File _patchinfo of Package patchinfo.37140
<patchinfo incident="37140">
<category>security</category>
<rating>important</rating>
<packager>msmeissn</packager>
<summary>Security update for podman</summary>
<description>
This update for podman fixes the following issues:
- CVE-2024-9676: github.com/containers/storage: Fixed a symlink traversal vulnerability in the containers/storage library that could cause a Denial of Service (DoS) (bsc#1231698)
- Load the ip_tables and ip6_tables kernel modules (bsc#1214612)
  * Required for rootless mode, as a regular user has no permission
    to load kernel modules
- CVE-2024-9675: Fixed an arbitrary directory mount via the cache mount option in buildah (bsc#1231499)
- CVE-2024-9407: Fixed improper input validation in the bind-propagation option of the Dockerfile RUN --mount instruction in buildah (bsc#1231208)
- CVE-2024-9341: Fixed the FIPS crypto-policy directory mounting issue in the containers/common Go library (bsc#1231230)
- CVE-2024-1753: Fixed a full container escape at build time in buildah (bsc#1221677)
- CVE-2024-11218: Fixed a container breakout using --jobs=2 and a race condition when building a malicious Containerfile (bsc#1236270)
- Refactor network backend dependencies:
* podman requires either netavark or cni-plugins. On ALP, require
netavark, otherwise prefer netavark but don't force it.
* This fixes missing cni-plugins in some scenarios
* Default to netavark everywhere where it's available
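
The ip_tables/ip6_tables item above explains why the modules must be loaded before rootless podman runs, since an unprivileged user cannot load them on demand. The following is an added example and is not part of this patchinfo or of the podman package: a POSIX shell check that reports which of the two modules are missing from lsmod output and prints a systemd modules-load.d drop-in that loads them at boot. The drop-in file name /etc/modules-load.d/podman-iptables.conf and the sample lsmod output are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the SUSE patchinfo or the podman package.
# Rootless podman cannot load kernel modules itself, so ip_tables and
# ip6_tables must already be loaded (or loaded at boot) before rootless
# containers that need them are started.

REQUIRED_MODULES="ip_tables ip6_tables"

# Constructed sample lsmod output for the stand-alone demonstration:
# ip_tables is loaded, ip6_tables is not.
SAMPLE_LSMOD='Module                  Size  Used by
ip_tables              32768  0
x_tables               65536  1 ip_tables
overlay               180224  0'

# Print the required modules absent from the lsmod text given as $1.
# lsmod prints a header line, then one module name per line in column 1.
missing_modules() {
    lsmod_text=$1
    missing=""
    for m in $REQUIRED_MODULES; do
        if ! printf '%s\n' "$lsmod_text" | awk 'NR > 1 { print $1 }' | grep -qx "$m"; then
            missing="${missing:+$missing }$m"
        fi
    done
    printf '%s\n' "$missing"
}

# Contents of a systemd modules-load.d drop-in: one module name per line.
# systemd-modules-load reads /etc/modules-load.d/*.conf at boot; the file
# name podman-iptables.conf used below is an assumption for this example.
modules_load_conf() {
    for m in $REQUIRED_MODULES; do
        printf '%s\n' "$m"
    done
}

# Stand-alone run on the constructed sample. On a real host, pass "$(lsmod)".
missing=$(missing_modules "$SAMPLE_LSMOD")
if [ -n "$missing" ]; then
    echo "missing kernel modules: $missing"
    echo "load now as root:        modprobe $missing"
    echo "load at boot by writing the following to /etc/modules-load.d/podman-iptables.conf:"
    modules_load_conf
else
    echo "ip_tables and ip6_tables are loaded"
fi
```

Run it as is to see the check against the constructed sample; replace the sample with "$(lsmod)" to check a live host. The drop-in only takes effect on the next boot, so after writing it, load the missing modules once with modprobe as root before starting rootless containers.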
</description>
<issue id="1214612" tracker="bnc">rootless ipv6 containers can't be started</issue>
<issue id="1215807" tracker="bnc">VUL-0: podman: go1.19 is EOL</issue>
<issue id="1215926" tracker="bnc">podman-docker can't be installed in parallel with docker-compose</issue>
<issue id="1217828" tracker="bnc">podman not using netavark as default</issue>
<issue id="1231208" tracker="bnc">VUL-0: CVE-2024-9407: buildah: Buildah: Podman: Improper Input Validation in bind-propagation Option of Dockerfile RUN --mount Instruction</issue>
<issue id="1231230" tracker="bnc">VUL-0: CVE-2024-9341: buildah,podman: cri-o: FIPS Crypto-Policy Directory Mounting Issue in containers/common Go Library</issue>
<issue id="1231499" tracker="bnc">VUL-0: CVE-2024-9675: buildah,podman: buildah: cache arbitrary directory mount</issue>
<issue id="1231698" tracker="bnc">VUL-0: CVE-2024-9676: buildah,podman,skopeo: github.com/containers/storage: symlink traversal vulnerability in the containers/storage library can cause Denial of Service (DoS)</issue>
<issue id="1221677" tracker="bnc">VUL-0: CVE-2024-1753: buildah: full container escape at build time</issue>
<issue id="1236270" tracker="bnc">VUL-0: CVE-2024-11218: podman: github.com/containers/buildah: Container breakout by using --jobs=2 and a race condition when building a malicious Containerfile</issue>
<issue id="2024-11218" tracker="cve"/>
<issue id="2024-9341" tracker="cve"/>
<issue id="2024-9407" tracker="cve"/>
<issue id="2024-9675" tracker="cve"/>
<issue id="2024-9676" tracker="cve"/>
<issue id="2024-1753" tracker="cve"/>
</patchinfo>