suse-su-2025:20805-1
Vulnerability from csaf_suse
Published
2025-10-01 13:49
Modified
2025-10-01 13:49
Summary
Security update for podman

Notes

Title of the patch
Security update for podman
Description of the patch
This update for podman fixes the following issues:
- CVE-2025-6032: Fixed machine init command failing to verify TLS certificate (bsc#1245320)
- Fix conditional Requires (remove deprecated sle_version macro)
- Update to version 5.4.2:
* Add release notes for v5.4.2 * Fix a potential deadlock during `podman cp` * Improve the file format documentation of podman-import. * Revert "podman-import only supports gz and tar" * Bump buildah to v1.39.4 * libpod: do not cover idmapped mountpoint * test: Fix runc error message * oci: report empty exec path as ENOENT * test: adapt tests new crun error messages * test: remove duplicate test * cirrus: test only on f41/rawhide * CI: use z1d instance for windows machine testing * New images 2025-03-24 * test/e2e: use go net.Dial() ov nc * test: use ncat over nc * New images 2025-03-12 * RPM: Add riscv64 to ExclusiveArch-es * Fix HealthCheck log destination, count, and size defaults * Win installer test: hardcode latest GH release ID * Packit: Fix action script for fetching upstream commit * Bump to v5.4.2-dev * Bump to v5.4.1 * update gvproxy version to 0.8.4 * Update Buildah to v1.39.2 * Update release notes for v5.4.1 * Fix reporting summed image size for compat endpoint * podman-import only supports gz and tar * quadlet kube: correctly mark unit as failed * pkg/domain/infra/abi/play.go: fix two nilness issues * kube play: don't print start errors twice * libpod: race in WaitForConditionWithInterval() * libpod: race in WaitForExit() with autoremove * Don't try to resolve host path if copying to container from stdin.
* Use svg for pkginstaller banner * Create quota before _data dir for volumes * Packit: clarify secondary status in CI * Packit/RPM: Display upstream commit SHA in all rpm builds * podman run: fix --pids-limit -1 wrt runc * vendor: update github.com/go-jose/go-jose/v3 to v3.0.4 * chore(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 [security] * wire up --retry-delay for artifact pull * Revert "silence false positve from golangci-lint" * update golangci-lint to v1.64.4 * update golangci-lint to v1.64.2 * silence false positve from golangci-lint * cmd/podman: refactor Context handling * fix new usetesting lint issue * Packit/Copr: Fix `podman version` in rpm * Remove persist directory when cleaning up Conmon files * Bump to v5.4.1-dev * Bump to v5.4.0 * Update release notes for v5.4.0 final * In SQLite state, use defaults for empty-string checks * Bump FreeBSD version to 13.4 * docs: add v5.4 to API reference * Update rpm/podman.spec * RPM: set buildOrigin in LDFLAG * RPM: cleanup macro defs * Makefile: escape BUILD_ORIGIN properly * rootless: fix hang on s390x * Set Cirrus DEST_BRANCH appropriately to fix CI * Bump to v5.4.0-dev * Bump to v5.4.0-rc3 * Update release notes for v5.4.0-rc3 * Add BuildOrigin field to podman info * artifact: only allow single manifest * test/e2e: improve write/removeConf() * Add --noheading to artifact ls * Add --no-trunc to artifact ls * Add type and annotations to artifact add * pkg/api: honor cdi devices from the hostconfig * util: replace Walk with WalkDir * fix(pkg/rootless): avoid memleak during init() contructor. 
