{"rst": [{"lastseen": "2021-01-13T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **149[.]56.182.177** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **10**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-01-13T03:00:00.\n IOC tags: **generic**.\nASN 16276: (First IP 149.56.0.0, Last IP 149.56.255.255).\nASN Name \"OVH\" and Organisation \"\".\nThis IP is a part of \"**ovh**\" address pools.\nASN hosts 8553004 domains.\nGEO IP information: City \"\", Country \"Canada\".\nIOC could be a **False Positive** (Cloud provider IP).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:15F95F21-5131-3B48-9FF0-470B54669617", "href": "", "published": "2021-01-14T00:00:00", "title": "RST Threat feed. IOC: 149.56.182.177", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-13T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **216[.]152.249.62** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **2**.\n First seen: 2019-12-17T03:00:00, Last seen: 2021-01-13T03:00:00.\n IOC tags: **generic**.\nASN 14237: (First IP 216.152.248.0, Last IP 216.152.249.255).\nASN Name \"BEAMSPEED1\" and Organisation \"Beamspeed\".\nASN hosts 107 domains.\nGEO IP information: City \"Yuma\", Country \"United States\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2019-12-17T00:00:00", "id": "RST:79A67AD8-5131-372E-887B-C72F9C744CC6", "href": "", "published": "2021-01-14T00:00:00", "title": "RST Threat feed. IOC: 216.152.249.62", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-13T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **453t34rt[.]xyz** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-01-13T03:00:00.\n IOC tags: **generic**.\nIOC could be a **False Positive** (Domain not resolved. 
Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:C2AF7A3F-5131-317F-B586-09637CB138F0", "href": "", "published": "2021-01-14T00:00:00", "title": "RST Threat feed. IOC: 453t34rt.xyz", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-13T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **bqwsa[.]igg.biz** in [RST Threat Feed](https://rstcloud.net/profeed) with score **2**.\n First seen: 2019-12-17T03:00:00, Last seen: 2021-01-13T03:00:00.\n IOC tags: **generic**.\nDomain has DNS A records: 185[.]53.177.71\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2019-12-17T00:00:00", "id": "RST:FF5B3049-5131-34DA-ACAE-E6822C594703", "href": "", "published": "2021-01-14T00:00:00", "title": "RST Threat feed. IOC: bqwsa.igg.biz", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-13T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **tiusvay[.]com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-01-13T03:00:00.\n IOC tags: **generic**.\nIOC could be a **False Positive** (Domain not resolved. Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:9EC2F0E8-5131-34A1-BB78-6CE873C36212", "href": "", "published": "2021-01-14T00:00:00", "title": "RST Threat feed. 
IOC: tiusvay.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-12T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **gameesense[.]ru** in [RST Threat Feed](https://rstcloud.net/profeed) with score **20**.\n First seen: 2020-01-02T03:00:00, Last seen: 2021-01-12T03:00:00.\n IOC tags: **malware**.\nWhois:\n Created: 2019-12-02 03:52:49, \n Registrar: REGRURU, \n Registrant: Private Person.\nIOC could be a **False Positive** (Domain not resolved, but Whois records found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-01-02T00:00:00", "id": "RST:E9AF985E-5131-397E-8FEB-F47C1456FF60", "href": "", "published": "2021-01-14T00:00:00", "title": "RST Threat feed. IOC: gameesense.ru", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-13T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **xn--signin-verif-pypal-srbc[.]com.docusignalveruseraccount.com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-01-13T03:00:00.\n IOC tags: **generic**.\nIOC could be a **False Positive** (Domain not resolved. Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:62B375B3-5131-3540-A37A-45304DB04FBD", "href": "", "published": "2021-01-14T00:00:00", "title": "RST Threat feed. 
IOC: xn--signin-verif-pypal-srbc.com.docusignalveruseraccount.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-13T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **iwillteachyoutoberichheck[.]eu** in [RST Threat Feed](https://rstcloud.net/profeed) with score **2**.\n First seen: 2019-12-15T03:00:00, Last seen: 2021-01-13T03:00:00.\n IOC tags: **spam**.\nDomain has DNS A records: 23[.]202.231.167,23.217.138.108\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2019-12-15T00:00:00", "id": "RST:5A07A72D-5131-371C-9DD5-E5619BB5FB10", "href": "", "published": "2021-01-14T00:00:00", "title": "RST Threat feed. IOC: iwillteachyoutoberichheck.eu", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-12T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **hacked006[.]ddns.net** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-01-12T03:00:00.\n IOC tags: **generic**.\nIOC could be a **False Positive** (Domain not resolved. Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:EF29BCBA-5131-316C-8E83-EB6A0929CCBB", "href": "", "published": "2021-01-13T00:00:00", "title": "RST Threat feed. IOC: hacked006.ddns.net", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-12T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **paypal[.]co.uk.21le.pw** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-01-12T03:00:00.\n IOC tags: **generic**.\nIOC could be a **False Positive** (Domain not resolved. Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:6DDBFF34-5131-31EB-AC57-E9800353D0D7", "href": "", "published": "2021-01-13T00:00:00", "title": "RST Threat feed. 
IOC: paypal.co.uk.21le.pw", "type": "rst", "cvss": {}}], "nessus": [{"lastseen": "2020-12-12T14:48:30", "description": "This update for conmon, fuse-overlayfs, libcontainers-common, podman\nfixes the following issues :\n\npodman was updated to v2.0.6 (bsc#1175821)\n\ninstall missing systemd units for the new Rest API (bsc#1175957) and a\nfew man-pages that where missing before\n\nDrop varlink API related bits (in favor of the new API)\n\nfix install location for zsh completions\n\n - Fixed a bug where running systemd in a container on a\n cgroups v1 system would fail.\n\n - Fixed a bug where /etc/passwd could be re-created every\n time a container is restarted if the container's\n /etc/passwd did not contain an entry for the user the\n container was started as.\n\n - Fixed a bug where containers without an /etc/passwd file\n specifying a non-root user would not start.\n\n - Fixed a bug where the --remote flag would sometimes not\n make remote connections and would instead attempt to run\n Podman locally.\n\nUpdate to v2.0.6 :\n\nFeatures\n\n - Rootless Podman will now add an entry to /etc/passwd for\n the user who ran Podman if run with --userns=keep-id.\n\n - The podman system connection command has been reworked\n to support multiple connections, and reenabled for use!\n\n - Podman now has a new global flag, --connection, to\n specify a connection to a remote Podman API instance.\n\nChanges\n\n - Podman's automatic systemd integration (activated by the\n\n --systemd=true flag, set by default) will now activate\n for containers using /usr/local/sbin/init as their\n command, instead of just /usr/sbin/init and /sbin/init\n (and any path ending in systemd).\n\n - Seccomp profiles specified by the --security-opt\n seccomp=... 
flag to podman create and podman run will\n now be honored even if the container was created using\n --privileged.\n\nBugfixes\n\n - Fixed a bug where the podman play kube would not honor\n the hostIP field for port forwarding (#5964).\n\n - Fixed a bug where the podman generate systemd command\n would panic on an invalid restart policy being specified\n (#7271).\n\n - Fixed a bug where the podman images command could take a\n very long time (several minutes) to complete when a\n large number of images were present.\n\n - Fixed a bug where the podman logs command with the\n --tail flag would not work properly when a large amount\n of output would be printed\n ((#7230)[https://github.com//issues/7230]).\n\n - Fixed a bug where the podman exec command with remote\n Podman would not return a non-zero exit code when the\n exec session failed to start (e.g. invoking a\n non-existent command) (#6893).\n\n - Fixed a bug where the podman load command with remote\n Podman would did not honor user-specified tags (#7124).\n\n - Fixed a bug where the podman system service command,\n when run as a non-root user by Systemd, did not properly\n handle the Podman pause process and would not restart\n properly as a result (#7180).\n\n - Fixed a bug where the --publish flag to podman create,\n podman run, and podman pod create did not properly\n handle a host IP of 0.0.0.0 (attempting to bind to\n literal 0.0.0.0, instead of all IPs on the system)\n (#7104).\n\n - Fixed a bug where the podman start --attach command\n would not print the container's exit code when the\n command exited due to the container exiting.\n\n - Fixed a bug where the podman rm command with remote\n Podman would not remove volumes, even if the --volumes\n flag was specified (#7128).\n\n - Fixed a bug where the podman run command with remote\n Podman and the\n\n --rm flag could exit before the container was fully\n removed.\n\n - Fixed a bug where the --pod new:... 
