Security update for podman

Announcement ID: SUSE-SU-2025:20279-1
Release Date: 2025-04-22T13:50:03Z
Rating: important
CVSS scores:
  • CVE-2023-45288 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
  • CVE-2023-45288 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2024-11218 ( SUSE ): 8.7 CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
  • CVE-2024-11218 ( SUSE ): 7.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
  • CVE-2024-11218 ( NVD ): 8.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • CVE-2024-1753 ( SUSE ): 8.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • CVE-2024-1753 ( NVD ): 8.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • CVE-2024-3727 ( SUSE ): 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
  • CVE-2024-3727 ( NVD ): 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
  • CVE-2024-9407 ( SUSE ): 5.6 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
  • CVE-2024-9407 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
  • CVE-2024-9407 ( NVD ): 4.7 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N
  • CVE-2025-22869 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  • CVE-2025-22869 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2025-22869 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2025-27144 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  • CVE-2025-27144 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2025-27144 ( NVD ): 6.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Affected Products:
  • SUSE Linux Micro 6.1

An update that solves seven vulnerabilities can now be installed.

Description:

This update for podman fixes the following issues:

  • CVE-2023-45288: Fixed closing connection when receiving too many headers (bsc#1236507).
  • CVE-2024-11218: Fixed container breakout by using --jobs=2 and a race condition when building a malicious Containerfile (bsc#1236270).
  • CVE-2025-22869: Fixed Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239330).
  • CVE-2025-27144: Fixed denial of service in Go JOSE's parsing (bsc#1237641).
  • CVE-2024-9407: Fixed Improper Input Validation in bind-propagation Option of Dockerfile RUN --mount Instruction (bsc#1231208).
  • CVE-2024-3727: Fixed digest type (bsc#1224112).
  • CVE-2024-1753: Fixed full container escape at build time (bsc#1221677).

Other fixes:

  • Updated to version 5.2.5:
    • RPM: remove dup Provides
    • Packit: constrain koji and bodhi jobs to fedora package to avoid dupes
    • Validate the bind-propagation option to --mount
    • Updated Buildah to v1.37.4
    • vendor: updated c/common to v0.60.4
    • pkg/specgen: allow pasta when running inside userns
    • libpod: convert owner IDs only with :idmap
    • allow exposed sctp ports
    • libpod: setupNetNS() correctly mount netns
    • vendor: updated c/common to v0.60.3
    • [skip-ci] Packit: split out ELN jobs and reuse fedora downstream targets
    • [skip-ci] Packit: Enable sidetags for bodhi updates
    • Updated gvisor-tap-vsock to 0.7.5
    • CI: podman-machine: do not use cache registry
    • [CI:DOCS] Add v5.2.2 lib updates to RELEASE_NOTES.md
    • Update RELEASE_NOTES for v5.2.2
    • [v5.2] Bump Buildah to v1.37.2, c/common v0.60.2, c/image v5.32.2
    • [v5.2] golangci-lint: make darwin linting happy
    • [v5.2] golangci-lint: make windows linting happy
    • [v5.2] test/e2e: remove kernel version check
    • [v5.2] golangci-lint: remove most skip dirs
    • [v5.2] set !remote build tags where needed
    • [v5.2] update golangci-lint to 1.60.1
    • Packit: update targets for propose-downstream
    • Create volume path before state initialization
    • Update Cirrus DEST_BRANCH
    • Bump to v5.2.2-dev
    • Bump to v5.2.1
    • Update release notes for v5.2.1
    • [v5.2] Add zstd:chunked test fix
    • [v5.2] Bump Buildah to v1.37.1, c/common v0.60.1, c/image v5.32.1
    • libpod: reset state error on init
    • libpod: do not save expected stop errors in ctr state
