fix(deps): update module github.com/containers/podman/v4 to v4.9.4 [security] - autoclosed #500
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v4.5.0
->v4.9.4
GitHub Vulnerability Alerts
CVE-2024-1753
Impact
What kind of vulnerability is it? Who is impacted?
Users running containers with root privileges allowing a container to run with read/write access to the host system files when selinux is not enabled. With selinux enabled, some read access is allowed.
Patches
From @nalind . This is a patch for Buildah (https://github.com/containers/buildah). Once fixed there, Buildah will be vendored into Podman.
Reproducer
Prior to testing, as root, add a memorable username to
/etc/passwd
via adduser or your favorite editor. Also create a memorably named file in/
. Suggest:touch /SHOULDNTSEETHIS.txt
andadduser SHOULDNTSEETHIS
. After testing, remember to remove both the file and the user from your system.Use the following Containerfile
To Test
Testing with an older version of Podman with the issue
As part of the printout from the build, you should be able to see the contents of the
/' and
/etcdirectories, including the
/SHOULDNOTSEETHIS.txtfile that you created, and the contents of the
/etc/passwdfile which will include the
SHOULDNOTSEETHISuser that you created. In addition, the file
/BIND_BREAKOUTand
/etc/BIND_BREAKOUT2` will exist on the host after the command is completed. Be sure to remove those two files between tests.Neither the
/BIND_BREAKEOUT
or/etc/BIND_BREAKOUT2
files should be created. An error should be raised during the build when both files are trying to be created. Also, errors will be raised when the build tries to display the contents of the/etc/passwd
file, and nothing will be displayed from that file.However, the files in both the
/
and/etc
directories on the host system will be displayed.Testing with the patch
Use the same commands as testing with an older version of Podman.
When running using the patched version of Podman, regardless of the
setenforce
settings, you should not see the file that you created or the user that you added. Also the/BIND_BREAKOUT
and the/etc/BIND_BREAKOUT
will not exist on the host after the test completes.NOTE: With the fix, the contents of the
/
and/etc
directories, and the/etc/passwd
file will be displayed, however, it will be the file and contents from the container image, and NOT the host system. Also the/BIND_BREAKOUT
and/etc/BIND_BREAKOUT
files will be created in the container image.Workarounds
Ensure selinux controls are in place to avoid compromising sensitive system files and systems. With "setenforce 0" set, which is not at all advised, the root file system is open for modification with this exploit. With "setenfoce 1" set, which is the recommendation, files can not be changed. However, the contents of the
/
directory can be displayed. I.e.,ls -alF /
will show the contents of the host directory.References
Unknown.
Release Notes
containers/podman (github.com/containers/podman/v4)
v4.9.4
Compare Source
Security
podman build
which allowed a user to write files to the/
directory of the host machine if selinux was not enabled.Bugfixes
v4.9.3
Compare Source
Features
podman container commit
command now features a--config
option which accepts a filename containing a JSON-encoded container configuration to be merged in to the newly-created image.v4.9.2
Compare Source
Security
Misc
v4.9.1
Compare Source
Bugfixes
--rootful
option topodman machine set
would not set the machine to use the root connection (#21195).euid != 0
and capabilities set (#20766).podman info
command would crash on if called multiple times when podman was running aseuid=0
withoutCAP_SYS_ADMIN
(#20908).podman machine
commands were not relayed to the correct machine on AppleHV (#21115).podman machine list
andpodman machine inspect
commands would not show the correctLast Up
time on AppleHV (#21244).Misc
v4.9.0
Compare Source
Features
podman farm
suite of commands for multi-architecture builds is now fully enabled and documented.Bugfixes
podman machine
did not forward the API socket to the host machine.podman kube play
could cause Podman to panic.podman system reset
could fail if non-Podman containers (e.g. containers created by Buildah) were present.Misc
podman machine
VMs now default to a PID limit of unlimited, instead of 2048.v4.8.3
Compare Source
Security
v4.8.2
Compare Source
Bugfixes
Quadlet
v4.8.1
Compare Source
Bugfixes
podman kube play --replace
, the pod is removed on the client side, not the server side (#20705).podman machine rm -f
would cause a deadlock when running with WSL.database is locked
errors with the new sqlite database backend (#20809).podman-remote exec
would fail if the server API version is older than 4.8.0 (#20821).v4.8.0
Compare Source
Features
CONTAINERS_MACHINE_PROVIDER
environment variable, or via containers.conf. HyperV requires Powershell to be run as Admin. Note that running WSL and HyperV machines at the same time is not supported.podman build