flag to podman run\n and podman create would create a pod that did not share\n any namespaces.\n\n - Fixed a bug where the --preserve-fds flag to podman run\n and podman exec could close the wrong file descriptors\n while trying to close user-provided descriptors after\n passing them into the container.\n\n - Fixed a bug where default environment variables ($PATH\n and $TERM) were not set in containers when not provided\n by the image.\n\n - Fixed a bug where pod infra containers were not properly\n unmounted after exiting.\n\n - Fixed a bug where networks created with podman network\n create with an IPv6 subnet did not properly set an IPv6\n default route.\n\n - Fixed a bug where the podman save command would not work\n properly when its output was piped to another command\n (#7017).\n\n - Fixed a bug where containers using a systemd init on a\n cgroups v1 system could leak mounts under\n /sys/fs/cgroup/systemd to the host.\n\n - Fixed a bug where podman build would not generate an\n event on completion (#7022).\n\n - Fixed a bug where the podman history command with remote\n Podman printed incorrect creation times for layers\n (#7122).\n\n - Fixed a bug where Podman would not create working\n directories specified by the container image if they did\n not exist.\n\n - Fixed a bug where Podman did not clear CMD from the\n container image if the user overrode ENTRYPOINT (#7115).\n\n - Fixed a bug where error parsing image names were not\n fully reported (part of the error message containing the\n exact issue was dropped).\n\n - Fixed a bug where the podman images command with remote\n Podman did not support printing image tags in Go\n templates supplied to the --format flag (#7123).\n\n - Fixed a bug where the podman rmi --force command would\n not attempt to unmount containers it was removing, which\n could cause a failure to remove the image.\n\n - Fixed a bug where the podman generate systemd --new\n command could incorrectly quote arguments to Podman that\n 
contained whitespace, leading to nonfunctional unit\n files (#7285).\n\n - Fixed a bug where the podman version command did not\n properly include build time and Git commit.\n\n - Fixed a bug where running systemd in a Podman container\n on a system that did not use the systemd cgroup manager\n would fail (#6734).\n\n - Fixed a bug where capabilities from --cap-add were not\n properly added when a container was started as a\n non-root user via --user.\n\n - Fixed a bug where Pod infra containers were not properly\n cleaned up when they stopped, causing networking issues\n (#7103).\n\nAPI\n\n - Fixed a bug where the libpod and compat Build endpoints\n did not accept the application/tar content type (instead\n only accepting application/x-tar) (#7185).\n\n - Fixed a bug where the libpod Exists endpoint would\n attempt to write a second header in some error\n conditions (#7197).\n\n - Fixed a bug where compat and libpod Network Inspect and\n Network Remove endpoints would return a 500 instead of\n 404 when the requested network was not found.\n\n - Added a versioned _ping endpoint (e.g.\n http://localhost/v1.40/_ping).\n\n - Fixed a bug where containers started through a\n systemd-managed instance of the REST API would be shut\n down when podman system service shut down due to its\n idle timeout (#7294).\n\n - Added stronger parameter verification for the libpod\n Network Create endpoint to ensure subnet mask is a valid\n value.\n\n - The Pod URL parameter to the Libpod Container List\n endpoint has been deprecated; the information previously\n gated by the Pod boolean will now be included in the\n response unconditionally.\n\nChange hard requires for AppArmor to Recommends. 
They are not needed\nfor runtime or with SELinux but already installed if AppArmor is used\n[jsc#SMO-15]\n\nAdd BuildRequires for pkg-config(libselinux) to build with SELinux\nsupport [jsc#SMO-15]\n\nUpdate to v2.0.4\n\nFixed a bug where the output of podman image search did not populate\nthe Description field as it was mistakenly assigned to the ID field.\n\nFixed a bug where podman build - and podman build on an HTTP target\nwould fail.\n\nFixed a bug where rootless Podman would improperly chown the copied-up\ncontents of anonymous volumes (#7130).\n\nFixed a bug where Podman would sometimes HTML-escape special\ncharacters in its CLI output.\n\nFixed a bug where the podman start --attach --interactive command\nwould print the container ID of the container attached to when exiting\n(#7068).\n\nFixed a bug where podman run --ipc=host --pid=host would only set\n\n--pid=host and not --ipc=host (#7100).\n\nFixed a bug where the --publish argument to podman run, podman create\nand podman pod create would not allow binding the same container port\nto more than one host port (#7062).\n\nFixed a bug where incorrect arguments to podman images --format could\ncause Podman to segfault.\n\nFixed a bug where podman rmi --force on an image ID with more than one\nname and at least one container using the image would not completely\nremove containers using the image (#7153).\n\nFixed a bug where memory usage in bytes and memory use percentage were\nswapped in the output of podman stats\n\n--format=json.\n\nFixed a bug where the libpod and compat events endpoints would fail if\nno filters were specified (#7078).\n\nFixed a bug where the CgroupVersion field in responses from the compat\nInfo endpoint was prefixed by 'v' (instead of just being '1' or '2',\nas is documented).\n\nSuggest katacontainers instead of recommending it. 
It's not enabled by\ndefault, so it's just bloat\n\nUpdate to v2.0.3\n\nFix handling of entrypoint\n\nlog API: add context to allow for cancelling\n\nfix API: Create container with an invalid configuration\n\nRemove all instances of named return 'err' from Libpod\n\nFix: Correct connection counters for hijacked connections\n\nFix: Hijacking v2 endpoints to follow rfc 7230 semantics\n\nRemove hijacked connections from active connections list\n\nversion/info: format: allow more json variants\n\nCorrectly print STDOUT on non-terminal remote exec\n\nFix container and pod create commands for remote create\n\nMask out /sys/dev to prevent information leak from the host\n\nEnsure sig-proxy default is propagated in start\n\nAdd SystemdMode to inspect for containers\n\nWhen determining systemd mode, use full command\n\nFix lint\n\nPopulate remaining unused fields in `pod inspect`\n\nInclude infra container information in `pod inspect`\n\nplay-kube: add suport for 'IfNotPresent' pull type\n\ndocs: user namespace can't be shared in pods\n\nFix 'Error: unrecognized protocol \\'TCP\\' in port mapping'\n\nError on rootless mac and ip addresses\n\nFix & add notes regarding problematic language in codebase\n\nabi: set default umask and rlimits\n\nUsed reference package with errors for parsing tag\n\nfix: system df error when an image has no name\n\nFix Generate API title/description\n\nAdd noop function disable-content-trust\n\nfix play kube doesn't override dockerfile ENTRYPOINT\n\nSupport default profile for apparmor\n\nBump github.com/containers/common to v0.14.6\n\nevents endpoint: backwards compat to old type\n\nevents endpoint: fix panic and race condition\n\nSwitch references from libpod.conf to containers.conf\n\npodman.service: set type to simple\n\npodman.service: set doc to podman-system-service\n\npodman.service: use default registries.conf\n\npodman.service: use default killmode\n\npodman.service: remove stop timeout\n\nsystemd: symlink user->system\n\nvendor 
golang.org/x/text@v0.3.3\n\nFix a bug where --pids-limit was parsed incorrectly\n\nsearch: allow wildcards\n\n[CI:DOCS]Do not copy policy.json into gating image\n\nFix systemd pid 1 test\n\nCirrus: Rotate keys post repo. rename\n\nThe libpod.conf(5) man page got removed and all references are now\npointing towards containers.conf(5), which will be part of the\nlibcontainers-common package.\n\nUpdate to podman v2.0.2\n\nfix race condition in `libpod.GetEvents(...)`\n\nFix bug where `podman mount` didn't error as rootless\n\nremove podman system connection\n\nFix imports to ensure v2 is used with libpod\n\nUpdate release notes for v2.0.2\n\nspecgen: fix order for setting rlimits\n\nEnsure umask is set appropriately for 'system service'\n\ngenerate systemd: improve pod-flags filter\n\nFix a bug with APIv2 compat network remove to log an\nErrNetworkNotFound instead of nil\n\nFixes --remote flag issues\n\nPids-limit should only be set if the user set it\n\nSet console mode for windows\n\nAllow empty host port in --publish flag\n\nAdd a note on the APIs supported by `system service`\n\nfix: Don't override entrypoint if it's `nil`\n\nSet TMPDIR to /var/tmp by default if not set\n\ntest: add tests for --user and volumes\n\ncontainer: move volume chown after spec generation\n\nlibpod: volume copyup honors namespace mappings\n\nFix `system service` panic from early hangup in events\n\nstop podman service in e2e tests\n\nPrint errors from individual containers in pods\n\nauto-update: clarify systemd-unit requirements\n\npodman ps truncate the command\n\nmove go module to v2\n\nVendor containers/common v0.14.4\n\nBump to imagebuilder v1.1.6 on v2 branch\n\nAccount for non-default port number in image name\n\nChanges since v2.0.1\n\nUpdate release notes with further v2.0.1 changes\n\nFix inspect to display multiple label: changes\n\nSet syslog for exit commands on log-level=debug\n\nFriendly amendment for pr 6751\n\npodman run/create: support all transports\n\nsystemd generate: 
allow manual restart of container units in pods\n\nRevert sending --remote flag to containers\n\nPrint port mappings in `ps` for ctrs sharing network\n\nvendor github.com/containers/common@v0.14.3\n\nUpdate release notes for v2.0.1\n\nutils: drop default mapping when running uid!=0\n\nSet stop signal to 15 when not explicitly set\n\npodman untag: error if tag doesn't exist\n\nReformat inspect network settings\n\nAPIv2: Return `StatusCreated` from volume creation\n\nAPIv2:fix: Remove `/json` from compat network EPs\n\nFix ssh-agent support\n\nlibpod: specify mappings to the storage\n\nAPIv2:doc: Fix swagger doc to refer to volumes\n\nAdd podman network to bash command completions\n\nFix typo in manpage for `podman auto update`.\n\nAdd JSON output field for ps\n\nV2 podman system connection\n\nimage load: no args required\n\nRe-add PODMAN_USERNS environment variable\n\nFix conflicts between privileged and other flags\n\nBump required go version to 1.13\n\nAdd explicit command to alpine container in test case.\n\nUse POLL_DURATION for timer\n\nStop following logs using timers\n\n'pod' was being truncated to 'po' in the names of the generated\nsystemd unit files.\n\nrootless_linux: improve error message\n\nFix podman build handling of --http-proxy flag\n\ncorrect the absolute path of `rm` executable\n\nMakefile: allow customizable GO_BUILD\n\nCirrus: Change DEST_BRANCH to v2.0\n\nUpdate to podman v2.0.0\n\nThe `podman generate systemd` command now supports the `--new` flag\nwhen used with pods, allowing portable services for pods to be\ncreated.\n\nThe `podman play kube` command now supports running Kubernetes\nDeployment YAML.\n\nThe `podman exec` command now supports the `--detach` flag to run\ncommands in the container in the background.\n\nThe `-p` flag to `podman run` and `podman create` now supports\nforwarding ports to IPv6 addresses.\n\nThe `podman run`, `podman create` and `podman pod create` command now\nsupport a `--replace` flag to remove and replace any 
