[SUSE-SU-2022:3312-1] Security update for libcontainers-common

Severity Moderate

Affected Packages 2

CVEs 5

Security update for libcontainers-common

This update for libcontainers-common fixes the following issues:

libcontainers-common was updated:

common component was updated to 0.44.0.
storage component was updated to 1.36.0.
image component was updated to 5.16.0.
podman component was updated to 3.3.1.

3.3.1:

Bugfixes:

Fixed a bug where unit files created by podman generate systemd could not cleanup shut down containers when stopped by systemctl stop .
Fixed a bug where podman machine commands would not properly locate the gvproxy binary in some circumstances.
Fixed a bug where containers created as part of a pod using the --pod-id-file option would not join the pod's network namespace .
Fixed a bug where Podman, when using the systemd cgroups driver, could sometimes leak dbus sessions.
Fixed a bug where the until filter to podman logs and podman events was improperly handled, requiring input to be negated .
Fixed a bug where rootless containers using CNI networking run on systems using systemd-resolved for DNS would fail to start if resolved symlinked /etc/resolv.conf to an absolute path .

API:

A large number of potential file descriptor leaks from improperly closing client connections have been fixed.

3.3.0:

Features:

Containers inside VMs created by podman machine will now automatically handle port forwarding - containers in podman machine VMs that publish ports via --publish or --publish-all will have these ports not just forwarded on the VM, but also on the host system.
The podman play kube command's --network option now accepts advanced network options (e.g. --network slirp4netns:port_handler=slirp4netns) .
The podman play kube commmand now supports Kubernetes liveness probes, which will be created as Podman healthchecks.
Podman now provides a systemd unit, podman-restart.service, which, when enabled, will restart all containers that were started with --restart=always after the system reboots.
Rootless Podman can now be configured to use CNI networking by default by using the rootless_networking option in containers.conf.
Images can now be pulled using image:tag@digest syntax (e.g. podman pull fedora:34@sha256:1b0d4ddd99b1a8c8a80e885aafe6034c95f266da44ead992aab388e6aa91611a) .
The podman container checkpoint and podman container restore commands can now be used to checkpoint containers that are in pods, and restore those containers into pods.
The podman container restore command now features a new option, --publish, to change the ports that are forwarded to a container that is being restored from an exported checkpoint.
The podman container checkpoint command now features a new option, --compress, to specify the compression algorithm that will be used on the generated checkpoint.
The podman pull command can now pull multiple images at once (e.g. podman pull fedora:34 ubi8:latest will pull both specified images).
THe podman cp command can now copy files from one container into another directly (e.g. podman cp containera:/etc/hosts containerb:/etc/) .
The podman cp command now supports a new option, --archive, which controls whether copied files will be chown'd to the UID and GID of the user of the destination container.
The podman stats command now provides two additional metrics: Average CPU, and CPU time.
The podman pod create command supports a new flag, --pid, to specify the PID namespace of the pod. If specified, containers that join the pod will automatically share its PID namespace.
The podman pod create command supports a new flag, --infra-name, which allows the name of the pod's infra container to be set .
The podman auto-update command has had its output reformatted - it is now much clearer what images were pulled and what containers were updated.
The podman auto-update command now supports a new option, --dry-run, which reports what would be updated but does not actually perform the update .
The podman build command now supports a new option, --secret, to mount secrets into build containers.
The podman manifest remove command now has a new alias, podman manifest rm.
The podman login command now supports a new option, --verbose, to print detailed information about where the credentials entered were stored.
The podman events command now supports a new event, exec_died, which is produced when an exec session exits, and includes the exit code of the exec session.
The podman system connection add command now supports adding connections that connect using the tcp:// and unix:// URL schemes.
The podman system connection list command now supports a new flag, --format, to determine how the output is printed.
The podman volume prune and podman volume ls commands' --filter option now support a new filter, until, that matches volumes created before a certain time .
The podman ps --filter option's network filter now accepts a new value: container:, which matches containers that share a network namespace with a specific container .
The podman diff command can now accept two arguments, allowing two images or two containers to be specified; the diff between the two will be printed .
Podman can now optionally copy-up content from containers into volumes mounted into those containers earlier (at creation time, instead of at runtime) via the prepare_on_create option in containers.conf .
A new option, --gpus, has been added to podman create and podman run as a no-op for better compatibility with Docker. If the nvidia-container-runtime package is installed, GPUs should be automatically added to containers without using the flag.
If an invalid subcommand is provided, similar commands to try will now be suggested in the error message. ### Changes
The podman system reset command now removes non-Podman (e.g. Buildah and CRI-O) containers as well.
The new port forwarding offered by podman machine requires [gvproxy] in order to function.
Podman will now automatically create the default CNI network if it does not exist, for both root and rootless users. This will only be done once per user - if the network is subsequently removed, it will not be recreated.
The install.cni makefile option has been removed. It is no longer required to distribute the default 87-podman.conflist CNI configuration file, as Podman will now automatically create it.
The --root option to Podman will not automatically clear all default storage options when set. Storage options can be set manually using --storage-opt .
The output of podman system connection list is now deterministic, with connections being sorted alpabetically by their name.
The auto-update service (podman-auto-update.service) has had its default timer adjusted so it now starts at a random time up to 15 minutes after midnight, to help prevent system congestion from numerous daily services run at once.
Systemd unit files generated by podman generate systemd now depend on network-online.target by default .
Systemd unit files generated by podman generate systemd now use Type=notify by default, instead of using PID files.
The podman info command's logic for detecting package versions on Gentoo has been improved, and should be significantly faster.

Bugfixes:

