the podman stats command would print CPU

utilizations figures incorrectly (#4409)

- Fixed a bug where the podman inspect --size command would not

print the size of the container's read/write layer if the

size was 0 (#4744)

- Fixed a bug where the podman kill command was not properly

validating signals before use (#4746)

- Fixed a bug where the --quiet and --format flags to podman ps

could not be used at the same time

- Fixed a bug where the podman stop command was not stopping

exec sessions when a container was created without a PID

namespace (--pid=host)

- Fixed a bug where the podman pod rm --force command was not

removing anonymous volumes for containers that were removed

- Fixed a bug where the podman checkpoint command would not

export all changes to the root filesystem of the container if

performed more than once on the same container (#4606)

- Fixed a bug where containers started with --rm would not be

automatically removed on being stopped if an exec session was

running inside the container (#4666)

* Misc

- The fixes to runtime directory path as root can cause strange

behavior if an upgrade is performed while containers are

running

- Updated vendored Buildah to v1.12.0

- Updated vendored containers/storage library to v1.15.4

- Updated vendored containers/image library to v5.1.0

- Kata Containers runtimes (kata-runtime, kata-qemu, and

kata-fc) are now present in the default libpod.conf, but will

not be available unless Kata containers is installed on the

system

- Podman previously did not allow the creation of containers

with a memory limit lower than 4MB. This restriction has been

removed, as the crun runtime can create containers with

significantly less memory

Update podman to v1.6.4

- Remove winsz FIFO on container restart to allow use with Conmon 2.03 and higher

- Ensure volumes reacquire locks on system restart, preventing deadlocks when starting containers

- Suppress spurious log messages when running rootless Podman

- Update vendored containers/storage to v1.13.6

- Fix a deadlock related to writing events

- Do not use the journald event logger when it is not available

Update podman to v1.6.2

* Features

- Added a --runtime flag to podman system migrate to allow the

OCI runtime for all containers to be reset, to ease transition

to the crun runtime on CGroups V2 systems until runc gains full

support

- The podman rm command can now remove containers in broken

states which previously could not be removed

- The podman info command, when run without root, now shows

information on UID and GID mappings in the rootless user

namespace

- Added podman build --squash-all flag, which squashes all layers

(including those of the base image) into one layer

- The --systemd flag to podman run and podman create now accepts

a string argument and allows a new value, always, which forces

systemd support without checking if the the container

entrypoint is systemd

* Bugfixes

- Fixed a bug where the podman top command did not work on

systems using CGroups V2 (#4192)

- Fixed a bug where rootless Podman could double-close a file,

leading to a panic

- Fixed a bug where rootless Podman could fail to retrieve some

containers while refreshing the state

- Fixed a bug where podman start --attach --sig-proxy=false would

still proxy signals into the container

- Fixed a bug where Podman would unconditionally use a

non-default path for authentication credentials (auth.json),

breaking podman login integration with skopeo and other tools

using the containers/image library

- Fixed a bug where podman ps --format=json and podman images

--format=json would display null when no results were returned,

instead of valid JSON

- Fixed a bug where podman build --squash was incorrectly

squashing all layers into one, instead of only new layers

- Fixed a bug where rootless Podman would allow volumes with

options to be mounted (mounting volumes requires root),

creating an inconsistent state where volumes reported as

mounted but were not (#4248)

- Fixed a bug where volumes which failed to unmount could not be

removed (#4247)

- Fixed a bug where Podman incorrectly handled some errors

relating to unmounted or missing containers in

containers/storage

- Fixed a bug where podman stats was broken on systems running

CGroups V2 when run rootless (#4268)

- Fixed a bug where the podman start command would print the

short container ID, instead of the full ID

- Fixed a bug where containers created with an OCI runtime that

is no longer available (uninstalled or removed from the config

file) would not appear in podman ps and could not be removed

via podman rm

- Fixed a bug where containers restored via podman container

restore --import would retain the CGroup path of the original

container, even if their container ID changed; thus, multiple

containers created from the same checkpoint would all share the

same CGroup

* Misc

- The default PID limit for containers is now set to 4096. It can

be adjusted back to the old default (unlimited) by passing

--pids-limit 0 to podman create and podman run

- The podman start --attach command now automatically attaches

STDIN if the container was created with -i

- The podman network create command now validates network names

using the same regular expression as container and pod names

- The --systemd flag to podman run and podman create will now

only enable systemd mode when the binary being run inside the

container is /sbin/init, /usr/sbin/init, or ends in systemd

(previously detected any path ending in init or systemd)

- Updated vendored Buildah to 1.11.3

- Updated vendored containers/storage to 1.13.5

- Updated vendored containers/image to 4.0.1

Update podman to v1.6.1

* Features

- The podman network create, podman network rm, podman network

inspect, and podman network ls commands have been added to

manage CNI networks used by Podman

- The podman volume create command can now create and mount

volumes with options, allowing volumes backed by NFS, tmpfs,

and many other filesystems

- Podman can now run containers without CGroups for better

integration with systemd by using the --cgroups=disabled flag

with podman create and podman run. This is presently only

supported with the crun OCI runtime

- The podman volume rm and podman volume inspect commands can now

refer to volumes by an unambiguous partial name, in addition to

full name (e.g. podman volume rm myvol to remove a volume named

myvolume) (#3891)

- The podman run and podman create commands now support the

--pull flag to allow forced re-pulling of images (#3734)

- Mounting volumes into a container using --volume, --mount, and

--tmpfs now allows the suid, dev, and exec mount options (the

inverse of nosuid, nodev, noexec) (#3819)

- Mounting volumes into a container using --mount now allows the

relabel=Z and relabel=z options to relabel mounts.

- The podman push command now supports the --digestfile option to

save a file containing the pushed digest

- Pods can now have their hostname set via podman pod create

--hostname or providing Pod YAML with a hostname set to podman

play kube (#3732)

- The podman image sign command now supports the --cert-dir flag

- The podman run and podman create commands now support the

--security-opt label=filetype:$LABEL flag to set the SELinux

label for container files

- The remote Podman client now supports healthchecks

* Bugfixes

- Fixed a bug where remote podman pull would panic if a Varlink

connection was not available (#4013)

- Fixed a bug where podman exec would not properly set terminal

size when creating a new exec session (#3903)

- Fixed a bug where podman exec would not clean up socket

symlinks on the host (#3962)

- Fixed a bug where Podman could not run systemd in containers

that created a CGroup namespace

- Fixed a bug where podman prune -a would attempt to prune images

used by Buildah and CRI-O, causing errors (#3983)

- Fixed a bug where improper permissions on the ~/.config

directory could cause rootless Podman to use an incorrect

directory for storing some files

- Fixed a bug where the bash completions for podman import threw

errors

- Fixed a bug where Podman volumes created with podman volume

create would not copy the contents of their mountpoint the

first time they were mounted into a container (#3945)

- Fixed a bug where rootless Podman could not run podman exec

when the container was not run inside a CGroup owned by the

user (#3937)

- Fixed a bug where podman play kube would panic when given Pod

YAML without a securityContext (#3956)

- Fixed a bug where Podman would place files incorrectly when

storage.conf configuration items were set to the empty string

(#3952)

- Fixed a bug where podman build did not correctly inherit

Podman's CGroup configuration, causing crashed on CGroups V2

systems (#3938)

- Fixed a bug where remote podman run --rm would exit before the

container was completely removed, allowing race conditions when

removing container resources (#3870)

- Fixed a bug where rootless Podman would not properly handle

changes to /etc/subuid and /etc/subgid after a container was

launched

- Fixed a bug where rootless Podman could not include some

devices in a container using the --device flag (#3905)

- Fixed a bug where the commit Varlink API would segfault if

provided incorrect arguments (#3897)

- Fixed a bug where temporary files were not properly cleaned up

after a build using remote Podman (#3869)

- Fixed a bug where podman remote cp crashed instead of reporting

it was not yet supported (#3861)

- Fixed a bug where podman exec would run as the wrong user when

execing into a container was started from an image with

Dockerfile USER (or a user specified via podman run --user)