    • libpod: fix broken saveContainerError()
    • Bump to v5.2.1-dev
    • Bump to v5.2.0
    • Never skip checkout step in release workflow
    • Bump to v5.2.0-dev
    • Bump to v5.2.0-rc3
    • Update release notes for v5.2.0-rc3
    • Tweak versions in register_images.go
    • fix network cleanup flake in play kube
    • WIP: Fixes for vendoring Buildah
    • Add --compat-volumes option to build and farm build
    • Bump Buildah, c/storage, c/image, c/common
    • libpod: bind ports before network setup
    • pkg/api: do not leak config pointers into specgen
    • build: Update gvisor-tap-vsock to 0.7.4
    • test/system: fix borken pasta interface name checks
    • test/system: fix bridge host.containers.internal test
    • CI: system tests: instrument to allow failure analysis
    • Use uploaded .zip for Windows action
    • RPM: podman-iptables.conf only on Fedora
    • Bump to v5.2.0-dev
    • Bump to v5.2.0-rc2
    • Update release notes for v5.2.0-rc2
    • test/e2e: fix ncat tests
    • libpod: add hidden env to set sqlite timeout
    • Add support for StopSignal in quadlet .container files
    • podman pod stats: fix race when ctr process exits
    • Update module github.com/vbauerster/mpb/v8 to v8.7.4
    • libpod: correctly capture healthcheck output
    • Bump bundled krunkit to 0.1.2
    • podman stats: fix race when ctr process exists
    • nc -p considered harmful
    • podman pod stats: fix pod rm race
    • podman ps: fix racy pod name query
    • system connection remove: use Args function to validate
    • pkg/machine/compression: skip decompress bar for empty file
    • nc -p considered harmful
    • podman system df: fix fix ErrNoSuchCtr/Volume race
    • podman auto-update: fix ErrNoSuchCtr race
    • Fix name for builder in farm connection
    • 700-play.bats: use unique pod/container/image/volume names
    • safename: consistent within same test, and, dashes
    • 700-kube.bats: refactor $PODMAN_TMPDIR/test.yaml
    • 700-play.bats: eliminate $testYaml
    • 700-play.bats: refactor clumsy yamlfile creation
    • 700-play.bats: move write_test_yaml up near top
    • chore(deps): update dependency setuptools to v71
    • Expand drop-in search paths
    • top-level (pod.d)
    • truncated (unit-.container.d)
    • Remove references and checks for --gpus
    • Do not crash on invalid filters
    • fix(deps): update module github.com/rootless-containers/rootlesskit/v2 to v2.2.0
    • Bump to v5.2.0-dev
    • Bump to v5.2.0-rc1
    • Keep the volume-driver flag deprecated
    • Vendor in latest containers(common, storage,image, buildah)
    • System tests: safe container/image/volume/etc names
    • Implement disable default mounts via command line
    • test: drop unmount for overlay
    • test: gracefully terminate server
    • libpod: shutdown Stop waits for handlers completion
    • libpod: cleanup store at shutdown
    • Add NetworkAlias= support to quadlet
    • cmd: call shutdown handler stop function
    • fix race conditions in start/attach logic
    • swagger: exlude new docker network types
    • vendor: bump c/storage
    • update to docker 27
    • contrib: use a distinct --pull-option= for each flag
    • Update warning message when using external compose provider
    • Update module github.com/cyphar/filepath-securejoin to v0.3.0
    • Ignore result of EvalSymlinks on ENOENT
    • test/upgrade: fix tests when netavark uses nftables
    • test/system: fix network reload test with nftables
    • test/e2e: rework some --expose tests
    • test: remove publish tests from e2e
    • CI: test nftables driver on fedora
    • CI: use local registry, part 3 of 3: for developers
    • CI: use local registry, part 2 of 3: fix tests
    • CI: use local registry, part 1 of 3: setup
    • CI: test composefs on rawhide
    • chore(deps): update module google.golang.org/grpc to v1.64.1 [security]
    • chore(deps): update dependency setuptools to ~=70.3.0
    • Improve container filenname ambiguity.