Fixed a bug where the podman play kube command did not perform SELinux relabelling of volumes specified with a mountPath that included the :z or :Z options .
Fixed a bug where the podman play kube command would ignore the USER and EXPOSE directives in images .
Fixed a bug where the podman play kube command would only accept lowercase pull policies.
Fixed a bug where named volumes mounted into containers with the :z or :Z options were not appropriately relabelled for access from the container .
Fixed a bug where the podman logs -f command, with the journald log driver, could sometimes fail to pick up the last line of output from a container .
Fixed a bug where running podman rm on a container created with the --rm option would occasionally emit an error message saying the container failed to be removed, when it was successfully removed.
Fixed a bug where starting a Podman container would segfault if the LISTEN_PID and LISTEN_FDS environment variables were set, but LISTEN_FDNAMES was not .
Fixed a bug where exec sessions in containers were sometimes not cleaned up when run without -d and when the associated podman exec process was killed before completion.
Fixed a bug where podman system service could, when run in a systemd unit file with sdnotify in use, drop some connections when it was starting up.
Fixed a bug where containers run using the REST API using the slirp4netns network mode would leave zombie processes that were not cleaned up until podman system service exited .
Fixed a bug where the podman system service command would leave zombie processes after its initial launch that were not cleaned up until it exited .
Fixed a bug where VMs created by podman machine could not be started after the host system restarted .
Fixed a bug where the podman pod ps command would not show headers for optional information (e.g. container names when the --ctr-names option was given).
Fixed a bug where the remote Podman client's podman create and podman run commands would ignore timezone configuration from the server's containers.conf file .
Fixed a bug where the remote Podman client's podman build command would only respect .containerignore and not .dockerignore files (when both are present, .containerignore will be preferred) .
Fixed a bug where the remote Podman client's podman build command would fail to send the Dockerfile being built to the server when it was excluded by the .dockerignore file, resulting in an error .
Fixed a bug where the remote Podman client's podman build command could unexpectedly stop streaming the output of the build .
Fixed a bug where the remote Podman client's podman build command would fail to build when run on Windows .
Fixed a bug where the podman manifest create command accepted at most two arguments (an arbitrary number of images are allowed as arguments, which will be added to the manifest).
Fixed a bug where named volumes would not be properly chowned to the UID and GID of the directory they were mounted over when first mounted into a container .
Fixed a bug where named volumes created using a volume plugin would be removed from Podman, even if the plugin reported a failure to remove the volume .
Fixed a bug where the remote Podman client's podman exec -i command would hang when input was provided via shell redirection (e.g. podman --remote exec -i foo cat <<<'hello') .
Fixed a bug where containers created with --rm were not immediately removed after being started by podman start if they failed to start .
Fixed a bug where the --storage-opt flag to podman create and podman run was nonfunctional .
Fixed a bug where the --device-cgroup-rule option to podman create and podman run was nonfunctional .
Fixed a bug where the --tls-verify option to podman manifest push was nonfunctional.
Fixed a bug where the podman import command could, in some circumstances, produce empty images .
Fixed a bug where images pulled using the docker-daemon: transport had the wrong registry (localhost instead of docker.io/library) .
Fixed a bug where operations that pruned images (podman image prune and podman system prune) would prune untagged images with children .
Fixed a bug where dual-stack networks created by podman network create did not properly auto-assign an IPv4 subnet when one was not explicitly specified .
Fixed a bug where port forwarding using the rootlessport port forwarder would break when a network was disconnected and then reconnected .
Fixed a bug where Podman would ignore user-specified SELinux policies for containers using the Kata OCI runtime, or containers using systemd as PID 1 .
Fixed a bug where Podman containers created using --net=host would add an entry to /etc/hosts for the container's hostname pointing to 127.0.1.1 .
Fixed a bug where the podman unpause --all command would throw an error for every container that was not paused .
Fixed a bug where timestamps for the since and until filters using Unix timestamps with a nanoseconds portion could not be parsed .
Fixed a bug where the podman info command would sometimes print the wrong path for the slirp4netns binary.
Fixed a bug where rootless Podman containers joined to a CNI network would not have functional DNS when the host used systemd-resolved without the resolved stub resolver being enabled .
Fixed a bug where podman network connect and podman network disconnect of rootless containers could sometimes break port forwarding to the container .
Fixed a bug where joining a container to a CNI network by ID and adding network aliases to this network would cause the container to fail to start . ### API
Fixed a bug where the Compat List endpoint for Containers included healthcheck information for all containers, even those that did not have a configured healthcheck.
Fixed a bug where the Compat Create endpoint for Containers would fail to create containers with the NetworkMode parameter set to default .
Fixed a bug where the Compat Create endpoint for Containers did not properly handle healthcheck commands .
Fixed a bug where the Compat Wait endpoint for Containers would always send an empty string error message when no error occurred.
Fixed a bug where the Libpod Stats endpoint for Containers would not error when run on rootless containers on cgroups v1 systems (nonsensical results would be returned, as this configuration cannot be supportable).
Fixed a bug where the Compat List endpoint for Images omitted the ContainerConfig field .
Fixed a bug where the Compat Build endpoint for Images was too strict when validating the Content-Type header, rejecting content that Docker would have accepted .
Fixed a bug where the Compat Pull endpoint for Images could fail, but return a 200 status code, if an image name that could not be parsed was provided.
Fixed a bug where the Compat Pull endpoint for Images would continue to pull images after the client disconnected.
Fixed a bug where the Compat List endpoint for Networks would fail for non-bridge (e.g. macvlan) networks .
Fixed a bug where the Libpod List endpoint for Networks would return nil, instead of an empty list, when no networks were present .
The Compat and Libpod Logs endpoints for Containers now support the until query parameter .
The Compat Import endpoint for Images now supports the platform, message, and repo query parameters.
The Compat Pull endpoint for Images now supports the platform query parameter.

Misc:

Updated Buildah to v1.22.3
Updated the containers/storage library to v1.34.1
Updated the containers/image library to v5.15.2
Updated the containers/common library to v0.42.1

storage was updated to 1.36.0.

Updated image to 5.16.0.

Update podman to 3.2.3:

Security:

This release addresses CVE-2021-3602, an issue with the podman build command with the --isolation chroot flag that results in environment variables from the host leaking into build containers. (bsc#1188520)

Bugfixes:

Fixed a bug where events related to images could occur before the relevant operation had completed (e.g. an image pull event could be written before the pull was finished) .
Fixed a bug where podman save would refuse to save images with an architecture different from that of the host .
Fixed a bug where the podman import command did not correctly handle images without tags .
Fixed a bug where Podman's journald events backend would fail and prevent Podman from running when run on a host with systemd as PID1 but in an environment (e.g. a container) without systemd .
Fixed a bug where containers using rootless CNI networking would fail to start when the dnsname CNI plugin was in use and the host system's /etc/resolv.conf was a symlink ([#10855] and #10929).
Fixed a bug where containers using rootless CNI networking could fail to start due to a race in rootless CNI initialization .

Update podman to 3.2.2

3.2.2:

Podman's handling of the Architecture field of images has been relaxed. Since 3.2.0, Podman required that the architecture of the image match the architecture of the system to run containers based on an image, but images often incorrectly report architecture, causing Podman to reject valid images ([#10648] and #10682).
Podman no longer uses inotify to monitor for changes to CNI configurations. This removes potential issues where Podman cannot be run because a user has exhausted their available inotify sessions .