command now supports Containerfiles with heredoc syntax.podman login
andpodman logout
commands now support a new option,--compat-auth-file
, which allows for editing Docker-compatible config files (#18617).podman machine init
andpodman machine set
commands now support a new option,--usb
, which sets allows USB passthrough for the QEMU provider (#16707).--ulimit
option now supports setting -1 to indicate the maximum limit allowed for the current process (#19319).podman play kube
command now supports theBUILDAH_ISOLATION
environment variable to change build isolation when the--build
option is set (#20024).podman volume create
command now supports--opt o=size=XYZ
on tmpfs file systems (#20449).podman info
command for remote calls now reports client information even if the remote connection is unreachableprivileged
, to containers.conf, which sets the defaults for the--privileged
flag when creating, running or exec'ing into a container.podman kube play
command now supports setting DefaultMode for volumes (#19313).--opt
option to thepodman network create
command now accepts a new driver specific option,vrf
, which assigns a VRF to the bridge interface.--rdt-class=COS
has been added to thepodman create
andpodman run
commands that enables assigning a container to a Class Of Service (COS). The COS has to be pre-configured based on a pseudo-filesystem created by the resctrl kernel driver that enables interacting with the Intel RDT CAT feature.podman kube play
command now supports a new option,--publish-all
, which exposes all containerPorts on the host.label!=
, which filters for containers without the specified label.Upcoming Deprecations
containers.conf
settings when creating and managing containers.Changes
--help
option to thepodman push
command now shows the compression algorithm used.commit
command now shows progress messages (#19947).podman kube play
command now sets the pod hostname to the node/machine name when hostNetwork=true in k8s yaml (#19321).--tty,-t
option to thepodman exec
command now defines the TERM environment variable even if the container is not running with a terminal (#20334).helper_binaries_dir
option in containers.conf to lookup the init binary (catatonit).applehv
,qemu
,wsl
, andhyperv
are no longer valid Podman machine namesQuadlet
UIDMap
,GIDMap
,SubUIDMap
, andSubGIDMap
options in .container files.ReadOnlyTmpfs
option.ImageName
for .image files.--force
, to the stop command.oneshot
service type for .kube files, which allows yaml files without containers..image
.Bugfixes
--uts
and--network
options tohost
did not fill /etc/hostname with the host's name (#20448).build
command would incorrectly parse https paths (#20475).podman exec
command would leak sessions when the specified command does not existFixed a bug where thepodman exec
command would leak sessions when the specified command does not exist (#20392).podman history
command did not display the size of certain layers (#20375).--restart always/on-failure
would not correctly cleanup the netnsm on restart, resulting in leaked ips and network namespaces (#18615).podman top
command would incorrectly parse options (#19176).--read-only-tmpfs
option to thepodman run
command was incorrectly handled when the--read-only
option was set (#20225).--filter
option to thepodman images
command would not correctly filter ids, digests, or intermediates (#19966).--replace
option to thepodman run
command would print both the old and new container ID. Now, only the new container ID is printed.podman machine ls
command would show Creation time as LastUp time for machines that have never been booted. Now, new machines showNever
, with the json value being ZeroTime.podman build
command where the default pull policy was not set tomissing
(#20125).containers.conf
would lead to cleanup errors (#19938).podman kube play
command exposed all containerPorts on the host (#17028).podman farm update
command did not verify farm and connection existence before updating (#20080).--connection
option while theCONTAINER_HOST
environment variable was set. The active destination is not resolved with the correct priority, that is, CLI flags, env vars, ActiveService from containers.conf, RemoteURI (#15588).--env-host
option was not honoring the default from containers.confAPI
Misc
v4.7.2
Compare Source
Security
Bugfixes
podman compose
command.podman compose
to try all configured providers before throwing an error (#20502).v4.7.1
Compare Source
Bugfixes
API
v4.7.0
Compare Source
Security
Features
podman farm [create,list,remove,update]
has been created to "farm" out builds to machines running Podman for different architectures.podman compose
as a thin wrapper around an external compose provider such as docker-compose or podman-compose.podman run --device
is now supported.--module
flag for Podman.podmansh_timeout