(#3838)

- Fixed a bug where images pulled using the oci: transport would

be improperly named

- Fixed a bug where podman varlink would hang when managed by

systemd due to SD_NOTIFY support conflicting with Varlink

(#3572)

- Fixed a bug where mounts to the same destination would

sometimes not trigger a conflict, causing a race as to which

was actually mounted

- Fixed a bug where podman exec --preserve-fds caused Podman to

hang (#4020)

- Fixed a bug where removing an unmounted container that was

unmounted might sometimes not properly clean up the container

(#4033)

- Fixed a bug where the Varlink server would freeze when run in a

systemd unit file (#4005)

- Fixed a bug where Podman would not properly set the $HOME

environment variable when the OCI runtime did not set it

- Fixed a bug where rootless Podman would incorrectly print

warning messages when an OCI runtime was not found (#4012)

- Fixed a bug where named volumes would conflict with, instead of

overriding, tmpfs filesystems added by the --read-only-tmpfs

flag to podman create and podman run

- Fixed a bug where podman cp would incorrectly make the target

directory when copying to a symlink which pointed to a

nonexistent directory (#3894)

- Fixed a bug where remote Podman would incorrectly read STDIN

when the -i flag was not set (#4095)

- Fixed a bug where podman play kube would create an empty pod

when given an unsupported YAML type (#4093)

- Fixed a bug where podman import --change improperly parsed CMD

(#4000)

- Fixed a bug where rootless Podman on systems using CGroups V2

would not function with the cgroupfs CGroups manager

- Fixed a bug where rootless Podman could not correctly identify

the DBus session address, causing containers to fail to start

(#4162)

- Fixed a bug where rootless Podman with slirp4netns networking

would fail to start containers due to mount leaks

* Misc

- Significant changes were made to Podman volumes in this

release. If you have pre-existing volumes, it is strongly

recommended to run podman system renumber after upgrading.

- Version 0.8.1 or greater of the CNI Plugins is now required for

Podman

- Version 2.0.1 or greater of Conmon is strongly recommended

- Updated vendored Buildah to v1.11.2

- Updated vendored containers/storage library to v1.13.4

- Improved error messages when trying to create a pod with no

name via podman play kube

- Improved error messages when trying to run podman pause or

podman stats on a rootless container on a system without

CGroups V2 enabled

- TMPDIR has been set to /var/tmp by default to better handle

large temporary files

- podman wait has been optimized to detect stopped containers

more rapidly

- Podman containers now include a ContainerManager annotation

indicating they were created by libpod

- The podman info command now includes information about

slirp4netns and fuse-overlayfs if they are available

- Podman no longer sets a default size of 65kb for tmpfs

filesystems

- The default Podman CNI network has been renamed in an attempt

to prevent conflicts with CRI-O when both are run on the same

system. This should only take effect on system restart

- The output of podman volume inspect has been more closely

matched to docker volume inspect

- Add katacontainers as a recommended package, and include it as an

additional OCI runtime in the configuration.

Update podman to v1.5.1

* Features

- The hostname of pods is now set to the pod's name

* Bugfixes

- Fixed a bug where podman run and podman create did not honor the --authfile

option (#3730)

- Fixed a bug where containers restored with podman container restore

--import would incorrectly duplicate the Conmon PID file of the original container

- Fixed a bug where podman build ignored the default OCI runtime configured

in libpod.conf

- Fixed a bug where podman run --rm (or force-removing any running container

with podman rm --force) were not retrieving the correct exit code (#3795)

- Fixed a bug where Podman would exit with an error if any configured hooks

directory was not present

- Fixed a bug where podman inspect and podman commit would not use the

correct CMD for containers run with podman play kube

- Fixed a bug created pods when using rootless Podman and CGroups V2 (#3801)

- Fixed a bug where the podman events command with the --since or --until

options could take a very long time to complete

* Misc

- Rootless Podman will now inherit OCI runtime configuration from the root

configuration (#3781)

- Podman now properly sets a user agent while contacting registries (#3788)

- Add zsh completion for podman commands

Update podman to v1.5.0

* Features

- Podman containers can now join the user namespaces of other

containers with --userns=container:$ID, or a user namespace at

an arbitary path with --userns=ns:$PATH

- Rootless Podman can experimentally squash all UIDs and GIDs in

an image to a single UID and GID (which does not require use of

the newuidmap and newgidmap executables) by passing

--storage-opt ignore_chown_errors

- The podman generate kube command now produces YAML for any bind

mounts the container has created (#2303)

- The podman container restore command now features a new flag,

--ignore-static-ip, that can be used with --import to import a

single container with a static IP multiple times on the same

host

- Added the ability for podman events to output JSON by

specifying --format=json

- If the OCI runtime or conmon binary cannot be found at the

paths specified in libpod.conf, Podman will now also search for

them in the calling user's path

- Added the ability to use podman import with URLs (#3609)

- The podman ps command now supports filtering names using

regular expressions (#3394)

- Rootless Podman containers with --privileged set will now mount

in all host devices that the user can access

- The podman create and podman run commands now support the

--env-host flag to forward all environment variables from the

host into the container

- Rootless Podman now supports healthchecks (#3523)

- The format of the HostConfig portion of the output of podman

inspect on containers has been improved and synced with Docker

- Podman containers now support CGroup namespaces, and can create

them by passing --cgroupns=private to podman run or podman

create

- The podman create and podman run commands now support the

--ulimit=host flag, which uses any ulimits currently set on the

host for the container

- The podman rm and podman rmi commands now use different exit

codes to indicate 'no such container' and 'container is

running' errors

- Support for CGroups V2 through the crun OCI runtime has been

greatly improved, allowing resource limits to be set for

rootless containers when the CGroups V2 hierarchy is in use

* Bugfixes

- Fixed a bug where a race condition could cause podman restart

to fail to start containers with ports

- Fixed a bug where containers restored from a checkpoint would

not properly report the time they were started at

- Fixed a bug where podman search would return at most 25

results, even when the maximum number of results was set higher

- Fixed a bug where podman play kube would not honor capabilities

set in imported YAML (#3689)

- Fixed a bug where podman run --env, when passed a single key

(to use the value from the host), would set the environment

variable in the container even if it was not set on the host

(#3648)

- Fixed a bug where podman commit --changes would not properly

set environment variables

- Fixed a bug where Podman could segfault while working with

images with no history

- Fixed a bug where podman volume rm could remove arbitrary

volumes if given an ambiguous name (#3635)

- Fixed a bug where podman exec invocations leaked memory by not

cleaning up files in tmpfs

- Fixed a bug where the --dns and --net=container flags to podman

run and podman create were not mutually exclusive (#3553)

- Fixed a bug where rootless Podman would be unable to run

containers when less than 5 UIDs were available

- Fixed a bug where containers in pods could not be removed

without removing the entire pod (#3556)

- Fixed a bug where Podman would not properly clean up all CGroup

controllers for created cgroups when using the cgroupfs CGroup

driver

- Fixed a bug where Podman containers did not properly clean up

files in tmpfs, resulting in a memory leak as containers

stopped

- Fixed a bug where healthchecks from images would not use

default settings for interval, retries, timeout, and start

period when they were not provided by the image (#3525)

- Fixed a bug where healthchecks using the HEALTHCHECK CMD format

where not properly supported (#3507)

- Fixed a bug where volume mounts using relative source paths

would not be properly resolved (#3504)

- Fixed a bug where podman run did not use authorization

credentials when a custom path was specified (#3524)

- Fixed a bug where containers checkpointed with podman container

checkpoint did not properly set their finished time

- Fixed a bug where running podman inspect on any container not

created with podman run or podman create (for example, pod

infra containers) would result in a segfault (#3500)

- Fixed a bug where healthcheck flags for podman create and

podman run were incorrectly named (#3455)

- Fixed a bug where Podman commands would fail to find targets if

a partial ID was specified that was ambiguous between a

container and pod (#3487)