Bugfixes

Fixed a bug where the podman cp would, when given a directory as its source and a target that existed and was a file, copy the contents of the directory into the parent directory of the file; this now results in an error.
Fixed a bug where the podman logs command would, when following a running container's logs, not include the last line of output from the container when it exited when the k8s-file driver was in use .
Fixed a bug where Podman would fail to run containers if systemd-resolved was incorrectly detected as the system's DNS server .
Fixed a bug where the podman exec -t command would only resize the exec session's TTY after the session started, leading to a race condition where the terminal would initially not have a size set .
Fixed a bug where Podman containers using the slirp4netns network mode would add an incorrect entry to /etc/hosts pointing the container's hostname to the wrong IP address.
Fixed a bug where Podman would create volumes specified by images with incorrect permissions ([#10188] and #10606).
Fixed a bug where Podman would not respect the uid and gid options to podman volume create -o .
Fixed a bug where the podman run command could panic when parsing the system's cgroup configuration .
Fixed a bug where the remote Podman client's podman build -f - ... command did not read a Containerfile from STDIN .
Fixed a bug where the podman container restore --import command would fail to restore checkpoints created from privileged containers .
Fixed a bug where Podman was not respecting the TMPDIR environment variable when pulling images .
Fixed a bug where a number of Podman commands did not properly support using Go templates as an argument to the --format option.

API:

Fixed a bug where the Compat Inspect endpoint for Containers did not include information on container healthchecks .
Fixed a bug where the Libpod and Compat Build endpoints for Images did not properly handle the devices query parameter .

Misc:

Fixed a bug where the Makefile's make podman-remote-static target to build a statically-linked podman-remote binary was instead producing dynamic binaries .
Updated the containers/common library to v0.38.11

3.2.1:

Changes:
- Podman now allows corrupt images (e.g. from restarting the system during an image pull) to be replaced by a podman pull of the same image (instead of requiring they be removed first, then re-pulled).

Bugfixes:

Fixed a bug where Podman would fail to start containers if a Seccomp profile was not available at /usr/share/containers/seccomp.json .
Fixed a bug where the podman machine start command failed on OS X machines with the AMD64 architecture and certain QEMU versions .
Fixed a bug where Podman would always use the slow path for joining the rootless user namespace.
Fixed a bug where the podman stats command would fail on Cgroups v1 systems when run on a container running systemd .
Fixed a bug where pre-checkpoint support for podman container checkpoint did not function correctly.
Fixed a bug where the remote Podman client's podman build command did not properly handle the -f option .
Fixed a bug where the remote Podman client's podman run command would sometimes not resize the container's terminal before execution began .
Fixed a bug where the --filter option to the podman image prune command was nonfunctional.
Fixed a bug where the podman logs -f command would exit before all output for a container was printed when the k8s-file log driver was in use .
Fixed a bug where Podman would not correctly detect that systemd-resolved was in use on the host and adjust DNS servers in the container appropriately under some circumstances .
Fixed a bug where the podman network connect and podman network disconnect commands acted improperly when containers were in the Created state, marking the changes as done but not actually performing them.

API:

Fixed a bug where the Compat and Libpod Prune endpoints for Networks returned null, instead of an empty array, when nothing was pruned.
Fixed a bug where the Create API for Images would continue to pull images even if a client closed the connection mid-pull .
Fixed a bug where the Events API did not include some information (including labels) when sending events.
Fixed a bug where the Events API would, when streaming was not requested, send at most one event .

3.2.0:

Features:

Docker Compose is now supported with rootless Podman .
The podman network connect, podman network disconnect, and podman network reload commands have been enabled for rootless Podman.
An experimental new set of commands, podman machine, was added to assist in managing virtual machines containing a Podman server. These are intended for easing the use of Podman on OS X by handling the creation of a Linux VM for running Podman.
The podman generate kube command can now be run on Podman named volumes (generating PersistentVolumeClaim YAML), in addition to pods and containers.
The podman play kube command now supports two new options, --ip and --mac, to set static IPs and MAC addresses for created pods ([#8442] and #9731).
The podman play kube command's support for PersistentVolumeClaim YAML has been greatly improved.
The podman generate kube command now preserves the label used by podman auto-update to identify containers to update as a Kubernetes annotation, and the podman play kube command will convert this annotation back into a label. This allows podman auto-update to be used with containers created by podman play kube.
The podman play kube command now supports Kubernetes secretRef YAML (using the secrets support from podman secret) for environment variables.
Secrets can now be added to containers as environment variables using the type=env option to the --secret flag to podman create and podman run.
The podman start command now supports the --all option, allowing all containers to be started simultaneously with a single command. The --filter option has also been added to filter which containers to start when --all is used.
Filtering containers with the --filter option to podman ps and podman start now supports a new filter, restart-policy, to filter containers based on their restart policy.
The --group-add option to rootless podman run and podman create now accepts a new value, keep-groups, which instructs Podman to retain the supplemental groups of the user running Podman in the created container. This is only supported with the crun OCI runtime.
The podman run and podman create commands now support a new option, --timeout. This sets a maximum time the container is allowed to run, after which it is killed .
The podman run and podman create commands now support a new option, --pidfile. This will create a file when the container is started containing the PID of the first process in the container.
The podman run and podman create commands now support a new option, --requires. The --requires option adds dependency containers - containers that must be running before the current container. Commands like podman start will automatically start the requirements of a container before starting the container itself.
Auto-updating containers can now be done with locally-built images, not just images hosted on a registry, by creating containers with the io.containers.autoupdate label set to local.
Podman now supports the Container Device Interface standard.
Podman now adds an entry to /etc/hosts, host.containers.internal, pointing to the current gateway (which, for root containers, is usually a bridge interface on the host system) .
The podman ps, podman pod ps, podman network list, podman secret list, and podman volume list commands now support a --noheading option, which will cause Podman to omit the heading line including column names.
The podman unshare command now supports a new flag, --rootless-cni, to join the rootless network namespace. This allows commands to be run in the same network environment as rootless containers with CNI networking.
The --security-opt unmask= option to podman run and podman create now supports glob operations to unmask a group of paths at once (e.g. podman run --security-opt unmask=/proc/* ... will unmask all paths in /proc in the container).
The podman network prune command now supports a --filter option to filter which networks will be pruned. ### Changes
The change in Podman 3.1.2 where the :z and :Z mount options for volumes were ignored for privileged containers has been reverted after discussion in [#10209].
Podman's rootless CNI functionality no longer requires a sidecar container! The removal of the requirement for the rootless-cni-infra container means that rootless CNI is now usable on all architectures, not just AMD64, and no longer requires pulling an image .
The Image handling code used by Podman has seen a major rewrite to improve code sharing with our other projects, Buildah and CRI-O. This should result in fewer bugs and performance gains in the long term. Work on this is still ongoing.
The podman auto-update command now prunes previous versions of images after updating if they are unused, to prevent disk exhaustion after repeated updates .
The podman play kube now treats environment variables configured as references to a ConfigMap as mandatory unless the optional parameter was set; this better matches the behavior of Kubernetes.
Podman now supports the --context=default flag from Docker as a no-op for compatibility purposes.
When Podman is run as root, but without CAP_SYS_ADMIN being available, it will run in a user namespace using the same code as rootless Podman (instead of failing outright).
The podman info command now includes the path of the Seccomp profile Podman is using, available cgroup controllers, and whether Podman is connected to a remote service or running containers locally.
Containers created with the --rm option now automatically use the volatile storage flag when available for their root filesystems, causing them not to write changes to disk as often as they will be removed at completion anyways. This should result in improved performance.
The podman generate systemd --new command will now include environment variables referenced by the container in generated unit files if the value would be looked up from the system environment.
Podman now requires that Conmon v2.0.24 be available.