    • containers/attach: Note bug around goroutine leak
    • Drop minikube CI test
    • add libkrun test docs
    • fix(deps): update module tags.cncf.io/container-device-interface to v0.8.0
    • cirrus: check for header files in source code check
    • pkg/machine/e2e: run debug command only for macos
    • create runtime's worker queue before queuing any job
    • test/system: fix pasta host.containers.internal test
    • Visual Studio BuildTools as a MinGW alternative
    • SetupRootless(): only reexec when needed
    • pkg/rootless: simplify reexec for container code
    • cirrus: add missing test/tools to danger files
    • fix(deps): update module golang.org/x/tools to v0.23.0
    • Windows Installer: switch to wix5
    • fix(deps): update module golang.org/x/net to v0.27.0
    • pkg/machine/e2e: print tests timings at the end
    • pkg/machine/e2e: run debug commands after init
    • pkg/machine/e2e: improve timeout handling
    • libpod: first delete container then cidfile
    • fix(deps): update module golang.org/x/term to v0.22.0
    • System test fixes
    • cirrus.yml: automatic skips based on source
    • fix(deps): update module github.com/containers/ocicrypt to v1.2.0
    • podman events: fix error race
    • chore(deps): update dependency setuptools to ~=70.2.0
    • fix(deps): update module github.com/gorilla/schema to v1.4.1 [security]
    • Update CI VM images
    • pkg/machine/e2e: fix broken cleanup
    • pkg/machine/e2e: use tmp file for connections
    • test/system: fix podman --image-volume to allow tmpfs storage
    • CI: mount tmpfs for container storage
    • docs: --network remove missing leading sentence
    • specgen: parse devices even with privileged set
    • vendor: update c/storage
    • Remove the unused machine volume-driver
    • feat(quadlet): log option handling
    • Error when machine memory exceeds system memory
    • machine: Always use --log-file with gvproxy
    • CI: Build-Each-Commit test: run only on PRs
    • Small fixes for testing libkrun
    • Podman machine resets all providers
    • Clearly indicate names w/ URLencoded duplicates
    • [skip-ci] Packit: split rhel and centos-stream jobs
    • apple virtiofs: fix racy mount setup
    • cirrus: fix broken macos artifacts URL
    • libpod/container_top_linux.c: fix missing header
    • refactor(build): improve err when file specified by -f does not exist
    • Minor: Remove unhelpful comment
    • Update module github.com/openshift/imagebuilder to v1.2.11
    • Minor: Rename the OSX Cross task
    • [skip-ci] Remove conditionals from changelog
    • podman top: join the container userns
    • Run linting in parallel with building
    • Fix missing Makefile target dependency
    • build API: accept platform comma separated
    • [skip-ci] RPM: create podman-machine subpackage
    • ExitWithError() - more upgrades from Exit()
    • test/e2e: remove podman system service tests
    • cirrus: reduce int tests timeout
    • cirrus: remove redundant skip logic
    • pkg/machine/apple: machine stop timeout
    • CI: logformatter: link to correct PR base
    • Update module github.com/crc-org/crc/v2 to v2.38.0
    • ExitWithError(): continued
    • test/system: Add test steps for journald log check in quadlet
    • restore: fix missing network setup
    • podman run use pod userns even with --pod-id-file
    • macos-installer: bundle krunkit
    • remote API: fix pod top error reporting
    • libpod API: return proper error status code for pod start
    • fix #22233
    • added check for registry.IsRemote(). and correct error message.
    • fix #20686
    • pkg/machine/e2e: Remove unnecessary copy of machine image.
    • libpod: intermediate mount if UID not mapped into the userns
    • libpod: avoid chowning the rundir to root in the userns
    • libpod: do not chmod bind mounts
    • libpod: unlock the thread if possible
    • CI Cleanup: Remove cgroups v1 support
    • ExitWithError() - more upgrades from Exit()
    • remote: fix incorrect CONTAINER_CONNECTION parsing
    • container: pass KillSignal and StopTimeout to the systemd scope
    • libpod: fix comment
    • e2e: test container restore in pod by name
    • docs: Adds all PushImage supported paramters to openapi docs.