- Fixed a bug where restored containers would not have the

correct SELinux label

- Fixed a bug where Varlink endpoints were not working properly

if more was not correctly specified

- Fixed a bug where the Varlink PullImage endpoint would crash if

an error occurred (#3715)

- Fixed a bug where the --mount flag to podman create and podman

run did not allow boolean arguments for its ro and rw options

(#2980)

- Fixed a bug where pods did not properly share the UTS

namespace, resulting in incorrect behavior from some utilities

which rely on hostname (#3547)

- Fixed a bug where Podman would unconditionally append

ENTRYPOINT to CMD during podman commit (and when reporting CMD

in podman inspect) (#3708)

- Fixed a bug where podman events with the journald events

backend would incorrectly print 6 previous events when only new

events were requested (#3616)

- Fixed a bug where podman port would exit prematurely when a

port number was specified (#3747)

- Fixed a bug where passing . as an argument to the --dns-search

flag to podman create and podman run was not properly clearing

DNS search domains in the container

* Misc

- Updated vendored Buildah to v1.10.1

- Updated vendored containers/image to v3.0.2

- Updated vendored containers/storage to v1.13.1

- Podman now requires conmon v2.0.0 or higher

- The podman info command now displays the events logger being in

use

- The podman inspect command on containers now includes the ID of

the pod a container has joined and the PID of the container's

conmon process

- The -v short flag for podman --version has been re-added

- Error messages from podman pull should be significantly clearer

- The podman exec command is now available in the remote client

- The podman-v1.5.0.tar.gz file attached is podman packaged for

MacOS. It can be installed using Homebrew.

- Update libpod.conf to support latest path discovery feature for

`runc` and `conmon` binaries.

conmon was included in version 2.0.10. (bsc#1160460, bsc#1164390, jsc#ECO-1048, jsc#SLE-11485, jsc#SLE-11331):

fuse-overlayfs was updated to v0.7.6 (bsc#1160460)

- do not look in lower layers for the ino if there is no origin

xattr set

- attempt to use the file path if the operation on the fd fails

with ENXIO

- do not expose internal xattrs through listxattr and getxattr

- fix fallocate for deleted files.

- ignore O_DIRECT. It causes issues with libfuse not using an

aligned buffer, causing write(2) to fail with EINVAL.

- on copyup, do not copy the opaque xattr.

- fix a wrong lookup for whiteout files, that could happen on a

double unlink.

- fix possible segmentation fault in direct_fsync()

- use the data store to create missing whiteouts

- after a rename, force a directory reload

- introduce inodes cache

- correctly read inode for unix sockets

- avoid hash map lookup when possible

- use st_dev for the ino key

- check whether writeback is supported

- set_attrs: don't require write to S_IFREG

- ioctl: do not reuse fi->fh for directories

- fix skip whiteout deletion optimization

- store the new mode after chmod

- support fuse writeback cache and enable it by default

- add option to disable fsync

- add option to disable xattrs

- add option to skip ino number check in lower layers

- fix fd validity check

- fix memory leak

- fix read after free

- fix type for flistxattr return

- fix warnings reported by lgtm.com

- enable parallel dirops

cni was updated to 0.7.1:

- Set correct CNI version for 99-loopback.conf

Update to version 0.7.1 (bsc#1160460):

* Library changes:

+ invoke : ensure custom envs of CNIArgs are prepended to process envs

+ add GetNetworkListCachedResult to CNI interface

+ delegate : allow delegation funcs override CNI_COMMAND env automatically in heritance

* Documentation & Convention changes:

+ Update cnitool documentation for spec v0.4.0

+ Add cni-route-override to CNI plugin list

Update to version 0.7.0:

* Spec changes:

+ Use more RFC2119 style language in specification (must, should...)

+ add notes about ADD/DEL ordering

+ Make the container ID required and unique.

+ remove the version parameter from ADD and DEL commands.

+ Network interface name matters

+ be explicit about optional and required structure members

+ add CHECK method

+ Add a well-known error for 'try again'

+ SPEC.md: clarify meaning of 'routes'

* Library changes:

+ pkg/types: Makes IPAM concrete type

+ libcni: return error if Type is empty

+ skel: VERSION shouldn't block on stdin

+ non-pointer instances of types.Route now correctly marshal to JSON

+ libcni: add ValidateNetwork and ValidateNetworkList functions

+ pkg/skel: return error if JSON config has no network name

+ skel: add support for plugin version string

+ libcni: make exec handling an interface for better downstream testing

+ libcni: api now takes a Context to allow operations to be timed out or cancelled

+ types/version: add helper to parse PrevResult

+ skel: only print about message, not errors

+ skel,invoke,libcni: implementation of CHECK method

+ cnitool: Honor interface name supplied via CNI_IFNAME environment variable.

+ cnitool: validate correct number of args

+ Don't copy gw from IP4.Gateway to Route.GW When converting from 0.2.0

+ add PrintTo method to Result interface

+ Return a better error when the plugin returns none

- Install sleep binary into CNI plugin directory

cni-plugins was updated to 0.8.4:

Update to version 0.8.4 (bsc#1160460):

* add support for mips64le

* Add missing cniVersion in README example

* bump go-iptables module to v0.4.5

* iptables: add idempotent functions

* portmap doesn't fail if chain doesn't exist

* fix portmap port forward flakiness

* Add Bruce Ma and Piotr Skarmuk as owners

Update to version 0.8.3:

* Enhancements:

* static: prioritize the input sources for IPs (#400).

* tuning: send gratuitous ARP in case of MAC address update (#403).

* bandwidth: use uint64 for Bandwidth value (#389).

* ptp: only override DNS conf if DNS settings provided (#388).

* loopback: When prevResults are not supplied to loopback plugin, create results to return (#383).

* loopback support CNI CHECK and result cache (#374).

* Better input validation:

* vlan: add MTU validation to loadNetConf (#405).

* macvlan: add MTU validation to loadNetConf (#404).

* bridge: check vlan id when loading net conf (#394).

* Bugfixes:

* bugfix: defer after err check, or it may panic (#391).

* portmap: Fix dual-stack support (#379).

* firewall: don't return error in DEL if prevResult is not found (#390).

* bump up libcni back to v0.7.1 (#377).

* Docs:

* contributing doc: revise test script name to run (#396).

* contributing doc: describe cnitool installation (#397).

Update plugins to v0.8.2

+ New features:

* Support 'args' in static and tuning

* Add Loopback DSR support, allow l2tunnel networks

to be used with the l2bridge plugin

* host-local: return error if same ADD request is seen twice

* bandwidth: fix collisions

* Support ips capability in static and mac capability in tuning

* pkg/veth: Make host-side veth name configurable

+ Bug fixes:

* Fix: failed to set bridge addr: could not add IP address to 'cni0': file exists

* host-device: revert name setting to make retries idempotent (#357).

* Vendor update go-iptables. Vendor update go-iptables to

obtain commit f1d0510cabcb710d5c5dd284096f81444b9d8d10

* Update go.mod & go.sub

* Remove link Down/Up in MAC address change to prevent route flush (#364).

* pkg/ip unit test: be agnostic of Linux version, on Linux 4.4 the syscall

error message is 'invalid argument' not 'file exists'

* bump containernetworking/cni to v0.7.1

Updated plugins to v0.8.1:

+ Bugs:

* bridge: fix ipMasq setup to use correct source address

* fix compilation error on 386

* bandwidth: get bandwidth interface in host ns through

container interface

+ Improvements:

* host-device: add pciBusID property

Updated plugins to v0.8.0:

+ New plugins:

* bandwidth - limit incoming and outgoing bandwidth

* firewall - add containers to firewall rules

* sbr - convert container routes to source-based routes

* static - assign a fixed IP address

* win-bridge, win-overlay: Windows plugins

+ Plugin features / changelog:

* CHECK Support

* macvlan:

- Allow to configure empty ipam for macvlan

- Make master config optional

* bridge:

- Add vlan tag to the bridge cni plugin

- Allow the user to assign VLAN tag

- L2 bridge Implementation.