Bugfixes:

Fixed a bug where the remote Podman client's podman build command did not support the --arch, --platform, and --os, options.
Fixed a bug where the remote Podman client's podman build command ignored the --rm=false option .
Fixed a bug where the remote Podman client's podman build --iidfile command could include extra output (in addition to just the image ID) in the image ID file written .
Fixed a bug where the remote Podman client's podman build command did not preserve hardlinks when moving files into the container via COPY instructions .
Fixed a bug where the podman generate systemd --new command could generate extra --iidfile arguments if the container was already created with one.
Fixed a bug where the podman generate systemd --new command would generate unit files that did not include RequiresMountsFor lines .
Fixed a bug where the podman generate kube command produced incorrect YAML for containers which bind-mounted both / and /root from the host system into the container .
Fixed a bug where pods created by podman play kube from YAML that specified ShareProcessNamespace would only share the PID namespace (and not also the UTS, Network, and IPC namespaces) .
Fixed a bug where the podman network reload command could generate spurious error messages when iptables-nft was in use.
Fixed a bug where rootless Podman could fail to attach to containers when the user running Podman had a large UID.
Fixed a bug where the podman ps command could fail with a no such container error due to a race condition with container removal .
Fixed a bug where containers using the slirp4netns network mode and setting a custom slirp4netns subnet while using the rootlesskit port forwarder would not be able to forward ports .
Fixed a bug where the --filter ancestor= option to podman ps did not require an exact match of the image name/ID to include a container in its results.
Fixed a bug where the --filter until= option to podman image prune would prune images created after the specified time (instead of before).
Fixed a bug where setting a custom Seccomp profile via the seccomp_profile option in containers.conf had no effect, and the default profile was used instead.
Fixed a bug where the --cgroup-parent option to podman create and podman run was ignored in rootless Podman on cgroups v2 systems with the cgroupfs cgroup manager .
Fixed a bug where the IMAGE and NAME variables in podman container runlabel were not being correctly substituted .
Fixed a bug where Podman could freeze when creating containers with a specific combination of volumes and working directory .
Fixed a bug where rootless Podman containers restarted by restart policy (e.g. containers created with --restart=always) would lose networking after being restarted .
Fixed a bug where the podman cp command could not copy files into containers created with the --pid=host flag .
Fixed a bug where filters to the podman events command could not be specified twice (if a filter is specified more than once, it will match if any of the given values match - logical or) .
Fixed a bug where Podman would include IPv6 nameservers in resolv.conf in containers without IPv6 connectivity .
Fixed a bug where containers could not be created with static IP addresses when connecting to a network using the macvlan driver . ### API
Fixed a bug where the Compat Create endpoint for Containers did not allow advanced network options to be set .
Fixed a bug where the Compat Create endpoint for Containers ignored static IP information provided in the IPAMConfig block .
Fixed a bug where the Compat Inspect endpoint for Containers returned null (instead of an empty list) for Networks when the container was not joined to a CNI network .
Fixed a bug where the Compat Wait endpoint for Containers could miss containers exiting if they were immediately restarted.
Fixed a bug where the Compat Create endpoint for Volumes required that the user provide a name for the new volume .
Fixed a bug where the Libpod Info handler would sometimes not return the correct path to the Podman API socket.
Fixed a bug where the Compat Events handler used the wrong name for container exited events (died instead of die) .
Fixed a bug where the Compat Push endpoint for Images could leak goroutines if the remote end closed the connection prematurely.

Update storage to 1.32.5

Update podman to 3.1.2

3.1.2:

Bugfixes:

Fixed a bug where images with empty layers were stored incorrectly, causing them to be unable to be pushed or saved.
Fixed a bug where the podman rmi command could fail to remove corrupt images from storage.
Fixed a bug where the remote Podman client's podman save command did not support the oci-dir and docker-dir formats .
Fixed a bug where volume mounts from podman play kube created with a trailing / in the container path were were not properly superceding named volumes from the image .
Fixed a bug where Podman could fail to build on 32-bit architectures.

Update podman to 3.1.1

Podman now recognizes trace as a valid argument to the --log-level command. Trace logging is now the most verbose level of logging available.
The :z and :Z options for volume mounts are now ignored when the container is privileged or is run with SELinux isolation disabled (--security-opt label=disable). This matches better matches Docker's behavior in this case.

Bugfixes

Fixed a bug where pruning images with the podman image prune or podman system prune commands could cause Podman to panic.
Fixed a bug where the podman save command did not properly error when the --compress flag was used with incompatible format types.
Fixed a bug where the --security-opt and --ulimit options to the remote Podman client's podman build command were nonfunctional.
Fixed a bug where the --log-rusage option to the remote Podman client's podman build command was nonfunctional .
Fixed a bug where the podman build command could, in some circumstances, use the wrong OCI runtime .
Fixed a bug where the remote Podman client's podman build command could return 0 despite failing .
Fixed a bug where the podman container runlabel command did not properly expand the IMAGE and NAME variables in the label .
Fixed a bug where poststop OCI hooks would be executed twice on containers started with the --rm argument .
Fixed a bug where rootless Podman could fail to launch containers on cgroups v2 systems when the cgroupfs cgroup manager was in use.
Fixed a bug where the podman stats command could error when statistics tracked exceeded the maximum size of a 32-bit signed integer .
Fixed a bug where rootless Podman containers run with --userns=keepid (without a --user flag in addition) would grant exec sessions run in them too many capabilities .
Fixed a bug where the --authfile option to podman build did not validate that the path given existed .
Fixed a bug where the --storage-opt option to Podman was appending to, instead of overriding (as is documented), the default storage options.
Fixed a bug where the podman system service connection did not function properly when run in a socket-activated systemd unit file as a non-root user.
Fixed a bug where the --network option to the podman play kube command of the remote Podman client was being ignored .
Fixed a bug where the --log-driver option to the podman play kube command was nonfunctional .

API

Fixed a bug where the Libpod Create endpoint for Manifests did not properly validate the image the manifest was being created with.
Fixed a bug where the Libpod DF endpoint could, in error cases, append an extra null to the JSON response, causing decode errors.
Fixed a bug where the Libpod and Compat Top endpoint for Containers would return process names that included extra whitespace.
Fixed a bug where the Compat Prune endpoint for Containers accepted too many types of filter.