    • systests: kube: bump up a timeout
    • cirrus.yml: add CI:ALL mode to force all tests
    • cirrus.yml: implement skips based on source changes
    • CI VMs: bump
    • restore: fix container restore into pod
    • sqlite_state: Fix RewriteVolumeConfig
    • chore(deps): update dependency setuptools to ~=70.1.0
    • Quadlet - use specifier for unescaped values for templated container name
    • cirrus: check for system test leaks in nightly
    • test/system: check for leaks in teardown suite
    • test/system: speed up basic()
    • test/system: fix up many tests that do not cleanup
    • test/system: fix podman --authfile=nonexistent-path
    • Update module github.com/containernetworking/plugins to v1.5.1
    • Update module github.com/checkpoint-restore/checkpointctl to v1.2.1
    • Update module github.com/spf13/cobra to v1.8.1
    • Update module github.com/gorilla/schema to v1.4.0
    • pkg/machine/wsl: force terminate wsl instance
    • pkg/machine/wsl: wrap command errors
    • [CI:DOCS] Quadlet - add note about relative path resolution
    • CI: do not install python packages at runtime
    • Release workflow: Include candidate descriptor
    • Minor: Fix indentation in GHA release workflow
    • GHA: Send release notification mail
    • GHA: Validate release version number
    • Remove references to --pull=true and --pull=false
    • ExitWithError, continued
    • podman: add new hidden flag --pull-option
    • [CI:DOCS] Fix typos in podman-build
    • infra: mark storageSet when imagestore is changed
    • [CI:DOCS] Add jnovy as reviewer and approver
    • fix(deps): update module google.golang.org/protobuf to v1.34.2
    • refactor(machine,wsl): improve operations of Windows API
    • --squash --layers=false should be allowed
    • fix(deps): update module github.com/checkpoint-restore/checkpointctl to v1.2.0
    • update golangci-lint to v1.59.1
    • Rename master to main in CONTRIBUTING.md
    • podman 5, pasta and inter-container networking
    • libpod: do not resuse networking on start
    • machine/linux: Switch to virtiofs by default
    • machine/linux: Support virtiofs mounts (retain 9p default)
    • machine/linux: Use memory-backend-memfd by default
    • ExitWithError() - continued
    • Enable libkrun provider to open a debug console
    • Add new targets on Windows makefile (winmake.ps1)
    • fix(deps): update module github.com/docker/docker to v26.1.4+incompatible
    • fix(deps): update module github.com/crc-org/crc/v2 to v2.37.1
    • fix(deps): update module golang.org/x/tools to v0.22.0
    • fix(deps): update module golang.org/x/net to v0.26.0
    • libpod: fix 'podman kube generate' on FreeBSD
    • fix(deps): update module golang.org/x/sys to v0.21.0
    • libpod: do not leak systemd hc startup unit timer
    • vendor latest c/common
    • pkg/rootless: set _CONTAINERS_USERNS_CONFIGURED correctly
    • run bats -T, to profile timing hogs
    • test/system: speed up podman ps --external
    • test/system: speed up podman network connect/disconnect
    • test/system: speed up podman network reload
    • test/system: speed up quadlet - pod simple
    • test/system: speed up podman parallel build should not race
    • test/system: speed up podman cp dir from host to container
    • test/system: speed up podman build - workdir, cmd, env, label
    • test/system: speed up podman --log-level recognizes log levels
    • test/system: remove obsolete debug in net connect/disconnect test
    • test/system: speed up quadlet - basic
    • test/system: speed up user namespace preserved root ownership
    • System tests: add podman system check tests
    • Add podman system check for checking storage consistency
    • fix(deps): update module github.com/crc-org/crc/v2 to v2.37.0
    • fix(libpod): add newline character to the end of container's hostname file
    • fix(deps): update module github.com/openshift/imagebuilder to v1.2.10
    • fix(deps): update github.com/containers/image/v5 digest to aa93504
    • Fix 5.1 release note re: runlabel
    • test/e2e: use local skopeo not image
    • fix(deps): update golang.org/x/exp digest to fd00a4e
    • [CI:DOCS] Add contrib/podmanimage/stable path back in repo
    • chore(deps): update dependency requests to ~=2.32.3
    • fix(deps): update github.com/containers/image/v5 digest to 2343e81
    • libpod: do not move podman with --cgroups=disabled
    • Update release notes on Main to v5.1.0
    • test: look at the file base name
    • tests: simplify expected output
    • Sigh, new VMs again
    • Fail earlier when no containers exist in stats
    • Add Hyper-V option in windows installer
    • libpod: cleanup default cache on system reset
    • vendor: update c/image
    • test/system: speed up kube generate tmpfs on /tmp
    • test/system: speed up podman kube play tests
    • test/system: speed up podman shell completion test
    • test/system: simplify test signal handling in containers
    • test/system: speed up podman container rm ...
    • test/system: speed up podman ps - basic tests
    • test/system: speed up read-only from containers.conf
    • test/system: speed up podman logs - multi ...