existing\ncontainer (or, for `pod create`, pod) with the same name\n\nThe `--restart-policy` flag to `podman run` and `podman create` now\nsupports the `unless-stopped` restart policy.\n\nThe `--log-driver` flag to `podman run` and `podman create` now\nsupports the `none` driver, which does not log the container's output.\n\nThe `--mount` flag to `podman run` and `podman create` now accepts\n`readonly` option as an alias to `ro`.\n\nThe `podman generate systemd` command now supports the\n`--container-prefix`, `--pod-prefix`, and `--separator` arguments to\ncontrol the name of generated unit files.\n\nThe `podman network ls` command now supports the `--filter` flag to\nfilter results.\n\nThe `podman auto-update` command now supports specifying an authfile\nto use when pulling new images on a per-container basis using the\n`io.containers.autoupdate.authfile` label.\n\nFixed a bug where the `podman exec` command would log to journald when\nrun in containers loggined to journald\n([#6555](https://github.com/containers/libpod/issues/6555)).\n\nFixed a bug where the `podman auto-update` command would not preserve\nthe OS and architecture of the original image when pulling a\nreplacement\n([#6613](https://github.com/containers/libpod/issues/6613)).\n\nFixed a bug where the `podman cp` command could create an extra\n`merged` directory when copying into an existing directory\n([#6596](https://github.com/containers/libpod/issues/6596)).\n\nFixed a bug where the `podman pod stats` command would crash on pods\nrun with `--network=host`\n([#5652](https://github.com/containers/libpod/issues/5652)).\n\nFixed a bug where containers logs written to journald did not include\nthe name of the container.\n\nFixed a bug where the `podman network inspect` and `podman network rm`\ncommands did not properly handle non-default CNI configuration paths\n([#6212](https://github.com/containers/libpod/issues/6212)).\n\nFixed a bug where Podman did not properly remove containers when using\nthe 
Kata containers OCI runtime.\n\nFixed a bug where `podman inspect` would sometimes incorrectly report\nthe network mode of containers started with `--net=none`.\n\nPodman is now better able to deal with cases where `conmon` is killed\nbefore the container it is monitoring.\n\nUpdate to podman v1.9.3 :\n\nFixed a bug where, on FIPS enabled hosts, FIPS mode secrets were not\nproperly mounted into containers\n\nFixed a bug where builds run over Varlink would hang\n\nFixed a bug where podman save would fail when the target image was\nspecified by digest\n\nFixed a bug where rootless containers with ports forwarded to them\ncould panic and dump core due to a concurrency issue (#6018)\n\nFixed a bug where rootless Podman could race when opening the rootless\nuser namespace, resulting in commands failing to run\n\nFixed a bug where HTTP proxy environment variables forwarded into the\ncontainer by the --http-proxy flag could not be overridden by --env or\n\n--env-file\n\nFixed a bug where rootless Podman was setting resource limits on\ncgroups v2 systems that were not using systemd-managed cgroups (and\nthus did not support resource limits), resulting in containers failing\nto start\n\nUpdate podman to v1.9.1 :\n\nBugfixes\n\n - Fixed a bug where healthchecks could become\n nonfunctional if container log paths were manually set\n with --log-path and multiple container logs were placed\n in the same directory\n\n - Fixed a bug where rootless Podman could, when using an\n older libpod.conf, print numerous warning messages about\n an invalid CGroup manager config\n\n - Fixed a bug where rootless Podman would sometimes fail\n to close the rootless user namespace when joining it\n\nUpdate podman to v1.9.0 :\n\nFeatures\n\n - Experimental support has been added for podman run\n\n --userns=auto, which automatically allocates a unique\n UID and GID range for the new container's user namespace\n\n - The podman play kube command now has a --network flag to\n place the created pod in 
one or more CNI networks\n\n - The podman commit command now supports an --iidfile flag\n to write the ID of the committed image to a file\n\n - Initial support for the new containers.conf\n configuration file has been added. containers.conf\n allows for much more detailed configuration of some\n Podman functionality\n\nChanges\n\n - There has been a major cleanup of the podman info\n command resulting in breaking changes. Many fields have\n been renamed to better suit usage with APIv2\n\n - All uses of the --timeout flag have been switched to\n prefer the alternative --time. The --timeout flag will\n continue to work, but man pages and --help will use the\n --time flag instead\n\nBugfixes\n\n - Fixed a bug where some volume mounts from the host would\n sometimes not properly determine the flags they should\n use when mounting\n\n - Fixed a bug where Podman was not propagating $PATH to\n Conmon and the OCI runtime, causing issues for some OCI\n runtimes that required it\n\n - Fixed a bug where rootless Podman would print error\n messages about missing support for systemd cgroups when\n run in a container with no cgroup support\n\n - Fixed a bug where podman play kube would not properly\n handle container-only port mappings (#5610)\n\n - Fixed a bug where the podman container prune command was\n not pruning containers in the created and configured\n states\n\n - Fixed a bug where Podman was not properly removing CNI\n IP address allocations after a reboot (#5433)\n\n - Fixed a bug where Podman was not properly applying the\n default Seccomp profile when --security-opt was not\n given at the command line\n\nHTTP API\n\n - Many Libpod API endpoints have been added, including\n Changes, Checkpoint, Init, and Restore\n\n - Resolved issues where the podman system service command\n would time out and exit while there were still active\n connections\n\n - Stability overall has greatly improved as we prepare the\n API for a beta release soon with Podman 2.0\n\nMisc\n\n - 
The default infra image for pods has been upgraded to\n k8s.gcr.io/pause:3.2 (from 3.1) to address a bug in the\n architecture metadata for non-AMD64 images\n\n - The slirp4netns networking utility in rootless Podman\n now uses Seccomp filtering where available for improved\n security\n\n - Updated Buildah to v1.14.8\n\n - Updated containers/storage to v1.18.2\n\n - Updated containers/image to v5.4.3\n\n - Updated containers/common to v0.8.1\n\nAdd 'systemd' BUILDFLAGS to build with support for journald logging\n(bsc#1162432)\n\nUpdate podman to v1.8.2 :\n\nFeatures\n\n - Initial support for automatically updating containers\n managed via Systemd unit files has been merged. This\n allows containers to automatically upgrade if a newer\n version of their image becomes available\n\nBugfixes\n\n - Fixed a bug where unit files generated by podman\n generate systemd\n\n --new would not force containers to detach, causing the\n unit to time out when trying to start\n\n - Fixed a bug where podman system reset could delete\n important system directories if run as rootless on\n installations created by older Podman (#4831)\n\n - Fixed a bug where image built by podman build would not\n properly set the OS and Architecture they were built\n with (#5503)\n\n - Fixed a bug where attached podman run with --sig-proxy\n enabled (the default), when built with Go 1.14, would\n repeatedly send signal 23 to the process in the\n container and could generate errors when the container\n stopped (#5483)\n\n - Fixed a bug where rootless podman run commands could\n hang when forwarding ports\n\n - Fixed a bug where rootless Podman would not work when\n /proc was mounted with the hidepid option set\n\n - Fixed a bug where the podman system service command\n would use large amounts of CPU when --timeout was set to\n 0 (#5531)\n\nHTTP API\n\n - Initial support for Libpod endpoints related to creating\n and operating on image manifest lists has been added\n\n - The Libpod Healthcheck and Events 
API endpoints are now\n supported\n\n - The Swagger endpoint can now handle cases where no\n Swagger documentation has been generated\n\nUpdate podman to v1.8.1 :\n\nFeatures\n\n - Many networking-related flags have been added to podman\n pod create to enable customization of pod networks,\n including\n\n --add-host, --dns, --dns-opt, --dns-search, --ip,\n\n --mac-address, --network, and --no-hosts\n\n - The podman ps --format=json command now includes the ID\n of the image containers were created with\n\n - The podman run and podman create commands now feature an\n\n --rmi flag to remove the image the container was using\n after it exits (if no other containers are using said\n image)\n ([#4628](https://github.com/containers/libpod/issues/462\n 8))\n\n - The podman create and podman run commands now support\n the\n\n --device-cgroup-rule flag (#4876)\n\n - While the HTTP API remains in alpha, many fixes and\n additions have landed. These are documented in a\n separate subsection below\n\n - The podman create and podman run commands now feature a\n\n --no-healthcheck flag to disable healthchecks for a\n container (#5299)\n\n - Containers now recognize the io.containers.capabilities\n label, which specifies a list of capabilities required\n by the image to run. These capabilities will be used as\n long as they are more restrictive than the default\n capabilities used\n\n - YAML produced by the podman generate kube command now\n includes SELinux configuration passed into the container\n via\n\n --security-opt label=... 