Update podman to 3.1.0

Features:

A set of new commands has been added to manage secrets! The podman secret create, podman secret inspect, podman secret ls and podman secret rm commands have been added to handle secrets, along with the --secret option to podman run and podman create to add secrets to containers. The initial driver for secrets does not support encryption - this will be added in a future release.
A new command to prune networks, podman network prune, has been added .
The -v option to podman run and podman create now supports a new volume option, :U, to chown the volume's source directory on the host to match the UID and GID of the container and prevent permissions issues .
Three new commands, podman network exists, podman volume exists, and podman manifest exists, have been added to check for the existence of networks, volumes, and manifest lists.
The podman cp command can now copy files into directories mounted as tmpfs in a running container.
The podman volume prune command will now list volumes that will be pruned when prompting the user whether to continue and perform the prune .
The Podman remote client's podman build command now supports the --disable-compression, --excludes, and --jobs options.
The Podman remote client's podman push command now supports the --format option.
The Podman remote client's podman rm command now supports the --all and --ignore options.
The Podman remote client's podman search command now supports the --no-trunc and --list-tags options.
The podman play kube command can now read in Kubernetes YAML from STDIN when - is specified as file name (podman play kube -), allowing input to be piped into the command for scripting .
The podman generate systemd command now supports a --no-header option, which disables creation of the header comment automatically added by Podman to generated unit files.
The podman generate kube command can now generate PersistentVolumeClaim YAML for Podman named volumes .
The podman generate kube command can now generate YAML files containing multiple resources (pods or deployments) .

Security:

This release resolves CVE-2021-20291, a deadlock vulnerability in the storage library caused by pulling a specially-crafted container image. (bsc#1196497)

Changes:

The Podman remote client's podman build command no longer allows the -v flag to be used. Volumes are not yet supported with remote Podman when the client and service are on different machines.
The podman kill and podman stop commands now print the name given by the user for each container, instead of the full ID.
When the --security-opt unmask=ALL or --security-opt unmask=/sys/fs/cgroup options to podman create or podman run are given, Podman will mount cgroups into the container as read-write, instead of read-only .
The podman rmi command has been changed to better handle cases where an image is incomplete or corrupted, which can be caused by interrupted image pulls.
The podman rename command has been improved to be more atomic, eliminating many race conditions that could potentially render a renamed container unusable.
Detection of which OCI runtimes run using virtual machines and thus require custom SELinux labelling has been improved .
The hidden --trace option to podman has been turned into a no-op. It was used in very early versions for performance tracing, but has not been supported for some time.
The podman generate systemd command now generates RequiresMountsFor lines to ensure necessary storage directories are mounted before systemd starts Podman.
Podman will now emit a warning when --tty and --interactive are both passed, but STDIN is not a TTY. This will be made into an error in the next major Podman release some time next year. ### Bugfixes
Fixed a bug where rootless Podman containers joined to CNI networks could not receive traffic from forwarded ports .
Fixed a bug where podman network create with the --macvlan flag did not honor the --gateway, --subnet, and --opt options .
Fixed a bug where the podman generate kube command generated invalid YAML for privileged containers .
Fixed a bug where the podman generate kube command could not be used with containers that were not running.
Fixed a bug where the podman generate systemd command could duplicate some parameters to Podman in generated unit files .
Fixed a bug where Podman did not add annotations specified in containers.conf to containers.
Foxed a bug where Podman did not respect the no_hosts default in containers.conf when creating containers.
Fixed a bug where the --tail=0, --since, and --follow options to the podman logs command did not function properly when using the journald log backend.
Fixed a bug where specifying more than one container to podman logs when the journald log backend was in use did not function correctly.
Fixed a bug where the podman run and podman create commands would panic if a memory limit was set, but the swap limit was set to unlimited .
Fixed a bug where the --network option to podman run, podman create, and podman pod create would error if the user attempted to specify CNI networks by ID, instead of name .
Fixed a bug where Podman's cgroup handling for cgroups v1 systems did not properly handle cases where a cgroup existed on some, but not all, controllers, resulting in errors from the podman stats command .
Fixed a bug where the podman cp did not properly handle cases where /dev/stdout was specified as the destination (it was treated identically to -) .
Fixed a bug where the podman cp command would create files with incorrect ownership .
Fixed a bug where the podman cp command did not properly handle cases where the destination directory did not exist.
Fixed a bug where the podman cp command did not properly evaluate symlinks when copying out of containers.
Fixed a bug where the podman rm -fa command would error when attempting to remove containers created with --rm .
Fixed a bug where the ordering of capabilities was nondeterministic in the CapDrop field of the output of podman inspect on a container .
Fixed a bug where the podman network connect command could be used with containers that were not initially connected to a CNI bridge network (e.g. containers created with --net=host) .
Fixed a bug where DNS search domains required by the dnsname CNI plugin were not being added to container's resolv.conf under some circumstances.
Fixed a bug where the --ignorefile option to podman build was nonfunctional .
Fixed a bug where the --timestamp option to podman build was nonfunctional .
Fixed a bug where the --iidfile option to podman build could cause Podman to panic if an error occurred during the build.
Fixed a bug where the --dns-search option to podman build was nonfunctional .
Fixed a bug where the --pull-never option to podman build was nonfunctional .
Fixed a bug where the --build-arg option to podman build would, when given a key but not a value, error (instead of attempting to look up the key as an environment variable) .
Fixed a bug where the --isolation option to podman build in the remote Podman client was nonfunctional.
Fixed a bug where the podman network disconnect command could cause errors when the container that had a network removed was stopped and its network was cleaned up .
Fixed a bug where the podman network rm command did not properly check what networks a container was present in, resulting in unexpected behavior if podman network connect or podman network disconnect had been used with the network .
Fixed a bug where some errors with stopping a container could cause Podman to panic, and the container to be stuck in an unusable stopping state .
Fixed a bug where the podman load command could return 0 even in cases where an error occurred .
Fixed a bug where specifying storage options to Podman using the --storage-opt option would override all storage options. Instead, storage options are now overridden only when the --storage-driver option is used to override the current graph driver .
Fixed a bug where containers created with --privileged could request more capabilities than were available to Podman.
Fixed a bug where podman commit did not use the TMPDIR environment variable to place temporary files created during the commit .
Fixed a bug where remote Podman could error when attempting to resize short-lived containers .
Fixed a bug where Podman was unusable on kernels built without CONFIG_USER_NS.
Fixed a bug where the ownership of volumes created by podman volume create and then mounted into a container could be incorrect .
Fixed a bug where Podman volumes using a volume plugin could not pass certain options, and could not be used as non-root users.
Fixed a bug where the --tz option to podman create and podman run did not properly validate its input. ### API
Fixed a bug where the X-Registry-Auth header did not accept null as a valid value.
A new compat endpoint, /auth, has been added. This endpoint validates credentials against a registry .
Fixed a bug where the compat Build endpoint for Images specified labels using the wrong type (array vs map). Both formats will be accepted now.
Fixed a bug where the compat Build endpoint for Images did not report that it successfully tagged the built image in its response.
Fixed a bug where the compat Create endpoint for Images did not provide progress information on pulling the image in its response.
Fixed a bug where the compat Push endpoint for Images did not properly handle the destination (used a query parameter, instead of a path parameter).
Fixed a bug where the compat Push endpoint for Images did not send the progress of the push and the digest of the pushed image in the response body.
Fixed a bug where the compat List endpoint for Networks returned null, instead of an empty array ([]), when no networks were present .
Fixed a bug where the compat List endpoint for Networks returned nulls, instead of empty maps, for networks that do not have Labels and/or Options.
The Libpod Inspect endpoint for networks (/libpod/network/$ID/json) now has an alias at /libpod/network/$ID .
Fixed a bug where the libpod Inspect endpoint for Networks returned a 1-size array of results, instead of a single result .
The Compat List endpoint for Networks now supports the legacy format for filters in parallel with the current filter format .
Fixed a bug where the compat Create endpoint for Containers did not properly handle tmpfs filesystems specified with options .
Fixed a bug where the compat Create endpoint for Containers did not create bind-mount source directories .
Fixed a bug where the compat Create endpoint for Containers did not properly handle the NanoCpus option .
Fixed a bug where the Libpod create endpoint for Containers has a misnamed field in its JSON.
Fixed a bug where the compat List endpoint for Containers did not populate information on forwarded ports
Fixed a bug where the compat List endpoint for Containers did not populate information on container CNI networks .
Fixed a bug where the compat and libpod Stop endpoints for Containers would ignore a timeout of 0.
Fixed a bug where the compat and libpod Resize endpoints for Containers did not set the correct terminal sizes (dimensions were reversed) .
Fixed a bug where the compat Remove endpoint for Containers would not return 404 when attempting to remove a container that does not exist .
Fixed a bug where the compat Prune endpoint for Volumes would still prune even if an invalid filter was specified.
Numerous bugs related to filters have been addressed.