    • test/system: speed up podman run --name
    • Debian: switch to crun
    • test/system: speed up podman generate systemd - envar
    • test/system: speed up podman-kube@.service template
    • test/system: speed up kube play healthcheck initialDelaySeconds
    • test/system: speed up exit-code propagation test
    • test/system: speed up "podman run --timeout"
    • test/system: fix slow kube play --wait with siginterrupt
    • undo auto-formatting
    • test/system: speed up podman events tests
    • Quadlet: Add support for .build files
    • test/system: speed up "podman auto-update using systemd"
    • test/system: remove podman wait test
    • tests: disable tests affected by a race condition
    • update golangci-lint to v1.59.0
    • kubernetes_support.md: Mark volumeMounts.subPath as supported
    • working name of pod on start and stop
    • fix(deps): update module github.com/onsi/ginkgo/v2 to v2.19.0
    • Bump Buildah to v1.36.0
    • fix(deps): update module github.com/burntsushi/toml to v1.4.0
    • fix typo in Tutorials.rst
    • Mac PM test: Require pre-installed rosetta
    • test/e2e: fix new error message
    • Add configuration for podmansh
    • Update containers/common to latest main
    • Only stop chowning volumes once they're not empty
    • podman: fix --sdnotify=healthy with --rm
    • libpod: wait another interval for healthcheck
    • quadlet: Add a network requirement on .image units
    • test, pasta: Ignore deprecated addresses in tests
    • [CI:DOCS] performance: update network docs
    • fix(deps): update module github.com/onsi/ginkgo/v2 to v2.18.0
    • CI: disable minikube task
    • [CI:DOCS] Fix windows action trigger
    • chore(deps): update dependency setuptools to v70
    • Check AppleHypervisor before accessing it
    • fix(deps): update module github.com/containernetworking/plugins to v1.5.0
    • [CI:DOCS] Update dependency golangci/golangci-lint to v1.58.2
    • add podman-clean-transient.service service to rootless
    • [CI:DOCS] Update podman network docs
    • fix incorrect host.containers.internal entry for rootless bridge mode
    • vendor latest c/common main
    • Add Rosetta support for Apple Silicon mac
    • bump main to 5.2.0-dev
    • Use a defined constant instead of a hard-coded magic value
    • cirrus: use faster VM's for integration tests
    • fix(deps): update github.com/containers/gvisor-tap-vsock digest to 01a1a0c
    • [CI:DOCS] Fix Mac pkg link
    • test: remove test_podman* scripts
    • test/system: fix documentation
    • Return StatusNotFound when multiple volumes matching occurs
    • container_api: do not wait for healtchecks if stopped
    • libpod: wait for healthy on main thread
    • podman events: check for an error after we finish reading events
    • remote API: restore v4 payload in container inspect
    • Fix updating connection when SSH port conflict happens
    • rootless: fix reexec to use /proc/self/exe
    • ExitWithError() - enforce required exit status & stderr
    • ExitWithError() - a few that I missed
    • [skip-ci] Packit: use only one value for packages key for trigger: commit copr builds
    • Revert "Temporarily disable rootless debian e2e testing"
    • CI tests: enforce TMPDIR on tmpfs
    • use new CI images with tmpfs /tmp
    • run e2e test on tmpfs
    • Update module github.com/crc-org/crc/v2 to v2.36.0
    • [CI:DOCS] Use checkout@v4 in GH Actions
    • ExitWithError() - rmi_test
    • ExitWithError() - more r files
    • ExitWithError() - s files
    • ExitWithError() - more run_xxx tests
    • Fix podman-remote support for podman farm build
    • [CI:DOCS] Trigger windows installer action properly
    • Revert "container stop: kill conmon"
    • Ensure that containers do not get stuck in stopping
    • [CI:DOCS] Improvements to make validatepr
    • ExitWithError() - rest of the p files
    • [CI:DOCS] Update dependency golangci/golangci-lint to v1.58.1
    • Graceful shutdown during podman kube down
    • Remove duplicate call
    • test/system: fix broken "podman volume globs" test
    • Quadlet/Container: Add GroupAdd option
    • Don't panic if a runtime was configured without paths
    • update c/{buildah,common,image,storage} to latest main
    • update golangci-lint to 1.58
