@@ -1,84 +0,0 @@
|
||||
From 1a3445769d0a3c392487ec9480c0bfad07bde063 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com>
|
||||
Date: Sun, 30 Jun 2024 16:09:52 +0200
|
||||
Subject: [PATCH] Backport fix for CVE-2024-6104
|
||||
|
||||
This is https://github.com/hashicorp/go-retryablehttp/pull/158 only directly
|
||||
applied to the vendor/ source tree
|
||||
See also https://github.com/advisories/GHSA-v6v8-xj6m-xwqh
|
||||
---
|
||||
.../hashicorp/go-retryablehttp/client.go | 28 ++++++++++++++-----
|
||||
1 file changed, 21 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go
|
||||
index 12ac50bcc..efee53c40 100644
|
||||
--- a/vendor/github.com/hashicorp/go-retryablehttp/client.go
|
||||
+++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go
|
||||
@@ -658,9 +658,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
|
||||
if logger != nil {
|
||||
switch v := logger.(type) {
|
||||
case LeveledLogger:
|
||||
- v.Debug("performing request", "method", req.Method, "url", req.URL)
|
||||
+ v.Debug("performing request", "method", req.Method, "url", redactURL(req.URL))
|
||||
case Logger:
|
||||
- v.Printf("[DEBUG] %s %s", req.Method, req.URL)
|
||||
+ v.Printf("[DEBUG] %s %s", req.Method, redactURL(req.URL))
|
||||
}
|
||||
}
|
||||
|
||||
@@ -715,9 +715,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
|
||||
if err != nil {
|
||||
switch v := logger.(type) {
|
||||
case LeveledLogger:
|
||||
- v.Error("request failed", "error", err, "method", req.Method, "url", req.URL)
|
||||
+ v.Error("request failed", "error", err, "method", req.Method, "url", redactURL(req.URL))
|
||||
case Logger:
|
||||
- v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, err)
|
||||
+ v.Printf("[ERR] %s %s request failed: %v", req.Method, redactURL(req.URL), err)
|
||||
}
|
||||
} else {
|
||||
// Call this here to maintain the behavior of logging all requests,
|
||||
@@ -753,7 +753,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
|
||||
|
||||
wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp)
|
||||
if logger != nil {
|
||||
- desc := fmt.Sprintf("%s %s", req.Method, req.URL)
|
||||
+ desc := fmt.Sprintf("%s %s", req.Method, redactURL(req.URL))
|
||||
if resp != nil {
|
||||
desc = fmt.Sprintf("%s (status: %d)", desc, resp.StatusCode)
|
||||
}
|
||||
@@ -818,11 +818,11 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
|
||||
// communicate why
|
||||
if err == nil {
|
||||
return nil, fmt.Errorf("%s %s giving up after %d attempt(s)",
|
||||
- req.Method, req.URL, attempt)
|
||||
+ req.Method, redactURL(req.URL), attempt)
|
||||
}
|
||||
|
||||
return nil, fmt.Errorf("%s %s giving up after %d attempt(s): %w",
|
||||
- req.Method, req.URL, attempt, err)
|
||||
+ req.Method, redactURL(req.URL), attempt, err)
|
||||
}
|
||||
|
||||
// Try to read the response body so we can reuse this connection.
|
||||
@@ -903,3 +903,17 @@ func (c *Client) StandardClient() *http.Client {
|
||||
Transport: &RoundTripper{Client: c},
|
||||
}
|
||||
}
|
||||
+
|
||||
+// Taken from url.URL#Redacted() which was introduced in go 1.15.
|
||||
+// We can switch to using it directly if we'll bump the minimum required go version.
|
||||
+func redactURL(u *url.URL) string {
|
||||
+ if u == nil {
|
||||
+ return ""
|
||||
+ }
|
||||
+
|
||||
+ ru := *u
|
||||
+ if _, has := ru.User.Password(); has {
|
||||
+ ru.User = url.UserPassword(ru.User.Username(), "xxxxx")
|
||||
+ }
|
||||
+ return ru.String()
|
||||
+}
|
||||
--
|
||||
2.45.2
|
||||
|
@@ -1,134 +0,0 @@
|
||||
From 7766adad2e935fcf5fec3ec3b1bb0a0169fdf4c3 Mon Sep 17 00:00:00 2001
|
||||
From: Nicola Murino <nicola.murino@gmail.com>
|
||||
Date: Wed, 12 Mar 2025 19:54:12 +0530
|
||||
Subject: [PATCH] CVE-2025-22869: ssh: limit the size of the internal packet
|
||||
queue while waiting for KEX
|
||||
|
||||
In the SSH protocol, clients and servers execute the key exchange to
|
||||
generate one-time session keys used for encryption and authentication.
|
||||
The key exchange is performed initially after the connection is
|
||||
established and then periodically after a configurable amount of data.
|
||||
While a key exchange is in progress, we add the received packets to an
|
||||
internal queue until we receive SSH_MSG_KEXINIT from the other side.
|
||||
This can result in high memory usage if the other party is slow to
|
||||
respond to the SSH_MSG_KEXINIT packet, or memory exhaustion if a
|
||||
malicious client never responds to an SSH_MSG_KEXINIT packet during a
|
||||
large file transfer.
|
||||
We now limit the internal queue to 64 packets: this means 2MB with the
|
||||
typical 32KB packet size.
|
||||
When the internal queue is full we block further writes until the
|
||||
pending key exchange is completed or there is a read or write error.
|
||||
|
||||
Thanks to Yuichi Watanabe for reporting this issue.
|
||||
|
||||
Fixes: CVE-2025-22869
|
||||
Bugs: bsc#1239330
|
||||
|
||||
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
|
||||
---
|
||||
vendor/golang.org/x/crypto/ssh/handshake.go | 47 ++++++++++++++++-----
|
||||
1 file changed, 37 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go
|
||||
index 56cdc7c21c3b..a68d20f7f396 100644
|
||||
--- a/vendor/golang.org/x/crypto/ssh/handshake.go
|
||||
+++ b/vendor/golang.org/x/crypto/ssh/handshake.go
|
||||
@@ -25,6 +25,11 @@ const debugHandshake = false
|
||||
// quickly.
|
||||
const chanSize = 16
|
||||
|
||||
+// maxPendingPackets sets the maximum number of packets to queue while waiting
|
||||
+// for KEX to complete. This limits the total pending data to maxPendingPackets
|
||||
+// * maxPacket bytes, which is ~16.8MB.
|
||||
+const maxPendingPackets = 64
|
||||
+
|
||||
// keyingTransport is a packet based transport that supports key
|
||||
// changes. It need not be thread-safe. It should pass through
|
||||
// msgNewKeys in both directions.
|
||||
@@ -73,11 +78,19 @@ type handshakeTransport struct {
|
||||
incoming chan []byte
|
||||
readError error
|
||||
|
||||
- mu sync.Mutex
|
||||
- writeError error
|
||||
- sentInitPacket []byte
|
||||
- sentInitMsg *kexInitMsg
|
||||
- pendingPackets [][]byte // Used when a key exchange is in progress.
|
||||
+ mu sync.Mutex
|
||||
+ // Condition for the above mutex. It is used to notify a completed key
|
||||
+ // exchange or a write failure. Writes can wait for this condition while a
|
||||
+ // key exchange is in progress.
|
||||
+ writeCond *sync.Cond
|
||||
+ writeError error
|
||||
+ sentInitPacket []byte
|
||||
+ sentInitMsg *kexInitMsg
|
||||
+ // Used to queue writes when a key exchange is in progress. The length is
|
||||
+ // limited by pendingPacketsSize. Once full, writes will block until the key
|
||||
+ // exchange is completed or an error occurs. If not empty, it is emptied
|
||||
+ // all at once when the key exchange is completed in kexLoop.
|
||||
+ pendingPackets [][]byte
|
||||
writePacketsLeft uint32
|
||||
writeBytesLeft int64
|
||||
|
||||
@@ -133,6 +146,7 @@ func newHandshakeTransport(conn keyingTransport, config *Config, clientVersion,
|
||||
|
||||
config: config,
|
||||
}
|
||||
+ t.writeCond = sync.NewCond(&t.mu)
|
||||
t.resetReadThresholds()
|
||||
t.resetWriteThresholds()
|
||||
|
||||
@@ -259,6 +273,7 @@ func (t *handshakeTransport) recordWriteError(err error) {
|
||||
defer t.mu.Unlock()
|
||||
if t.writeError == nil && err != nil {
|
||||
t.writeError = err
|
||||
+ t.writeCond.Broadcast()
|
||||
}
|
||||
}
|
||||
|
||||
@@ -362,6 +377,8 @@ write:
|
||||
}
|
||||
}
|
||||
t.pendingPackets = t.pendingPackets[:0]
|
||||
+ // Unblock writePacket if waiting for KEX.
|
||||
+ t.writeCond.Broadcast()
|
||||
t.mu.Unlock()
|
||||
}
|
||||
|
||||
@@ -567,11 +584,20 @@ func (t *handshakeTransport) writePacket(p []byte) error {
|
||||
}
|
||||
|
||||
if t.sentInitMsg != nil {
|
||||
- // Copy the packet so the writer can reuse the buffer.
|
||||
- cp := make([]byte, len(p))
|
||||
- copy(cp, p)
|
||||
- t.pendingPackets = append(t.pendingPackets, cp)
|
||||
- return nil
|
||||
+ if len(t.pendingPackets) < maxPendingPackets {
|
||||
+ // Copy the packet so the writer can reuse the buffer.
|
||||
+ cp := make([]byte, len(p))
|
||||
+ copy(cp, p)
|
||||
+ t.pendingPackets = append(t.pendingPackets, cp)
|
||||
+ return nil
|
||||
+ }
|
||||
+ for t.sentInitMsg != nil {
|
||||
+ // Block and wait for KEX to complete or an error.
|
||||
+ t.writeCond.Wait()
|
||||
+ if t.writeError != nil {
|
||||
+ return t.writeError
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
|
||||
if t.writeBytesLeft > 0 {
|
||||
@@ -588,6 +614,7 @@ func (t *handshakeTransport) writePacket(p []byte) error {
|
||||
|
||||
if err := t.pushPacket(p); err != nil {
|
||||
t.writeError = err
|
||||
+ t.writeCond.Broadcast()
|
||||
}
|
||||
|
||||
return nil
|
||||
--
|
||||
2.46.0
|
||||
|
@@ -1,68 +0,0 @@
|
||||
From fe456eed5ac0647250fa5249e663ddb236b2adfb Mon Sep 17 00:00:00 2001
|
||||
From: Danish Prakash <contact@danishpraka.sh>
|
||||
Date: Tue, 15 Oct 2024 22:14:55 +0530
|
||||
Subject: [PATCH 1/2] Properly validate cache IDs and sources
|
||||
|
||||
The `--mount type=cache` argument to the `RUN` instruction in
|
||||
Dockerfiles was using `filepath.Join` on user input, allowing
|
||||
crafted paths to be used to gain access to paths on the host,
|
||||
when the command should normally be limited only to Buildah;s own
|
||||
cache and context directories. Switch to `filepath.SecureJoin` to
|
||||
resolve the issue.
|
||||
|
||||
Fixes CVE-2024-9675
|
||||
|
||||
Signed-off-by: Matt Heon <mheon@redhat.com>
|
||||
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
|
||||
---
|
||||
.../buildah/internal/volumes/volumes.go | 19 ++++++++++++++-----
|
||||
1 file changed, 14 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/vendor/github.com/containers/buildah/internal/volumes/volumes.go b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
|
||||
index da6b768fdc21..610e9fcf11b2 100644
|
||||
--- a/vendor/github.com/containers/buildah/internal/volumes/volumes.go
|
||||
+++ b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
|
||||
@@ -23,6 +23,7 @@ import (
|
||||
"github.com/containers/storage/pkg/idtools"
|
||||
"github.com/containers/storage/pkg/lockfile"
|
||||
"github.com/containers/storage/pkg/unshare"
|
||||
+ digest "github.com/opencontainers/go-digest"
|
||||
specs "github.com/opencontainers/runtime-spec/specs-go"
|
||||
selinux "github.com/opencontainers/selinux/go-selinux"
|
||||
)
|
||||
@@ -374,7 +375,11 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
|
||||
return newMount, nil, fmt.Errorf("no stage found with name %s", fromStage)
|
||||
}
|
||||
// path should be /contextDir/specified path
|
||||
- newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source))
|
||||
+ evaluated, err := copier.Eval(mountPoint, string(filepath.Separator)+newMount.Source, copier.EvalOptions{})
|
||||
+ if err != nil {
|
||||
+ return newMount, nil, err
|
||||
+ }
|
||||
+ newMount.Source = evaluated
|
||||
} else {
|
||||
// we need to create cache on host if no image is being used
|
||||
|
||||
@@ -391,11 +396,15 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
|
||||
}
|
||||
|
||||
if id != "" {
|
||||
- newMount.Source = filepath.Join(cacheParent, filepath.Clean(id))
|
||||
- buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(id))
|
||||
+ // Don't let the user control where we place the directory.
|
||||
+ dirID := digest.FromString(id).Encoded()[:16]
|
||||
+ newMount.Source = filepath.Join(cacheParent, dirID)
|
||||
+ buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
|
||||
} else {
|
||||
- newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination))
|
||||
- buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(newMount.Destination))
|
||||
+ // Don't let the user control where we place the directory.
|
||||
+ dirID := digest.FromString(newMount.Destination).Encoded()[:16]
|
||||
+ newMount.Source = filepath.Join(cacheParent, dirID)
|
||||
+ buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
|
||||
}
|
||||
idPair := idtools.IDPair{
|
||||
UID: uid,
|
||||
--
|
||||
2.46.0
|
||||
|
@@ -1,26 +0,0 @@
|
||||
From 31a4b1040e04d711c6863f70561bde234f06f05a Mon Sep 17 00:00:00 2001
|
||||
From: rcmadhankumar <madhankumar.chellamuthu@suse.com>
|
||||
Date: Mon, 28 Apr 2025 17:40:28 +0530
|
||||
Subject: [PATCH] remove appending rw as the default mount option
|
||||
|
||||
---
|
||||
pkg/util/mount_opts.go | 3 ---
|
||||
1 file changed, 3 deletions(-)
|
||||
|
||||
diff --git a/pkg/util/mount_opts.go b/pkg/util/mount_opts.go
|
||||
index c9a773093e..4e37fd74a0 100644
|
||||
--- a/pkg/util/mount_opts.go
|
||||
+++ b/pkg/util/mount_opts.go
|
||||
@@ -191,9 +191,6 @@ func processOptionsInternal(options []string, isTmpfs bool, sourcePath string, g
|
||||
newOptions = append(newOptions, opt)
|
||||
}
|
||||
|
||||
- if !foundWrite {
|
||||
- newOptions = append(newOptions, "rw")
|
||||
- }
|
||||
if !foundProp {
|
||||
if recursiveBind {
|
||||
newOptions = append(newOptions, "rprivate")
|
||||
--
|
||||
2.49.0
|
||||
|
@@ -1,239 +0,0 @@
|
||||
From 006e1387eaf2791d7b9c730b135de9648003c7db Mon Sep 17 00:00:00 2001
|
||||
From: Danish Prakash <contact@danishpraka.sh>
|
||||
Date: Mon, 21 Oct 2024 11:33:43 +0530
|
||||
Subject: [PATCH 2/2] Use securejoin.SecureJoin when forming userns paths
|
||||
|
||||
We need to read /etc/passwd and /etc/group in the container to
|
||||
get an idea of how many UIDs and GIDs we need to allocate for a
|
||||
user namespace when `--userns=auto` is specified. We were forming
|
||||
paths for these using filepath.Join, which is not safe for paths
|
||||
within a container, resulting in this CVE allowing crafted
|
||||
symlinks in the container to access paths on the host instead.
|
||||
|
||||
Addresses CVE-2024-9676
|
||||
|
||||
Signed-off-by: Matt Heon <mheon@redhat.com>
|
||||
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
|
||||
---
|
||||
go.mod | 2 +-
|
||||
go.sum | 4 +-
|
||||
.../github.com/containers/storage/.cirrus.yml | 2 +-
|
||||
vendor/github.com/containers/storage/VERSION | 2 +-
|
||||
.../github.com/containers/storage/userns.go | 87 +++++++++++++------
|
||||
.../containers/storage/userns_unsupported.go | 14 +++
|
||||
vendor/modules.txt | 2 +-
|
||||
7 files changed, 80 insertions(+), 33 deletions(-)
|
||||
create mode 100644 vendor/github.com/containers/storage/userns_unsupported.go
|
||||
|
||||
diff --git a/go.mod b/go.mod
|
||||
index 02d1876148a4..8f049568e0b8 100644
|
||||
--- a/go.mod
|
||||
+++ b/go.mod
|
||||
@@ -20,7 +20,7 @@ require (
|
||||
github.com/containers/libhvee v0.7.1
|
||||
github.com/containers/ocicrypt v1.2.0
|
||||
github.com/containers/psgo v1.9.0
|
||||
- github.com/containers/storage v1.55.0
|
||||
+ github.com/containers/storage v1.55.1
|
||||
github.com/containers/winquit v1.1.0
|
||||
github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09
|
||||
github.com/coreos/stream-metadata-go v0.4.4
|
||||
diff --git a/go.sum b/go.sum
|
||||
index 60da92454ca2..66795b5b82ad 100644
|
||||
--- a/go.sum
|
||||
+++ b/go.sum
|
||||
@@ -97,8 +97,8 @@ github.com/containers/ocicrypt v1.2.0 h1:X14EgRK3xNFvJEfI5O4Qn4T3E25ANudSOZz/sir
|
||||
github.com/containers/ocicrypt v1.2.0/go.mod h1:ZNviigQajtdlxIZGibvblVuIFBKIuUI2M0QM12SD31U=
|
||||
github.com/containers/psgo v1.9.0 h1:eJ74jzSaCHnWt26OlKZROSyUyRcGDf+gYBdXnxrMW4g=
|
||||
github.com/containers/psgo v1.9.0/go.mod h1:0YoluUm43Mz2UnBIh1P+6V6NWcbpTL5uRtXyOcH0B5A=
|
||||
-github.com/containers/storage v1.55.0 h1:wTWZ3YpcQf1F+dSP4KxG9iqDfpQY1otaUXjPpffuhgg=
|
||||
-github.com/containers/storage v1.55.0/go.mod h1:28cB81IDk+y7ok60Of6u52RbCeBRucbFOeLunhER1RQ=
|
||||
+github.com/containers/storage v1.55.1 h1:ius7angdTqxO56hmTJnAznyEcUnYeLOV3ybwLozA/h8=
|
||||
+github.com/containers/storage v1.55.1/go.mod h1:28cB81IDk+y7ok60Of6u52RbCeBRucbFOeLunhER1RQ=
|
||||
github.com/containers/winquit v1.1.0 h1:jArun04BNDQvt2W0Y78kh9TazN2EIEMG5Im6/JY7+pE=
|
||||
github.com/containers/winquit v1.1.0/go.mod h1:PsPeZlnbkmGGIToMPHF1zhWjBUkd8aHjMOr/vFcPxw8=
|
||||
github.com/coreos/go-oidc/v3 v3.10.0 h1:tDnXHnLyiTVyT/2zLDGj09pFPkhND8Gl8lnTRhoEaJU=
|
||||
diff --git a/vendor/github.com/containers/storage/.cirrus.yml b/vendor/github.com/containers/storage/.cirrus.yml
|
||||
index 50b98761694a..49a6e33b7014 100644
|
||||
--- a/vendor/github.com/containers/storage/.cirrus.yml
|
||||
+++ b/vendor/github.com/containers/storage/.cirrus.yml
|
||||
@@ -120,7 +120,7 @@ lint_task:
|
||||
env:
|
||||
CIRRUS_WORKING_DIR: "/go/src/github.com/containers/storage"
|
||||
container:
|
||||
- image: golang
|
||||
+ image: golang:1.21
|
||||
modules_cache:
|
||||
fingerprint_script: cat go.sum
|
||||
folder: $GOPATH/pkg/mod
|
||||
diff --git a/vendor/github.com/containers/storage/VERSION b/vendor/github.com/containers/storage/VERSION
|
||||
index 094d6ad00ce7..6570a6d0dd76 100644
|
||||
--- a/vendor/github.com/containers/storage/VERSION
|
||||
+++ b/vendor/github.com/containers/storage/VERSION
|
||||
@@ -1 +1 @@
|
||||
-1.55.0
|
||||
+1.55.1
|
||||
diff --git a/vendor/github.com/containers/storage/userns.go b/vendor/github.com/containers/storage/userns.go
|
||||
index 57120731be57..09919394c026 100644
|
||||
--- a/vendor/github.com/containers/storage/userns.go
|
||||
+++ b/vendor/github.com/containers/storage/userns.go
|
||||
@@ -1,18 +1,21 @@
|
||||
+//go:build linux
|
||||
+
|
||||
package storage
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"os/user"
|
||||
- "path/filepath"
|
||||
"strconv"
|
||||
|
||||
drivers "github.com/containers/storage/drivers"
|
||||
"github.com/containers/storage/pkg/idtools"
|
||||
"github.com/containers/storage/pkg/unshare"
|
||||
"github.com/containers/storage/types"
|
||||
+ securejoin "github.com/cyphar/filepath-securejoin"
|
||||
libcontainerUser "github.com/moby/sys/user"
|
||||
"github.com/sirupsen/logrus"
|
||||
+ "golang.org/x/sys/unix"
|
||||
)
|
||||
|
||||
// getAdditionalSubIDs looks up the additional IDs configured for
|
||||
@@ -85,40 +88,59 @@ const nobodyUser = 65534
|
||||
// parseMountedFiles returns the maximum UID and GID found in the /etc/passwd and
|
||||
// /etc/group files.
|
||||
func parseMountedFiles(containerMount, passwdFile, groupFile string) uint32 {
|
||||
+ var (
|
||||
+ passwd *os.File
|
||||
+ group *os.File
|
||||
+ size int
|
||||
+ err error
|
||||
+ )
|
||||
if passwdFile == "" {
|
||||
- passwdFile = filepath.Join(containerMount, "etc/passwd")
|
||||
- }
|
||||
- if groupFile == "" {
|
||||
- groupFile = filepath.Join(groupFile, "etc/group")
|
||||
+ passwd, err = secureOpen(containerMount, "/etc/passwd")
|
||||
+ } else {
|
||||
+ // User-specified override from a volume. Will not be in
|
||||
+ // container root.
|
||||
+ passwd, err = os.Open(passwdFile)
|
||||
}
|
||||
-
|
||||
- size := 0
|
||||
-
|
||||
- users, err := libcontainerUser.ParsePasswdFile(passwdFile)
|
||||
if err == nil {
|
||||
- for _, u := range users {
|
||||
- // Skip the "nobody" user otherwise we end up with 65536
|
||||
- // ids with most images
|
||||
- if u.Name == "nobody" {
|
||||
- continue
|
||||
- }
|
||||
- if u.Uid > size && u.Uid != nobodyUser {
|
||||
- size = u.Uid
|
||||
- }
|
||||
- if u.Gid > size && u.Gid != nobodyUser {
|
||||
- size = u.Gid
|
||||
+ defer passwd.Close()
|
||||
+
|
||||
+ users, err := libcontainerUser.ParsePasswd(passwd)
|
||||
+ if err == nil {
|
||||
+ for _, u := range users {
|
||||
+ // Skip the "nobody" user otherwise we end up with 65536
|
||||
+ // ids with most images
|
||||
+ if u.Name == "nobody" || u.Name == "nogroup" {
|
||||
+ continue
|
||||
+ }
|
||||
+ if u.Uid > size && u.Uid != nobodyUser {
|
||||
+ size = u.Uid + 1
|
||||
+ }
|
||||
+ if u.Gid > size && u.Gid != nobodyUser {
|
||||
+ size = u.Gid + 1
|
||||
+ }
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
- groups, err := libcontainerUser.ParseGroupFile(groupFile)
|
||||
+ if groupFile == "" {
|
||||
+ group, err = secureOpen(containerMount, "/etc/group")
|
||||
+ } else {
|
||||
+ // User-specified override from a volume. Will not be in
|
||||
+ // container root.
|
||||
+ group, err = os.Open(groupFile)
|
||||
+ }
|
||||
if err == nil {
|
||||
- for _, g := range groups {
|
||||
- if g.Name == "nobody" {
|
||||
- continue
|
||||
- }
|
||||
- if g.Gid > size && g.Gid != nobodyUser {
|
||||
- size = g.Gid
|
||||
+ defer group.Close()
|
||||
+
|
||||
+ groups, err := libcontainerUser.ParseGroup(group)
|
||||
+ if err == nil {
|
||||
+ for _, g := range groups {
|
||||
+ if g.Name == "nobody" || g.Name == "nogroup" {
|
||||
+ continue
|
||||
+ }
|
||||
+ if g.Gid > size && g.Gid != nobodyUser {
|
||||
+ size = g.Gid + 1
|
||||
+ }
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -309,3 +331,14 @@ func getAutoUserNSIDMappings(
|
||||
gidMap := append(availableGIDs.zip(requestedContainerGIDs), additionalGIDMappings...)
|
||||
return uidMap, gidMap, nil
|
||||
}
|
||||
+
|
||||
+// Securely open (read-only) a file in a container mount.
|
||||
+func secureOpen(containerMount, file string) (*os.File, error) {
|
||||
+ tmpFile, err := securejoin.OpenInRoot(containerMount, file)
|
||||
+ if err != nil {
|
||||
+ return nil, err
|
||||
+ }
|
||||
+ defer tmpFile.Close()
|
||||
+
|
||||
+ return securejoin.Reopen(tmpFile, unix.O_RDONLY)
|
||||
+}
|
||||
diff --git a/vendor/github.com/containers/storage/userns_unsupported.go b/vendor/github.com/containers/storage/userns_unsupported.go
|
||||
new file mode 100644
|
||||
index 000000000000..e37c18fe4381
|
||||
--- /dev/null
|
||||
+++ b/vendor/github.com/containers/storage/userns_unsupported.go
|
||||
@@ -0,0 +1,14 @@
|
||||
+//go:build !linux
|
||||
+
|
||||
+package storage
|
||||
+
|
||||
+import (
|
||||
+ "errors"
|
||||
+
|
||||
+ "github.com/containers/storage/pkg/idtools"
|
||||
+ "github.com/containers/storage/types"
|
||||
+)
|
||||
+
|
||||
+func (s *store) getAutoUserNS(_ *types.AutoUserNsOptions, _ *Image, _ rwLayerStore, _ []roLayerStore) ([]idtools.IDMap, []idtools.IDMap, error) {
|
||||
+ return nil, nil, errors.New("user namespaces are not supported on this platform")
|
||||
+}
|
||||
diff --git a/vendor/modules.txt b/vendor/modules.txt
|
||||
index 3d35b8be92d7..c0801a56b979 100644
|
||||
--- a/vendor/modules.txt
|
||||
+++ b/vendor/modules.txt
|
||||
@@ -354,7 +354,7 @@ github.com/containers/psgo/internal/dev
|
||||
github.com/containers/psgo/internal/host
|
||||
github.com/containers/psgo/internal/proc
|
||||
github.com/containers/psgo/internal/process
|
||||
-# github.com/containers/storage v1.55.0
|
||||
+# github.com/containers/storage v1.55.1
|
||||
## explicit; go 1.21
|
||||
github.com/containers/storage
|
||||
github.com/containers/storage/drivers
|
||||
--
|
||||
2.46.0
|
||||
|
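--- a/_service
+++ b/_service
@@ -2,7 +2,7 @@
 <service name="obs_scm" mode="manual">
 <param name="url">https://github.com/containers/podman.git</param>
 <param name="scm">git</param>
-<param name="revision">v5.5.2</param>
+<param name="revision">v5.6.0</param>
 <param name="versionformat">@PARENT_TAG@</param>
 <param name="changesgenerate">enable</param>
 <param name="versionrewrite-pattern">v(.*)</param>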
@@ -1,4 +1,4 @@
|
||||
<servicedata>
|
||||
<service name="tar_scm">
|
||||
<param name="url">https://github.com/containers/podman.git</param>
|
||||
<param name="changesrevision">e7d8226745ba07a64b7176a7f128e4ef53225a0e</param></service></servicedata>
|
||||
<param name="changesrevision">da671ef6cfa3fc9ac6225c18f1dd0a70a951e43f</param></service></servicedata>
|
@@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:1cc6d2195d65f529b4169d96ac8dd20f4a832b314b990eb9faf9588cced425c9
|
||||
size 109453838
|
@@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:86ae9f9404e0f605de8cb2f056dd61a8929038c4e6eecacb7b5fc903ad4f2471
|
||||
size 109458446
|
@@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:af6c274fbcbd4b432e137f8ca0c43bd638d2a286bd3cb0a2455e05c22bb64a7a
|
||||
size 109566478
|
@@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:1f2e5bd13e4c0ca13561fe124f44c93898450405ef15e93c6cce1d10d24105c2
|
||||
size 109693454
|
@@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:d98c93f568b31cecc530b86cfd0078fb290f72ec0ab61649b63ca4407173a809
|
||||
size 109701646
|
@@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:bf70c5e307cda183ed60a3222bea20a5001779f804d65e8d8b508679dd9d9349
|
||||
size 109704718
|
@@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:1335489dd8ae33de44593440297cd7d7272c20cc48cbdaf5d95921bebb362ef5
|
||||
size 111504910
|
@@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:33b098fc56781b1b963652d353634682b3a0d5d15723b760d931185e7b8ea586
|
||||
size 111512078
|
@@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:16be7292e16b91a3d8ee4ad8dd5d1284c3c910c3392fbc8e66186d9be850c6bc
|
||||
size 119042062
|
@@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:17125ab81f0fdeb56016afdcd332de557dbc829c920f9a122ae1eb54eb629bc2
|
||||
size 119047182
|
@@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:090828d216d40f4744977cd727c9c23fd01f4d94d8432df80b8abea6c587f622
|
||||
size 96669198
|
@@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:31173b15ee5a17d29af7fa1266eb661bc202007bc74c9adc4fe1001aea9851a8
|
||||
size 96685582
|
3
podman-5.6.0.obscpio
Normal file
3
podman-5.6.0.obscpio
Normal file
@@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:8f8fe13947a65924ea92e867d50912efd827f0ec2432d2faa5d9cdb2941ccb05
|
||||
size 94526478
|
389
podman.changes
389
podman.changes
@@ -1,3 +1,392 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Sep 1 07:27:55 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
|
||||
|
||||
- Do not recommend apparmor-parser and apparmor-abstractions: if
|
||||
the system is using apparmor, those packages will be present. If
|
||||
the system is selinux enabled, we don't want to recommend those
|
||||
packages just becuase we build support for apparmor into the
|
||||
package.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Aug 19 03:52:06 UTC 2025 - Danish Prakash <danish.prakash@suse.com>
|
||||
|
||||
- Remove patch:
|
||||
* 0001-remove-appending-rw-as-the-default-mount-option.patch (merged upstream)
|
||||
- Update to version 5.6.0:
|
||||
* Bump to v5.6.0
|
||||
* Update release notes for v5.6.0 final release
|
||||
* [v5.6] Bump Buildah to v1.41.3
|
||||
* [v5.6] Reverse skipped test for 26773
|
||||
* Add a deprecation notice for users of BoltDB
|
||||
* Bump Podman to v5.6.0-dev
|
||||
* Bump to v5.6.0-rc2
|
||||
* Update release notes for v5.6.0-RC2
|
||||
* feat: add Podman artifact support to Go bindings and remote clients
|
||||
* compat: remove deprecated VirtualSize
|
||||
* compat: add shared-size par to GET /images/json
|
||||
* compat: RepoTags and RepoDigest return [] and not null
|
||||
* compat: remove GET /system/df BuilderSize
|
||||
* compat: GET /_ping return Builder-Version: 1
|
||||
* [v5.6] Bump Buildah to v1.41.1
|
||||
* [v5.6] Skip failing Buildah v1.41.1 test
|
||||
* Remove Experimental from Artifacts man pages
|
||||
* [v5.6] Bump c/storage to v1.59.1, c/image 5.36.1, and
|
||||
* Bump Podman to v5.6.0-dev
|
||||
* Bump to v5.6.0-rc1
|
||||
* Add release notes for Podman v5.6.0-rc1
|
||||
* Temp fix for #26680
|
||||
* Update "podman diff container and image with same name" e2e test
|
||||
* API server: drop inherit-labels/annotations for compat builds
|
||||
* buildah-bud tests: handle "-t oci:" and such, skip a new --output
|
||||
* API handler: don't force the SkipUnusedStages flag
|
||||
* API handler: don't force the CompatVolumes flag
|
||||
* API handler: don't force the IdentityLabel flag
|
||||
* Update compat-volumes setting for remotes
|
||||
* Update inherit-labels setting for remotes
|
||||
* pkg/emulation.parseBinfmtMisc(): accept empty "flags" fields
|
||||
* build endpoint: document the "timestamp" flag
|
||||
* remote build: relay more new flags introduced in buildah 1.41
|
||||
* Feat: send additional build contexts for remote builds
|
||||
* Add Buildah build's passwd test helper
|
||||
* Add CLI updates for inherit and unset annotations
|
||||
* Add missing manpages options for Buildah v1.41.0
|
||||
* Bump to Buildah v1.41.0
|
||||
* fix(deps): update module github.com/onsi/gomega to v1.38.0
|
||||
* test/system: add quadlet drop-in regression test for subdirs
|
||||
* Quadlet - fix dropin overwrites if different parent dirs
|
||||
* chore(deps): update dependency golangci/golangci-lint to v2.3.0
|
||||
* added updated state in podman-auto-update.1.md.in
|
||||
* Initial implementation of `podman quadlet` commands
|
||||
* fix(deps): update module github.com/containers/common to v0.64.0
|
||||
* docs: add description about our code structure
|
||||
* fix(deps): update common, image, and storage deps
|
||||
* podman rm: handle case where conmon was killed
|
||||
* podman inspect: fix error difference between local and remote
|
||||
* Update module github.com/containers/storage to v1.59.0
|
||||
* Update module github.com/opencontainers/cgroups to v0.0.4
|
||||
* Fix test that checks for podman exec leaks
|
||||
* Update common, image, and storage deps
|
||||
* volume export: refuse to write to terminal (TTY)
|
||||
* podman auto-update: include container in invalid policy message
|
||||
* Update module github.com/go-viper/mapstructure/v2 to v2.3.0 [SECURITY]
|
||||
* chore(deps): update dependency golangci/golangci-lint to v2.2.2
|
||||
* Maintainers: add Nicola Sella as Reviewer
|
||||
* Maintainers: add Jan Kaluza as Reviewer
|
||||
* Maintainers: add Lewis Roy as Reviewer
|
||||
* fix(deps): update module golang.org/x/net to v0.42.0
|
||||
* fix(deps): update module golang.org/x/crypto to v0.40.0
|
||||
* test/e2e: podman update make env check stricter
|
||||
* pkg/bindings/containers: do not ignore ErrUnexpectedEOF
|
||||
* pkg/bindings/containers: do not create sub slice
|
||||
* pkg/bindings/containers: don't check for short read
|
||||
* Quadlet - add support for the Policy key for .image files
|
||||
* Clarifies error message when using an improperly formatted secret with kube
|
||||
* Fix seccomp profile path on Windows
|
||||
* fix(deps): update module golang.org/x/term to v0.33.0
|
||||
* docs: replace fuse-overlayfs example with additionalimagestore
|
||||
* hack/podman_cleanup_tracer.bt: check map before deleting keys
|
||||
* hack/podman_cleanup_tracer.bt: clamp str size for strcontains()
|
||||
* hack/podman_cleanup_tracer.bt: use new max str lenth
|
||||
* libpod/build: add headers
|
||||
* Update the journalctl function to ignore No entry message
|
||||
* fix(deps): update common, image, and storage deps
|
||||
* [Artifacts] Remove erroneous ArtifactListOptions var ImagePushOptions
|
||||
* [Artifacts] Add note about ArtifactInspectOptions Remote var
|
||||
* Quadlet - print warning when fail to parse
|
||||
* manpages: adds example for podman system renumber
|
||||
* Add basic locking to Libartifact
|
||||
* Fix documentation around checkpoints
|
||||
* cirrus: setup WSL logging
|
||||
* fix(deps): update github.com/containers/image/v5 digest to 3532547
|
||||
* Fix `podman inspect` to correctly handle log_size_max
|
||||
* warn instead of error, lift logic to main.go
|
||||
* Enforce wsl.exe UTF-8 encoded output
|
||||
* WSL commands execution refactoring
|
||||
* Clarify meaning of --syslog
|
||||
* Quadlet - Error when units define User, Group, or DynamicUser in Service group
|
||||
* fix(deps): update common, image, and storage deps
|
||||
* fix(deps): update module github.com/shirou/gopsutil/v4 to v4.25.6
|
||||
* Makefile: add Makefile to sources
|
||||
* rpm: add grpcnotrace build tag
|
||||
* Makefile: add grpcnotrace build tag
|
||||
* Add conditional release-checking system test
|
||||
* api: Don't HTML escape application/json responses
|
||||
* update CI images 2025-06-27
|
||||
* chore(deps): update dependency golangci/golangci-lint to v2.2.1
|
||||
* vendor: update c/{common,image,storage} to main
|
||||
* fix new lint errors from the docker update
|
||||
* Quadlet - Do not override existing Environment in Service group for Pod units
|
||||
* vendor: update docker to v28.3.0
|
||||
* pkg/domain/infra/tunnel: ignore error from removeContainer()
|
||||
* libpod: remove deadcode
|
||||
* remove test/framework/framework.go
|
||||
* pkg/util: remove deadcode
|
||||
* remove pkg/util/camelcase
|
||||
* pkg/rootless: remove deadcode
|
||||
* pkg/parallel: remove deadcode
|
||||
* pkg/namespaces: remove deadcode
|
||||
* pkg/machine: remove deadcode
|
||||
* pkg/libartifact: remove deadcode
|
||||
* pkg/fileserver: remove deadcode
|
||||
* pkg/farm: remove deadcode
|
||||
* pkg/errorhandling: remove deadcode
|
||||
* podman images --sort use ChoiceValue flag
|
||||
* pkg/domain: remove deadcode
|
||||
* pkg/bindings: remove deadcode
|
||||
* pkg/api: remove deadcode
|
||||
* remove unused ShouldRestart() code
|
||||
* cmd/podman: remove deadcode
|
||||
* podman images --sort autocomplete options
|
||||
* Update Neil Smith's GitHub username in MAINTAINERS.md
|
||||
* machine: enable nested virt on libkrun by default
|
||||
* pkg/machine/e2e: add CVE-2025-6032 regression test
|
||||
* test/e2e: fix podman run check dns flake
|
||||
* Bump bundled krunkit from 0.2.1 to 0.2.2
|
||||
* Secret create - add ignore option to allow noop
|
||||
* cmd/podman: add --latest option to update #26380
|
||||
* docs: document when a volume is chowned
|
||||
* Refactor `volume import` to support the remote client
|
||||
* update image_fix -> automation_images#407 skip test duo to rawhide know issues
|
||||
* Podman pull - add policy flag
|
||||
* Pod YAML: Add support for `lifecycle.stopSignal`
|
||||
* machine init: fix tls check
|
||||
* update podman-machine-start with examples for --no-info and --quiet
|
||||
* test/e2e: fix "with unsafe hostPath subpaths" test
|
||||
* quadlet: remove indirect logrus import
|
||||
* docs: add three examples to podman-generate-spec man page
|
||||
* fix panic on state refresh
|
||||
* pkg/systemd: expose [Pod] ExitPolicy key for pod create --exit-policy
|
||||
* volumes: add new --uid and --gid option
|
||||
* docs: add an example to podman-secret-rm man page
|
||||
* chore(deps): update dependency pytest to v8.4.1
|
||||
* [CI:DOCS] Tweak Governace slightly
|
||||
* remove .github/workflows/pr-title.yml
|
||||
* remove hack/install_catatonit.sh
|
||||
* Makefile: remove some old files from clean target
|
||||
* remove cni/
|
||||
* remove pkg/timetype
|
||||
* remove contrib/modules-load.d
|
||||
* remove contrib/snapcraft
|
||||
* remove contrib/script/size.sh
|
||||
* remove contrib/remote/containers.conf
|
||||
* remove contrib/dependabot-dance
|
||||
* remove contrib/dependencies.txt
|
||||
* remove contrib/containers-common
|
||||
* Removed the 'Deleted: ' prefix from each example
|
||||
* add more exmples applying current style for each page
|
||||
* docs: add an example to podman-network-rm man page
|
||||
* [CI] Correct ST1005 staticcheck lint rule
|
||||
* docs: add examples to podman-system-migrate man page
|
||||
* Refactor `podman export` to work with the remote client
|
||||
* artifact mount: add new name option to specify filename
|
||||
* Fixes: #26374 add example network connect with mac address
|
||||
* artifact mount: improve single blob behavior
|
||||
* docs: remove bogus markdown heading in podman-ps
|
||||
* Update podman system prune doc
|
||||
* fix 26348: add container diff --latest doc
|
||||
* Add missing --pod examples to podman ps manpage
|
||||
* Move 'Examples' section down in the podman-volume-create man page
|
||||
* fix(ci): add ST1005 linter rule
|
||||
* Add examples of `--all` flag
|
||||
* Manpages: podman machine init add example with --now
|
||||
* Update docs/source/markdown/podman-secret-inspect.1.md
|
||||
* Improve documentation for podman-secret-inspect, closes #26362
|
||||
* Add Craig Loewen to Reviewer role
|
||||
* man pages: Add an example about --no-prune
|
||||
* Manpages: add podman exec missing example of detach option
|
||||
* fix(cmd): improve ValidURL reliability
|
||||
* Bunch of trivial manpage fixes
|
||||
* libpod: log file doesn't need to be executable
|
||||
* libpod: do not dereference nil pointer
|
||||
* libpod: fix file descriptor leak
|
||||
* podman-update: fix EXAMPLES
|
||||
* test: check podman update errors on non-block devices
|
||||
* pkg/specgen: error out when a block device isn't
|
||||
* pkg/specgen: refactor FinishThrottleDevices, WeightDevices
|
||||
* quadlet: handle generate environment params that inherit from host
|
||||
* fix(deps): update module go.etcd.io/bbolt to v1.4.1
|
||||
* make validate-in-container changes
|
||||
* Clarified the consequences of --network=host
|
||||
* podman machine: pull wsl image from machine-os
|
||||
* remove hack/libdm_tag.sh
|
||||
* rpm: build rpm with libsqlite3 tag
|
||||
* Makefile: use libsqlite3 build when possible
|
||||
* Remove bin/podman.cross Make target
|
||||
* Allow generate-bindings on darwin
|
||||
* Update module github.com/go-swagger/go-swagger to v0.32.3
|
||||
* docs: replace RemapUsers=keep-id with UserNS=keep-id
|
||||
* tmpfs: Add support for noatime mount option
|
||||
* fix(deps): update module golang.org/x/net to v0.41.0
|
||||
* pkg/machine: remove unsused net recover file
|
||||
* Revert "podman machine: fix proxy test"
|
||||
* pkg/machine: remove old fw_cfg service
|
||||
* podman machine: fix proxy test
|
||||
* pkg/machine/e2e: skip rosetta test
|
||||
* RPM: Limit Epoch 102 to podman-next copr
|
||||
* quadlet: generate RequiresMountsFor for Type=bind volumes
|
||||
* Make podman.io update action reusable
|
||||
* Skip layer digests for podman system check --quick
|
||||
* test/buildah-bud: skip new build-with-two-outputs on remote
|
||||
* test/buildah-bud: update buildah-tests.diff
|
||||
* Build the `dumpspec` test helper for the `buildah bud` tests
|
||||
* vendor: update buildah to latest main
|
||||
* vendor: update c/{common,image,storage} to latest main
|
||||
* vendor: update github.com/docker/docker to v28.2.2
|
||||
* fix(deps): update module github.com/vbauerster/mpb/v8 to v8.10.2
|
||||
* quadlet: add InterfaceName option to network unit
|
||||
* fix wsl install workflow on machine init command
|
||||
* feat: Add OCI Artifact support to the Podman REST API
|
||||
* build: reuse parse.ContainerIgnoreFile from buildah
|
||||
* podman buildx inspect support
|
||||
* chore(deps): update dependency pytest to v8.4.0
|
||||
* test/system: check --dns-option behavior
|
||||
* podman system check: Fix error check logic
|
||||
* libpod: don't force only network search domains
|
||||
* fix(deps): update module github.com/shirou/gopsutil/v4 to v4.25.5
|
||||
* update c/common to latest main
|
||||
* play kube: never add empty alias
|
||||
* fix(deps): update github.com/opencontainers/runtime-tools digest to 0ea5ed0
|
||||
* Don't BuildRequires: ostree-devel
|
||||
* Allow not specifying type with --mount flag
|
||||
* Add "dest" as an alias for "destination" in `--mount`
|
||||
* docs: quadlet can translate names now
|
||||
* e2e: ref full URL for aarch64 criu precheckpoint issues
|
||||
* specgen/generate: Fix log tag priority
|
||||
* e2e: skip pre-checkpoint tests on aarch64
|
||||
* Handle "Entrypoint":[] in compat containers/create API.
|
||||
* system df --verbose don't crash
|
||||
* Fix SQLite volume lookup queries matching too liberally
|
||||
* vendor: update c/{buildah,common,image,storage} to main
|
||||
* Recreate the Rootfs in mountStorage for infra-container.
|
||||
* test: fix race conditions in /dev/kmsg tests
|
||||
* Fix overlay volumes on Windows
|
||||
* chore(deps): update dependency setuptools to ~=80.9.0
|
||||
* libpod: Don't exclude running deps from the container graph inputs
|
||||
* compat API: respect base_hosts_file containers.conf option
|
||||
* Trigger podman.io version bump from release action
|
||||
* Packit: remove propose-downstream for centos stream
|
||||
* Packit: use fedora-all alias for tests
|
||||
* Disable the tests for rootless pods
|
||||
* Support --cpuset-<cpus/mems> in podman kube play
|
||||
* pkg/machine: don't use dummy linger service
|
||||
* pkg/machine: correctly enable lingering
|
||||
* Update expected output for a machine copy test
|
||||
* Replace alpine_nginx with TESTIMAGE in e2e tests
|
||||
* Support '$FOCUS' env variable on winmake too
|
||||
* pre-commit: exclude rpm/gating.yaml from check-yaml
|
||||
* lint: Fix linter issues on TMT files
|
||||
* Update release notes on main
|
||||
* fix CONTRIBUTING to say reference issue number 'or' url
|
||||
* compat: fix Container State.Status JSON values
|
||||
* chore(deps): update dependency setuptools to ~=80.8.0
|
||||
* libpod: fix mount order for "/" volume
|
||||
* Update RELEASE_PROCESS.md
|
||||
* github: remove fcos next image workflow
|
||||
* [skip-ci] Packit: set fedora-all after F40 EOL
|
||||
* test/e2e: do not check dns.podman
|
||||
* compat: Add DefaultAddressPools field to GET /info
|
||||
* Be explicit about ssh configs suitable only for localhost
|
||||
* compat: Add CgroupnsMode to POST /containers/create
|
||||
* Update dependency setuptools to ~=80.7.1
|
||||
* docs: drop --pre-checkpoint requirement
|
||||
* podman: remember hooks-dir on restarts
|
||||
* GHA Release: Fix windows installer uploads
|
||||
* Revert "GHA: Pin Go to 1.24.2"
|
||||
* fix macos compile issue with go 1.24.3
|
||||
* Packit: disable OpenScanHub scans
|
||||
* GHA: Pin Go to 1.24.2
|
||||
* fix(deps): update module github.com/vbauerster/mpb/v8 to v8.10.1
|
||||
* fix issues found by nilness
|
||||
* Bump bundled krunkit to 0.2.1
|
||||
* chore(deps): update dependency setuptools to ~=80.4.0
|
||||
* chore(deps): update dependency docker to v7
|
||||
* fix(deps): update module github.com/rootless-containers/rootlesskit/v2 to v2.3.5
|
||||
* fix(deps): update module github.com/crc-org/vfkit to v0.6.1
|
||||
* fix(deps): update module github.com/containernetworking/plugins to v1.7.1
|
||||
* Fix: Use SIGKILL instead of SIGTERM when ExecStopContainer timeout is 0
|
||||
* Fix: Ensure HealthCheck exec session terminates on timeout
|
||||
* [skip-ci] Tighten version match
|
||||
* Quadlet - Update the docs to reflect the default naming of resources
|
||||
* Revert "Quadlet - fix pod name to depend on the name of the generate service"
|
||||
* Fix a shellcheck warning about word splitting
|
||||
* fix(deps): update module github.com/vishvananda/netlink to v1.3.1
|
||||
* Fix parsing of paths for unmask
|
||||
* Take path for wsl instead of forcing through WindowsApps
|
||||
* fix(deps): update module golang.org/x/net to v0.40.0
|
||||
* Update win-installer github job for arm64
|
||||
* Build windows arm64 artifacts
|
||||
* Fix windows arm64 installer build
|
||||
* README.md: add openssf passing badge
|
||||
* fix(deps): update module github.com/containers/gvisor-tap-vsock to v0.8.6
|
||||
* Update podman-secret-create.1.md
|
||||
* Quadlet - fix pod name to depend on the name of the generate service
|
||||
* fix(deps): update module golang.org/x/crypto to v0.38.0
|
||||
* Verify the ExecSession pid before killing it.
|
||||
* fix(deps): update module golang.org/x/term to v0.32.0
|
||||
* fix(deps): update github.com/vishvananda/netlink digest to 9d88d83
|
||||
* fix(deps): update module golang.org/x/sys to v0.33.0
|
||||
* fix(deps): update module golang.org/x/sync to v0.14.0
|
||||
* docs: fix markdown format
|
||||
* chore(deps): update dependency golangci/golangci-lint to v2.1.6
|
||||
* chore(deps): update dependency setuptools to ~=80.2.0
|
||||
* Automatically bump to -dev after tag
|
||||
* Update winmake.ps1 to build arm64 artifacts
|
||||
* [skip-ci] TMT: system tests
|
||||
* pkg/machinie: use TZ env for reading local timezone
|
||||
* pkg/machine: rework getLocalTimeZone on linux
|
||||
* pkg/machine: properly setup zoneinfo symlink
|
||||
* pkg/machine: do not add broken localtime symlink
|
||||
* fix(deps): update module github.com/vbauerster/mpb/v8 to v8.10.0
|
||||
* fix(deps): update module github.com/shirou/gopsutil/v4 to v4.25.4
|
||||
* fix(deps): update github.com/hugelgupf/p9 digest to abc96d2
|
||||
* chore(deps): update dependency setuptools to ~=80.1.0
|
||||
* pkg/signal: ignore SIGTOP for signal proxy
|
||||
* pkg/signal: rework CatchAll() behavior
|
||||
* sigproxy: ignore if container already removed
|
||||
* ci: Load null_blk for I/O limit tests
|
||||
* test/e2e: Use nullb0 for IO limit tests
|
||||
* test/system: Use correct device for I/O limit tests
|
||||
* inspect: Ignore character devices for IO limits
|
||||
* Do not error on tz detection
|
||||
* Stop setting btrfs_noversion build tag
|
||||
* Remove providers checks from the Windows Installer
|
||||
* Quadlet - remove the usage of cid and podid for container and pod files
|
||||
* Fix running machines with volumes containing spaces
|
||||
* Makefile: move some Go-related variable definitions up
|
||||
* Handle signal preventing Start from completing
|
||||
* Build documentation in a container on Win arm64
|
||||
* Fix mach os pr release action
|
||||
* bump main to 5.6-dev
|
||||
* pkg/bindings: wrap image push decode error
|
||||
* pkg/bindings: fix infinite loop/memory leak in image pull
|
||||
* Update "check.c" to be C23 compliant
|
||||
* feat: Add support for configuring swap in Podman machine
|
||||
* fix(deps): update module github.com/opencontainers/cgroups to v0.0.2
|
||||
* Quadlet - use helper function to initialize service struct
|
||||
* Fix logging podman machine server9 output
|
||||
* OWNERS: Fix Github handle
|
||||
* Fix handling of "r_limits" in Podman REST API /libpod/containers/create
|
||||
* chore(deps): update dependency setuptools to v80
|
||||
* bug: Correct Docker compat REST API image delete endpoint
|
||||
* update podman socket output to include also exposed ports
|
||||
* Disable FS mount in volume only test
|
||||
* Added tests for inheritlabel fix
|
||||
* Fix: inheritlabels=true if query param absent
|
||||
* Add Mohan Boddu as community manager
|
||||
* chore(deps): update dependency golangci/golangci-lint to v2.1.5
|
||||
* fix(deps): update module github.com/cpuguy83/go-md2man/v2 to v2.0.7
|
||||
* Quadlet - use helper function for handling key=val type keys
|
||||
* Add Label to quadlet pod
|
||||
* podman start: remove container if needed
|
||||
* remote: don't print bogus error when starting container attached
|
||||
* [skip-ci] Packit: do not merge PR in CI
|
||||
* [skip-ci] Packit: re-enable fedora-41 targets
|
||||
* hack/bats: Pass --tap (-t) option to bats
|
||||
* hack/bats: Fix to allow multiple tests
|
||||
* Fix: Remove appending rw as the default mount option
|
||||
* hack/bats: Allow specifying PODMAN_ROOTLESS_USER
|
||||
* libpod: fix a confusing error message from 'podman system reset' on FreeBSD
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jun 25 04:50:07 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
|
||||
|
||||
|
@@ -1,4 +1,4 @@
|
||||
name: podman
|
||||
version: 5.5.2
|
||||
mtime: 1750776105
|
||||
commit: e7d8226745ba07a64b7176a7f128e4ef53225a0e
|
||||
version: 5.6.0
|
||||
mtime: 1755265355
|
||||
commit: da671ef6cfa3fc9ac6225c18f1dd0a70a951e43f
|
||||
|
@@ -22,7 +22,7 @@
|
||||
%bcond_without apparmor
|
||||
|
||||
Name: podman
|
||||
Version: 5.5.2
|
||||
Version: 5.6.0
|
||||
Release: 0
|
||||
Summary: Daemon-less container engine for managing containers, pods and images
|
||||
License: Apache-2.0
|
||||
@@ -30,7 +30,6 @@ Group: System/Management
|
||||
URL: https://%{project}
|
||||
Source0: %{name}-%{version}.tar.gz
|
||||
Source1: podman.conf
|
||||
Patch1: 0001-remove-appending-rw-as-the-default-mount-option.patch
|
||||
BuildRequires: man
|
||||
BuildRequires: bash-completion
|
||||
BuildRequires: device-mapper-devel
|
||||
@@ -53,10 +52,6 @@ BuildRequires: golang(API) >= 1.23
|
||||
BuildRequires: pkgconfig(libselinux)
|
||||
BuildRequires: pkgconfig(libsystemd)
|
||||
BuildRequires: pkgconfig(systemd)
|
||||
%if %{with apparmor}
|
||||
Recommends: apparmor-abstractions
|
||||
Recommends: apparmor-parser
|
||||
%endif
|
||||
# requirement for `podman machine`
|
||||
Recommends: gvisor-tap-vsock
|
||||
Requires: catatonit >= 0.1.7
|
||||
|