Update podman to 3.0.1

3.0.1:

Changes:

Several frequently-occurring WARN level log messages have been downgraded to INFO or DEBUG to not clutter terminal output.

Bugfixes:

Fixed a bug where the Created field of podman ps --format=json was formatted as a string instead of an Unix timestamp (integer) .
Fixed a bug where failing lookups of individual layers during the podman images command would cause the whole command to fail without printing output.
Fixed a bug where --cgroups=split did not function properly on cgroups v1 systems.
Fixed a bug where mounting a volume over an directory in the container that existed, but was empty, could fail .
Fixed a bug where mounting a volume over a directory in the container that existed could copy the entirety of the container's rootfs, instead of just the directory mounted over, into the volume .
Fixed a bug where Podman would treat the --entrypoint=[''] option to podman run and podman create as a literal empty string in the entrypoint, when instead it should have been ignored .
Fixed a bug where Podman would set the HOME environment variable to '' when the container ran as a user without an assigned home directory .
Fixed a bug where specifying a pod infra image that had no tags (by using its ID) would cause podman pod create to panic .
Fixed a bug where the --runtime option was not properly handled by the podman build command .
Fixed a bug where Podman would incorrectly print an error message related to the remote API when the remote API was not in use and starting Podman failed.
Fixed a bug where Podman would change ownership of a container's working directory, even if it already existed .
Fixed a bug where the podman generate systemd --new command would incorrectly escape %t when generating the path for the PID file .
Fixed a bug where Podman could, when run inside a Podman container with the host's containers/storage directory mounted into the container, erroneously detect a reboot and reset container state if the temporary directory was not also mounted in .
Fixed a bug where some options of the podman build command (including but not limited to --jobs) were nonfunctional . ### API
Fixed a breaking change to the Libpod Wait API for Containers where the Conditions parameter changed type in Podman v3.0 .
Fixed a bug where the Compat Create endpoint for Containers did not properly handle forwarded ports that did not specify a host port.
Fixed a bug where the Libpod Wait endpoint for Containers could write duplicate headers after an error occurred.
Fixed a bug where the Compat Create endpoint for Images would not pull images that already had a matching tag present locally, even if a more recent version was available at the registry .
The Compat Create endpoint for Images has had its compatibility with Docker improved, allowing its use with the docker-java library. ### Misc
Updated Buildah to v1.19.4
Updated the containers/storage library to v1.24.6

3.0.0:

Features:

Podman now features initial support for Docker Compose.
Added the podman rename command, which allows containers to be renamed after they are created .
The Podman remote client now supports the podman copy command.
A new command, podman network reload, has been added. This command will re-configure the network of all running containers, and can be used to recreate firewall rules lost when the system firewall was reloaded (e.g. via firewall-cmd --reload).
Podman networks now have IDs. They can be seen in podman network ls and can be used when removing and inspecting networks. Existing networks receive IDs automatically.
Podman networks now also support labels. They can be added via the --label option to network create, and podman network ls can filter labels based on them.
The podman network create command now supports setting bridge MTU and VLAN through the --opt option .
The podman container checkpoint and podman container restore commands can now checkpoint and restore containers that include volumes.
The podman container checkpoint command now supports the --with-previous and --pre-checkpoint options, and the podman container restore command now support the --import-previous option. These add support for two-step checkpointing with lowered dump times.
The podman push command can now push manifest lists. Podman will first attempt to push as an image, then fall back to pushing as a manifest list if that fails.
The podman generate kube command can now be run on multiple containers at once, and will generate a single pod containing all of them.
The podman generate kube and podman play kube commands now support Kubernetes DNS configuration, and will preserve custom DNS configuration when exporting or importing YAML .
The podman generate kube command now properly supports generating YAML for containers and pods creating using host networking (--net=host) .
The podman kill command now supports a --cidfile option to kill containers given a file containing the container's ID .
The podman pod create command now supports the --net=none option .
The podman volume create command can now specify volume UID and GID as options with the UID and GID fields passed to the the --opt option.
Initial support has been added for Docker Volume Plugins. Podman can now define available plugins in containers.conf and use them to create volumes with podman volume create --driver.
The podman run and podman create commands now support a new option, --platform, to specify the platform of the image to be used when creating the container.
The --security-opt option to podman run and podman create now supports the systempaths=unconfined option to unrestrict access to all paths in the container, as well as mask and unmask options to allow more granular restriction of container paths.
The podman stats --format command now supports a new format specified, MemUsageBytes, which prints the raw bytes of memory consumed by a container without human-readable formatting [#8945].
The podman ps command can now filter containers based on what pod they are joined to via the pod filter .
The podman pod ps command can now filter pods based on what networks they are joined to via the network filter.
The podman pod ps command can now print information on what networks a pod is joined to via the .Networks specifier to the --format option.
The podman system prune command now supports filtering what containers, pods, images, and volumes will be pruned.
The podman volume prune commands now supports filtering what volumes will be pruned.
The podman system prune command now includes information on space reclaimed .
The podman info command will now properly print information about packages in use on Gentoo and Arch systems.
The containers.conf file now contains an option for disabling creation of a new kernel keyring on container creation .
The podman image sign command can now sign multi-arch images by producing a signature for each image in a given manifest list.
The podman image sign command, when run as rootless, now supports per-user registry configuration files in $HOME/.config/containers/registries.d.
Configuration options for slirp4netns can now be set system-wide via the NetworkCmdOptions configuration option in containers.conf.
The MTU of slirp4netns can now be configured via the mtu= network command option (e.g. podman run --net slirp4netns:mtu=9000).