    • machine: Add LibKrun provider detection
    • ExitWithError() - continue tightening
    • fix(deps): update module google.golang.org/protobuf to v1.34.1
    • test: improve test for powercap presence
    • fix(deps): update module github.com/onsi/ginkgo/v2 to v2.17.3
    • fix(deps): update module go.etcd.io/bbolt to v1.3.10
    • fix(deps): update module golang.org/x/tools to v0.21.0
    • [skip-ci] RPM: bats required only on Fedora
    • fix(deps): update module golang.org/x/exp to v0.0.0-20240506185415-9bf2ced13842
    • gpdate and remove parameter settings in .golangci.yml
    • ExitWithError() - play_kube_test.go
    • Temporarily disable rootless debian e2e testing
    • fix(deps): update module golang.org/x/crypto to v0.23.0
    • CI Docs: Clarify passthrough_envars() comments
    • Skip machine tests if they don't need to be run
    • Update CI VMs to F40, F39, D13
    • ExitWithError() - v files
    • Update module golang.org/x/term to v0.20.0
    • machine: Add provider detection API
    • util: specify a not empty pause dir for root too
    • Add missing option 'healthy' to output of podman run --help
    • [CI:DOCS] Add info on the quay.io images to the README.md
    • Add a random suffix to healthcheck unit names
    • test/e2e: remove toolbox image
    • Also substitute $HOME in runlabel with user's homedir
    • Update module github.com/cyphar/filepath-securejoin to v0.2.5
    • Change tmpDir for macOS
    • ExitWithError() - pod_xxx tests
    • ExitWithError() -- run_test.go
    • Update module golang.org/x/exp to v0.0.0-20240416160154-fe59bbe5cc7f
    • Update module github.com/shirou/gopsutil/v3 to v3.24.4
    • Update module github.com/docker/docker to v26.1.1+incompatible
    • GHA: Attempt fix exceeded a secondary rate limit
    • vendor ginkgo 2.17.2 into test/tools
    • Fix machine volumes with long path and paths with dashes
    • Update module google.golang.org/protobuf to v1.34.0
    • Update module github.com/crc-org/crc/v2 to v2.35.0
    • Update module github.com/onsi/gomega to v1.33.1
    • test/e2e: podman unshare image mount fix tmpdir leak
    • test/e2e: do not leak /tmp/private_file
    • test/e2e: "persistentVolumeClaim with source" do not leak file
    • e2e tests: use /var/tmp, not $TMPDIR, as workdirs
    • Update dependency pytest to v8.1.2
    • Remove unncessary lines at the end of specfile summary
    • Clean machine pull cache
    • Add krun support to podman machine
    • Use custom image for make validatepr
    • test/e2e: force systemd cgroup manager
    • e2e and bindings tests: fix $PATH setup
    • Makefile: remove useless HACK variable in e2e test
    • test/e2e: fix volumes and suid/dev/exec options
    • test/e2e: volumes and suid/dev/exec options works remote
    • test/e2e: fix limits test
    • Update module github.com/rootless-containers/rootlesskit/v2 to v2.1.0
    • Correct option name ip -> ip6
    • Add the ability to automount images as volumes via play
    • Add support for image volume subpaths
    • Bump Buildah to latest main
    • Update Makefile to Go 1.22 for in-container
    • ExitWithError() - yet more low-hanging fruit
    • ExitWithError() - more low-hanging fruit
    • ExitWithError() - low-hanging fruit
    • chore: fix function names in comment
    • Remove redundant Prerequisite before build section
    • Remove PKG_CONFIG_PATH
    • Add installation instructions for openSUSE
    • Replace golang.org/x/exp/slices with slices from std
    • Update to go 1.21
    • fix(deps): update module github.com/docker/docker to v26.1.0+incompatible
    • [CI:DOCS] Fix artifact action
    • [skip-ci] Packit/rpm: remove el8 jobs and spec conditionals
    • e2e tests: stop littering
    • [CI:DOCS] format podman-pull example as code
    • [CI:DOCS] Build & upload release artifacts with GitHub Actions
    • libpod: getHealthCheckLog() remove unessesary check
    • add containers.conf healthcheck_events support
    • vendor latest c/common
    • libpod: make healthcheck events more efficient
    • libpod: wrap store setup error message
    • [skip-ci] Packit: enable CentOS 10 Stream build jobs
    • pkg/systemd: use fileutils.(Le|E)xists
    • pkg/bindings: use fileutils.(Le|E)xists
    • pkg/util: use fileutils.(Le|E)xists
    • pkg/trust: use fileutils.(Le|E)xists