* dhcp:

- Include Subnet Mask option parameter in DHCPREQUEST

- Add systemd unit file to activate socket with systemd

- Add container ifName to the dhcp clientID, making the

clientID value

* flannel:

- Pass through runtimeConfig to delegate

* host-local:

- host-local: add ifname to file tracking IP address used

* host-device:

- Support the IPAM in the host-device

- Handle empty netns in DEL for loopback and host-device

* tuning:

- adds 'ip link' command related feature into tuning

+ Bug fixes & minor changes

* Correctly DEL on ipam failure for all plugins

* Fix bug on ip revert if cmdAdd fails on macvlan and host-device

* host-device: Ensure device is down before rename

* Fix -hostprefix option

* some DHCP servers expect to request for explicit router options

* bridge: release IP in case of error

* change source of ipmasq rule from ipn to ip

from version v0.7.5:

+ This release takes a minor change to the portmap plugin:

* Portmap: append, rather than prepend, entry rules

+ This fixes a potential issue where firewall rules may

be bypassed by port mapping

1167850

This update for podman, slirp4netns fixes the following issues:

slirp4netns was updated to 0.4.4 (bsc#1167850):

* libslirp: Update to v4.2.0:

* New API function slirp_add_unix: add a forward rule to a Unix

socket.

* New API function slirp_remove_guestfwd: remove a forward rule

previously added by slirp_add_exec, slirp_add_unix or

slirp_add_guestfwd

* New SlirpConfig.outbound_addr{,6} fields to bind output

socket to a specific address

* socket: do not fallback on host loopback if get_dns_addr()

failed or the address is in slirp network

* ncsi: fix checksum OOB memory access

* tcp_emu(): fix OOB accesses

* tftp: restrict relative path access

* state: fix loading of guestfwd state

Update to 0.4.3:

* api: raise an error if the socket path is too long

* libslirp: update to v4.1.0: Including the fix for libslirp

sends RST to app in response to arriving FIN when containerized

socket is shutdown() with SHUT_WR

* Fix create_sandbox error

Update to 0.4.2:

* Do not propagate mounts to the parent ns in sandbox

Update to 0.4.1:

* Support specifying netns path (slirp4netns --netns-type=path PATH

TAPNAME)

* Support specifying --userns-path

* Vendor https://gitlab.freedesktop.org/slirp/libslirp (QEMU v4.1+)

* Bring up loopback device when --configure is specified

* Support sandboxing by creating a mount namespace

(--enable-sandbox)

* Support seccomp (--enable-seccomp)

- Add new build dependencies libcap-devel and libseccomp-devel

Update to 0.3.3:

* Fix use-after-free in libslirp

Update to 0.3.2:

* Fix heap overflow in `ip_reass` on big packet input

Update to 0.3.1:

* Fix use-after-free

Changes in podman:

- Fixed dependency on slirp4netns. We need at least 0.4.0 now (bsc#1167850)

1149954,1160452,CVE-2019-19921

This update for runc fixes the following issues:

runc was updated to v1.0.0~rc10

- CVE-2019-19921: Fixed a mount race condition with shared mounts (bsc#1160452).

- Fixed an issue where podman run hangs when spawned by salt-minion process (bsc#1149954).

1170940,CVE-2020-1983

This update for slirp4netns fixes the following issues:

Security issue fixed:

- CVE-2020-1983: Fixed a use-after-free in ip_reass (bsc#1170940).

1130489,1141680,CVE-2019-1010305

This update for libmspack fixes the following issues:

Security issue fixed:

- CVE-2019-1010305: Fixed a buffer overflow triggered by a crafted chm file

which could have led to information disclosure (bsc#1141680).

Other issue addressed:

- Enable build-time tests (bsc#1130489)

1172380,CVE-2020-10756

This update for slirp4netns fixes the following issues:

- Update to 0.4.7 (bsc#1172380)

* libslirp: update to v4.3.1 (Fix CVE-2020-10756)

* Fix config_from_options() to correctly enable ipv6

1171566

This update for libtool provides missing the libltdl 32bit library. (bsc#1171566)

1172786

This update ships cni and cni-plugins to the Public Cloud Module of SUSE Linux Enterprise 15 SP2.

1041090,1049382,1116658,1136234,1155141,1173404,1173409,1173410,1173471,1174465,1176547,1177955,1178807,1178943,1178944,1179025,1179203,1181122,1181644,1181872,1182790

This update for libreoffice provides the upgrade from version 6.4.5.2 to 7.1.1.2 (jsc#ECO-3150, bsc#1182790)

libreoffice:

- Image shown with different aspect ratio (bsc#1176547)

- Text changes are reproducibly lost on PPTX with SmartArt (bsc#1181644)

- Adjust to new Box2D and enable KDE on SUSE Linux Enterprise 15-SP3 or newer (jsc#ECO-3375)

- Wrong bullet points in Impress (bsc#1174465)

- SmartArt: text wrongly aligned, background boxes not quite right (bsc#1177955)

- Update the SUSE color palette to reflect the new SUSE branding. (bsc#1181122, bsc#1173471)

- SUSE Mint

- SUSE Midnight Blue

- SUSE Waterhole Blue

- SUSE Persimmon

- Fix a crash opening a PPTX. (bsc#1179025)

- Fix text box from PowerPoint renders vertically instead of horizontally (bsc#1178807)

- Shadow effects for table completely missing (bsc#1178944, bsc#1178943)

- Disable firebird integration for the time being (bsc#1179203)

- Fixes hang on Writer on scrolling/saving of a document (bsc#1136234)

- Wrong rendering of bulleted lists in PPTX document (bsc#1155141)

- Sidebar: paragraph widget: numeric fields become inactive/unaccessible after saving (bsc#1173404)

- Crash of Writer opening any document having 'invalid' python file in home directory (bsc#1116658)

libixion:

Update to 0.16.1:

- fixed a build issue on 32-bit linux platforms, caused by slicing of integer string ID values.

- worked around floating point rounding errors which prevented two theoretically-equal numeric values from being

evaluated as equal in test code.

- added new function to allow printing of single formula tokens.

- added method for setting cached results on formula cells in model_context.

- changed the model_context design to ensure that all sheets are of the same size.

- added an accessor method to formula_model_access interface (and implicitly in model_context) that directly returns

a string value from cell.

- added cell_access class for querying of cell states without knowing its type ahead of time.

- added document class which provides a layer on top of model_context, to abstract away the handling of formula

calculations.

- deprecated model_context::erase_cell() in favor of empty_cell().

- added support for 3D references - references that contain multiple sheets.

- added support for the exponent (^) and concatenation (&) operators.

- fixed incorrect handling of range references containing whole columns such as A:A.

- added support for unordered range references - range references whose start row or column is greater than

their end position counterparts, such as A3:A1.

- fixed a bug that prevented nested formula functions from working properly.

- implemented Calc A1 style reference resolver.

- formula results now directly store the string values when the results are of string type.

They previously stored string ID values after interning the original strings.

- Removed build-time dependency on spdlog.

libmwaw:

Update to 0.3.17:

- add a parser for Jazz(Lotus) writer and spreasheet files. The writer parser can only be called if the file

still contains its resource fork

- add a parser for Canvas 3 and 3.5 files

- AppleWorks parser: try to retrieve more Windows presentation

- add a parser for Drawing Table files

- add a parser for Canvas 2 files

- API: add new reserved enums in MWAWDocument.hxx `MWAW_T_RESERVED10..MWAW_T_RESERVED29`

and add a new define in libmwaw.hxx `MWAW_INTERFACE_VERSION` to check if these enums are defined

- remove the QuarkXPress parser (must be in libqxp)

- retrieve the annotation in MsWord 5 document

- try to better understand RagTime 5-6 document

libnumbertext:

Update to 1.0.6

liborcus:

Update to 0.16.1

- Add upstream changes to fix build with GCC 11 (bsc#1181872)

libstaroffice:

Update to 0.0.7:

- fix `text:sender-lastname` when creating meta-data

libwps:

Update to 0.4.11:

- XYWrite: add a parser to .fil v2 and v4 files

- wks,wk1: correct some problems when retrieving cell's reference.

glfw:

New package provided on version 3.3.2:

