{"affected":[{"ecosystem_specific":{"binaries":[{"podman":"2.1.1-lp151.3.25.1","podman-cni-config":"2.1.1-lp151.3.25.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.1","name":"podman","purl":"pkg:rpm/opensuse/podman&distro=openSUSE%20Leap%2015.1"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.1.1-lp151.3.25.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for podman fixes the following issues:\n\nSecurity issue fixed:\n\n- This release resolves CVE-2020-14370, in which environment variables could be leaked between containers created using the Varlink API (bsc#1176804).\n\nNon-security issues fixed:\n\n- add dependency to timezone package or podman fails to build a \n  container (bsc#1178122)\n\n- Install new auto-update system units\n- Update to v2.1.1 (bsc#1178392):\n  * Changes\n    - The `podman info` command now includes the cgroup manager\n      Podman is using.\n  * API\n    - The REST API now includes a Server header in all responses.\n    - Fixed a bug where the Libpod and Compat Attach endpoints\n      could terminate early, before sending all output from the\n      container.\n    - Fixed a bug where the Compat Create endpoint for containers\n      did not properly handle the Interactive parameter.\n    - Fixed a bug where the Compat Kill endpoint for containers\n      could continue to run after a fatal error.\n    - Fixed a bug where the Limit parameter of the Compat List\n      endpoint for Containers did not properly handle a limit of 0\n      (returning nothing, instead of all containers) [#7722].\n    - The Libpod Stats endpoint for containers is being deprecated\n      and will be replaced by a similar endpoint with additional\n      features in a future release.\n- Changes in v2.1.0\n  * Features\n    - A new command, `podman image mount`, has been added. This\n      allows for an image to be mounted, read-only, to inspect its\n      contents without creating a container from it [#1433].\n    - The `podman save` and `podman load` commands can now create\n      and load archives containing multiple images [#2669].\n    - Rootless Podman now supports all `podman network` commands,\n      and rootless containers can now be joined to networks.\n    - The performance of `podman build` on `ADD` and `COPY`\n      instructions has been greatly improved, especially when a\n      `.dockerignore` is present.\n    - The `podman run` and `podman create` commands now support a\n      new mode for the `--cgroups` option, `--cgroups=split`.\n      Podman will create two cgroups under the cgroup it was\n      launched in, one for the container and one for Conmon. This\n      mode is useful for running Podman in a systemd unit, as it\n      ensures that all processes are retained in systemd's cgroup\n      hierarchy [#6400].\n    - The `podman run` and `podman create` commands can now specify\n      options to slirp4netns by using the `--network` option as\n      follows:  `--net slirp4netns:opt1,opt2`. This allows for,\n      among other things, switching the port forwarder used by\n      slirp4netns away from rootlessport.\n    - The `podman ps` command now features a new option,\n      `--storage`, to show containers from Buildah, CRI-O and other\n      applications.\n    - The `podman run` and `podman create` commands now feature a\n      `--sdnotify` option to control the behavior of systemd's\n      sdnotify with containers, enabling improved support for\n      Podman in `Type=notify` units.\n    - The `podman run` command now features a `--preserve-fds`\n      opton to pass file descriptors from the host into the\n      container [#6458].\n    - The `podman run` and `podman create` commands can now create\n      overlay volume mounts, by adding the `:O` option to a bind\n      mount (e.g. `-v /test:/test:O`). Overlay volume mounts will\n      mount a directory into a container from the host and allow\n      changes to it, but not write those changes back to the\n      directory on the host.\n    - The `podman play kube` command now supports the Socket\n      HostPath type [#7112].\n    - The `podman play kube` command now supports read-only mounts.\n    - The `podman play kube` command now supports setting labels on\n      pods from Kubernetes metadata labels.\n    - The `podman play kube` command now supports setting container\n      restart policy [#7656].\n    - The `podman play kube` command now properly handles\n      `HostAlias` entries.\n    - The `podman generate kube` command now adds entries to\n      `/etc/hosts` from `--host-add` generated YAML as `HostAlias`\n      entries.\n    - The `podman play kube` and `podman generate kube` commands\n      now properly support `shareProcessNamespace` to share the PID\n      namespace in pods.\n    - The `podman volume ls` command now supports the `dangling`\n      filter to identify volumes that are dangling (not attached to\n      any container).\n    - The `podman run` and `podman create` commands now feature a\n      `--umask` option to set the umask of the created container.\n    - The `podman create` and `podman run` commands now feature a\n      `--tz` option to set the timezone within the container [#5128].\n    - Environment variables for Podman can now be added in the\n      `containers.conf` configuration file.\n    - The `--mount` option of `podman run` and `podman create` now\n      supports a new mount type, `type=devpts`, to add a `devpts`\n      mount to the container. This is useful for containers that\n      want to mount `/dev/` from the host into the container, but\n      still create a terminal.