    • pkg/specgen: use fileutils.(Le|E)xists
    • pkg/rootless: use fileutils.(Le|E)xists
    • pkg/machine: use fileutils.(Le|E)xists
    • pkg/domain: use fileutils.(Le|E)xists
    • pkg/api: use fileutils.(Le|E)xists
    • libpod: use fileutils.(Le|E)xists
    • cmd: use fileutils.(Le|E)xists
    • vendor: update containers/{buildah,common,image,storage}
    • fix(deps): update module github.com/docker/docker to v26.0.2+incompatible [security]
    • fix podman-pod-restart.1.md typo
    • [skip-ci] Packit: switch to EPEL instead of centos-stream+epel-next
    • fix(deps): update module github.com/onsi/gomega to v1.33.0
    • Add more annnotation information to podman kupe play man page
    • test/compose: remove compose v1 code
    • CI: remove compose v1 tests
    • fix: close resource file
    • [CI:DOCS] Fix windows installer action
    • fix(deps): update module tags.cncf.io/container-device-interface to v0.7.2
    • add list as an alias to list networks
    • Add support for updating restart policy
    • Add Compat API for Update
    • Make podman update changes persistent
    • Emergency fix (well, skip) for failing bud tests
    • fix swagger doc for manifest create
    • [CI:DOCS] options/network: fix markdown lists
    • Makefile: do not hardcode GOOS in podman-remote-static target
    • chore(deps): update module golang.org/x/crypto to v0.17.0 [security]
    • chore(deps): update dependency setuptools to ~=69.5.0
    • Fix some comments
    • swagger fix infinitive recursion on some types
    • install swagger from source
    • Revert "Swap out javascript engine"
    • podman exec CID without command should exit 125
    • (minor) prefetch systemd image before use
    • Update go-swagger version
    • Swap out javascript engine
    • fix(deps): update module github.com/docker/docker to v26.0.1+incompatible
    • Add os, arch, and ismanifest to libpod image list
    • [CI:DOCS]Initial PR validation
    • fix(deps): update github.com/containers/gvisor-tap-vsock digest to d744d71
    • vendor ginkgo 2.17.1 into test/tools
    • fix "concurrent map writes" in network ls compat endpoint
    • chore(deps): update dependency pytest to v8
    • e2e: redefine ExitWithError() to require exit code
    • docs: fix missleading run/create --expose description
    • podman ps: show exposed ports under PORTS as well
    • rootless: drop function ReadMappingsProc
    • fix(deps): update module github.com/vbauerster/mpb/v8 to v8.7.3
    • New CI VMs, to give us pasta 2024-04-05
    • Add big warning to GHA workflow
    • GHA: Fix intermittent workflow error
    • fix(deps): update module golang.org/x/tools to v0.20.0
    • e2e tests: remove requirement for fuse-overlayfs
    • docs: update Quadlet volume Options desc
    • fix(deps): update module golang.org/x/sync to v0.7.0
    • Fix relabeling failures with Z/z volumes on Mac
    • fix(deps): update module golang.org/x/net to v0.24.0
    • Makefile: fix annoying errors in docs generation
    • chore: fix function names in comment
    • Bump tags.cncf.io/container-device-interface to v0.7.1
    • fix(deps): update module golang.org/x/crypto to v0.22.0
    • Detect unhandled reboots and require user intervention
    • podman --runroot: remove 50 char length restriction
    • update github.com/rootless-containers/rootlesskit to v2
    • Update module github.com/gorilla/schema to v1.3.0
    • Update dependency requests-mock to ~=1.12.1
    • Update module github.com/crc-org/crc/v2 to v2.34.1
    • rm --force work for more than one arg
    • [CI:DOCS] Update kube docs
    • fix(deps): update module github.com/shirou/gopsutil/v3 to v3.24.3
    • [CI:DOCS] Add GitHub action to update version on Podman.io
    • [CI:DOCS] Update dependency golangci/golangci-lint to v1.57.2
    • Windows: clean up temporary perl install
    • pkg/util: FindDeviceNodes() ignore ENOENT errors
    • [CI:DOCS] build deps: make-validate needs docs
    • test/system: add rootless-netns test for setup errors
    • vendor latest c/common main
    • container: do not chown to dest target with U
    • [CI:DOCS] golangci-lint: update deprecated flags
    • systests: conditionalize slirp4netns tests
    • CI: systests: instrument flaky tests
    • s3fs docs
    • test: do not skip tests under rootless