- See also: https://www.glfw.org/changelog.html

- Sort list of input files to geany for reproducible builds (bsc#1049382, bsc#1041090)

* Require pkgconfig(gl) for the devel package to supply needed include GL/gl.h

* glfwFocusWindow could terminate on older WMs or without a WM

* Creating an undecorated window could fail with BadMatch

* Querying a disconnected monitor could segfault

* Video modes with a duplicate screen area were discarded

* The CMake files did not check for the XInput headers

* Key names were not updated when the keyboard layout changed

* Decorations could not be enabled after window creation

* Content scale fallback value could be inconsistent

* Disabled cursor mode was interrupted by indicator windows

* Monitor physical dimensions could be reported as zero mm

* Window position events were not emitted during resizing

* Added on-demand loading of Vulkan and context creation API libraries

* [X11] Bugfix: Window size limits were ignored if the minimum or maximum size was

set to `GLFW_DONT_CARE`

* [X11] Bugfix: Input focus was set before window was visible,

causing BadMatch on some non-reparenting WMs

* [X11] Bugfix: glfwGetWindowPos and glfwSetWindowPos operated on

the window frame instead of the client area

* [WGL] Added reporting of errors from `WGL_ARB_create_context` extension

* [EGL] Added lib prefix matching between EGL and OpenGL ES library binaries

* [EGL] Bugfix: Dynamically loaded entry points were not verified

- Made build of geany-tags optional.

Box2D:

New package provided on version 2.4.1:

* Extended distance joint to have a minimum and maximum limit.

* `B2_USER_SETTINGS` and `b2_user_settings.h` can control user

data, length units, and maximum polygon vertices.

* Default user data is now uintptr_t instead of void*

* b2FixtureDef::restitutionThreshold lets you set the

restitution velocity threshold per fixture.

* Collision

* Chain and edge shape must now be one-sided to eliminate ghost

collisions

* Broad-phase optimizations

* Added b2ShapeCast for linear shape casting

* Dynamics

* Joint limits are now predictive and not stateful

* Experimental 2D cloth (rope)

* b2Body::SetActive -> b2Body::SetEnabled

* Better support for running multiple worlds

* Handle zero density better

* The body behaves like a static body

* The body is drawn with a red color

* Added translation limit to wheel joint

* World dump now writes to box2d_dump.inl

* Static bodies are never awake

* All joints with spring-dampers now use stiffness and damping

* Added utility functions to convert frequency and damping

ratio to stiffness and damping

* Polygon creation now computes the convex hull.

* The convex hull code will merge vertices closer than dm_linearSlop.

1181131,CVE-2021-20193

This update for tar fixes the following issues:

CVE-2021-20193: Memory leak in read_header() in list.c (bsc#1181131)

1168481,1175081,1175821,1181594,1181641,1181677,1181730,1181732,1181749,1182451,1182476,1182947,1183024,1183855,1184768,1184962,1185405,CVE-2021-21284,CVE-2021-21285,CVE-2021-21334,CVE-2021-30465

This update for containerd, docker, runc fixes the following issues:

Docker was updated to 20.10.6-ce (bsc#1184768, bsc#1182947, bsc#1181594)

* Switch version to use -ce suffix rather than _ce to avoid confusing other

tools (bsc#1182476).

* CVE-2021-21284: Fixed a potential privilege escalation when the root user in

the remapped namespace has access to the host filesystem (bsc#1181732)

* CVE-2021-21285: Fixed an issue where pulling a malformed Docker image manifest

crashes the dockerd daemon (bsc#1181730).

* btrfs quotas being removed by Docker regularly (bsc#1183855, bsc#1175081)

runc was updated to v1.0.0~rc93 (bsc#1182451, bsc#1175821 bsc#1184962).

* Use the upstream runc package (bsc#1181641, bsc#1181677, bsc#1175821).

* Fixed /dev/null is not available (bsc#1168481).

* CVE-2021-30465: Fixed a symlink-exchange attack vulnarability (bsc#1185405).

containerd was updated to v1.4.4

* CVE-2021-21334: Fixed a potential information leak through environment variables (bsc#1183397).

* Handle a requirement from docker (bsc#1181594).

1184124

This update for tar fixes the following issues:

- Link '/var/lib/tests/tar/bin/genfile' as Position-Independent Executable (bsc#1184124)

1103032,CVE-2018-14679,CVE-2018-14681,CVE-2018-14682

This update for libmspack fixes the following issues:

- CVE-2018-14681: Bad KWAJ file header extensions could cause a one or two byte overwrite. (bsc#1103032)

- CVE-2018-14682: There is an off-by-one error in the TOLOWER() macro for CHM decompression. (bsc#1103032)

- CVE-2018-14679: There is an off-by-one error in the CHM PMGI/PMGL chunk number validity checks, which could lead to denial of service. (bsc#1103032)

This update for unixODBC fixes the following issues:

- ECO: Update unixODBC to 2.3.9 in SLE 15. (jsc#SLE-18004)

- Fix incorrect permission for documentation files.

- Update requires and baselibs for new libodbc2.

- Employ shared library packaging guideline: new subpacakge libodbc2.

- Update to 2.3.9:

* Remove '#define UNIXODBC_SOURCE' from unixodbc_conf.h

- Update to 2.3.8:

* Add configure support for editline

* SQLDriversW was ignoring user config

* SQLDataSources Fix termination character

* Fix for pooling seg fault

* Make calling SQLSetStmtAttrW call the W function in the driver is its there

* Try and fix race condition clearing system odbc.ini file

* Remove trailing space from isql/iusql SQL

* When setting connection attributes set before connect also check if the W entry poins can be used

* Try calling the W error functions first if available in the driver

* Add iconvperdriver configure option to allow calling unicode_setup in SQLAllocHandle

* iconv handles was being lost when reusing pooled connection

* Catch null copy in iniPropertyInsert

* Fix a few leaks

- Update to 2.3.7:

* Fix for pkg-config file update on no linux platforms

* Add W entry for GUI work

* Various fixes for SQLBrowseConnect/W, SQLGetConnectAttr/W,and SQLSetConnectAttr/W

* Fix buffer overflows in SQLConnect/W and refine behaviour of SQLGet/WritePrivateProfileString

* SQLBrowseConnect/W allow disconnecting a started browse session after error

* Add --with-stats-ftok-name configure option to allow the selection of a file name

used to generate the IPC id when collecting stats. Default is the system odbc.ini file

* Improve diag record handling with the behavior of Windows DM and export SQLCancelHandle

* bug fix when SQLGetPrivateProfileString() is called to get a list of sections or a list of keys

* Connection pooling: Fix liveness check for Unicode drivers

1189743

This update for runc fixes the following issues:

- Fixed an issue when toolbox container fails to start. (bsc#1189743)

1102408,1185405,1187704,1188282,1190826,1191015,1191121,1191334,1191355,1191434,CVE-2021-30465,CVE-2021-32760,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103

This update for containerd, docker, runc fixes the following issues:

Docker was updated to 20.10.9-ce. (bsc#1191355)

See upstream changelog in the packaged

/usr/share/doc/packages/docker/CHANGELOG.md.

CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103

container was updated to v1.4.11, to fix CVE-2021-41103. bsc#1191355

- CVE-2021-32760: Fixed that a archive package allows chmod of file outside of unpack target directory (bsc#1188282)

- Install systemd service file as well (bsc#1190826)

Update to runc v1.0.2. Upstream changelog is available from

https://github.com/opencontainers/runc/releases/tag/v1.0.2

* Fixed a failure to set CPU quota period in some cases on cgroup v1.

* Fixed the inability to start a container with the 'adding seccomp filter

rule for syscall ...' error, caused by redundant seccomp rules (i.e. those

that has action equal to the default one). Such redundant rules are now

skipped.

* Made release builds reproducible from now on.

* Fixed a rare debug log race in runc init, which can result in occasional

harmful 'failed to decode ...' errors from runc run or exec.

* Fixed the check in cgroup v1 systemd manager if a container needs to be

frozen before Set, and add a setting to skip such freeze unconditionally.

