chore(deps): update module github.com/containers/podman/v4 to v5 [security] #77
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
renovate
bot
force-pushed
the
renovate/go-github.com-containers-podman-v4-vulnerability
branch
from
0d87d7b
to
b5a3b49
Compare
renovate
bot
changed the title
ℹ Artifact update noticeFile name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v4.9.3->v5.2.4GitHub Vulnerability Alerts
CVE-2024-1753
Impact
What kind of vulnerability is it? Who is impacted?
Users running containers with root privileges allowing a container to run with read/write access to the host system files when selinux is not enabled. With selinux enabled, some read access is allowed.
Patches
From @nalind . This is a patch for Buildah (https://github.com/containers/buildah). Once fixed there, Buildah will be vendored into Podman.
Reproducer
Prior to testing, as root, add a memorable username to
/etc/passwdvia adduser or your favorite editor. Also create a memorably named file in/. Suggest:touch /SHOULDNTSEETHIS.txtandadduser SHOULDNTSEETHIS. After testing, remember to remove both the file and the user from your system.Use the following Containerfile
To Test
Testing with an older version of Podman with the issue
As part of the printout from the build, you should be able to see the contents of the
/' and/etcdirectories, including the/SHOULDNOTSEETHIS.txtfile that you created, and the contents of the/etc/passwdfile which will include theSHOULDNOTSEETHISuser that you created. In addition, the file/BIND_BREAKOUTand/etc/BIND_BREAKOUT2` will exist on the host after the command is completed. Be sure to remove those two files between tests.Neither the
/BIND_BREAKEOUTor/etc/BIND_BREAKOUT2files should be created. An error should be raised during the build when both files are trying to be created. Also, errors will be raised when the build tries to display the contents of the/etc/passwdfile, and nothing will be displayed from that file.However, the files in both the
/and/etcdirectories on the host system will be displayed.Testing with the patch
Use the same commands as testing with an older version of Podman.
When running using the patched version of Podman, regardless of the
setenforcesettings, you should not see the file that you created or the user that you added. Also the/BIND_BREAKOUTand the/etc/BIND_BREAKOUTwill not exist on the host after the test completes.NOTE: With the fix, the contents of the
/and/etcdirectories, and the/etc/passwdfile will be displayed, however, it will be the file and contents from the container image, and NOT the host system. Also the/BIND_BREAKOUTand/etc/BIND_BREAKOUTfiles will be created in the container image.Workarounds
Ensure selinux controls are in place to avoid compromising sensitive system files and systems. With "setenforce 0" set, which is not at all advised, the root file system is open for modification with this exploit. With "setenfoce 1" set, which is the recommendation, files can not be changed. However, the contents of the
/directory can be displayed. I.e.,ls -alF /will show the contents of the host directory.References
Unknown.
CVE-2024-9407
A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories from the host into a container during the build process and, in some cases, modify the contents of those mounted files. Even if SELinux is used, this vulnerability can bypass its protection by allowing the source directory to be relabeled to give the container access to host files.
Release Notes
containers/podman (github.com/containers/podman/v4)
v5.2.4Compare Source
Security
RUN --mountarguments to a Dockerfile being built.Misc
v5.2.3Compare Source
Bugfixes
pastanetwork mode.:idmapmount option was used.Misc
v5.2.2Compare Source
Bugfixes
/home(#23515).Misc
v5.2.1Compare Source
Bugfixes
Misc
v5.2.0Compare Source
Features
libkrunas a backend for creating virtual machines on MacOS. Thelibkrunbackend has the advantage of allowing GPUs to be mounted into the virtual machine to accelerate tasks. The default backend remainsapplehv..buildfiles, which allows images to be built by Quadlet and then used by Quadlet containers..containerfiles now support two new fields,LogOptto specify container logging configuration andStopSignalto specify container stop signal (#23050)..containerand.podfiles now support a new field,NetworkAlias, to add network aliases.container.d,pod.d) and truncated unit drop-ins (unit-.container.d) (#23158).podman system check, which will identify (and, if possible, correct) corruption within local container storage.podman machine resetcommand will now reset all providers available on the current operating system (e.g. ensuring that both HyperV and WSLpodman machineVMs will be removed on Windows).Changes
.imageunits now have a dependency onnetwork-online.target(#21873).--deviceoption topodman createandpodman runis no longer ignored when--privilegedis also specified (#23132).podman startandpodman stopcommands no longer print the full ID of the pod started/stopped, but instead the user's input used to specify the pod (e.g.podman pod start bwill printbinstead of the pod's full ID) (#22590).podman machineon Linux now usevirtiofsinstead of9pfor mounting host filesystems. Existing mounts will be transparently changed on machine restart or recreation. This should improve performance and reliability of host mounts. This requires the installation ofvirtiofsdon the host system to function.--squashand--layers=falseoptions topodman buildat the same time is now allowed.--volume-driveroption topodman machine initis now deprecated.Bugfixes
