Security update for podman

Announcement ID: SUSE-SU-2020:3378-1
Rating: moderate
References:
Cross-References:
CVSS scores:
  • CVE-2020-14370 ( SUSE ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
  • CVE-2020-14370 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected Products:
  • Containers Module 15-SP2
  • Containers Module 15-SP1
  • SUSE Enterprise Storage 7
  • SUSE Linux Enterprise High Performance Computing 15 SP1
  • SUSE Linux Enterprise High Performance Computing 15 SP2
  • SUSE Linux Enterprise Server 15 SP1
  • SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1
  • SUSE Linux Enterprise Server 15 SP2
  • SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2
  • SUSE Linux Enterprise Server for SAP Applications 15 SP1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP2
  • SUSE Manager Proxy 4.0
  • SUSE Manager Proxy 4.1
  • SUSE Manager Retail Branch Server 4.0
  • SUSE Manager Retail Branch Server 4.1
  • SUSE Manager Server 4.0
  • SUSE Manager Server 4.1

An update that solves one vulnerability and has two security fixes can now be installed.

Description:

This update for podman fixes the following issues:

Security issue fixed:

  • This release resolves CVE-2020-14370, in which environment variables could be leaked between containers created using the Varlink API (bsc#1176804).

Non-security issues fixed:

  • Add a dependency on the timezone package; without it, podman fails to build a container (bsc#1178122)

  • Install new auto-update system units

  • Update to v2.1.1 (bsc#1178392):
  • Changes
    • The podman info command now includes the cgroup manager Podman is using.
  • API
    • The REST API now includes a Server header in all responses.
    • Fixed a bug where the Libpod and Compat Attach endpoints could terminate early, before sending all output from the container.
    • Fixed a bug where the Compat Create endpoint for containers did not properly handle the Interactive parameter.
    • Fixed a bug where the Compat Kill endpoint for containers could continue to run after a fatal error.
    • Fixed a bug where the Limit parameter of the Compat List endpoint for Containers did not properly handle a limit of 0 (returning nothing, instead of all containers) [#7722].
    • The Libpod Stats endpoint for containers is being deprecated and will be replaced by a similar endpoint with additional features in a future release.
  • Changes in v2.1.0
  • Features
    • A new command, podman image mount, has been added. This allows for an image to be mounted, read-only, to inspect its contents without creating a container from it [#1433].
    • The podman save and podman load commands can now create and load archives containing multiple images [#2669].
    • Rootless Podman now supports all podman network commands, and rootless containers can now be joined to networks.
    • The performance of podman build on ADD and COPY instructions has been greatly improved, especially when a .dockerignore is present.
    • The podman run and podman create commands now support a new mode for the --cgroups option, --cgroups=split. Podman will create two cgroups under the cgroup it was launched in, one for the container and one for Conmon. This mode is useful for running Podman in a systemd unit, as it ensures that all processes are retained in systemd's cgroup hierarchy [#6400].
    • The podman run and podman create commands can now specify options to slirp4netns by using the --network option as follows: --net slirp4netns:opt1,opt2. This allows for, among other things, switching the port forwarder used by slirp4netns away from rootlessport.
    • The podman ps command now features a new option, --storage, to show containers from Buildah, CRI-O and other applications.
    • The podman run and podman create commands now feature a --sdnotify option to control the behavior of systemd's sdnotify with containers, enabling improved support for Podman in Type=notify units.
    • The podman run command now features a --preserve-fds option to pass file descriptors from the host into the container [#6458].
    • The podman run and podman create commands can now create overlay volume mounts, by adding the :O option to a bind mount (e.g. -v /test:/test:O). Overlay volume mounts will mount a directory into a container from the host and allow changes to it, but not write those changes back to the directory on the host.
    • The podman play kube command now supports the Socket HostPath type [#7112].
    • The podman play kube command now supports read-only mounts.
    • The podman play kube command now supports setting labels on pods from Kubernetes metadata labels.
    • The podman play kube command now supports setting container restart policy [#7656].
    • The podman play kube command now properly handles HostAlias entries.
    • The podman generate kube command now adds entries to /etc/hosts from --host-add generated YAML as HostAlias entries.
    • The podman play kube and podman generate kube commands now properly support shareProcessNamespace to share the PID namespace in pods.
    • The podman volume ls command now supports the dangling filter to identify volumes that are dangling (not attached to any container).
    • The podman run and podman create commands now feature a --umask option to set the umask of the created container.
    • The podman create and podman run commands now feature a --tz option to set the timezone within the container [#5128].
    • Environment variables for Podman can now be added in the containers.conf configuration file.
    • The --mount option of podman run and podman create now supports a new mount type, type=devpts, to add a devpts mount to the container. This is useful for containers that want to mount /dev/ from the host into the container, but still create a terminal.
    • The --security-opt flag to podman run and podman create now supports a new option, proc-opts, to specify options for the container's /proc filesystem.
    • Podman with the crun OCI runtime now supports a new option to podman run and podman create, --cgroup-conf, which allows for advanced configuration of cgroups on cgroups v2 systems.
    • The podman create and podman run commands now support a --override-variant option, to override the architecture variant of the image that will be pulled and run.
    • A new global option has been added to Podman, --runtime-flags, which allows for setting flags to use when the OCI runtime is called.
    • The podman manifest add command now supports the --cert-dir, --auth-file, --creds, and --tls-verify options.
  • Security
    • This release resolves CVE-2020-14370, in which environment variables could be leaked between containers created using the Varlink API.
  • Changes
    • Podman will now retry pulling an image 3 times if a pull fails due to network errors.
    • The podman exec command would previously print error messages (e.g. exec session exited with non-zero exit code -1) when the command run exited with a non-0 exit code. It no longer does this. The podman exec command will still exit with the same exit code as the command run in the container did.
    • Error messages when creating a container or pod with a name that is already in use have been improved.
    • For read-only containers running systemd init, Podman creates a tmpfs filesystem at /run. This was previously limited to 65k in size and mounted noexec, but is now unlimited size and mounted exec.
    • The podman system reset command no longer removes configuration files for rootless Podman.
  • API
    • The Libpod API version has been bumped to v2.0.0 due to a breaking change in the Image List API.
    • Docker-compatible Volume Endpoints (Create, Inspect, List, Remove, Prune) are now available!
    • Added an endpoint for generating systemd unit files for containers.
    • The last parameter to the Libpod container list endpoint now has an alias, limit [#6413].
    • The Libpod image list API now returns timestamps in Unix format, as integers, rather than as strings.
    • The Compat Inspect endpoint for containers now includes port information in NetworkSettings.
    • The Compat List endpoint for images now features limited support for the (deprecated) filter query parameter [#6797].
    • Fixed a bug where the Compat Create endpoint for containers was not correctly handling bind mounts.
    • Fixed a bug where the Compat Create endpoint for containers would not return a 404 when the requested image was not present.
    • Fixed a bug where the Compat Create endpoint for containers did not properly handle Entrypoint and Command from images.
    • Fixed a bug where name history information was not properly added in the Libpod Image List endpoint.
    • Fixed a bug where the Libpod image search endpoint improperly populated the Description field of responses.
    • Added a noTrunc option to the Libpod image search endpoint.
    • Fixed a bug where the Pod List API would return null, instead of an empty array, when no pods were present [#7392].
    • Fixed a bug where endpoints that hijacked would perform the hijack too early, before being ready to send and receive data [#7195].
    • Fixed a bug where Pod endpoints that can operate on multiple containers at once (e.g. Kill, Pause, Unpause, Stop) would not forward errors from individual containers that failed.
    • The Compat List endpoint for networks now supports filtering results [#7462].
    • Fixed a bug where the Top endpoint for pods would return both a 500 and 404 when run on a non-existent pod.
    • Fixed a bug where Pull endpoints did not stream progress back to the client.
    • The Version endpoints (Libpod and Compat) now provide version in a format compatible with Docker.
    • All non-hijacking responses to API requests should not include headers with the version of the server.
    • Fixed a bug where Libpod and Compat Events endpoints did not send response headers until the first event occurred [#7263].
    • Fixed a bug where the Build endpoints (Compat and Libpod) did not stream progress to the client.
    • Fixed a bug where the Stats endpoints (Compat and Libpod) did not properly handle clients disconnecting.
    • Fixed a bug where the Ignore parameter to the Libpod Stop endpoint was not performing properly.
    • Fixed a bug where the Compat Logs endpoint for containers did not stream its output in the correct format [#7196].

Patch Instructions:

To install this SUSE update, use the SUSE-recommended installation methods such as YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • Containers Module 15-SP1
    zypper in -t patch SUSE-SLE-Module-Containers-15-SP1-2020-3378=1
  • Containers Module 15-SP2
    zypper in -t patch SUSE-SLE-Module-Containers-15-SP2-2020-3378=1
  • SUSE Enterprise Storage 7
    zypper in -t patch SUSE-Storage-7-2020-3378=1

Package List:

  • Containers Module 15-SP1 (aarch64 ppc64le s390x x86_64)
    • podman-2.1.1-4.28.1
  • Containers Module 15-SP1 (noarch)
    • podman-cni-config-2.1.1-4.28.1
  • Containers Module 15-SP2 (aarch64 ppc64le s390x x86_64)
    • podman-2.1.1-4.28.1
  • Containers Module 15-SP2 (noarch)
    • podman-cni-config-2.1.1-4.28.1
  • SUSE Enterprise Storage 7 (aarch64 x86_64)
    • podman-2.1.1-4.28.1
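After applying the patch, an administrator will want to confirm that the installed podman package is at or above the fixed version listed above (2.1.1-4.28.1). The following script is an added example, not part of the SUSE advisory: it reads the installed VERSION-RELEASE from rpm when available, or takes it as an argument so the check can be exercised offline, and compares it against the fixed version using GNU version sort. The sample versions passed to it are constructed; the fixed version and advisory ID come from this page.

```shell
#!/bin/sh
# Added example: verify that the installed podman package on a SUSE host is at
# or above the fixed version named in SUSE-SU-2020:3378-1 (2.1.1-4.28.1).
# On a real host the installed version comes from:
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' podman
# It can also be passed as the first argument so the check runs offline.

FIXED_PODMAN="2.1.1-4.28.1"

# version_ge A B: returns 0 when A >= B under GNU version-sort ordering.
# sort -V compares dotted numeric components numerically (4.28.1 > 4.9.1),
# which is sufficient for the VERSION-RELEASE strings in this advisory; it is
# an approximation of rpmvercmp, not a replacement for it.
version_ge() {
    [ "$1" = "$2" ] && return 0
    # The greater version sorts last; A >= B if A is the last line.
    last=$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)
    [ "$last" = "$1" ]
}

# podman_patched INSTALLED: prints a verdict and returns 0 when the installed
# VERSION-RELEASE is at or above the fixed version, 1 otherwise.
podman_patched() {
    if version_ge "$1" "$FIXED_PODMAN"; then
        echo "podman-$1: at or above $FIXED_PODMAN, CVE-2020-14370 fix present"
        return 0
    fi
    echo "podman-$1: below $FIXED_PODMAN, apply SUSE-SU-2020:3378-1"
    return 1
}

# Stand-alone usage: pass VERSION-RELEASE explicitly, or query rpm when the
# podman package is installed on this host.
if [ -n "$1" ]; then
    podman_patched "$1"
elif command -v rpm >/dev/null 2>&1 && rpm -q podman >/dev/null 2>&1; then
    podman_patched "$(rpm -q --qf '%{VERSION}-%{RELEASE}' podman)"
fi
```

Run it with no arguments on a patched host to query rpm directly, or pass a version string (for example one captured from an inventory export) to evaluate it without rpm. The exit status, 0 for patched and 1 for vulnerable, makes it usable from a fleet-wide compliance loop.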