The previous fix for that issue, done in runc 1.0.1, was not working.

Update to runc v1.0.1. Upstream changelog is available from

https://github.com/opencontainers/runc/releases/tag/v1.0.1

* Fixed occasional runc exec/run failure ('interrupted system call') on an

Azure volume.

* Fixed 'unable to find groups ... token too long' error with /etc/group

containing lines longer than 64K characters.

* cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is

frozen. This is a regression in 1.0.0, not affecting runc itself but some

of libcontainer users (e.g Kubernetes).

* cgroupv2: bpf: Ignore inaccessible existing programs in case of

permission error when handling replacement of existing bpf cgroup

programs. This fixes a regression in 1.0.0, where some SELinux

policies would block runc from being able to run entirely.

* cgroup/systemd/v2: don't freeze cgroup on Set.

* cgroup/systemd/v1: avoid unnecessary freeze on Set.

- fix issues with runc under openSUSE MicroOS's SELinux policy. bsc#1187704

Update to runc v1.0.0. Upstream changelog is available from

https://github.com/opencontainers/runc/releases/tag/v1.0.0

! The usage of relative paths for mountpoints will now produce a warning

(such configurations are outside of the spec, and in future runc will

produce an error when given such configurations).

* cgroupv2: devices: rework the filter generation to produce consistent

results with cgroupv1, and always clobber any existing eBPF

program(s) to fix runc update and avoid leaking eBPF programs

(resulting in errors when managing containers).

* cgroupv2: correctly convert 'number of IOs' statistics in a

cgroupv1-compatible way.

* cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.

* cgroupv2: wait for freeze to finish before returning from the freezing

code, optimize the method for checking whether a cgroup is frozen.

* cgroups/systemd: fixed 'retry on dbus disconnect' logic introduced in rc94

* cgroups/systemd: fixed returning 'unit already exists' error from a systemd

cgroup manager (regression in rc94)

+ cgroupv2: support SkipDevices with systemd driver

+ cgroup/systemd: return, not ignore, stop unit error from Destroy

+ Make 'runc --version' output sane even when built with go get or

otherwise outside of our build scripts.

+ cgroups: set SkipDevices during runc update (so we don't modify

cgroups at all during runc update).

+ cgroup1: blkio: support BFQ weights.

+ cgroupv2: set per-device io weights if BFQ IO scheduler is available.

Update to runc v1.0.0~rc95. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95

This release of runc contains a fix for CVE-2021-30465, and users are

strongly recommended to update (especially if you are providing

semi-limited access to spawn containers to untrusted users). (bsc#1185405)

Update to runc v1.0.0~rc94. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc94

Breaking Changes:

* cgroupv1: kernel memory limits are now always ignored, as kmemcg has

been effectively deprecated by the kernel. Users should make use of regular

memory cgroup controls.

Regression Fixes:

* seccomp: fix 32-bit compilation errors

* runc init: fix a hang caused by deadlock in seccomp/ebpf loading code

* runc start: fix 'chdir to cwd: permission denied' for some setups

1193436,CVE-2021-43784

This update for runc fixes the following issues:

Update to runc v1.0.3.

* CVE-2021-43784: Fixed a potential vulnerability related to the internal usage

of netlink, which is believed to not be exploitable with any released versions of runc (bsc#1193436)

* Fixed inability to start a container with read-write bind mount of a read-only fuse host mount.

* Fixed inability to start when read-only /dev in set in spec.

* Fixed not removing sub-cgroups upon container delete, when rootless cgroup

v2 is used with older systemd.

* Fixed returning error from GetStats when hugetlb is unsupported (which

causes excessive logging for kubernetes).

1113040,CVE-2018-18586

This update for libmspack fixes the following issues:

- CVE-2018-18586: Fixed directory traversal in chmextract by adding anti '../' and leading slash protection (bsc#1113040).

1179467,CVE-2020-29130

This update for slirp4netns fixes the following issues:

- CVE-2020-29130: Fixed an invalid memory access while processing ARP packets (bsc#1179467).

1029961,1120610,1130496,1181131,CVE-2018-20482,CVE-2019-9923,CVE-2021-20193

This update for tar fixes the following issues:

- CVE-2021-20193: Fixed a memory leak in read_header() in list.c (bsc#1181131).

- CVE-2019-9923: Fixed a null-pointer dereference in pax_decode_header in sparse.c (bsc#1130496).

- CVE-2018-20482: Fixed infinite read loop in sparse_dump_region in sparse.c (bsc#1120610).

- Update to GNU tar 1.34:

* Fix extraction over pipe

* Fix memory leak in read_header (CVE-2021-20193) (bsc#1181131)

* Fix extraction when . and .. are unreadable

* Gracefully handle duplicate symlinks when extracting

* Re-initialize supplementary groups when switching to user

privileges

- Update to GNU tar 1.33:

* POSIX extended format headers do not include PID by default

* --delay-directory-restore works for archives with reversed

member ordering

* Fix extraction of a symbolic link hardlinked to another

symbolic link

* Wildcards in exclude-vcs-ignore mode don't match slash

* Fix the --no-overwrite-dir option

* Fix handling of chained renames in incremental backups

* Link counting works for file names supplied with -T

* Accept only position-sensitive (file-selection) options in file

list files

- prepare usrmerge (bsc#1029961)

- Update to GNU 1.32

* Fix the use of --checkpoint without explicit --checkpoint-action

* Fix extraction with the -U option

* Fix iconv usage on BSD-based systems

* Fix possible NULL dereference (savannah bug #55369)

[bsc#1130496] [CVE-2019-9923]

* Improve the testsuite

- Update to GNU 1.31

* Fix heap-buffer-overrun with --one-top-level, bug introduced

with the addition of that option in 1.28

* Support for zstd compression

* New option '--zstd' instructs tar to use zstd as compression

program. When listing, extractng and comparing, zstd compressed

archives are recognized automatically. When '-a' option is in

effect, zstd compression is selected if the destination archive

name ends in '.zst' or '.tzst'.

* The -K option interacts properly with member names given in the

command line. Names of members to extract can be specified along

with the '-K NAME' option. In this case, tar will extract NAME

and those of named members that appear in the archive after it,

which is consistent with the semantics of the option. Previous

versions of tar extracted NAME, those of named members that

appeared before it, and everything after it.

* Fix CVE-2018-20482 - When creating archives with the --sparse

option, previous versions of tar would loop endlessly if a

sparse file had been truncated while being archived.

1192051,1199460,1199565,1200088,1200145,CVE-2022-29162,CVE-2022-31030

This update for containerd, docker and runc fixes the following issues:

containerd:

- CVE-2022-31030: Fixed denial of service via invocation of the ExecSync API (bsc#1200145)

docker:

- Update to Docker 20.10.17-ce. See upstream changelog online at

https://docs.docker.com/engine/release-notes/25.0/. (bsc#1200145)

runc:

Update to runc v1.1.3.

Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.3.

* Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on

s390 and s390x. This solves the issue where syscalls the host kernel did not

support would return `-EPERM` despite the existence of the `-ENOSYS` stub

code (this was due to how s390x does syscall multiplexing).

* Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as

intended; this fix does not affect runc binary itself but is important for

libcontainer users such as Kubernetes.

* Inability to compile with recent clang due to an issue with duplicate

constants in libseccomp-golang.

* When using systemd cgroup driver, skip adding device paths that don't exist,

to stop systemd from emitting warnings about those paths.

* Socket activation was failing when more than 3 sockets were used.

* Various CI fixes.

* Allow to bind mount /proc/sys/kernel/ns_last_pid to inside container.

- Fixed issues with newer syscalls (namely faccessat2) on older kernels on s390(x) caused by

that platform's syscall multiplexing semantics. (bsc#1192051 bsc#1199565)

Update to runc v1.1.2.

Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.2.

Security issue fixed:

- CVE-2022-29162: A bug was found in runc where runc exec --cap executed processes with

non-empty inheritable Linux process capabilities, creating an atypical Linux

environment. (bsc#1199460)

- `runc spec` no longer sets any inheritable capabilities in the created

example OCI spec (`config.json`) file.