Security:

A fix for CVE-2021-20199 is included. Podman between v1.8.0 and v2.2.1 used 127.0.0.1 as the source address for all traffic forwarded into rootless containers by a forwarded port; this has been changed to address the issue. (bsc#1181640)

Changes:

Shortname aliasing support has now been turned on by default. All Podman commands that must pull an image will, if a TTY is available, prompt the user about what image to pull.
The podman load command no longer accepts a NAME[:TAG] argument. The presence of this argument broke CLI compatibility with Docker by making docker load commands unusable with Podman .
The Go bindings for the HTTP API have been rewritten with a focus on limiting dependency footprint and improving extensibility. Read more [here].
The legacy Varlink API has been completely removed from Podman.
The default log level for Podman has been changed from Error to Warn.
The podman network create command can now create macvlan networks using the --driver macvlan option for Docker compatibility. The existing --macvlan flag has been deprecated and will be removed in Podman 4.0 some time next year.
The podman inspect command has had the LogPath and LogTag fields moved into the LogConfig structure (from the root of the Inspect structure). The maximum size of the log file is also included.
The podman generate systemd command no longer generates unit files using the deprecated KillMode=none option .
The podman stop command now releases the container lock while waiting for it to stop - as such, commands like podman ps will no longer block until podman stop completes .
Networks created with podman network create --internal no longer use the dnsname plugin. This configuration never functioned as expected.
Error messages for the remote Podman client have been improved when it cannot connect to a Podman service.
Error messages for podman run when an invalid SELinux is specified have been improved.
Rootless Podman features improved support for containers with a single user mapped into the rootless user namespace.
Pod infra containers now respect default sysctls specified in containers.conf allowing for advanced configuration of the namespaces they will share.
SSH public key handling for remote Podman has been improved. ### Bugfixes
Fixed a bug where the podman history --no-trunc command would truncate the Created By field .
Fixed a bug where root containers that did not explicitly specify a CNI network to join did not generate an entry for the network in use in the Networks field of the output of podman inspect .
Fixed a bug where, under some circumstances, container working directories specified by the image (via the WORKDIR instruction) but not present in the image, would not be created .
Fixed a bug where the podman generate systemd command would generate invalid unit files if the container was creating using a command line that included doubled braces ({{ and }}), e.g. --log-opt-tag={{.Name}} .
Fixed a bug where the podman generate systemd --new command could generate unit files including invalid Podman commands if the container was created using merged short options (e.g. podman run -dt) .
Fixed a bug where the podman generate systemd --new command could generate unit files that did not handle Podman commands including some special characters (e.g. $) ([#9176]
Fixed a bug where rootless containers joining CNI networks could not set a static IP address .
Fixed a bug where rootless containers joining CNI networks could not set network aliases .
Fixed a bug where the remote client could, under some circumstances, not include the Containerfile when sending build context to the server .
Fixed a bug where rootless Podman did not mount /sys as a new sysfs in some circumstances where it was acceptable.
Fixed a bug where rootless containers that both joined a user namespace and a CNI networks would cause a segfault. These options are incompatible and now return an error.
Fixed a bug where the podman play kube command did not properly handle CMD and ARGS from images .
Fixed a bug where the podman play kube command did not properly handle environment variables from images .
Fixed a bug where the podman play kube command did not properly print errors that occurred when starting containers.
Fixed a bug where the podman play kube command errored when hostNetwork was used .
Fixed a bug where the podman play kube command would always pull images when the :latest tag was specified, even if the image was available locally .
Fixed a bug where the podman play kube command did not properly handle SELinux configuration, rending YAML with custom SELinux configuration unusable .
Fixed a bug where the podman generate kube command incorrectly populated the args and command fields of generated YAML .
Fixed a bug where containers in a pod would create a duplicate entry in the pod's shared /etc/hosts file every time the container restarted .
Fixed a bug where the podman search --list-tags command did not support the --format option .
Fixed a bug where the http_proxy option in containers.conf was not being respected, and instead was set unconditionally to true .
Fixed a bug where rootless Podman could, on systems with a recent Conmon and users with a long username, fail to attach to containers .
Fixed a bug where the podman images command would break and fail to display any images if an empty manifest list was present in storage .
Fixed a bug where locale environment variables were not properly passed on to Conmon.
Fixed a bug where Podman would not build on the MIPS architecture .
Fixed a bug where rootless Podman could fail to properly configure user namespaces for rootless containers when the user specified a --uidmap option that included a mapping beginning with UID 0.
Fixed a bug where the podman logs command using the k8s-file backend did not properly handle partial log lines with a length of 1 .
Fixed a bug where the podman logs command with the --follow option did not properly handle log rotation .
Fixed a bug where user-specified HOSTNAME environment variables were overwritten by Podman .
Fixed a bug where Podman would applied default sysctls from containers.conf in too many situations (e.g. applying network sysctls when the container shared its network with a pod).
Fixed a bug where Podman did not properly handle cases where a secondary image store was in use and an image was present in both the secondary and primary stores .
Fixed a bug where systemd-managed rootless Podman containers where the user in the container was not root could fail as the container's PID file was not accessible to systemd on the host .
Fixed a bug where the --privileged option to podman run and podman create would, under some circumstances, not disable Seccomp .
Fixed a bug where the podman exec command did not properly add capabilities when the container or exec session were run with --privileged.
Fixed a bug where rootless Podman would use the --enable-sandbox option to slirp4netns unconditionally, even when pivot_root was disabled, rendering slirp4netns unusable when pivot_root was disabled .
Fixed a bug where podman build --logfile did not actually write the build's log to the logfile.
Fixed a bug where the podman system service command did not close STDIN, and could display user-interactive prompts .
Fixed a bug where the podman system reset command could, under some circumstances, remove all the contents of the XDG_RUNTIME_DIR directory .
Fixed a bug where the podman network create command created CNI configurations that did not include a default gateway .
Fixed a bug where the podman.service systemd unit provided by default used the wrong service type, and would cause systemd to not correctly register the service as started .
Fixed a bug where, if the TMPDIR environment variable was set for the container engine in containers.conf, it was being ignored.
Fixed a bug where the podman events command did not properly handle future times given to the --until option .
Fixed a bug where the podman logs command wrote container STDERR logs to STDOUT instead of STDERR .
Fixed a bug where containers created from an image with multiple tags would report that they were created from the wrong tag .
Fixed a bug where container capabilities were not set properly when the --cap-add=all and --user options to podman create and podman run were combined.
Fixed a bug where the --layers option to podman build was nonfunctional .
Fixed a bug where the podman system prune command did not act recursively, and thus would leave images, containers, pods, and volumes present that would be removed by a subsequent call to podman system prune .
Fixed a bug where the --publish option to podman run and podman create did not properly handle ports specified as a range of ports with no host port specified .
Fixed a bug where --format did not support JSON output for individual fields .
Fixed a bug where the podman stats command would fail when run on root containers using the slirp4netns network mode .
Fixed a bug where the Podman remote client would ask for a password even if the server's SSH daemon did not support password authentication .
Fixed a bug where the podman stats command would fail if the system did not support one or more of the cgroup controllers Podman supports .
Fixed a bug where the --mount option to podman create and podman run did not ignore the consistency mount option.
Fixed a bug where failures during the resizing of a container's TTY would print the wrong error.
Fixed a bug where the podman network disconnect command could cause the podman inspect command to fail for a container until it was restarted .
Fixed a bug where containers created from a read-only rootfs (using the --rootfs option to podman create and podman run) would fail .
Fixed a bug where specifying Go templates to the --format option to multiple Podman commands did not support the join function .
Fixed a bug where the podman rmi command could, when run in parallel on multiple images, return layer not known errors .
Fixed a bug where the podman inspect command on containers displayed unlimited ulimits incorrectly .
Fixed a bug where Podman would fail to start when a volume was mounted over a directory in a container that contained symlinks that terminated outside the directory and its subdirectories . ### API
All Libpod Pod APIs have been modified to properly report errors with individual containers. Cases where the operation as a whole succeeded but individual containers failed now report an HTTP 409 error .
The Compat API for Containers now supports the Rename and Copy APIs.
Fixed a bug where the Compat Prune APIs (for volumes, containers, and images) did not return the amount of space reclaimed in their responses.
Fixed a bug where the Compat and Libpod Exec APIs for Containers would drop errors that occurred prior to the exec session successfully starting (e.g. a 'no such file' error if an invalid executable was passed)
Fixed a bug where the Volumes field in the Compat Create API for Containers was being ignored .
Fixed a bug where the NetworkMode field in the Compat Create API for Containers was not handling some values, e.g. container:, correctly.
Fixed a bug where the Compat Create API for Containers did not set container name properly.
Fixed a bug where containers created using the Compat Create API unconditionally used Kubernetes file logging (the default specified in containers.conf is now used).
Fixed a bug where the Compat Inspect API for Containers could include container states not recognized by Docker.
Fixed a bug where Podman did not properly clean up after calls to the Events API when the journald backend was in use, resulting in a leak of file descriptors .
Fixed a bug where the Libpod Pull endpoint for Images could fail with an index out of range error under certain circumstances .
Fixed a bug where the Libpod Exists endpoint for Images could panic.
Fixed a bug where the Compat List API for Containers did not support all filters .
Fixed a bug where the Compat List API for Containers did not properly populate the Status field.
Fixed a bug where the Compat and Libpod Resize APIs for Containers ignored the height and width parameters .
Fixed a bug where the Compat Search API for Images returned an incorrectly-formatted JSON response .
Fixed a bug where the Compat Load API for Images did not properly clean up temporary files.
Fixed a bug where the Compat Create API for Networks could panic when an empty IPAM configuration was specified.
Fixed a bug where the Compat Inspect and List APIs for Networks did not include Scope.
Fixed a bug where the Compat Wait endpoint for Containers did not support the same wait conditions that Docker did.