    • Add note about host networking to Kube PublishPort option
    • Inject additional build tags from the environment
    • libpod: use original IDs if idmap is provided
    • Switch back to checking out the same branch the action script runs in
    • docs/podman-login: Give an example of writing the persistent path
    • CI: Bump VMs to 2024-03-28
    • [skip-ci] Update dawidd6/action-send-mail action to v3.12.0
    • fix(deps): update module github.com/openshift/imagebuilder to v1.2.7
    • Fix reference to deprecated types.Info
    • Use logformatter for podman_machine_windows_task
    • applehv: Print vfkit logs in --log-level debug
    • [CI:DOCS]Add Mario to reviewers list
    • [CI:DOCS] Document CI-maintenance job addition
    • Add golang 1.21 update warning
    • Add rootless network command to podman info
    • libpod: don't warn about cgroupsv1 on FreeBSD
    • hyperv: error if not admin
    • Properly parse stderr when updating container status
    • [skip-ci] Packit: specify fedora-latest in propose-downstream
    • Use built-in ssh impl for all non-pty operations
    • Add support for annotations
    • hyperv: fix machine rm -r
    • [skip-ci] Packit: Enable CentOS Stream 10 update job
    • 5.0 release note fix typo in cgroupv1 env var
    • fix remote build isolation on client side
    • chore: remove repetitive words
    • Dont save remote context in temp file but stream and extract
    • fix remote build isolation when server runs as root
    • util: use private propagation with bind
    • util: add some tests for ProcessOptions
    • util: refactor ProcessOptions into an internal function
    • util: rename files to snake case
    • Add LoongArch support for libpod
    • fix(deps): update github.com/containers/common digest to bc5f97c
    • [CI:DOCS] Update dependency golangci/golangci-lint to v1.57.1
    • fix(deps): update module github.com/docker/docker to v25.0.5+incompatible [security]
    • fix(deps): update module github.com/onsi/gomega to v1.32.0
    • [CI:DOCS] Update dependency golangci/golangci-lint to v1.57.0
    • Update module github.com/cpuguy83/go-md2man/v2 to v2.0.4
    • Fix type-o
    • Use correct extension in suite
    • minikube: instrument tests, to allow debugging failures
    • libpod: restart always reconfigure the netns
    • use new c/common pasta2 setup logic to fix dns
    • utils: drop conversion float->string->float
    • utils: do not generate duplicate range
    • logformatter: handle Windows logs
    • utils: add test for the new function
    • utils: move rootless code to a new function
    • xref-helpmsgs-manpages: cross-check Commands.rst
    • test/system: Add support for multipath routes in pasta networking tests
    • [skip-ci] rpm: use macro supported vendoring
    • Adjust to the standard location of gvforwarder used in new images
    • Makefile: add target podman-remote-static
    • Switch to 5.x WSL machine os stream using new automation
    • Cleanup build scratch dir if remote end disconnects while passing the context
    • bump main to 5.1.0-dev
    • Use faster gzip for compression for 3x speedup for sending large contexts to remote
    • pkg/machine: make checkExclusiveActiveVM race free
    • pkg/machine/wsl: remove unused CheckExclusiveActiveVM()
    • pkg/machine: CheckExclusiveActiveVM should also check for starting
    • pkg/machine: refresh config after we hold lock
    • Update dependency setuptools to ~=69.2.0
    • [skip-ci] rpm: update containers-common dep on f40+
    • fix invalid HTTP header values when hijacking a connection
    • Add doc to build podman on windows without MSYS
    • Removing CRI-O related annotations
    • fix(deps): update module github.com/containers/ocicrypt to v1.1.10
    • Pass the restart policy to the individual containers
    • kube play: always pull when both imagePullPolicy and tag are missing

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Micro 6.1
    zypper in -t patch SUSE-SLE-Micro-6.1-76=1

Package List:

  • SUSE Linux Micro 6.1 (aarch64 ppc64le s390x x86_64)
    • podman-remote-debuginfo-5.2.5-slfo.1.1_1.1
    • podman-debuginfo-5.2.5-slfo.1.1_1.1
    • podman-remote-5.2.5-slfo.1.1_1.1
    • podman-5.2.5-slfo.1.1_1.1
  • SUSE Linux Micro 6.1 (noarch)
    • podman-docker-5.2.5-slfo.1.1_1.1