Update to runc v1.1.1.

Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.1.

* runc run/start can now run a container with read-only /dev in OCI spec,

rather than error out. (#3355)

* runc exec now ensures that --cgroup argument is a sub-cgroup. (#3403)

libcontainer systemd v2 manager no longer errors out if one of the files

listed in /sys/kernel/cgroup/delegate do not exist in container's

cgroup. (#3387, #3404)

* Loosen OCI spec validation to avoid bogus 'Intel RDT is not supported'

error. (#3406)

* libcontainer/cgroups no longer panics in cgroup v1 managers if stat

of /sys/fs/cgroup/unified returns an error other than ENOENT. (#3435)

Update to runc v1.1.0.

Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.0.

- libcontainer will now refuse to build without the nsenter package being

correctly compiled (specifically this requires CGO to be enabled). This

should avoid folks accidentally creating broken runc binaries (and

incorrectly importing our internal libraries into their projects). (#3331)

Update to runc v1.1.0~rc1.

Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.0-rc.1.

+ Add support for RDMA cgroup added in Linux 4.11.

* runc exec now produces exit code of 255 when the exec failed.

This may help in distinguishing between runc exec failures

(such as invalid options, non-running container or non-existent

binary etc.) and failures of the command being executed.

+ runc run: new --keep option to skip removal exited containers artefacts.

This might be useful to check the state (e.g. of cgroup controllers) after

the container hasexited.

+ seccomp: add support for SCMP_ACT_KILL_PROCESS and SCMP_ACT_KILL_THREAD

(the latter is just an alias for SCMP_ACT_KILL).

+ seccomp: add support for SCMP_ACT_NOTIFY (seccomp actions). This allows

users to create sophisticated seccomp filters where syscalls can be

efficiently emulated by privileged processes on the host.

+ checkpoint/restore: add an option (--lsm-mount-context) to set

a different LSM mount context on restore.

+ intelrdt: support ClosID parameter.

+ runc exec --cgroup: an option to specify a (non-top) in-container cgroup

to use for the process being executed.

+ cgroup v1 controllers now support hybrid hierarchy (i.e. when on a cgroup v1

machine a cgroup2 filesystem is mounted to /sys/fs/cgroup/unified, runc

run/exec now adds the container to the appropriate cgroup under it).

+ sysctl: allow slashes in sysctl names, to better match sysctl(8)'s

behaviour.

+ mounts: add support for bind-mounts which are inaccessible after switching

the user namespace. Note that this does not permit the container any

additional access to the host filesystem, it simply allows containers to

have bind-mounts configured for paths the user can access but have

restrictive access control settings for other users.

+ Add support for recursive mount attributes using mount_setattr(2). These

have the same names as the proposed mount(8) options -- just prepend r

to the option name (such as rro).

+ Add runc features subcommand to allow runc users to detect what features

runc has been built with. This includes critical information such as

supported mount flags, hook names, and so on. Note that the output of this

command is subject to change and will not be considered stable until runc

1.2 at the earliest. The runtime-spec specification for this feature is

being developed in opencontainers/runtime-spec#1130.

* system: improve performance of /proc/$pid/stat parsing.

* cgroup2: when /sys/fs/cgroup is configured as a read-write mount, change

the ownership of certain cgroup control files (as per

/sys/kernel/cgroup/delegate) to allow for proper deferral to the container

process.

* runc checkpoint/restore: fixed for containers with an external bind mount

which destination is a symlink.

* cgroup: improve openat2 handling for cgroup directory handle hardening.

runc delete -f now succeeds (rather than timing out) on a paused

container.

* runc run/start/exec now refuses a frozen cgroup (paused container in case of

exec). Users can disable this using --ignore-paused.

- Update version data embedded in binary to correctly include the git commit of the release.

1199232,CVE-2022-1586

This update for pcre2 fixes the following issues:

- CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)

1199235,CVE-2022-1587

This update for pcre2 fixes the following issues:

- CVE-2022-1587: Fixed out-of-bounds read due to bug in recursions (bsc#1199235).

1200657

This update for tar fixes the following issues:

- Fix race condition while creating intermediate subdirectories (bsc#1200657)

1202436

This update for tar fixes the following issues:

- A regression in a previous update lead to potential deadlocks when extracting an archive. (bsc#1202436)

1193951,CVE-2020-21913

This update for icu fixes the following issues:

- CVE-2020-21913: Fixed a memory safetey issue that could lead to use

after free (bsc#1193951).

1202821

This update for runc fixes the following issues:

- Fix mounting via wrong proc fd. When the user and mount namespaces are used, and the bind mount is followed by the

cgroup mount in the spec, the cgroup was mounted using the bind mount's mount fd.

- Fix 'permission denied' error from runc run on noexec fs

- Fix regression causing a failed 'exec' error after systemctl daemon-reload (bsc#1202821)

1202021,1202821

This update for runc fixes the following issues:

- Update to runc v1.1.4 (bsc#1202021)

- Fix failed exec after systemctl daemon-reload (bsc#1202821)

- Fix mounting via wrong proc

- Fix 'permission denied' error from runc run on noexec filesystem

1200657,1203600

This update for tar fixes the following issues:

- Fix unexpected inconsistency when making directory (bsc#1203600)

- Update race condition fix (bsc#1200657)

1181961,CVE-2021-20206

This update for cni fixes the following issues:

- CVE-2021-20206: Fixed arbitrary path injection via type field in CNI configuration (bsc#1181961).

1202436

This update for tar fixes the following issue:

- Fix hang when unpacking test tarball (bsc#1202436)

1202436,1207753,CVE-2022-48303

This update for tar fixes the following issues:

- CVE-2022-48303: Fixed a one-byte out-of-bounds read that resulted in use of uninitialized memory for a conditional jump (bsc#1207753).

Bug fixes:

- Fix hang when unpacking test tarball (bsc#1202436).

1208574,CVE-2021-30560

This update for libxslt fixes the following issues:

- CVE-2021-30560: Fixing a use after free vulnerability in Blink XSLT (bsc#1208574).

1179466,1179467,CVE-2020-29129,CVE-2020-29130

This update for slirp4netns fixes the following issues:

- CVE-2020-29129: Fixed out-of-bounds access while processing NCSI packets (bsc#1179466).

- CVE-2020-29130: Fixed out-of-bounds access while processing ARP packets (bsc#1179467).

1171578,1175821,1182998,1197093,1200524,1205536,1207509

This update for libcontainers-common fixes the following issues:

- Add registry.suse.com to the unqualified-search-registries (bsc#1205536)

- New upstream release 20230214

- bump c/storage to 1.45.3

- bump c/image to 5.24.1

- bump c/common to 0.51.0

- containers.conf:

- add commented out options containers.read_only, engine.platform_to_oci_runtime,

engine.events_container_create_inspect_data, network.volume_plugin_timeout, engine.runtimes.youki, machine.provider

- remove deprecated setting containers.userns_size

- add youki to engine.runtime_supports_json

- shortnames.conf: pull in latest upstream version

- storage.conf: add commented out option storage.transient_store

- correct license to APACHE-2.0

- Changes introduced to c/storage's storage.conf which adds a driver_priority attribute would break consumers of

libcontainer-common as long as those packages are vendoring an older c/storage version. (bsc#1207509)

- storage.conf: Unset 'driver' and set 'driver_priority' to allow podman to use 'btrfs' if available and fallback to

'overlay' if not.

- .spec: rm %post script to set 'btrfs' as storage driver in storage.conf

- Remove registry.suse.com from search unqualified-search-registries

- add requires on util-linux-systemd for findmnt in profile script

- only set storage_driver env when no libpod exists

- add container-storage-driver.sh (bsc#1197093)

- postinstall script: slight cleanup, no functional change

- set detached sigstore attachments for the SUSE controlled registries

- Fix obvious typo in containers.conf

- Resync containers.conf / storage.conf with Fedora

- Create /etc/containers/registries.conf.d and add 000-shortnames.conf to it.