(#4950)\n\nBugfixes\n\n - Fixed CVE-2020-1726, a security issue where volumes\n manually populated before first being mounted into a\n container could have those contents overwritten on first\n being mounted into a container\n\n - Fixed a bug where Podman containers with user namespaces\n in CNI networks with the DNS plugin enabled would not\n have the DNS plugin's nameserver added to their\n resolv.conf\n ([#5256](https://github.com/containers/libpod/issues/525\n 6))\n\n - Fixed a bug where trailing / characters in image volume\n definitions could cause them to not be overridden by a\n user-specified mount at the same location\n ([#5219](https://github.com/containers/libpod/issues/521\n 9))\n\n - Fixed a bug where the label option in libpod.conf, used\n to disable SELinux by default, was not being respected\n (#5087)\n\n - Fixed a bug where the podman login and podman logout\n commands required the registry to log into be specified\n (#5146)\n\n - Fixed a bug where detached rootless Podman containers\n could not forward ports (#5167)\n\n - Fixed a bug where rootless Podman could fail to run if\n the pause process had died\n\n - Fixed a bug where Podman ignored labels that were\n specified with only a key and no value (#3854)\n\n - Fixed a bug where Podman would fail to create named\n volumes when the backing filesystem did not support\n SELinux labelling (#5200)\n\n - Fixed a bug where --detach-keys='' would not disable\n detaching from a container (#5166)\n\n - Fixed a bug where the podman ps command was too\n aggressive when filtering containers and would force\n --all on in too many situations\n\n - Fixed a bug where the podman play kube command was\n ignoring image configuration, including volumes, working\n directory, labels, and stop signal (#5174)\n\n - Fixed a bug where the Created and CreatedTime fields in\n podman images\n\n --format=json were misnamed, which also broke Go\n template output for those fields\n 
([#5110](https://github.com/containers/libpod/issues/511\n 0))\n\n - Fixed a bug where rootless Podman containers with ports\n forwarded could hang when started (#5182)\n\n - Fixed a bug where podman pull could fail to parse\n registry names including port numbers\n\n - Fixed a bug where Podman would incorrectly attempt to\n validate image OS and architecture when starting\n containers\n\n - Fixed a bug where Bash completion for podman build -f\n would not list available files that could be built\n (#3878)\n\n - Fixed a bug where podman commit --change would perform\n incorrect validation, resulting in valid changes being\n rejected (#5148)\n\n - Fixed a bug where podman logs --tail could take large\n amounts of memory when the log file for a container was\n large (#5131)\n\n - Fixed a bug where Podman would sometimes incorrectly\n generate firewall rules on systems using firewalld\n\n - Fixed a bug where the podman inspect command would not\n display network information for containers properly if a\n container joined multiple CNI networks\n ([#4907](https://github.com/containers/libpod/issues/490\n 7))\n\n - Fixed a bug where the --uts flag to podman create and\n podman run would only allow specifying containers by\n full ID (#5289)\n\n - Fixed a bug where rootless Podman could segfault when\n passed a large number of file descriptors\n\n - Fixed a bug where the podman port command was\n incorrectly interpreting additional arguments as\n container names, instead of port numbers\n\n - Fixed a bug where units created by podman generate\n systemd did not depend on network targets, and so could\n start before the system network was ready (#4130)\n\n - Fixed a bug where exec sessions in containers which did\n not specify a user would not inherit supplemental groups\n added to the container via\n\n --group-add\n\n - Fixed a bug where Podman would not respect the $TMPDIR\n environment variable for placing large temporary files\n during some operations (e.g. 
podman pull)\n ([#5411](https://github.com/containers/libpod/issues/541\n 1))\n\nHTTP API\n\n - Initial support for secure connections to servers via\n SSH tunneling has been added\n\n - Initial support for the libpod create and logs endpoints\n for containers has been added\n\n - Added a /swagger/ endpoint to serve API documentation\n\n - The json endpoint for containers has received many fixes\n\n - Filtering images and containers has been greatly\n improved, with many bugs fixed and documentation\n improved\n\n - Image creation endpoints (commit, pull, etc) have seen\n many fixes\n\n - Server timeout has been fixed so that long operations\n will no longer trigger the timeout and shut the server\n down\n\n - The stats endpoint for containers has seen major fixes\n and now provides accurate output\n\n - Handling the HTTP 304 status code has been fixed for all\n endpoints\n\n - Many fixes have been made to API documentation to ensure\n it matches the code\n\nMisc\n\n - The Created field to podman images --format=json has\n been renamed to CreatedSince as part of the fix for\n (#5110). Go templates using the old name should still\n work\n\n - The CreatedTime field to podman images --format=json has\n been renamed to CreatedAt as part of the fix for\n (#5110). Go templates using the old name should still\n work\n\n - The before filter to podman images has been renamed to\n since for Docker compatibility. 
Using before will still\n work, but documentation has been changed to use the new\n since filter\n\n - Using the --password flag to podman login now warns that\n passwords are being passed in plaintext\n\n - Some common cases where Podman would deadlock have been\n fixed to warn the user that podman system renumber must\n be run to resolve the deadlock\n\nConfigure br_netfilter for podman automatically (bsc#1165738). The\ntrigger is only executed when updating podman-cni-config while the\ncommand was running\n\nconmon was updated to v2.0.20 (bsc#1175821)\n\njournald: fix logging container name\n\ncontainer logging: Implement none driver - 'off', 'null' or 'none' all\nwork.\n\nctrl: warn if we fail to unlink\n\nDrop fsync calls\n\nReap PIDs before running exit command\n\nFix log path parsing\n\nAdd --sync option to prevent conmon from double forking\n\nAdd --no-sync-log option to instruct conmon to not sync the logs of\nthe containers upon shutting down. This feature fixes a regression\nwhere we unconditionally dropped the log sync. It is possible the\ncontainer logs could be corrupted on a sudden power-off. 
If you need\ncontainer logs to remain in consistent state after a sudden shutdown,\nplease update from v2.0.19 to v2.0.20\n\nUpdate to v2.0.17 :\n\n - Add option to delay execution of exit command\n\nUpdate to v2.0.16 :\n\n - tty: flush pending data when fd is ready\n\nEnable support for journald logging (bsc#1162432)\n\nUpdate to v2.0.15 :\n\n - store status while waiting for pid\n\nUpdate to v2.0.14 :\n\n - drop usage of splice(2)\n\n - avoid hanging on stdin\n\n - stdio: sometimes quit main loop after io is done\n\n - ignore sigpipe\n\nUpdate to v2.0.12\n\n - oom: fix potential race between verification steps\n\nUpdate to v2.0.11\n\n - log: reject --log-tag with k8s-file\n\n - chmod std files pipes\n\n - adjust score to -1000 to prevent conmon from ever being\n OOM killed\n\n - container OOM: verify cgroup hasn't been cleaned up\n before reporting OOM\n\n - journal logging: write to /dev/null instead of -1\n\nfuse-overlayfs was updated to 1.1.2 (bsc#1175821) :\n\nfix memory leak when creating whiteout files.\n\nfix lookup for overflow uid when it is different than the overflow\ngid.\n\nuse openat2(2) when available.\n\naccept 'ro' as mount option.\n\nfix set mtime for a symlink.\n\nfix some issues reported by static analysis.\n\nfix potential infinite loop on a short read.\n\nfix creating a directory if the destination already exists in the\nupper layer.\n\nreport correctly the number of links for a directory also for\nsubsequent stat calls\n\nstop looking up the ino in the lower layers if the file could not be\nopened\n\nmake sure the destination is deleted before doing a rename(2). 
It\nprevents a left over directory to cause delete to fail with EEXIST.\n\nhonor --debug.\n\nlibcontainers-common was updated to fix :\n\nFixes for %_libexecdir changing to /usr/libexec (bsc#1174075)\n\nAdded containers/common tarball for containers.conf(5) man page\n\nInstall containers.conf default configuration in /usr/share/containers\n\nlibpod repository on github got renamed to podman\n\nUpdate to image 5.5.1\n\n - Add documentation for credHelpera\n\n - Add defaults for using the rootless policy path\n\nUpdate libpod/podman to 2.0.3\n\n - docs: user namespace can't be shared in pods\n\n - Switch references from libpod.conf to containers.conf\n\n - Allow empty host port in --publish flag\n\n - update document login see config.json as valid\n\nUpdate storage to 1.20.2\n\n - Add back skip_mount_home\n\nRemove remaining difference between SLE and openSUSE package and ship\nthe same mounts.conf default configuration on both platforms. As the\nsources for the mount point do not exist on openSUSE by default this\nconfig will basically have no effect on openSUSE. (jsc#SLE-12122,\nbsc#1175821)\n\nUpdate to image 5.4.4\n\n - Remove registries.conf VERSION 2 references from man\n page\n\n - Initial authfile man page\n\n - Add $HOME/.config/containers/certs.d to\n perHostCertDirPath\n\n - Add $HOME/.config/containers/registries.conf to config\n path\n\n - registries.conf.d: add stances for the registries.conf\n\nupdate to libpod 1.9.3\n\n - userns: support --userns=auto\n\n - Switch to using --time as opposed to --timeout to better\n match Docker\n\n - Add support for specifying CNI networks in podman play\n kube\n\n - man pages: fix inconsistencies\n\nUpdate to storage 1.19.1\n\n - userns: add support for auto\n\n - store: change the default user to containers\n\n - config: honor XDG_CONFIG_HOME\n\nRemove the /var/lib/ca-certificates/pem/SUSE.pem workaround again. 
