OPENSUSE-SU-2020:2039-1
Security update for podman (moderate)
Published: Nov 26, 2020
Source: lists.opensuse.org

CVSS3: 5.3 Medium
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS2: 4 Medium
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

An update that solves one vulnerability and has two fixes
is now available.

Description:

This update for podman fixes the following issues:

Security issue fixed:

  • This release resolves CVE-2020-14370, in which environment variables
    could be leaked between containers created using the Varlink API
    (bsc#1176804).

Non-security issues fixed:

  • Add a dependency on the timezone package; without it podman fails to
    build a container (bsc#1178122)

  • Install new auto-update system units

  • Update to v2.1.1 (bsc#1178392):

    • Changes
      • The podman info command now includes the cgroup manager Podman is
        using.
    • API
      • The REST API now includes a Server header in all responses.
      • Fixed a bug where the Libpod and Compat Attach endpoints could
        terminate early, before sending all output from the container.
      • Fixed a bug where the Compat Create endpoint for containers did not
        properly handle the Interactive parameter.
      • Fixed a bug where the Compat Kill endpoint for containers could
        continue to run after a fatal error.
      • Fixed a bug where the Limit parameter of the Compat List endpoint
        for Containers did not properly handle a limit of 0 (returning
        nothing, instead of all containers) [#7722].
      • The Libpod Stats endpoint for containers is being deprecated and
        will be replaced by a similar endpoint with additional features in a
        future release.
  • Changes in v2.1.0

    • Features
      • A new command, podman image mount, has been added. This allows for
        an image to be mounted, read-only, to inspect its contents without
        creating a container from it [#1433].
      • The podman save and podman load commands can now create and load
        archives containing multiple images [#2669].
      • Rootless Podman now supports all podman network commands, and
        rootless containers can now be joined to networks.
      • The performance of podman build on ADD and COPY instructions
        has been greatly improved, especially when a .dockerignore is
        present.
      • The podman run and podman create commands now support a new mode
        for the --cgroups option, --cgroups=split. Podman will create
        two cgroups under the cgroup it was launched in, one for the
        container and one for Conmon. This mode is useful for running Podman
        in a systemd unit, as it ensures that all processes are retained in
        systemd’s cgroup hierarchy [#6400].
      • The podman run and podman create commands can now specify
        options to slirp4netns by using the --network option as follows:
        --net slirp4netns:opt1,opt2. This allows for, among other things,
        switching the port forwarder used by slirp4netns away from rootlessport.
      • The podman ps command now features a new option, --storage, to
        show containers from Buildah, CRI-O and other applications.
      • The podman run and podman create commands now feature a
        --sdnotify option to control the behavior of systemd’s sdnotify
        with containers, enabling improved support for Podman in
        Type=notify units.
      • The podman run command now features a --preserve-fds
        option to pass file descriptors from the host into the container
        [#6458].
      • The podman run and podman create commands can now create
        overlay volume mounts, by adding the :O option to a bind mount
        (e.g. -v /test:/test:O). Overlay volume mounts will mount a directory
        into a container from the host and allow changes to it, but not write
        those changes back to the directory on the host.
      • The podman play kube command now supports the Socket HostPath type
        [#7112].
      • The podman play kube command now supports read-only mounts.
      • The podman play kube command now supports setting labels on pods
        from Kubernetes metadata labels.
      • The podman play kube command now supports setting container
        restart policy [#7656].
      • The podman play kube command now properly handles HostAlias
        entries.
      • The podman generate kube command now adds entries to /etc/hosts
        from --host-add generated YAML as HostAlias entries.
      • The podman play kube and podman generate kube commands now
        properly support shareProcessNamespace to share the PID namespace
        in pods.
      • The podman volume ls command now supports the dangling filter to
        identify volumes that are dangling (not attached to any container).
      • The podman run and podman create commands now feature a
        --umask option to set the umask of the created container.
      • The podman create and podman run commands now feature a --tz
        option to set the timezone within the container [#5128].
      • Environment variables for Podman can now be added in the
        containers.conf configuration file.
      • The --mount option of podman run and podman create now
        supports a new mount type, type=devpts, to add a devpts mount to
        the container. This is useful for containers that want to mount
        /dev/ from the host into the container, but still create a
        terminal.
      • The --security-opt flag to podman run and podman create now
        supports a new option, proc-opts, to specify options for the
        container’s /proc filesystem.
      • Podman with the crun OCI runtime now supports a new option to
        podman run and podman create, --cgroup-conf, which allows for
        advanced configuration of cgroups on cgroups v2 systems.
      • The podman create and podman run commands now support a
        --override-variant option, to override the architecture variant of
        the image that will be pulled and run.
      • A new global option has been added to Podman, --runtime-flags,
        which allows for setting flags to use when the OCI runtime is called.
      • The podman manifest add command now supports the --cert-dir,
        --auth-file, --creds, and --tls-verify
        options.
    • Security
      • This release resolves CVE-2020-14370, in which environment variables
        could be leaked between containers created using the Varlink API.
    • Changes
      • Podman will now retry pulling an image 3 times if a pull fails due
        to network errors.
      • The podman exec command would previously print error messages
        (e.g. exec session exited with non-zero exit code -1) when the
        command run exited with a non-zero exit code. It no longer does
        this. The podman exec command will still exit with the same exit
        code as the command run in the container did.
      • Error messages when creating a container or pod with a name that is
        already in use have been improved.
      • For read-only containers running systemd init, Podman creates a
        tmpfs filesystem at /run. This was previously limited to 65k in
        size and mounted noexec, but is now unlimited size and mounted
        exec.
      • The podman system reset command no longer removes configuration
        files for rootless Podman.
    • API
      • The Libpod API version has been bumped to v2.0.0 due to a breaking
        change in the Image List API.
      • Docker-compatible Volume Endpoints (Create, Inspect, List, Remove,
        Prune) are now available!
      • Added an endpoint for generating systemd unit files for containers.
      • The last parameter to the Libpod container list endpoint now has
        an alias, limit [#6413].
      • The Libpod image list API now returns timestamps in Unix format as
        integers rather than as strings.
      • The Compat Inspect endpoint for containers now includes port
        information in NetworkSettings.
      • The Compat List endpoint for images now features limited support for
        the (deprecated) filter query parameter [#6797].
      • Fixed a bug where the Compat Create endpoint for containers was not
        correctly handling bind mounts.
      • Fixed a bug where the Compat Create endpoint for containers would
        not return a 404 when the requested image was not present.
      • Fixed a bug where the Compat Create endpoint for containers did not
        properly handle Entrypoint and Command from images.
      • Fixed a bug where name history information was not properly added in
        the Libpod Image List endpoint.
      • Fixed a bug where the Libpod image search endpoint improperly
        populated the Description field of responses.
      • Added a noTrunc option to the Libpod image search endpoint.
      • Fixed a bug where the Pod List API would return null, instead
        of an empty array, when no pods were present [#7392].
      • Fixed a bug where endpoints that hijacked would perform the
        hijack too early, before being ready to send and receive data
        [#7195].
      • Fixed a bug where Pod endpoints that can operate on multiple
        containers at once (e.g. Kill, Pause, Unpause, Stop) would not
        forward errors from individual containers that failed.
      • The Compat List endpoint for networks now supports filtering results
        [#7462].
      • Fixed a bug where the Top endpoint for pods would return both a 500
        and 404 when run on a non-existent pod.
      • Fixed a bug where Pull endpoints did not stream progress back to the
        client.
      • The Version endpoints (Libpod and Compat) now provide version in a
        format compatible with Docker.
      • All non-hijacking responses to API requests should not include
        headers with the version of the server.
      • Fixed a bug where Libpod and Compat Events endpoints did not send
        response headers until the first event occurred [#7263].
      • Fixed a bug where the Build endpoints (Compat and Libpod) did not
        stream progress to the client.
      • Fixed a bug where the Stats endpoints (Compat and Libpod) did not
        properly handle clients disconnecting.
      • Fixed a bug where the Ignore parameter to the Libpod Stop endpoint
        was not performing properly.
      • Fixed a bug where the Compat Logs endpoint for containers did not
        stream its output in the correct format [#7196].

This update was imported from the SUSE:SLE-15-SP1:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.1:

    zypper in -t patch openSUSE-2020-2039=1
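As an added example (not part of the openSUSE advisory or of Podman itself), the following POSIX sh helper reports whether an installed podman is at or above v2.1.1, the version this update ships; it assumes `podman --version` prints a line of the form "podman version X.Y.Z", and the version strings in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory: compare an installed podman version
# against the v2.1.1 this update delivers (the changelog records that
# CVE-2020-14370 was resolved in v2.1.0). version_ge() compares dotted
# versions numerically so that 2.10.0 sorts above 2.9.0.

FIXED_VERSION="2.1.1"

# version_ge A B: return 0 if dotted version A >= B, else 1
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        # strip any non-numeric suffix (e.g. "1-rc1") before comparing
        x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"
        x="${x:-0}"; y="${y:-0}"
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# podman_status LINE: print "patched" or "vulnerable" for a line in the
# assumed `podman --version` format, e.g. "podman version 2.0.6" (constructed).
podman_status() {
    v="${1##* }"          # last whitespace-separated field
    v="${v#v}"            # tolerate a leading "v"
    if version_ge "$v" "$FIXED_VERSION"; then
        echo patched
    else
        echo vulnerable
    fi
}

# Check the host's own podman when invoked as: sh check.sh --check
if [ "${1:-}" = "--check" ] && command -v podman >/dev/null 2>&1; then
    podman_status "$(podman --version)"
fi
```

The version check only confirms the package level; systems that still expose the legacy Varlink socket should also be reviewed, since the fixed release is what closes the leak described above.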

Affected products:

  • openSUSE Leap 15.1 (x86_64)

  • openSUSE Leap 15.1 (noarch)