* Add `machine init --playbook` * RPM: include empty check to silence rpmlint * RPM: adjust qemu dependencies * Force use of iptables on Windows WSL * rpm: add attr as dependency for podman-tests * update gvproxy version * [v5.4] Bump Buildah to v1.39.0 * podman exec: correctly support detaching * libpod: remove unused ExecStartAndAttach() * [v5.4] Bump c/storage to v1.57.1, c/image v5.34.0, c/common v0.62.0 * Move detection of libkrun and intel * Prevent two podman machines running on darwin * Remove unnecessary error handling * Remove usused Kind() function * Bump to v5.4.0-dev * Bump to v5.4.0-rc2 * Update release notes for v5.4.0-rc2 * Safer use of `filepath.EvalSymlinks()` on Windows * error with libkrun on intel-based machines * chore(deps): update dependency pytest to v8.3.4 * test/buildah-bud: skip two new problematic tests on remote * Fix podman-restart.service when there are no containers * Avoid upgrading from v5.3.1 on Windows * Clean up after unexpectedly terminated build * system-tests: switch ls with getfattr for selinux tests * vendor latest c/{buildah,common,image,storage} * Makefile: Add validatepr description for 'make help' output * docs: Enhance podman build --secret documentation and add examples * docs: mount.md - idmapped mounts only work for root user * Define, and use, PodmanExitCleanlyWithOptions * Eliminate PodmanSystemdScope * Fix image ID query * Revert "Use the config digest to compare images loaded/pulled using different methods" * Update c/image after https://github.com/containers/image/pull/2613 * Update expected errors when pulling encrypted images * Eliminate PodmanExtraFiles * Introduce PodmanTestIntegration.PodmanWithOptions * Restructure use of options * Inline PodmanBase into callers * Pass all of PodmanExecOptions to various [mM]akeOptions functions * Turn PodmanAsUserBase into PodmanExecBaseWithOptions * Avoid indirect links through quadlet(5) * do not set the CreateCommand for API users * Add podman manifest rm --ignore * 
Bump to v5.4.0-dev * Bump to v5.4.0-rc1 * fix(deps): update module github.com/containers/gvisor-tap-vsock to v0.8.2 * podman artifact * vendor latest c/{common,image,storage} * fix(deps): update module github.com/rootless-containers/rootlesskit/v2 to v2.3.2 * cirrus: bump macos machine test timeout * pkg/machine/e2e: improve podman.exe match * pkg/machine/e2e: improve "list machine from all providers" * Remove JSON tag from UseImageHosts in ContainerConfig * Set network ID if available during container inspect * Stop creating a patch for v5.3.1 upgrades on windows * compose docs: fix typo * Document kube-play CDI support * docs: Add quadlet debug method systemd-analyze * Replace instances of PodmanExitCleanly in play_kube_test.go * docs: add 'initialized' state to status filters * fix(deps): update module google.golang.org/protobuf to v1.36.3 * Switch all calls of assert.Nil to assert.NoError * Add --no-hostname option * Fix unescaping octal escape sequence in values of Quadlet unit files * Remove `.exe` suffix if any * Add kube play support for CDI resource allocation * add support to `;` for comments in unit files as per systemd documentation * Use PodmanExitCleanly in attach_test.go * Introduce PodmanTestIntegration.PodmanExitCleanly * chore(deps): update dependency setuptools to ~=75.8.0 * Add newer c/i to support artifacts * fix(deps): update module golang.org/x/tools to v0.29.0 * fix(deps): update module golang.org/x/net to v0.34.0 * specgenutil: Fix parsing of mount option ptmxmode * namespaces: allow configuring keep-id userns size * Update description for completion * Quadlet - make sure the /etc/containers/systemd/users is traversed in rootless * Document .build for Image .container option * fix(deps): update module github.com/vbauerster/mpb/v8 to v8.9.1 * New VM Images * update golangci/golangci-lint to v1.63.4 * fix(deps): update module google.golang.org/protobuf to v1.36.2 * chore(deps): update dependency setuptools to ~=75.7.0 * Fixing ~/.ssh/identity 