\n    - The `--security-opt` flag to `podman run` and `podman create`\n      now supports a new option, `proc-opts`, to specify options\n      for the container's `/proc` filesystem.\n    - Podman with the `crun` OCI runtime now supports a new option\n      to `podman run` and `podman create`, `--cgroup-conf`, which\n      allows for advanced configuration of cgroups on cgroups v2\n      systems.\n    - The `podman create` and `podman run` commands now support a\n      `--override-variant` option, to override the architecture\n      variant of the image that will be pulled and ran.\n    - A new global option has been added to Podman,\n      `--runtime-flags`, which allows for setting flags to use when\n      the OCI runtime is called.\n    - The `podman manifest add` command now supports the\n      `--cert-dir`, `--auth-file`, `--creds`, and `--tls-verify`\n      options.\n  * Security\n    - This release resolves CVE-2020-14370, in which environment\n      variables could be leaked between containers created using\n      the Varlink API.\n  * Changes\n    - Podman will now retry pulling an image 3 times if a pull\n      fails due to network errors.\n    - The `podman exec` command would previously print error\n      messages (e.g. `exec session exited with non-zero exit code\n      -1`) when the command run exited with a non-0 exit code. It\n      no longer does this. The `podman exec` command will still\n      exit with the same exit code as the command run in the\n      container did.\n    - Error messages when creating a container or pod with a name\n      that is already in use have been improved.\n    - For read-only containers running systemd init, Podman creates\n      a tmpfs filesystem at `/run`. This was previously limited to\n      65k in size and mounted `noexec`, but is now unlimited size\n      and mounted `exec`.\n    - The `podman system reset` command no longer removes\n      configuration files for rootless Podman.\n  * API\n    - The Libpod API version has been bumped to v2.0.0 due to a\n      breaking change in the Image List API.\n    - Docker-compatible Volume Endpoints (Create, Inspect, List,\n      Remove, Prune) are now available!\n    - Added an endpoint for generating systemd unit files for\n      containers.\n    - The `last` parameter to the Libpod container list endpoint\n      now has an alias, `limit` [#6413].\n    - The Libpod image list API new returns timestamps in Unix\n      format, as integer, as opposed to as strings\n    - The Compat Inspect endpoint for containers now includes port\n      information in NetworkSettings.\n    - The Compat List endpoint for images now features limited\n      support for the (deprecated) `filter` query parameter [#6797].\n    - Fixed a bug where the Compat Create endpoint for containers\n      was not correctly handling bind mounts.\n    - Fixed a bug where the Compat Create endpoint for containers\n      would not return a 404 when the requested image was not\n      present.\n    - Fixed a bug where the Compat Create endpoint for containers\n      did not properly handle Entrypoint and Command from images.\n    - Fixed a bug where name history information was not properly\n      added in the Libpod Image List endpoint.\n    - Fixed a bug where the Libpod image search endpoint improperly\n      populated the Description field of responses.\n    - Added a `noTrunc` option to the Libpod image search endpoint.\n    - Fixed a bug where the Pod List API would return null, instead\n      of an empty array, when no pods were present [#7392].\n    - Fixed a bug where endpoints that hijacked would do perform\n      the hijack too early, before being ready to send and receive\n      data [#7195].\n    - Fixed a bug where Pod endpoints that can operate on multiple\n      containers at once (e.g. Kill, Pause, Unpause, Stop) would\n      not forward errors from individual containers that failed.\n    - The Compat List endpoint for networks now supports filtering\n      results [#7462].\n    - Fixed a bug where the Top endpoint for pods would return both\n      a 500 and 404 when run on a non-existent pod.\n    - Fixed a bug where Pull endpoints did not stream progress back\n      to the client.\n    - The Version endpoints (Libpod and Compat) now provide version\n      in a format compatible with Docker.\n    - All non-hijacking responses to API requests should not\n      include headers with the version of the server.\n    - Fixed a bug where Libpod and Compat Events endpoints did not\n      send response headers until the first event occurred [#7263].\n    - Fixed a bug where the Build endpoints (Compat and Libpod) did\n      not stream progress to the client.\n    - Fixed a bug where the Stats endpoints (Compat and Libpod) did\n      not properly handle clients disconnecting.\n    - Fixed a bug where the Ignore parameter to the Libpod Stop\n      endpoint was not performing properly.\n    - Fixed a bug where the Compat Logs endpoint for containers did\n      not stream its output in the correct format [#7196].\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.","id":"openSUSE-SU-2020:2039-1","modified":"2020-11-26T15:28:10Z","published":"2020-11-26T15:28:10Z","references":[{"type":"ADVISORY","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4AHS44MM5VJQEFYSAEM4XLRKSPLU53H7/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1176804"},{"type":"REPORT","url":"https://bugzilla.suse.com/1178122"},{"type":"REPORT","url":"https://bugzilla.suse.com/1178392"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2020-14370"}],"related":["CVE-2020-14370"],"summary":"Security update for podman","upstream":["CVE-2020-14370"]}