It\nnever ended up in SLES and a different way to fix the underlying\nproblem is being worked on.\n\nAdd registry.opensuse.org as default registry [bsc#1171578]\n\nAdd /var/lib/ca-certificates/pem/SUSE.pem to the SLES mounts. This for\nmaking container-suseconnect working in the public cloud on-demand\nimages. It needs that file for being able to verify the server\ncertificates of the RMT servers hosted in the public cloud.\n(https://github.com/SUSE/container-suseconnect/issues/41)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 2, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "published": "2020-12-09T00:00:00", "title": "SUSE SLES15 Security Update : conmon, fuse-overlayfs, libcontainers-common, podman (SUSE-SU-2020:2731-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1726"], "modified": "2020-12-09T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:fuse-overlayfs-debuginfo", "p-cpe:/a:novell:suse_linux:conmon-debuginfo", "cpe:/o:novell:suse_linux:15", "p-cpe:/a:novell:suse_linux:podman", "p-cpe:/a:novell:suse_linux:conmon", "p-cpe:/a:novell:suse_linux:fuse-overlayfs", "p-cpe:/a:novell:suse_linux:fuse-overlayfs-debugsource"], "id": "SUSE_SU-2020-2731-1.NASL", "href": "https://www.tenable.com/plugins/nessus/143877", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:2731-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(143877);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/11\");\n\n script_cve_id(\"CVE-2020-1726\");\n\n script_name(english:\"SUSE SLES15 Security 
Update : conmon, fuse-overlayfs, libcontainers-common, podman (SUSE-SU-2020:2731-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for conmon, fuse-overlayfs, libcontainers-common, podman\nfixes the following issues :\n\npodman was updated to v2.0.6 (bsc#1175821)\n\ninstall missing systemd units for the new Rest API (bsc#1175957) and a\nfew man-pages that where missing before\n\nDrop varlink API related bits (in favor of the new API)\n\nfix install location for zsh completions\n\n - Fixed a bug where running systemd in a container on a\n cgroups v1 system would fail.\n\n - Fixed a bug where /etc/passwd could be re-created every\n time a container is restarted if the container's\n /etc/passwd did not contain an entry for the user the\n container was started as.\n\n - Fixed a bug where containers without an /etc/passwd file\n specifying a non-root user would not start.\n\n - Fixed a bug where the --remote flag would sometimes not\n make remote connections and would instead attempt to run\n Podman locally.\n\nUpdate to v2.0.6 :\n\nFeatures\n\n - Rootless Podman will now add an entry to /etc/passwd for\n the user who ran Podman if run with --userns=keep-id.\n\n - The podman system connection command has been reworked\n to support multiple connections, and reenabled for use!\n\n - Podman now has a new global flag, --connection, to\n specify a connection to a remote Podman API instance.\n\nChanges\n\n - Podman's automatic systemd integration (activated by the\n\n --systemd=true flag, set by default) will now activate\n for containers using /usr/local/sbin/init as their\n command, instead of just /usr/sbin/init and /sbin/init\n (and any path ending in systemd).\n\n - Seccomp profiles specified by the --security-opt\n seccomp=... 
flag to podman create and podman run will\n now be honored even if the container was created using\n --privileged.\n\nBugfixes\n\n - Fixed a bug where the podman play kube would not honor\n the hostIP field for port forwarding (#5964).\n\n - Fixed a bug where the podman generate systemd command\n would panic on an invalid restart policy being specified\n (#7271).\n\n - Fixed a bug where the podman images command could take a\n very long time (several minutes) to complete when a\n large number of images were present.\n\n - Fixed a bug where the podman logs command with the\n --tail flag would not work properly when a large amount\n of output would be printed\n ((#7230)[https://github.com//issues/7230]).\n\n - Fixed a bug where the podman exec command with remote\n Podman would not return a non-zero exit code when the\n exec session failed to start (e.g. invoking a\n non-existent command) (#6893).\n\n - Fixed a bug where the podman load command with remote\n Podman would did not honor user-specified tags (#7124).\n\n - Fixed a bug where the podman system service command,\n when run as a non-root user by Systemd, did not properly\n handle the Podman pause process and would not restart\n properly as a result (#7180).\n\n - Fixed a bug where the --publish flag to podman create,\n podman run, and podman pod create did not properly\n handle a host IP of 0.0.0.0 (attempting to bind to\n literal 0.0.0.0, instead of all IPs on the system)\n (#7104).\n\n - Fixed a bug where the podman start --attach command\n would not print the container's exit code when the\n command exited due to the container exiting.\n\n - Fixed a bug where the podman rm command with remote\n Podman would not remove volumes, even if the --volumes\n flag was specified (#7128).\n\n - Fixed a bug where the podman run command with remote\n Podman and the\n\n --rm flag could exit before the container was fully\n removed.\n\n - Fixed a bug where the --pod new:... 
flag to podman run\n and podman create would create a pod that did not share\n any namespaces.\n\n - Fixed a bug where the --preserve-fds flag to podman run\n and podman exec could close the wrong file descriptors\n while trying to close user-provided descriptors after\n passing them into the container.\n\n - Fixed a bug where default environment variables ($PATH\n and $TERM) were not set in containers when not provided\n by the image.\n\n - Fixed a bug where pod infra containers were not properly\n unmounted after exiting.\n\n - Fixed a bug where networks created with podman network\n create with an IPv6 subnet did not properly set an IPv6\n default route.\n\n - Fixed a bug where the podman save command would not work\n properly when its output was piped to another command\n (#7017).\n\n - Fixed a bug where containers using a systemd init on a\n cgroups v1 system could leak mounts under\n /sys/fs/cgroup/systemd to the host.\n\n - Fixed a bug where podman build would not generate an\n event on completion (#7022).\n\n - Fixed a bug where the podman history command with remote\n Podman printed incorrect creation times for layers\n (#7122).\n\n - Fixed a bug where Podman would not create working\n directories specified by the container image if they did\n not exist.\n\n - Fixed a bug where Podman did not clear CMD from the\n container image if the user overrode ENTRYPOINT (#7115).\n\n - Fixed a bug where error parsing image names were not\n fully reported (part of the error message containing the\n exact issue was dropped).\n\n - Fixed a bug where the podman images command with remote\n Podman did not support printing image tags in Go\n templates supplied to the --format flag (#7123).\n\n - Fixed a bug where the podman rmi --force command would\n not attempt to unmount containers it was removing, which\n could cause a failure to remove the image.\n\n - Fixed a bug where the podman generate systemd --new\n command could incorrectly quote arguments to Podman that\n 
contained whitespace, leading to nonfunctional unit\n files (#7285).\n\n - Fixed a bug where the podman version command did not\n properly include build time and Git commit.\n\n - Fixed a bug where running systemd in a Podman container\n on a system that did not use the systemd cgroup manager\n would fail (#6734).\n\n - Fixed a bug where capabilities from --cap-add were not\n properly added when a container was started as a\n non-root user via --user.\n\n - Fixed a bug where Pod infra containers were not properly\n cleaned up when they stopped, causing networking issues\n (#7103).\n\nAPI\n\n - Fixed a bug where the libpod and compat Build endpoints\n did not accept the application/tar content type (instead\n only accepting application/x-tar) (#7185).\n\n - Fixed a bug where the libpod Exists endpoint would\n attempt to write a second header in some error\n conditions (#7197).\n\n - Fixed a bug where compat and libpod Network Inspect and\n Network Remove endpoints would return a 500 instead of\n 404 when the requested network was not found.\n\n - Added a versioned _ping endpoint (e.g.\n http://localhost/v1.40/_ping).\n\n - Fixed a bug where containers started through a\n systemd-managed instance of the REST API would be shut\n down when podman system service shut down due to its\n idle timeout (#7294).\n\n - Added stronger parameter verification for the libpod\n Network Create endpoint to ensure subnet mask is a valid\n value.\n\n - The Pod URL parameter to the Libpod Container List\n endpoint has been deprecated; the information previously\n gated by the Pod boolean will now be included in the\n response unconditionally.\n\nChange hard requires for AppArmor to Recommends. 