option in containers.conf.podman build
command now supports two new options:--layer-label
and--cw
.podman kube generate
command now supports generation of k8s DaemonSet kind (#18899).podman kube generate
andpodman kube play
commands now support the k8sTerminationGracePeriodSeconds
field (RH BZ#2218061).podman kube generate
andpodman kube play
commands now supportsecurityContext.procMount: Unmasked
(#19881).podman generate kube
command now supports a--podman-only
flag to allow podman-only reserved annotations to be used in the generated YAML file. These annotations cannot be used by Kubernetes.podman kube generate
now supports a--no-trunc
flag that supports YAML files with annotations longer than 63 characters. Warning: if an annotation is longer than 63 chars, then the generated yaml file is not Kubernetes compatible.io.podman.annotations.infra.name
is added in the generated yaml when thepod create
command has--infra-name
set. This annotation can also be used withkube play
when wanting to customize the infra container name (#18312).--uidmap
and--gidmap
has been extended to lookup the parent user namespace and to extend default mappings (#18333).podman kube
commands now support theList
kind (#19052).podman kube play
command now supports environment variables in kube.yaml (#15983).podman push
andpodman manifest push
commands now support the--force-compression
optionto prevent reusing other blobs (#18860).podman manifest push
command now supports--add-compression
to push with compressed variants.podman manifest push
command now honors theadd_compression
field from containers.conf if--add-compression
is not set.podman run
andpodman create --mount
commands now support theramfs
type (#19659).--add-host
option now accepts the special stringhost-gateway
instead of an IP Address, which will be mapped to the host IP address.podman generate systemd
command is deprecated. Use Quadlet for running containers and pods under systemd.podman secret rm
command now supports an--ignore
option.--env-file
option now supports multiline variables (#18724).--read-only-tmpfs
flag now affects /dev and /dev/shm as well as /run, /tmp, /var/tmp (#12937).--mount
option now supports bind mounts passed as globs.--mount
option can now be specified in containers.conf using themounts
field.podman stats
now has an--all
option to get all containers stats (#19252).--sdnotify=healthy
policy where Podman sends the READY message once the container turns healthy (#6160)./var/tmp
will automatically be cleaned up on reboot.since
forpodman volume ls
andpodman volume prune
(#19228).podman inspect
command now has tab-completion support (#18672).podman kube play
command now has support for the use of reserved annotations in the generated YAML.podman secret inspect
command supports a new option--showsecret
which will output the actual secret.podman secret create
now supports a--replace
option, which allows you to modify secrets without replacing containers.podman login
command can now read the secret for a registry from its secret database created withpodman secret create
(#18667).podman play kube
command now works with the--userns
option (#17392).Changes
/tmp
and/var/tmp
inside of apodman kube play
will no longer benoexec
.podman kube play
has been improved to only pull a newer image for the "latest" tag (#19801).oci
transport will use the optional name for naming the image.podman info
command will always display the existence of the Podman socket.podman generate systemd
.podman auto-update
manpage and documentation has been updated and now includes references to Quadlet.Quadlet
Volume
andNetwork
units via theVolumeName
andNetworkName
directives, respectively.Bugfixes
podman kill
.podman rm -af
could fail to remove containers under some circumstances (#18874).--hostuser
was being parsed in base 8 instead of base 10 (#19800).kube down
would error when an object did not exist (#19711).podman exec
to set umask to match the container it's execing into (#19713).podman kube play
failed to set a container's Umask to the default0022
.podman top
would sometimes not print the full output (#19504).podman logs --tail
could return incorrect lines when the k8s-file logger is used (#19545).podman stop
did not ignore cidfile not existing when user specified --ignore flag (#19546).--volumes-from
option that used the same path could not be created (#19529).podman cp
via STDIN did not delete temporary files (#19496).podman run --rmi
did not remove the container (#15640).podman inspect
to show a.NetworkSettings.SandboxKey
path for containers created with --net=none (#16716).podman machine start
using the QEMU provider (#18662).podman run
andpodman create
where the command fails if the user specifies a non-existent authfile path (#18938).podman info
output (#19340)..HostConfig.PublishAllPorts
always evaluates tofalse
when inspecting a container created with--publish-all
.podman image trust