--sdnotify=healthyoption could panic when started (#22651).--sdnotify=healthyoption that exited quickly would sometimes return an error instead of notifying that the container was ready (#22760).podman system resetcommand did not remove the containers/image blob cache (#22825).--cgroups=disabledoption was specified at container creation time (#20910)./etc/hostsfile in a container was not created with a newline at the end of the file (#22729).podman startcommand could sometimes panic when starting a container in the stopped state.podman system renumbercommand would fail if volumes existed when using thesqlitedatabase backend (#23052).podman container restorecommand could not successfully restore a container in a pod.podman diffwould suggest using the--latestoption when using the remote Podman client (#23038).podman eventscommand was rarely unable to report errors that occurred (#23165).--cidfileoption.podman runandpodman startcommands could throw strange errors if another Podman process stopped the container at a midpoint in the process of starting (#23246).podman system servicecommand could leak a mount on termination.podman images(#23120).podman auto-updateandpodman system dfcommands could fail when a container was removed while the command was running (#23279).podman machine initcommand could panic when trying to decompress an empty file when preparing the VM image (#23281).podman ps --podandpodman pod statscommands could sometimes fail when a pod was removed while the command was running (#23282).podman statsandpodman pod statscommands would sometimes exit with acontainer is stoppederror when showing all containers (or pod containers, forpod stats) if a container stopped while the command was running (#23334).podman play kubecommand could sometimes not properly clean up their network stacks (#21569).API
Misc
podman buildcommand when the-foption is given, but points to a file that does not exist, have been improved (#22940).v5.1.2Compare Source
Bugfixes
podman machinevolumes into the virtual machine when using the Apple hypervisor (#22569).podman topwould show the incorrect UID for processes in containers run in a user namespace (#22293)./etc/hostsand/etc/resolv.conffiles in a container would be empty after restoring from a checkpoint (#22901).--pod-id-fileargument topodman runandpodman createdid not respect the pod's user namespace (#22931).CONTAINER_CONNECTIONenvironment variable would lead to a panic.Misc
podman machineusing the Apple hypervisor now wait 90 seconds before forcibly stopping the VM, matching the standard systemd shutdown timeout (#22515).v5.1.1Compare Source
Bugfixes
Misc
v5.1.0Compare Source
Features
podman machineon macOS with Apple silicon can now use Rosetta 2 (a.k.a Rosetta) for high-speed emulation of x86 code. This is enabled by default. If you wish to change this option, you can do so incontainers.conf.podman updatecommand are now persistent, and will survive container restart and be reflected inpodman inspect.podman updatecommand now includes a new option,--restart, to update the restart policy of existing containers..containerfiles now support a new key,GroupAdd, to add groups to the container.podman inspect.podman run --mount type=image,...now support a new option,subpath, to mount only part of the image into the container.healthcheck_events, has been added tocontainers.confunder the[engine]section to allow users to disable the generation ofhealth_statusevents to avoid spamming logs on systems with many healthchecks.io.podman.annotations.kube.image.automount/$CTRNAMEannotation (where$CTRNAMEis the name of the container they will be mounted into).podman infocommand now includes the default rootless network command (pastaorslirp4netns).podman pscommand now shows ports from--exposethat have not been published with--publish-allto improve Docker compatibility.podman runlabelcommand now expands$HOMEin the label being run to the user's home directory.podman network list, has been added to thepodman network lscommand.podmanshcan now be set incontainers.conf.podman-setup.exeWindows installer now provides 3 new CLI variables,MachineProvider(choose the provider for the machine,windowsorwsl, the default),HyperVCheckbox(can be set to1to install HyperV if it is not already installed or0, the default, to not install HyperV), andSkipConfigFileCreation(can be set to1to disable the creation of configuration files, or0, the default).Changes
podman kube playthat does not include animagePullPolicyand does not set a tag for the image, the image is now always pulled (#21211).podman kube play, pod-level restart policies are now passed down to individual containers within the pod (#20903).--runrootglobal option can now accept paths with lengths longer than 50 characters (#22272).podman updatecommand now emits an event.Bugfixes