They are not needed\nfor runtime or with SELinux but already installed if AppArmor is used\n[jsc#SMO-15]\n\nAdd BuildRequires for pkg-config(libselinux) to build with SELinux\nsupport [jsc#SMO-15]\n\nUpdate to v2.0.4\n\nFixed a bug where the output of podman image search did not populate\nthe Description field as it was mistakenly assigned to the ID field.\n\nFixed a bug where podman build - and podman build on an HTTP target\nwould fail.\n\nFixed a bug where rootless Podman would improperly chown the copied-up\ncontents of anonymous volumes (#7130).\n\nFixed a bug where Podman would sometimes HTML-escape special\ncharacters in its CLI output.\n\nFixed a bug where the podman start --attach --interactive command\nwould print the container ID of the container attached to when exiting\n(#7068).\n\nFixed a bug where podman run --ipc=host --pid=host would only set\n\n--pid=host and not --ipc=host (#7100).\n\nFixed a bug where the --publish argument to podman run, podman create\nand podman pod create would not allow binding the same container port\nto more than one host port (#7062).\n\nFixed a bug where incorrect arguments to podman images --format could\ncause Podman to segfault.\n\nFixed a bug where podman rmi --force on an image ID with more than one\nname and at least one container using the image would not completely\nremove containers using the image (#7153).\n\nFixed a bug where memory usage in bytes and memory use percentage were\nswapped in the output of podman stats\n\n--format=json.\n\nFixed a bug where the libpod and compat events endpoints would fail if\nno filters were specified (#7078).\n\nFixed a bug where the CgroupVersion field in responses from the compat\nInfo endpoint was prefixed by 'v' (instead of just being '1' or '2',\nas is documented).\n\nSuggest katacontainers instead of recommending it. 
It's not enabled by\ndefault, so it's just bloat\n\nUpdate to v2.0.3\n\nFix handling of entrypoint\n\nlog API: add context to allow for cancelling\n\nfix API: Create container with an invalid configuration\n\nRemove all instances of named return 'err' from Libpod\n\nFix: Correct connection counters for hijacked connections\n\nFix: Hijacking v2 endpoints to follow rfc 7230 semantics\n\nRemove hijacked connections from active connections list\n\nversion/info: format: allow more json variants\n\nCorrectly print STDOUT on non-terminal remote exec\n\nFix container and pod create commands for remote create\n\nMask out /sys/dev to prevent information leak from the host\n\nEnsure sig-proxy default is propagated in start\n\nAdd SystemdMode to inspect for containers\n\nWhen determining systemd mode, use full command\n\nFix lint\n\nPopulate remaining unused fields in `pod inspect`\n\nInclude infra container information in `pod inspect`\n\nplay-kube: add suport for 'IfNotPresent' pull type\n\ndocs: user namespace can't be shared in pods\n\nFix 'Error: unrecognized protocol \\'TCP\\' in port mapping'\n\nError on rootless mac and ip addresses\n\nFix & add notes regarding problematic language in codebase\n\nabi: set default umask and rlimits\n\nUsed reference package with errors for parsing tag\n\nfix: system df error when an image has no name\n\nFix Generate API title/description\n\nAdd noop function disable-content-trust\n\nfix play kube doesn't override dockerfile ENTRYPOINT\n\nSupport default profile for apparmor\n\nBump github.com/containers/common to v0.14.6\n\nevents endpoint: backwards compat to old type\n\nevents endpoint: fix panic and race condition\n\nSwitch references from libpod.conf to containers.conf\n\npodman.service: set type to simple\n\npodman.service: set doc to podman-system-service\n\npodman.service: use default registries.conf\n\npodman.service: use default killmode\n\npodman.service: remove stop timeout\n\nsystemd: symlink user->system\n\nvendor 
golang.org/x/text@v0.3.3\n\nFix a bug where --pids-limit was parsed incorrectly\n\nsearch: allow wildcards\n\n[CI:DOCS]Do not copy policy.json into gating image\n\nFix systemd pid 1 test\n\nCirrus: Rotate keys post repo. rename\n\nThe libpod.conf(5) man page got removed and all references are now\npointing towards containers.conf(5), which will be part of the\nlibcontainers-common package.\n\nUpdate to podman v2.0.2\n\nfix race condition in `libpod.GetEvents(...)`\n\nFix bug where `podman mount` didn't error as rootless\n\nremove podman system connection\n\nFix imports to ensure v2 is used with libpod\n\nUpdate release notes for v2.0.2\n\nspecgen: fix order for setting rlimits\n\nEnsure umask is set appropriately for 'system service'\n\ngenerate systemd: improve pod-flags filter\n\nFix a bug with APIv2 compat network remove to log an\nErrNetworkNotFound instead of nil\n\nFixes --remote flag issues\n\nPids-limit should only be set if the user set it\n\nSet console mode for windows\n\nAllow empty host port in --publish flag\n\nAdd a note on the APIs supported by `system service`\n\nfix: Don't override entrypoint if it's `nil`\n\nSet TMPDIR to /var/tmp by default if not set\n\ntest: add tests for --user and volumes\n\ncontainer: move volume chown after spec generation\n\nlibpod: volume copyup honors namespace mappings\n\nFix `system service` panic from early hangup in events\n\nstop podman service in e2e tests\n\nPrint errors from individual containers in pods\n\nauto-update: clarify systemd-unit requirements\n\npodman ps truncate the command\n\nmove go module to v2\n\nVendor containers/common v0.14.4\n\nBump to imagebuilder v1.1.6 on v2 branch\n\nAccount for non-default port number in image name\n\nChanges since v2.0.1\n\nUpdate release notes with further v2.0.1 changes\n\nFix inspect to display multiple label: changes\n\nSet syslog for exit commands on log-level=debug\n\nFriendly amendment for pr 6751\n\npodman run/create: support all transports\n\nsystemd generate: 
allow manual restart of container units in pods\n\nRevert sending --remote flag to containers\n\nPrint port mappings in `ps` for ctrs sharing network\n\nvendor github.com/containers/common@v0.14.3\n\nUpdate release notes for v2.0.1\n\nutils: drop default mapping when running uid!=0\n\nSet stop signal to 15 when not explicitly set\n\npodman untag: error if tag doesn't exist\n\nReformat inspect network settings\n\nAPIv2: Return `StatusCreated` from volume creation\n\nAPIv2:fix: Remove `/json` from compat network EPs\n\nFix ssh-agent support\n\nlibpod: specify mappings to the storage\n\nAPIv2:doc: Fix swagger doc to refer to volumes\n\nAdd podman network to bash command completions\n\nFix typo in manpage for `podman auto update`.\n\nAdd JSON output field for ps\n\nV2 podman system connection\n\nimage load: no args required\n\nRe-add PODMAN_USERNS environment variable\n\nFix conflicts between privileged and other flags\n\nBump required go version to 1.13\n\nAdd explicit command to alpine container in test case.\n\nUse POLL_DURATION for timer\n\nStop following logs using timers\n\n'pod' was being truncated to 'po' in the names of the generated\nsystemd unit files.\n\nrootless_linux: improve error message\n\nFix podman build handling of --http-proxy flag\n\ncorrect the absolute path of `rm` executable\n\nMakefile: allow customizable GO_BUILD\n\nCirrus: Change DEST_BRANCH to v2.0\n\nUpdate to podman v2.0.0\n\nThe `podman generate systemd` command now supports the `--new` flag\nwhen used with pods, allowing portable services for pods to be\ncreated.\n\nThe `podman play kube` command now supports running Kubernetes\nDeployment YAML.\n\nThe `podman exec` command now supports the `--detach` flag to run\ncommands in the container in the background.\n\nThe `-p` flag to `podman run` and `podman create` now supports\nforwarding ports to IPv6 addresses.\n\nThe `podman run`, `podman create` and `podman pod create` command now\nsupport a `--replace` flag to remove and replace any 
existing\ncontainer (or, for `pod create`, pod) with the same name\n\nThe `--restart-policy` flag to `podman run` and `podman create` now\nsupports the `unless-stopped` restart policy.\n\nThe `--log-driver` flag to `podman run` and `podman create` now\nsupports the `none` driver, which does not log the container's output.\n\nThe `--mount` flag to `podman run` and `podman create` now accepts\n`readonly` option as an alias to `ro`.\n\nThe `podman generate systemd` command now supports the\n`--container-prefix`, `--pod-prefix`, and `--separator` arguments to\ncontrol the name of generated unit files.\n\nThe `podman network ls` command now supports the `--filter` flag to\nfilter results.\n\nThe `podman auto-update` command now supports specifying an authfile\nto use when pulling new images on a per-container basis using the\n`io.containers.autoupdate.authfile` label.\n\nFixed a bug where the `podman exec` command would log to journald when\nrun in containers loggined to journald\n([#6555](https://github.com/containers/libpod/issues/6555)).\n\nFixed a bug where the `podman auto-update` command would not preserve\nthe OS and architecture of the original image when pulling a\nreplacement\n([#6613](https://github.com/containers/libpod/issues/6613)).\n\nFixed a bug where the `podman cp` command could create an extra\n`merged` directory when copying into an existing directory\n([#6596](https://github.com/containers/libpod/issues/6596)).\n\nFixed a bug where the `podman pod stats` command would crash on pods\nrun with `--network=host`\n([#5652](https://github.com/containers/libpod/issues/5652)).\n\nFixed a bug where containers logs written to journald did not include\nthe name of the container.\n\nFixed a bug where the `podman network inspect` and `podman network rm`\ncommands did not properly handle non-default CNI configuration paths\n([#6212](https://github.com/containers/libpod/issues/6212)).\n\nFixed a bug where Podman did not properly remove containers when using\nthe 