Package	Affected Version
pkg:rpm/suse/libcontainers-common?arch=noarch&distro=sles-15&sp=2	< 20210626-150100.3.15.1
pkg:rpm/suse/libcontainers-common?arch=noarch&distro=sles-15&sp=1	< 20210626-150100.3.15.1

ID

SUSE-SU-2022:3312-1

Severity

moderate

URL

https://www.suse.com/support/update/announcement/2022/suse-su-20223312-1/

Published

2022-09-19T15:36:55
(2 years ago)

Modified

2022-09-19T15:36:55
(2 years ago)

Rights

Other Advisories

Source	Name	URL
Suse	SUSE ratings	https://www.suse.com/support/security/rating/
Suse	URL of this CSAF notice	https://ftp.suse.com/pub/projects/security/csaf/suse-su-2022_3312-1.json
Suse	URL for SUSE-SU-2022:3312-1	https://www.suse.com/support/update/announcement/2022/suse-su-20223312-1/
Suse	E-Mail link for SUSE-SU-2022:3312-1	https://lists.suse.com/pipermail/sle-security-updates/2022-September/012287.html
Bugzilla	SUSE Bug 1176804	https://bugzilla.suse.com/1176804
Bugzilla	SUSE Bug 1177598	https://bugzilla.suse.com/1177598
Bugzilla	SUSE Bug 1181640	https://bugzilla.suse.com/1181640
Bugzilla	SUSE Bug 1182998	https://bugzilla.suse.com/1182998
Bugzilla	SUSE Bug 1188520	https://bugzilla.suse.com/1188520
Bugzilla	SUSE Bug 1189893	https://bugzilla.suse.com/1189893
CVE	SUSE CVE CVE-2020-14370 page	https://www.suse.com/security/cve/CVE-2020-14370/
CVE	SUSE CVE CVE-2020-15157 page	https://www.suse.com/security/cve/CVE-2020-15157/
CVE	SUSE CVE CVE-2021-20199 page	https://www.suse.com/security/cve/CVE-2021-20199/
CVE	SUSE CVE CVE-2021-20291 page	https://www.suse.com/security/cve/CVE-2021-20291/
CVE	SUSE CVE CVE-2021-3602 page	https://www.suse.com/security/cve/CVE-2021-3602/

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:rpm/suse/libcontainers-common?arch=noarch&distro=sles-15&sp=2	suse	libcontainers-common	< 20210626-150100.3.15.1	sles-15	noarch
Affected	pkg:rpm/suse/libcontainers-common?arch=noarch&distro=sles-15&sp=1	suse	libcontainers-common	< 20210626-150100.3.15.1	sles-15	noarch

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date