--userns=keep-id:uid=0option topodman createandpodman runwould generate incorrect UID mappings and cause the container to fail to start (#22078).podman statscould report inaccurate percentages for very large or very small values (#22064).rbindinstead ofbind, meaning recursive mounts were allowed by default (#22107).podman machine rm -fcommand would fail to remove Hyper-V virtual machines if they were running.podman ps --synccommand could sometimes fail to properly update the status of containers.:idmapoption would sometimes be inaccessible with rootless Podman (#22228).:Uoption would have their ownership changed to the owner of the directory in the image being mounted over (#22224).--forceoption did not work when multiple arguments were given to the command and one of them did not exist (#21529).pause.pidfile in an incorrect directory (#22327).containers.conf(#22561).podman kube downcommand would not respect theStopTimeoutandStopSignalof containers that it stopped (#22397).podman stopfinished stopping the container (#19629).podman farm buildcommand would not updating manifests on the registry that were already pushed (#22647).argv[0]that is not a valid command path, as might happen when used inpodmansh(#22672).podman machineconnection URIs could be incorrect after an SSH port conflict, rendering machines inaccessible.podman eventscommand would not print an error if incorrect values were passed to its--sinceand--untiloptions.host.containers.internalentry could be added when running rootless containers using thebridgenetwork mode (#22653).API
Misc
podman machineon Darwin systems when--log-level=debugis used.EXTRA_BUILD_TAGSenvironment variable.v5.0.3Compare Source
Security
Bugfixes
podman machine startwould fail if the machine had a volume with a long target path (#22226).podman machine startmounted volumes with paths that included dashes in the wrong location (#22505).Misc
v5.0.2Compare Source
Bugfixes
:zor:Zvolume mount options on a directory with read only files (#19852)API
v5.0.1Compare Source
Bugfixes
podman machineVMs required an SSH client be installed on the system (#22075).podman buildcommand from working properly when connecting from a rootless client to a rootful server (#22109).Misc
podman machinenow fails immediately if admin privileges are not available (previously, it would only fail when it reached operations that required admin privileges).v5.0.0Compare Source
5.0.0
Security
podman buildwhich allowed a user to write files to the/directory of the host machine if selinux was not enabled.Features
podman machinecan now use the native Apple hypervisor (applehv) when run on MacOS.podman machine reset, which will remove all existingpodman machineVMs and relevant configurations.podman manifest addcommand now supports a new--artifactoption to add OCI artifacts to a manifest list.podman create,podman run, andpodman pushcommands now support the--retryand--retry-delayoptions to configure retries for pushing and pulling images.podman runandpodman execcommands now support a new option,--preserve-fd, which allows passing a list of file descriptors into the container (as an alternative to--preserve-fds, which passes a specific number of file descriptors).podman kube playcommand can now create image-based volumes using thevolume.podman.io/imageannotation.podman kube playcan now include volumes from other containers (similar to the--volumes-fromoption) using a new annotation,io.podman.annotations.volumes-from(#16819).podman kube playcan now set user namespace options through the theio.podman.annotations.usernsannotation in the pod definition (#20658).containers.conffieldinterface_name(#21313).--gpusoption topodman createandpodman runis now compatible with Nvidia GPUs (#21156).--mountoption topodman createandpodman runsupports a new mount option,no-dereference, to mount a symlink (instead of its dereferenced target) into a container (#20098).--config, to point to a Docker configuration where we can source registry login credentials.podman ps --formatcommand now supports a new format specifier,.Label(#20957).uidmappingandgidmappingoptions to thepodman run --userns=autooption can now map to host IDs by prefixing host IDs with the@symbol..podunit files (#17687).EntrypointandStopTimeout, in.containerfiles (#20585 and #21134).Ulimitkey multiple times in.containerfiles to set more than one ulimit on a container.Notifykey tohealthyin.containerfiles, to only sdnotify that a container has started when its health check begins passing (#18189).Breaking Changes