Kata containers OCI runtime.\n\nFixed a bug where `podman inspect` would sometimes incorrectly report\nthe network mode of containers started with `--net=none`.\n\nPodman is now better able to deal with cases where `conmon` is killed\nbefore the container it is monitoring.\n\nUpdate to podman v1.9.3 :\n\nFixed a bug where, on FIPS enabled hosts, FIPS mode secrets were not\nproperly mounted into containers\n\nFixed a bug where builds run over Varlink would hang\n\nFixed a bug where podman save would fail when the target image was\nspecified by digest\n\nFixed a bug where rootless containers with ports forwarded to them\ncould panic and dump core due to a concurrency issue (#6018)\n\nFixed a bug where rootless Podman could race when opening the rootless\nuser namespace, resulting in commands failing to run\n\nFixed a bug where HTTP proxy environment variables forwarded into the\ncontainer by the --http-proxy flag could not be overridden by --env or\n\n--env-file\n\nFixed a bug where rootless Podman was setting resource limits on\ncgroups v2 systems that were not using systemd-managed cgroups (and\nthus did not support resource limits), resulting in containers failing\nto start\n\nUpdate podman to v1.9.1 :\n\nBugfixes\n\n - Fixed a bug where healthchecks could become\n nonfunctional if container log paths were manually set\n with --log-path and multiple container logs were placed\n in the same directory\n\n - Fixed a bug where rootless Podman could, when using an\n older libpod.conf, print numerous warning messages about\n an invalid CGroup manager config\n\n - Fixed a bug where rootless Podman would sometimes fail\n to close the rootless user namespace when joining it\n\nUpdate podman to v1.9.0 :\n\nFeatures\n\n - Experimental support has been added for podman run\n\n --userns=auto, which automatically allocates a unique\n UID and GID range for the new container's user namespace\n\n - The podman play kube command now has a --network flag to\n place the created pod in 
one or more CNI networks\n\n - The podman commit command now supports an --iidfile flag\n to write the ID of the committed image to a file\n\n - Initial support for the new containers.conf\n configuration file has been added. containers.conf\n allows for much more detailed configuration of some\n Podman functionality\n\nChanges\n\n - There has been a major cleanup of the podman info\n command resulting in breaking changes. Many fields have\n been renamed to better suit usage with APIv2\n\n - All uses of the --timeout flag have been switched to\n prefer the alternative --time. The --timeout flag will\n continue to work, but man pages and --help will use the\n --time flag instead\n\nBugfixes\n\n - Fixed a bug where some volume mounts from the host would\n sometimes not properly determine the flags they should\n use when mounting\n\n - Fixed a bug where Podman was not propagating $PATH to\n Conmon and the OCI runtime, causing issues for some OCI\n runtimes that required it\n\n - Fixed a bug where rootless Podman would print error\n messages about missing support for systemd cgroups when\n run in a container with no cgroup support\n\n - Fixed a bug where podman play kube would not properly\n handle container-only port mappings (#5610)\n\n - Fixed a bug where the podman container prune command was\n not pruning containers in the created and configured\n states\n\n - Fixed a bug where Podman was not properly removing CNI\n IP address allocations after a reboot (#5433)\n\n - Fixed a bug where Podman was not properly applying the\n default Seccomp profile when --security-opt was not\n given at the command line\n\nHTTP API\n\n - Many Libpod API endpoints have been added, including\n Changes, Checkpoint, Init, and Restore\n\n - Resolved issues where the podman system service command\n would time out and exit while there were still active\n connections\n\n - Stability overall has greatly improved as we prepare the\n API for a beta release soon with Podman 2.0\n\nMisc\n\n - 
The default infra image for pods has been upgraded to\n k8s.gcr.io/pause:3.2 (from 3.1) to address a bug in the\n architecture metadata for non-AMD64 images\n\n - The slirp4netns networking utility in rootless Podman\n now uses Seccomp filtering where available for improved\n security\n\n - Updated Buildah to v1.14.8\n\n - Updated containers/storage to v1.18.2\n\n - Updated containers/image to v5.4.3\n\n - Updated containers/common to v0.8.1\n\nAdd 'systemd' BUILDFLAGS to build with support for journald logging\n(bsc#1162432)\n\nUpdate podman to v1.8.2 :\n\nFeatures\n\n - Initial support for automatically updating containers\n managed via Systemd unit files has been merged. This\n allows containers to automatically upgrade if a newer\n version of their image becomes available\n\nBugfixes\n\n - Fixed a bug where unit files generated by podman\n generate systemd\n\n --new would not force containers to detach, causing the\n unit to time out when trying to start\n\n - Fixed a bug where podman system reset could delete\n important system directories if run as rootless on\n installations created by older Podman (#4831)\n\n - Fixed a bug where image built by podman build would not\n properly set the OS and Architecture they were built\n with (#5503)\n\n - Fixed a bug where attached podman run with --sig-proxy\n enabled (the default), when built with Go 1.14, would\n repeatedly send signal 23 to the process in the\n container and could generate errors when the container\n stopped (#5483)\n\n - Fixed a bug where rootless podman run commands could\n hang when forwarding ports\n\n - Fixed a bug where rootless Podman would not work when\n /proc was mounted with the hidepid option set\n\n - Fixed a bug where the podman system service command\n would use large amounts of CPU when --timeout was set to\n 0 (#5531)\n\nHTTP API\n\n - Initial support for Libpod endpoints related to creating\n and operating on image manifest lists has been added\n\n - The Libpod Healthcheck and Events 
API endpoints are now\n supported\n\n - The Swagger endpoint can now handle cases where no\n Swagger documentation has been generated\n\nUpdate podman to v1.8.1 :\n\nFeatures\n\n - Many networking-related flags have been added to podman\n pod create to enable customization of pod networks,\n including\n\n --add-host, --dns, --dns-opt, --dns-search, --ip,\n\n --mac-address, --network, and --no-hosts\n\n - The podman ps --format=json command now includes the ID\n of the image containers were created with\n\n - The podman run and podman create commands now feature an\n\n --rmi flag to remove the image the container was using\n after it exits (if no other containers are using said\n image)\n ([#4628](https://github.com/containers/libpod/issues/462\n 8))\n\n - The podman create and podman run commands now support\n the\n\n --device-cgroup-rule flag (#4876)\n\n - While the HTTP API remains in alpha, many fixes and\n additions have landed. These are documented in a\n separate subsection below\n\n - The podman create and podman run commands now feature a\n\n --no-healthcheck flag to disable healthchecks for a\n container (#5299)\n\n - Containers now recognize the io.containers.capabilities\n label, which specifies a list of capabilities required\n by the image to run. These capabilities will be used as\n long as they are more restrictive than the default\n capabilities used\n\n - YAML produced by the podman generate kube command now\n includes SELinux configuration passed into the container\n via\n\n --security-opt label=... 
(#4950)\n\nBugfixes\n\n - Fixed CVE-2020-1726, a security issue where volumes\n manually populated before first being mounted into a\n container could have those contents overwritten on first\n being mounted into a container\n\n - Fixed a bug where Podman containers with user namespaces\n in CNI networks with the DNS plugin enabled would not\n have the DNS plugin's nameserver added to their\n resolv.conf\n ([#5256](https://github.com/containers/libpod/issues/525\n 6))\n\n - Fixed a bug where trailing / characters in image volume\n definitions could cause them to not be overridden by a\n user-specified mount at the same location\n ([#5219](https://github.com/containers/libpod/issues/521\n 9))\n\n - Fixed a bug where the label option in libpod.conf, used\n to disable SELinux by default, was not being respected\n (#5087)\n\n - Fixed a bug where the podman login and podman logout\n commands required the registry to log into be specified\n (#5146)\n\n - Fixed a bug where detached rootless Podman containers\n could not forward ports (#5167)\n\n - Fixed a bug where rootless Podman could fail to run if\n the pause process had died\n\n - Fixed a bug where Podman ignored labels that were\n specified with only a key and no value (#3854)\n\n - Fixed a bug where Podman would fail to create named\n volumes when the backing filesystem did not support\n SELinux labelling (#5200)\n\n - Fixed a bug where --detach-keys='' would not disable\n detaching from a container (#5166)\n\n - Fixed a bug where the podman ps command was too\n aggressive when filtering containers and would force\n --all on in too many situations\n\n - Fixed a bug where the podman play kube command was\n ignoring image configuration, including volumes, working\n directory, labels, and stop signal (#5174)\n\n - Fixed a bug where the Created and CreatedTime fields in\n podman images\n\n --format=json were misnamed, which also broke Go\n template output for those fields\n 
([#5110](https://github.com/containers/libpod/issues/511\n 0))\n\n - Fixed a bug where rootless Podman containers with ports\n forwarded could hang when started (#5182)\n\n - Fixed a bug where podman pull could fail to parse\n registry names including port numbers\n\n - Fixed a bug where Podman would incorrectly attempt to\n validate image OS and architecture when starting\n containers\n\n - Fixed a bug where Bash completion for podman build -f\n would not list available files that could be built\n (#3878)\n\n - Fixed a bug where podman commit --change would perform\n incorrect validation, resulting in valid changes being\n rejected (#5148)\n\n - Fixed a bug where podman logs --tail could take large\n amounts of memory when the log file for a container was\n large (#5131)\n\n - Fixed a bug where Podman would sometimes incorrectly\n generate firewall rules on systems using firewalld\n\n - Fixed a bug where the podman inspect command would not\n display network information for containers properly if a\n container joined multiple CNI networks\n ([#4907](https://github.com/containers/libpod/issues/490\n 7))\n\n - Fixed a bug where the --uts flag to podman create and\n podman run would only allow specifying containers by\n full ID (#5289)\n\n - Fixed a bug where rootless Podman could segfault when\n passed a large number of file descriptors\n\n - Fixed a bug where the podman port command was\n incorrectly interpreting additional arguments as\n container names, instead of port numbers\n\n - Fixed a bug where units created by podman generate\n systemd did not depend on network targets, and so could\n start before the system network was ready (#4130)\n\n - Fixed a bug where exec sessions in containers which did\n not specify a user would not inherit supplemental groups\n added to the container via\n\n --group-add\n\n - Fixed a bug where Podman would not respect the $TMPDIR\n environment variable for placing large temporary files\n during some operations (e.g. 