- Use $() again in %post, but with a space for POSIX compliance

- Add missing Requires(post): sed (bsc#1200524)

- Make %post compatible with dash

- Switch registries.conf to v2 format

- Reintroduce SLE specific mounts config, to avoid errors on non-SLE systems

- Require util-linux-systemd for %post scripts (bsc#1182998, jsc#SLE-12122, bsc#1175821)

- Update default registry (bsc#1171578)

1208079

This update for systemd-rpm-macros fixes the following issue:

- Don't emit a warning when the flag file in /var/lib/systemd/migrated/ is not present as it's expected (bsc#1208079).

1210702

This update for kbd fixes the following issue:

- Add 'ara' vc keymap, 'ara' is slightly better than 'arabic' as it matches the name of its X11 layout counterpart. (bsc#1210702)

1211272

This update for systemd-rpm-macros fixes the following issues:

- Adjust functions so they are disabled when called from a chroot (bsc#1211272)

1212126,CVE-2023-34969

This update for dbus-1 fixes the following issues:

- CVE-2023-34969: Fixed a possible dbus-daemon crash by an unprivileged users (bsc#1212126).

1210999,CVE-2023-31484

This update for perl fixes the following issues:

- CVE-2023-31484: Enable TLS cert verification in CPAN (bsc#1210999).

1208721,1209229,1211828

This update for glibc fixes the following issues:

- getlogin_r: fix missing fallback if loginuid is unset (bsc#1209229, BZ #30235)

- Exclude static archives from preparation for live patching (bsc#1208721)

- resolv_conf: release lock on allocation failure (bsc#1211828, BZ #30527)

1213237,CVE-2023-32001

This update for curl fixes the following issues:

- CVE-2023-32001: Fixed TOCTOU race condition (bsc#1213237).

1089497

This update for gpgme fixes the following issues:

gpgme:

- Address failure handling issues when using gpg 2.2.6 via gpgme, as used by libzypp (bsc#1089497)

libassuan:

- Version upgrade to 2.5.5 in LTSS to address gpgme new requirements

1213487,CVE-2023-3446

This update for openssl-1_1 fixes the following issues:

- CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).

1213472

This update for apparmor fixes the following issues:

- Add pam_apparmor README (bsc#1213472)

1194038,1194900

This update for util-linux fixes the following issues:

- Fix blkid for floppy drives (bsc#1194900)

- Fix rpmbuild %checks fail when @ in the directory path (bsc#1194038)

1213514,CVE-2022-41409

This update for pcre2 fixes the following issues:

- CVE-2022-41409: Fixed integer overflow vulnerability in pcre2test that allows attackers to cause a denial of service via negative input (bsc#1213514).

1214054,CVE-2023-36054

This update for krb5 fixes the following issues:

- CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)

1213517,1213853,CVE-2023-3817

This update for openssl-1_1 fixes the following issues:

- CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)

- Don't pass zero length input to EVP_Cipher because s390x assembler optimized AES cannot handle zero size. (bsc#1213517)

1186606,1194609,1208194,1209741,1210702,1211576,1212434,1213185,1213575,1213873

This update for systemd fixes the following issues:

- Fix reboot and shutdown issues by getting only active MD arrays (bsc#1211576, bsc#1212434, bsc#1213575)

- Decrease devlink priority for iso disks (bsc#1213185)

- Do not ignore mount point paths longer than 255 characters (bsc#1208194)

- Refuse hibernation if there's no possible way to resume (bsc#1186606)

- Update 'korean' and 'arabic' keyboard layouts (bsc#1210702)

- Drop some entries no longer needed by YaST (bsc#1194609)

- The 'systemd --user' instances get their own session keyring instead of the user default one (bsc#1209741)

- Dynamically allocate receive buffer to handle large amount of mounts (bsc#1213873)

1214071

This update for lvm2 fixes the following issues:

- blkdeactivate calls wrong mountpoint cmd (bsc#1214071)

The following package changes have been done:

- kbd-legacy-2.4.0-150400.5.6.1 updated

- filesystem-15.0-150400.1.1 updated

- glibc-2.31-150300.52.2 updated

- perl-base-5.26.1-150300.17.14.1 updated

- libuuid1-2.37.2-150400.8.20.1 updated

- libudev1-249.16-150400.8.33.1 updated

- libsmartcols1-2.37.2-150400.8.20.1 updated

- libpcre2-8-0-10.39-150400.4.9.1 added

- libblkid1-2.37.2-150400.8.20.1 updated

- libaudit1-3.0.6-150400.4.13.1 updated

- libapparmor1-3.0.4-150400.5.6.1 updated

- libfdisk1-2.37.2-150400.8.20.1 updated

- libxtables12-1.8.7-1.1 added

- libmspack0-0.6-3.14.1 added

- libltdl7-2.4.6-3.4.1 added

- libassuan0-2.5.5-150000.4.5.2 updated

- file-5.32-7.14.1 added

- libmnl0-1.0.4-1.25 added

- libgdbm4-1.12-1.418 added

- libselinux1-3.4-150400.1.8 updated

- login_defs-4.8.1-150400.1.7 updated

- libsystemd0-249.16-150400.8.33.1 updated

- libmount1-2.37.2-150400.8.20.1 updated

- libdevmapper1_03-2.03.05_1.02.163-150400.188.1 updated

- libxslt1-1.1.34-150400.3.3.1 added

- libdbus-1-3-1.12.2-150400.18.8.1 updated

- libicu65_1-ledata-65.1-150200.4.5.1 added

- xz-5.2.3-150000.4.7.1 added

- tar-1.34-150000.3.31.1 added

- which-2.21-2.20 added

- iproute2-5.14-150400.1.8 added

- glibc-locale-base-2.31-150300.52.2 updated

- gawk-4.2.1-150000.3.3.1 added

- systemd-rpm-macros-13-150000.7.33.1 updated

- libopenssl1_1-1.1.1l-150400.7.53.1 updated

- libcryptsetup12-2.4.3-150400.3.3.1 updated

- krb5-1.19.2-150400.3.6.1 updated

- libcurl4-8.0.1-150400.5.26.1 updated

- hostname-3.16-2.22 added

- shadow-4.8.1-150400.1.7 updated

- kbd-2.4.0-150400.5.6.1 updated

- dbus-1-1.12.2-150400.18.8.1 updated

- util-linux-2.37.2-150400.8.20.1 updated

- systemd-249.16-150400.8.33.1 updated

- util-linux-systemd-2.37.2-150400.8.20.1 added

- system-user-nobody-20170617-150400.22.33 added

- libcontainers-common-20230214-150400.3.5.2 added

- runc-1.1.4-150000.36.1 added

- slirp4netns-0.4.7-150100.3.18.1 added

- cni-0.7.1-150100.3.8.1 added

- libicu-suse65_1-65.1-150200.4.5.1 added

- container:rancher-elemental-teal-5.4-latest-- added

- container:bci-bci-busybox-15.4-- added

- container:bci-bci-busybox-latest-- removed

- container:rancher-elemental-builder-image-5.3-latest-- removed

- container:rancher-elemental-teal-5.3-latest-- removed

- libcryptsetup12-hmac-2.4.3-150400.1.110 removed

- libgcrypt20-hmac-1.9.4-150400.6.8.1 removed

- libopenssl1_1-hmac-1.1.1l-150400.7.45.1 removed

- libsemanage1-3.1-150400.1.65 removed

- libsepol1-3.1-150400.1.70 removed

- patterns-base-fips-20200124-150400.20.4.1 removed

- systemd-presets-branding-SMO-20220103-150400.2.1 removed

Severity
Container Advisory ID : SUSE-CU-2023:3470-1
Container Tags : rancher/elemental-teal-iso/5.4:1.2.2 , rancher/elemental-teal-iso/5.4:1.2.2-3.2.1 , rancher/elemental-teal-iso/5.4:latest
Container Release : 3.2.1
Severity : critical
Type : security

Related News

News

Powered By

Footer Logo

Linux Security - Your source for Top Linux News, Advisories, HowTo's and Feature Release.

Powered By

Footer Logo