podman machinecommands has seen extensive rewrites. Configuration files have changed format and VMs from Podman 4.x and earlier are no longer usable.podman machineVMs must be recreated with Podman 5.podman machine initcommand now pulls images as OCI artifacts, instead of using HTTP. As a result, a validpolicy.jsonfile is required on the host. Windows and Mac installers have been changed to install this file.podman machineon Mac. Instead, the native Apple hypervisor is supported.ConfigPathandImagefields are no longer provided by thepodman machine inspectcommand. Users can also no longer use{{ .ConfigPath }}or{{ .Image }}as arguments topodman machine inspect --format.podman inspectfor containers has seen a number of breaking changes to improve Docker compatibility, including changingEntrypointfrom a string to an array of strings and StopSignal from an int to a string.podman inspectcommand for containers now returns nil for healthchecks when inspecting containers without healthchecks.podman pod inspectcommand now outputs a JSON array regardless of the number of pods inspected (previously, inspecting a single pod would omit the array).PODMAN_IGNORE_CGROUPSV1_WARNINGenvironment variable can be set to suppress warnings.slirp4netnstopastafor improved performance. As a result, networks namedpastaare no longer supported.--imageoption replaces the now deprecated--image-pathoption forpodman machine init.podman events --format "{{json .}}"has been changed to improve Docker compatibility, including thetimeandtimeNanofields (#14993).podman machineVMs and the username used within the VM are now validated and must match this regex:[a-zA-Z0-9][a-zA-Z0-9_.-]*.--annotationtopodman manifest annotateandpodman manifest add, the--configmap,--log-opt, and--annotationoptions topodman kube play, the--pubkeysfileoption topodman image trust set, the--encryption-keyand--decryption-keyoptions topodman create,podman run,podman pushandpodman pull, the--env-fileoption topodman exec, the--bkio-weight-device,--device-read-bps,--device-write-bps--device-read-iops,--device-write-iops,--device,--label-file,--chrootdirs,--log-opt, and--env-fileoptions topodman createandpodman run, and the--hooks-dirand--moduleglobal options.Changes
podman system resetcommand no longer waits for running containers to gracefully stop, and instead immediately sends SIGKILL (#21874).podman network inspectcommand now includes running containers using the network in its output (#14126).podman composecommand is now supported on non-AMD64/ARM64 architectures.podman machinewill now pass HTTP proxy environment variables into the VM for all providers.--no-truncoption to thepodman kube playandpodman kube generatecommands has been deprecated. Podman now complies to the Kubernetes specification for annotation size, removing the need for this option.DOCKER_HOSTenvironment variable will be set by default for rootless users when podman-docker is installed.podman system connectionand farms frompodman farmare now written to a new configuration file calledpodman-connections.conf. As a result, Podman no longer writes tocontainers.conf. Existing connections fromcontainers.confwill still be respected.podman farmsubcommands (save forpodman farm build) no longer need to connect to the machines in the farm to run.podman createandpodman runcommands no longer require specifying an entrypoint on the command line when the container image does not define one. In this case, an empty command will be passed to the OCI runtime, and the resulting behavior is runtime-specific.podman machineVMs on Mac is nowsystem_u:object_r:nfs_t:s0so that it can be shared with all containers without issue.podman machinewill now share a single SSH key key for access. As a result,podman machine rm --save-keysis deprecated as the key will persist by default.Bugfixes
podman statscommand would not show network statistics when thepastanetwork mode was used.podman machineVMs using the HyperV provider could not mount shares on directories that did not yet exist.podman composecommand did not respect the--connectionand--urloptions.podman stop -t -1command would wait for 0 seconds, not infinite seconds, before sending SIGKILL (#21811).slirp4netnsnetwork mode was used with a restart policy ofalwaysorunless-stoppedoron-failureand a user namespace (#21477).docker.socksymlink (#20650).podman image scpcommand could fail if there was not sufficient space in the destination machine's/tmpfor the image (#21239).podman inspect(#13102).podman kube playdid not create memory-backed emptyDir volumes using a tmpfs filesystem.--rmwere sometimes not removed after a reboot (#21482).podman eventscommand using the remote Podman client did not display the network name associated with network events (#21311).podman farm builddid not properly handle the--tls-verifyoption and would override server defaults even if the option was not set by the user (#21352).podman inspectcommand could segfault on FreeBSD (#21117)..containerfile with certain types of trailing whitespace (#21109).bind-mount-optionskey (#21080)..containerfiles (#20992).--publish-alloption topodman kube playdid not function when used with the remote Podman client.podman kube play --buildcommand could not build images whose Dockerfile specified an image from a private registry with a self-signed certificate in aFROMdirective (#20890).API
/libpod/images/$name/resolve, has been added to resolve a (potential) short name to a list of fully-qualified image references Podman which could be used to pull the image./etc/hostswere copied into create containers, resulting in incompatibility with network aliases.Misc
podman build.v4.9.5Compare Source
Security
API
v4.9.4Compare Source
Security
podman buildwhich allowed a user to write files to the/directory of the host machine if selinux was not enabled.Bugfixes
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.