podman pull)\n ([#5411](https://github.com/containers/libpod/issues/541\n 1))\n\nHTTP API\n\n - Initial support for secure connections to servers via\n SSH tunneling has been added\n\n - Initial support for the libpod create and logs endpoints\n for containers has been added\n\n - Added a /swagger/ endpoint to serve API documentation\n\n - The json endpoint for containers has received many fixes\n\n - Filtering images and containers has been greatly\n improved, with many bugs fixed and documentation\n improved\n\n - Image creation endpoints (commit, pull, etc) have seen\n many fixes\n\n - Server timeout has been fixed so that long operations\n will no longer trigger the timeout and shut the server\n down\n\n - The stats endpoint for containers has seen major fixes\n and now provides accurate output\n\n - Handling the HTTP 304 status code has been fixed for all\n endpoints\n\n - Many fixes have been made to API documentation to ensure\n it matches the code\n\nMisc\n\n - The Created field to podman images --format=json has\n been renamed to CreatedSince as part of the fix for\n (#5110). Go templates using the old name should still\n work\n\n - The CreatedTime field to podman images --format=json has\n been renamed to CreatedAt as part of the fix for\n (#5110). Go templates using the old name should still\n work\n\n - The before filter to podman images has been renamed to\n since for Docker compatibility. 
Using before will still\n work, but documentation has been changed to use the new\n since filter\n\n - Using the --password flag to podman login now warns that\n passwords are being passed in plaintext\n\n - Some common cases where Podman would deadlock have been\n fixed to warn the user that podman system renumber must\n be run to resolve the deadlock\n\nConfigure br_netfilter for podman automatically (bsc#1165738) The\ntrigger is only executed when updating podman-cni-config while the\ncommand was running\n\nconmon was updated to v2.0.20 (bsc#1175821)\n\njournald: fix logging container name\n\ncontainer logging: Implement none driver - 'off', 'null' or 'none' all\nwork.\n\nctrl: warn if we fail to unlink\n\nDrop fsync calls\n\nReap PIDs before running exit command\n\nFix log path parsing\n\nAdd --sync option to prevent conmon from double forking\n\nAdd --no-sync-log option to instruct conmon to not sync the logs of\nthe containers upon shutting down. This feature fixes a regression\nwhere we unconditionally dropped the log sync. It is possible the\ncontainer logs could be corrupted on a sudden power-off. 
If you need\ncontainer logs to remain in consistent state after a sudden shutdown,\nplease update from v2.0.19 to v2.0.20\n\nUpdate to v2.0.17 :\n\n - Add option to delay execution of exit command\n\nUpdate to v2.0.16 :\n\n - tty: flush pending data when fd is ready\n\nEnable support for journald logging (bsc#1162432)\n\nUpdate to v2.0.15 :\n\n - store status while waiting for pid\n\nUpdate to v2.0.14 :\n\n - drop usage of splice(2)\n\n - avoid hanging on stdin\n\n - stdio: sometimes quit main loop after io is done\n\n - ignore sigpipe\n\nUpdate to v2.0.12\n\n - oom: fix potential race between verification steps\n\nUpdate to v2.0.11\n\n - log: reject --log-tag with k8s-file\n\n - chmod std files pipes\n\n - adjust score to -1000 to prevent conmon from ever being\n OOM killed\n\n - container OOM: verify cgroup hasn't been cleaned up\n before reporting OOM\n\n - journal logging: write to /dev/null instead of -1\n\nfuse-overlayfs was updated to 1.1.2 (bsc#1175821) :\n\nfix memory leak when creating whiteout files.\n\nfix lookup for overflow uid when it is different than the overflow\ngid.\n\nuse openat2(2) when available.\n\naccept 'ro' as mount option.\n\nfix set mtime for a symlink.\n\nfix some issues reported by static analysis.\n\nfix potential infinite loop on a short read.\n\nfix creating a directory if the destination already exists in the\nupper layer.\n\nreport correctly the number of links for a directory also for\nsubsequent stat calls\n\nstop looking up the ino in the lower layers if the file could not be\nopened\n\nmake sure the destination is deleted before doing a rename(2). 
It\nprevents a left over directory to cause delete to fail with EEXIST.\n\nhonor --debug.\n\nlibcontainers-common was updated to fix :\n\nFixes for %_libexecdir changing to /usr/libexec (bsc#1174075)\n\nAdded containers/common tarball for containers.conf(5) man page\n\nInstall containers.conf default configuration in /usr/share/containers\n\nlibpod repository on github got renamed to podman\n\nUpdate to image 5.5.1\n\n - Add documentation for credHelpera\n\n - Add defaults for using the rootless policy path\n\nUpdate libpod/podman to 2.0.3\n\n - docs: user namespace can't be shared in pods\n\n - Switch references from libpod.conf to containers.conf\n\n - Allow empty host port in --publish flag\n\n - update document login see config.json as valid\n\nUpdate storage to 1.20.2\n\n - Add back skip_mount_home\n\nRemove remaining difference between SLE and openSUSE package and ship\nthe some mounts.conf default configuration on both platforms. As the\nsources for the mount point do not exist on openSUSE by default this\nconfig will basically have no effect on openSUSE. (jsc#SLE-12122,\nbsc#1175821)\n\nUpdate to image 5.4.4\n\n - Remove registries.conf VERSION 2 references from man\n page\n\n - Initial authfile man page\n\n - Add $HOME/.config/containers/certs.d to\n perHostCertDirPath\n\n - Add $HOME/.config/containers/registries.conf to config\n path\n\n - registries.conf.d: add stances for the registries.conf\n\nupdate to libpod 1.9.3\n\n - userns: support --userns=auto\n\n - Switch to using --time as opposed to --timeout to better\n match Docker\n\n - Add support for specifying CNI networks in podman play\n kube\n\n - man pages: fix inconsistencies\n\nUpdate to storage 1.19.1\n\n - userns: add support for auto\n\n - store: change the default user to containers\n\n - config: honor XDG_CONFIG_HOME\n\nRemove the /var/lib/ca-certificates/pem/SUSE.pem workaround again. 
It\nnever ended up in SLES and a different way to fix the underlying\nproblem is being worked on.\n\nAdd registry.opensuse.org as default registry [bsc#1171578]\n\nAdd /var/lib/ca-certificates/pem/SUSE.pem to the SLES mounts. This for\nmaking container-suseconnect working in the public cloud on-demand\nimages. It needs that file for being able to verify the server\ncertificates of the RMT servers hosted in the public cloud.\n(https://github.com/SUSE/container-suseconnect/issues/41)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://localhost/v1.40/_ping\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1162432\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1164090\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1165738\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1171578\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1174075\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1175821\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1175957\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com//issues/7230]\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/SUSE/container-suseconnect/issues/41\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/containers/libpod/issues/4628\"\n );\n 
script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/containers/libpod/issues/4907\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/containers/libpod/issues/5110\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/containers/libpod/issues/5219\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/containers/libpod/issues/5256\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/containers/libpod/issues/5411\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/containers/libpod/issues/5652\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/containers/libpod/issues/6212\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/containers/libpod/issues/6555\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/containers/libpod/issues/6596\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/containers/libpod/issues/6613\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-1726/\"\n );\n # https://www.suse.com/support/update/announcement/2020/suse-su-20202731-1\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ebc80c48\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Containers 15-SP2 :\n\nzypper in -t patch SUSE-SLE-Module-Containers-15-SP2-2020-2731=1\n\nSUSE Linux Enterprise Module for Containers 15-SP1 :\n\nzypper in -t patch SUSE-SLE-Module-Containers-15-SP1-2020-2731=1\n\nSUSE Linux Enterprise Module for 
Basesystem 15-SP2 :\n\nzypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-2731=1\n\nSUSE Linux Enterprise Module for Basesystem 15-SP1 :\n\nzypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-2731=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:conmon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:conmon-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:fuse-overlayfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:fuse-overlayfs-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:fuse-overlayfs-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:podman\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! 
preg(pattern:\"^(1|2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP1/2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"conmon-2.0.20-3.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"conmon-debuginfo-2.0.20-3.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"fuse-overlayfs-1.1.2-3.9.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"fuse-overlayfs-debuginfo-1.1.2-3.9.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"fuse-overlayfs-debugsource-1.1.2-3.9.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"podman-2.0.6-4.25.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"conmon-2.0.20-3.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"conmon-debuginfo-2.0.20-3.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"fuse-overlayfs-1.1.2-3.9.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"fuse-overlayfs-debuginfo-1.1.2-3.9.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"fuse-overlayfs-debugsource-1.1.2-3.9.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"podman-2.0.6-4.25.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"conmon / fuse-overlayfs / libcontainers-common / podman\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}]}