diff --git a/0001-Backport-fix-for-CVE-2024-6104.patch b/0001-Backport-fix-for-CVE-2024-6104.patch
deleted file mode 100644
index 5e640ce..0000000
--- a/0001-Backport-fix-for-CVE-2024-6104.patch
+++ /dev/null
@@ -1,84 +0,0 @@ -From 1a3445769d0a3c392487ec9480c0bfad07bde063 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= -Date: Sun, 30 Jun 2024 16:09:52 +0200 -Subject: [PATCH] Backport fix for CVE-2024-6104 - -This is https://github.com/hashicorp/go-retryablehttp/pull/158 only directly -applied to the vendor/ source tree -See also https://github.com/advisories/GHSA-v6v8-xj6m-xwqh ---- - .../hashicorp/go-retryablehttp/client.go | 28 ++++++++++++++----- - 1 file changed, 21 insertions(+), 7 deletions(-) - -diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go -index 12ac50bcc..efee53c40 100644 ---- a/vendor/github.com/hashicorp/go-retryablehttp/client.go -+++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go -@@ -658,9 +658,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) { - if logger != nil { - switch v := logger.(type) { - case LeveledLogger: -- v.Debug("performing request", "method", req.Method, "url", req.URL) -+ v.Debug("performing request", "method", req.Method, "url", redactURL(req.URL)) - case Logger: -- v.Printf("[DEBUG] %s %s", req.Method, req.URL) -+ v.Printf("[DEBUG] %s %s", req.Method, redactURL(req.URL)) - } - } - -@@ -715,9 +715,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) { - if err != nil { - switch v := logger.(type) { - case LeveledLogger: -- v.Error("request failed", "error", err, "method", req.Method, "url", req.URL) -+ v.Error("request failed", "error", err, "method", req.Method, "url", redactURL(req.URL)) - case Logger: -- v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, err) -+ v.Printf("[ERR] %s %s request failed: %v", req.Method, redactURL(req.URL), err) - } - } else { - // Call this here to maintain the behavior of logging all requests, -@@ -753,7 +753,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) { - - wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp) - if logger != nil { -- 
desc := fmt.Sprintf("%s %s", req.Method, req.URL) -+ desc := fmt.Sprintf("%s %s", req.Method, redactURL(req.URL)) - if resp != nil { - desc = fmt.Sprintf("%s (status: %d)", desc, resp.StatusCode) - } -@@ -818,11 +818,11 @@ func (c *Client) Do(req *Request) (*http.Response, error) { - // communicate why - if err == nil { - return nil, fmt.Errorf("%s %s giving up after %d attempt(s)", -- req.Method, req.URL, attempt) -+ req.Method, redactURL(req.URL), attempt) - } - - return nil, fmt.Errorf("%s %s giving up after %d attempt(s): %w", -- req.Method, req.URL, attempt, err) -+ req.Method, redactURL(req.URL), attempt, err) - } - - // Try to read the response body so we can reuse this connection. -@@ -903,3 +903,17 @@ func (c *Client) StandardClient() *http.Client { - Transport: &RoundTripper{Client: c}, - } - } -+ -+// Taken from url.URL#Redacted() which was introduced in go 1.15. -+// We can switch to using it directly if we'll bump the minimum required go version. -+func redactURL(u *url.URL) string { -+ if u == nil { -+ return "" -+ } -+ -+ ru := *u -+ if _, has := ru.User.Password(); has { -+ ru.User = url.UserPassword(ru.User.Username(), "xxxxx") -+ } -+ return ru.String() -+} --- -2.45.2 - diff --git a/_service b/_service index 0586187..51ce820 100644 --- a/_service +++ b/_service @@ -2,7 +2,7 @@ https://github.com/containers/podman.git git - v5.1.2 + v5.2.0 @PARENT_TAG@ enable v(.*) diff --git a/_servicedata b/_servicedata index 74d8696..eb33d9f 100644 --- a/_servicedata +++ b/_servicedata @@ -1,4 +1,4 @@ https://github.com/containers/podman.git - 94a24974ab345324db1a1489c924af4b89d2d0e9 \ No newline at end of file + b22d5c61eef93475413724f49fd6a32980d2c746 \ No newline at end of file diff --git a/podman-5.1.2.obscpio b/podman-5.1.2.obscpio deleted file mode 100644 index f2cfbf2..0000000 --- a/podman-5.1.2.obscpio +++ /dev/null 
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:86ae9f9404e0f605de8cb2f056dd61a8929038c4e6eecacb7b5fc903ad4f2471
-size 109458446
diff --git a/podman-5.2.0.obscpio b/podman-5.2.0.obscpio
new file mode 100644
index 0000000..b6b3979
--- /dev/null
+++ b/podman-5.2.0.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:af6c274fbcbd4b432e137f8ca0c43bd638d2a286bd3cb0a2455e05c22bb64a7a
+size 109566478
diff --git a/podman.changes b/podman.changes
index 9cacca1..7e6f858 100644
--- a/podman.changes
+++ b/podman.changes
@@ -1,3 +1,162 @@
+-------------------------------------------------------------------
+Fri Aug 02 12:32:21 UTC 2024 - dcermak@suse.com
+
+- Update to version 5.2.0:
+
+### Features
+- Podman now supports `libkrun` as a backend for creating virtual machines on
+ MacOS. The `libkrun` backend has the advantage of allowing GPUs to be mounted
+ into the virtual machine to accelerate tasks. The default backend remains
+ `applehv`.
+- Quadlet now has support for `.build` files, which allows images to be built by
+ Quadlet and then used by Quadlet containers.
+- Quadlet `.container` files now support two new fields, `LogOpt` to specify
+ container logging configuration and `StopSignal` to specify container stop
+ signal ([#23050](https://github.com/containers/podman/issues/23050)).
+- Quadlet `.container` and `.pod` files now support a new field, `NetworkAlias`,
+ to add network aliases.
+- Quadlet drop-in search paths have been expanded to include top-level type
+ drop-ins (`container.d`, `pod.d`) and truncated unit drop-ins
+ (`unit-.container.d`)
+ ([#23158](https://github.com/containers/podman/issues/23158)).
+- Podman now supports a new command, `podman system check`, which will identify
+ (and, if possible, correct) corruption within local container storage.
+- The `podman machine reset` command will now reset all providers available on
+ the current operating system (e.g. ensuring that both HyperV and WSL `podman
+ machine` VMs will be removed on Windows).
+
+### Changes
+- Podman now requires the new kernel mount API, introducing a dependency on
+ Linux Kernel v5.2 or higher.
+- Quadlet `.image` units now have a dependency on `network-online.target`
+ ([#21873](https://github.com/containers/podman/issues/21873)).
+- The `--device` option to `podman create` and `podman run` is no longer ignored
+ when `--privileged` is also specified
+ ([#23132](https://github.com/containers/podman/issues/23132)).
+- The `podman start` and `podman stop` commands no longer print the full ID of
+ the pod started/stopped, but instead the user's input used to specify the pod
+ (e.g. `podman pod start b` will print `b` instead of the pod's full ID)
+ ([#22590](https://github.com/containers/podman/issues/22590)).
+- Virtual machines created by `podman machine` on Linux now use `virtiofs`
+ instead of `9p` for mounting host filesystems. Existing mounts will be
+ transparently changed on machine restart or recreation. This should improve
+ performance and reliability of host mounts. This requires the installation of
+ `virtiofsd` on the host system to function.
+- Using both the `--squash` and `--layers=false` options to `podman build` at
+ the same time is now allowed.
+- Podman now passes container's stop timeout to systemd when creating cgroups,
+ causing it to be honored when systemd stops the scope. This should prevent
+ hangs on system shutdown due to running Podman containers.
+- The `--volume-driver` option to `podman machine init` is now deprecated.
+
+### Bugfixes
+- Fixed a bug where rootless containers created with the `--sdnotify=healthy`
+ option could panic when started
+ ([#22651](https://github.com/containers/podman/issues/22651)).
+- Fixed a bug where containers created with the `--sdnotify=healthy` option that
+ exited quickly would sometimes return an error instead of notifying that the
+ container was ready
+ ([#22760](https://github.com/containers/podman/issues/22760)).
+- Fixed a bug where the `podman system reset` command did not remove the
+ containers/image blob cache
+ ([#22825](https://github.com/containers/podman/issues/22825)).
+- Fixed a bug where Podman would sometimes create a cgroup for itself even when
+ the `--cgroups=disabled` option was specified at container creation time
+ ([#20910](https://github.com/containers/podman/issues/20910)).
+- Fixed a bug where the `/etc/hosts` file in a container was not created with a
+ newline at the end of the file
+ ([#22729](https://github.com/containers/podman/issues/22729)).
+- Fixed a bug where the `podman start` command could sometimes panic when
+ starting a container in the stopped state.
+- Fixed a bug where the `podman system renumber` command would fail if volumes
+ existed when using the `sqlite` database backend
+ ([#23052](https://github.com/containers/podman/issues/23052)).
+- Fixed a bug where the `podman container restore` command could not
+ successfully restore a container in a pod.
+- Fixed a bug where an error message from `podman diff` would suggest using the
+ `--latest` option when using the remote Podman client
+ ([#23038](https://github.com/containers/podman/issues/23038)).
+- Fixed a bug where user could assign more memory to a Podman machine than
+ existed on the host
+ ([#18206](https://github.com/containers/podman/issues/18206)).
+- Fixed a bug where the `podman events` command was rarely unable to report
+ errors that occurred
+ ([#23165](https://github.com/containers/podman/issues/23165)).
+- Fixed a bug where containers run in systemd units would sometimes not be
+ removed correctly on exit when using the `--cidfile` option.
+- Fixed a bug where the first Podman command run after a reboot could cause hang
+ when using transient mode
+ ([#22984](https://github.com/containers/podman/issues/22984)).
+- Fixed a bug where Podman could throw errors about a database configuration
+ mismatch if certain paths did not exist on the host.
+- Fixed a bug where the `podman run` and `podman start` commands could throw
+ strange errors if another Podman process stopped the container at a midpoint
+ in the process of starting
+ ([#23246](https://github.com/containers/podman/issues/23246)).
+- Fixed a bug where the `podman system service` command could leak a mount on
+ termination.
+- Fixed a bug where the Podman remote client would panic if an invalid image
+ filter was passed to `podman images`
+ ([#23120](https://github.com/containers/podman/issues/23120)).
+- Fixed a bug where the `podman auto-update` and `podman system df` commands
+ could fail when a container was removed while the command was running
+ ([#23279](https://github.com/containers/podman/issues/23279)).
+- Fixed a bug where the `podman machine init` command could panic when trying to
+ decompress an empty file when preparing the VM image
+ ([#23281](https://github.com/containers/podman/issues/23281)).
+- Fixed a bug where the `podman ps --pod` and `podman pod stats` commands could
+ sometimes fail when a pod was removed while the command was running
+ ([#23282](https://github.com/containers/podman/issues/23282)).
+- Fixed a bug where the `podman stats` and `podman pod stats` commands would
+ sometimes exit with a `container is stopped` error when showing all containers
+ (or pod containers, for `pod stats`) if a container stopped while the command
+ was running ([#23334](https://github.com/containers/podman/issues/23334)).
+- Fixed a bug where the output of container healthchecks was not properly logged
+ if it did not include a final newline
+ ([#23332](https://github.com/containers/podman/issues/23332)).
+- Fixed a bug where the port forwarding firewall rules of an existing container
+ could be be overwritten when starting a second container which forwarded the
+ same port on the host even if the second container failed to start as the
+ port was already bound.
+- Fixed a bug where the containers created by the `podman play kube` command
+ could sometimes not properly clean up their network stacks
+ ([#21569](https://github.com/containers/podman/issues/21569)).
+
+### API
+- The Build API for Images now accepts a comma-separated list in the Platform
+ query parameter, allowing a single API call to built an image for multiple
+ architectures ([#22071](https://github.com/containers/podman/issues/22071)).
+- Fixed a bug where the Remove endpoint for Volumes would return an incorrectly
+ formatted error when called with an ambiguous volume name
+ ([#22616](https://github.com/containers/podman/issues/22616)).
+- Fixed a bug where the Stats endpoint for Containers would return an
+ incorrectly formatted error when called on a container that did not exist
+ ([#22612](https://github.com/containers/podman/issues/22612)).
+- Fixed a bug where the Start endpoint for Pods would return a 409 error code in
+ cases where a 500 error code should have been returned
+ ([#22989](https://github.com/containers/podman/issues/22989)).
+- Fixed a bug where the Top endpoint for Pods would return a 200 status code and
+ then subsequently an error
+ ([#22986](https://github.com/containers/podman/issues/22986)).
+
+### Misc
+- Podman no longer requires all parent directories of its root and runroot to be
+ world-executable
+ ([#23028](https://github.com/containers/podman/issues/23028)).
+- Error messages from the `podman build` command when the `-f` option is given,
+ but points to a file that does not exist, have been improved
+ ([#22940](https://github.com/containers/podman/issues/22940)).
+- The Podman windows installer is now built using WiX 5.
+- Updated the gvisor-tap-vsock library to v0.7.4. This release contains a fix
+ for a gvproxy crash on macOS when there is heavy network traffic on a fast
+ link.
+- Updated Buildah to v1.37.0 +- Updated the containers/image library to v5.32.0 +- Updated the containers/storage library to v1.55.0 +- Updated the containers/common library to v0.60.0 + +- Remove patch: 0001-Backport-fix-for-CVE-2024-6104.patch (merged upstream) + ------------------------------------------------------------------- Thu Jul 11 07:34:21 UTC 2024 - danish.prakash@suse.com diff --git a/podman.obsinfo b/podman.obsinfo index b8e7743..a9b8695 100644 --- a/podman.obsinfo +++ b/podman.obsinfo @@ -1,4 +1,4 @@ name: podman -version: 5.1.2 -mtime: 1720614055 -commit: 94a24974ab345324db1a1489c924af4b89d2d0e9 +version: 5.2.0 +mtime: 1722533522 +commit: b22d5c61eef93475413724f49fd6a32980d2c746 diff --git a/podman.spec b/podman.spec index 087fd4b..675e9e1 100644 --- a/podman.spec +++ b/podman.spec @@ -22,7 +22,7 @@ %bcond_without apparmor Name: podman -Version: 5.1.2 +Version: 5.2.0 Release: 0 Summary: Daemon-less container engine for managing containers, pods and images License: Apache-2.0 @@ -30,7 +30,6 @@ Group: System/Management URL: https://%{project} Source0: %{name}-%{version}.tar.gz Source1: podman.conf -Patch0: 0001-Backport-fix-for-CVE-2024-6104.patch BuildRequires: man BuildRequires: bash-completion BuildRequires: device-mapper-devel @@ -222,6 +221,7 @@ install -m 0644 -t %{buildroot}%{_prefix}/lib/modules-load.d/ %{SOURCE1} %{_userunitdir}/podman-kube@.service %{_userunitdir}/podman-restart.service %{_userunitdir}/podman-auto-update.timer +%{_userunitdir}/podman-clean-transient.service %{_systemdusergeneratordir}/podman-user-generator %{_systemdgeneratordir}/podman-system-generator %ghost /run/podman 
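Review bot: Removing `Patch0: 0001-Backport-fix-for-CVE-2024-6104.patch` in the `@@ -30,7 +30,6 @@` hunk is backed only by the changelog's "merged upstream"; nothing in this diff shows that `vendor/github.com/hashicorp/go-retryablehttp/client.go` in the 5.2.0 tarball actually carries the `redactURL` change from go-retryablehttp PR #158, and the quoted 5.2.0 release notes list buildah, containers/image, containers/storage and containers/common bumps but no go-retryablehttp bump. Before dropping the patch, verify in podman-5.2.0.obscpio that the vendored client.go uses `redactURL(req.URL)` in the `Do` log and error paths (or that vendor/modules.txt pins a go-retryablehttp release containing that PR); if it does not, the package silently regresses to logging Basic-auth credentials embedded in request URLs. Recording what was checked in the changelog line, e.g. `- Remove patch: 0001-Backport-fix-for-CVE-2024-6104.patch (fix for CVE-2024-6104 present in vendored go-retryablehttp)`, keeps the decision auditable.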
@@ -263,10 +263,10 @@ install -m 0644 -t %{buildroot}%{_prefix}/lib/modules-load.d/ %{SOURCE1} %preun %service_del_preun podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service -%systemd_user_preun podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer +%systemd_user_preun podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service %postun %service_del_postun podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service -%systemd_user_postun podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer +%systemd_user_postun podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service %changelog
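Review bot: `podman-clean-transient.service` is now added to `%systemd_user_preun` and `%systemd_user_postun` (and to `%files` as `%{_userunitdir}/podman-clean-transient.service` in the earlier hunk), but the matching `%post` scriptlet is outside this hunk and is not touched by the diff. If that `%post` carries a `%systemd_user_post` list of the same units, it presumably needs the new unit as well, otherwise the user unit is never preset/enabled on install yet is disabled on removal; the same applies if `%pre` uses `%service_add_pre`/`%systemd_user_pre`. Worth confirming against the full spec before merging.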