command to allow using the local policy.json file (#19073).--syslog
flag was not passed to the cleanup process.API
Misc
v4.6.2
Compare Source
Changes
podman system df
command should see a significant performance improvement (#19467).Bugfixes
API
Misc
v4.6.1
Compare Source
Quadlet
API
Misc
v4.6.0
Compare Source
Features
podman manifest inspect
command now supports the--authfile
option, for authentication purposes.podman wait
command now supports--condition={healthy,unhealthy}
, allowing waits on successful health checks.podman push
command now supports a new option,--compression-level
, which specifies the compression level to use (#18939).podman machine start
command, when run with--log-level=debug
, now creates a console window to display the virtual machine while booting.--imagestore
, which allows images to be stored in a different directory than the graphroot.--ip-range
option to thepodman network create
command now accepts a new syntax,<startIP>-<endIP>
, which allows more flexibility when limiting the ip range that Podman assigns.podmansh
, has been added, which executes a user shell within a container when the user logs into the system. The container that the users get added to can be defined via a Podman Quadlet file. This feature is currently aTech Preview
which means it's ready for users to try out but changes can be expected in upcoming versions.podman network create
command supports a new--option
,bclim
, for themacvlan
driver.podman network create
command now supports adding static routes using the--route
option.podman network create
command supports a new--option
,no_default_route
for all drivers.podman info
command now prints network information about the binary path, package version, program version and DNS information (#18443).podman info
command now displays the number of free locks available, helping to debug lock exhaustion scenarios.podman info
command now outputs information about pasta, if it exists in helper_binaries_dir or $PATH.podman build
command now accepts Containerfiles that are not in the context directory (#18239).podman play kube
command now supports the--configmap
option (#17513).podman kube play
command now supports multi-doc YAML files for configmap arguments. (#18537).podman pod create
command now supports a new flag,--restart
, which sets the restart policy for all the containers in a pod.--format={{.Restarts}}
option to thepodman ps
command now shows the number of times a container has been restarted based on its restart policy.--format={{.Restarts}}
option to thepodman pod ps
command now shows the total number of container restarts in a pod.CONTAINERS_MACHINE_PROVIDER
environment variable, as well as via theprovider
field incontainers.conf
(#17116).containers.conf
viapasta_options
.podman machine init
andpodman machine set
commands now support a new option,--user-mode-networking
, which improves interops with VPN configs that drop traffic from WSL networking, on Windows.podman push
command now supports the--digestfile
option (#18216).--out
, that allows redirection or suppression of STDOUT (#18120).Changes
podman system service
command now emits a warning when binding to a TCP socket. This is not a secure configuration and the Podman team recommends against using it.podman top
command no longer depends on ps(1) being present in the container image and now uses the one from the host (#19001).--filter id=xxx
option will now treatxxx
as a CID prefix, and not as a regular expression (#18471).--filter
option now requires multiple--filter
flags to specify multiple filters. It will no longer support the comma syntax (--filter label=a,label=b
).slirp4netns
binary for will now be searched for in paths specified by thehelper_binaries_dir
option incontainers.conf
(#18239)./run/docker.sock
within the guest to be consistent with its rootless/rootful setting (#18480).podman system df
command now counts files which podman generates for use with specific containers as part of the disk space used by those containers, and which can be reclaimed by removing those containers. It also counts space used by files it associates with specific images and volumes as being used by those images and volumes.podman build
command now returns a clearer error message when the Containerfile cannot be found. (#16354).--pid=host
will no longer print errors on podman stop (#18460).podman manifest push
command no longer requires a destination to be specified. If a destination is not provided, the source is used as the destination (#18360).podman system reset
command now warns the user that the graphroot and runroot directories will be deleted (#18349), (#18295).package
andpackage-install
targets in Makefile have now been fixed and also renamed torpm
andrpm-install
respectively for clarity (#18817).Quadlet
/etc/containers/systemd/users
directory.AutoUpdate
option.Mask
andUnmask
options.WorkingDir
