File _patchinfo of Package patchinfo.37144

<patchinfo incident="37144">
  <category>security</category>
  <rating>important</rating>
  <packager>msmeissn</packager>
  <summary>Security update for podman</summary>
<description>
This update for podman fixes the following issues:

- CVE-2025-27144: Fixed denial of service in parsing function of embedded library Go JOSE (bsc#1237641)
- CVE-2024-9676: github.com/containers/storage: Fixed symlink traversal vulnerability in the containers/storage library that can cause Denial of Service (DoS) (bsc#1231698)
- CVE-2024-9675: Fixed cache arbitrary directory mount in buildah (bsc#1231499)
- CVE-2024-9407: Fixed Improper Input Validation in bind-propagation Option of Dockerfile RUN --mount Instruction in buildah (bsc#1231208)
- CVE-2024-9341: cri-o: Fixed FIPS Crypto-Policy Directory Mounting Issue in containers/common Go Library (bsc#1231230)
- CVE-2024-1753: Fixed full container escape at build time in buildah (bsc#1221677)
- CVE-2024-11218: Fixed a container breakout by using --jobs=2 and a race condition when building a malicious Containerfile (bsc#1236270)
- CVE-2024-6104: Fixed hashicorp/go-retryablehttp writing sensitive information to log files (bsc#1227052)
- CVE-2023-45288: Fixed golang.org/x/net/http2 excessive resource consumption when receiving too many headers (bsc#1236507)

- Load ip_tables and ip6_tables kernel module (bsc#1214612)
  * Required for rootless mode as a regular user has no permission
    to load kernel modules

- Refactor network backend dependencies:
  * podman requires either netavark or cni-plugins. On ALP, require
    netavark, otherwise prefer netavark but don't force it.
  * This fixes missing cni-plugins in some scenarios
  * Default to netavark everywhere where it's available
</description>
  <issue id="1214612" tracker="bnc">rootless ipv6 containers can't be started</issue>
  <issue id="1215807" tracker="bnc">VUL-0: podman: go1.19 is EOL</issue>
  <issue id="1215926" tracker="bnc">podman-docker can't be installed in parallel with docker-compose</issue>
  <issue id="1217828" tracker="bnc">podman not using netavark as default</issue>
  <issue id="1231208" tracker="bnc">VUL-0: CVE-2024-9407: buildah: Buildah: Podman: Improper Input Validation in bind-propagation Option of Dockerfile RUN --mount Instruction</issue>
  <issue id="1231230" tracker="bnc">VUL-0: CVE-2024-9341: buildah,podman: cri-o: FIPS Crypto-Policy Directory Mounting Issue in containers/common Go Library</issue>
  <issue id="1231499" tracker="bnc">VUL-0: CVE-2024-9675: buildah,podman: buildah: cache arbitrary directory mount</issue>
  <issue id="1231698" tracker="bnc">VUL-0: CVE-2024-9676: buildah,podman,skopeo: github.com/containers/storage: symlink traversal vulnerability in the containers/storage library can cause Denial of Service (DoS)</issue>
  <issue id="1221677" tracker="bnc">VUL-0: CVE-2024-1753: buildah: full container escape at build time</issue>
  <issue id="1236270" tracker="bnc">VUL-0: CVE-2024-11218: podman: github.com/containers/buildah: Container breakout by using --jobs=2 and a race condition when building a malicious Containerfile</issue>
  <issue tracker="bnc" id="1227052">VUL-0: CVE-2024-6104: podman: hashicorp/go-retryablehttp: url might write sensitive information to log file</issue>
  <issue tracker="bnc" id="1236507">VUL-0: CVE-2023-45288: podman: golang.org/x/net/http2: close connections when receiving too many headers</issue>
  <issue tracker="bnc" id="1237641">VUL-0: CVE-2025-27144: podman: gopkg.in/square/go-jose.v2,gopkg.in/go-jose/go-jose.v2,github.com/go-jose/go-jose/v4,github.com/go-jose/go-jose/v3: Go JOSE's Parsing Vulnerable to Denial of Service</issue>
  <issue tracker="cve" id="2025-27144"/>
  <issue id="2024-6104" tracker="cve"/>
  <issue id="2023-45288" tracker="cve"/>
  <issue id="2024-11218" tracker="cve"/>
  <issue id="2024-9341" tracker="cve"/>
  <issue id="2024-9407" tracker="cve"/>
  <issue id="2024-9675" tracker="cve"/>
  <issue id="2024-9676" tracker="cve"/>
  <issue id="2024-1753" tracker="cve"/>
</patchinfo>