option, which specifies the default working dir in a container.Sysctl
option, which sets namespaced kernel parameters for containers (#18727).SecurityLabelNetsted=true
option, which allows nested SELinux containers.Pull
option in.container
files (#18779).ExitCode
field in.kube
files, which reflects the exit codes of failed containers.PodmanArgs
field.HostName
field, which sets the container's host name, in.container
files (#18486).Bugfixes
podman machine start
command would fail with a 255 exit code. It now waits for systemd-user sessions to be up, and for SSH to be ready, addressing the flaky machine starts (#17403).podman auto update
command did not correctly use authentication files when contacting container registries.--label
option to thepodman volume ls
command would return volumes that matched any of the filters, not all of them (#19219).podman kube play
command did not recognize containerPort names inside Kubernetes liveness probes. Now, liveness probes support both containerPort names as well as port numbers (#18645).--dns
option to thepodman run
command was ignored for macvlan networks (#19169).podman system service
command where setting LISTEN_FDS when listening on TCP would misbehave.podman pod run
command would error after a reboot on a non-systemd system (#19175).--syslog
option returned a fatal error when no syslog server was found (#19075).--mount
option would parse thereadonly
option incorrectly (#18995).podman run
command set an incorrect working directory. It now sets the correct working directory pointing to the container bundle directory (#18907).-device-cgroup-rule
option was silently ignored in rootless mode (#18698).--force
option to thepodman kube down
command would not remove volumes (#18797).--list-tags
option in thepodman search
command would cause the command to ignore the--format
option (#18939).podman machine start
command did not properly translate the proxy IP.podman auto-update
command would not restart dependent units (specified viaRequires=
) on auto update (#18926).podman pull
command would print ids multiple times when using additional stores (#18647).podman rm -fa
command could fail to remove dependency containers such as pod infra containers (#18180).--tz
option to thepodman create
andpodman run
commands would not create a proper localtime symlink to the zoneinfo file, which was causing some applications (e.g. java) to not read the timezone correctly.--filter volume=
option to thepodman events
command would not display the relevant events (#18618).podman wait
command where containers created with the--restart=always
option would result in the container staying in a stopped state.podman stats
command returned an incorrect memory limit after acontainer update
. (#18621).podman run
command where thePODMAN_USERNS
environment variable was not ignored when the--pod
option was set, resulting in a container created in a different user namespace than its pod (#18580).podman run
command would not create the/run/.containerenv
when the tmpfs is mounted on/run
(#18531).$HOME
environment variable would be configured inconsistently between container starts if a new passwd entry had to be created for the container.podman play kube
command would restart initContainers based on the restart policy of the pod. initContainers should never be restarted.build
command where an invalid platform would be set.podman history
command did not display tags (#17763).podman machine init
command would create invalid machines when run with certain UIDs (#17893).podman manifest push
command where an error encountered during the push incorrectly claimed that the error occurred while adding an item to the list.podman machine rm
command would remove the machine connection before the user confirms the removal of the machine (#18330).starting
state (#16945).--network=container:
option would fail when the target container uses the host network mode. The same also now works for the other namespace options (--pid
,--uts
,--cgroupns
,--ipc
) (#18027).--format {{.State}}
option to thepodman ps
command would display the status rather than the state (#18244).podman commit
command where setting a--message
while also specifying--format=docker
options would incorrectly warn that setting a message is incompatible with OCI image formats (#17773).--format
option to thepodman history
command, where the{{.CreatedAt}}
and{{.Size}}
fields were inconsistent with Docker’s output (#17767), (#17768).API
online_cpus
field was not set correctly (#15754).sha256:
(#17762).platform
parameter (#18951).noprune
query parameter, which ensures that dangling parents of the specified image are not removedMisc
podman system service
command is now supported on FreeBSD.v4.5.1
Compare Source
Security
Quadlet
Bugfixes
make package
did not work on RHEL 8 environments (#18421).podman network create --dns
andConfiguration
📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.