handling * vendor latest c/common from main * fix(deps): update module github.com/shirou/gopsutil/v4 to v4.24.12 * fix(deps): update module github.com/opencontainers/runc to v1.2.4 * specgen: fix comment * Add hint to restart Podman machine to really accept new certificates * fix(deps): update module github.com/onsi/gomega to v1.36.2 * fix(deps): update module github.com/moby/term to v0.5.2 * Pass container hostname to netavark * Fix slirp4netns typo in podman-network.1.md * Add support to ShmSize in Pods with Quadlet * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.22.1 * chore(deps): update module golang.org/x/crypto to v0.31.0 [security] * fix(deps): update module golang.org/x/net to v0.33.0 [security] * Kube volumes can not container _ * fix(deps): update module github.com/docker/docker to v27.4.1+incompatible * test/system: fix "podman play --build private registry" error * test/system: CopyDirectory() do not chown files * test/system: remove system dial-stdio test * shell completion: respect CONTAINERS_REGISTRIES_CONF * fix(deps): update module github.com/cpuguy83/go-md2man/v2 to v2.0.6 * When generating host volumes for k8s, force to lowercase * test: enable newly added test * vfkit: Use 0.6.0 binary * gvproxy: Use 0.8.1 binary * systemd: simplify parser and fix infinite loop * Revert "win-installer test: revert to v5.3.0" * Avoid rebooting twice when installing WSL * Avoid rebooting on Windows when upgrading and WSL isn't installed * Add win installer patch * Bump WiX toolset version to 5.0.2 * test/e2e: SkipOnOSVersion() add reason field * test/e2e: remove outdated SkipOnOSVersion() calls * Update VM images * fix(deps): update module golang.org/x/crypto to v0.31.0 [security] * fix(deps): update module github.com/crc-org/crc/v2 to v2.45.0 * fix(deps): update module github.com/opencontainers/runc to v1.2.3 * quadlet: fix inter-dependency of containers in `Network=` * Add man pages to Mac installer * fix(deps): update module github.com/onsi/gomega 
to v1.36.1 * fix(deps): update module github.com/docker/docker to v27.4.0+incompatible * Fix device limitations in podman-remote update on remote systems * Use latest version of VS BuildTools * bin/docker: fix broken escaping and variable substitution * manifest annotate: connect IndexAnnotations * Fix panic in `manifest annotate --index` * fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.5 * fix(deps): update module golang.org/x/net to v0.32.0 * fix(deps): update module golang.org/x/tools to v0.28.0 * fix(deps): update module golang.org/x/crypto to v0.30.0 * fix(deps): update module golang.org/x/sys to v0.28.0 * Fix overwriting of LinuxResources structure in the database * api: replace inspectID with name * fix(deps): update github.com/opencontainers/runtime-tools digest to f7e3563 * Replace ExclusiveArch with ifarch * fix(deps): update module github.com/containers/gvisor-tap-vsock to v0.8.1 * Improve platform specific URL handling in `podman compose` for machines * Fix `podman info` with multiple imagestores * Switch to fixed common * refact: use uptime.minutes instead of uptime.seconds * fix(deps): update module github.com/shirou/gopsutil/v4 to v4.24.11 * fix(deps): update golang.org/x/exp digest to 2d47ceb * fix(deps): update github.com/godbus/dbus/v5 digest to c266b19 * Cover Unix socket in inpect test on Windows platform * Add a test for forcing compression and v2s2 format * fix(deps): update module github.com/crc-org/vfkit to v0.6.0 * Package podman-machine on supported architectures only. * Fixes missing binary in systemd. 
* stats: ignore errors from containers without cgroups * api: Error checking before NULL dereference * [skip-ci] Packit/copr: switch to fedora-all * make remotesystem: fail early if serial tests fail * spec: clamp rlimits without CAP_SYS_RESOURCE * Clarify the reason for skip_if_remote * Sanity-check that the test is really using partial pulls * Fix apparent typos in zstd:chunked tests * Fix compilation issues in QEMU machine files (Windows platform) * Mount volumes before copying into a container * Revert "libpod: remove shutdown.Unregister()" * docs: improve documentation for internal networks * docs: document bridge mode option * [skip-ci] Packit: remove epel and re-enable c9s * chore(deps): update dependency golangci/golangci-lint to v1.62.2 * vendor: update containers/common * OWNERS: remove edsantiago * fix(deps): update module github.com/onsi/gomega to v1.36.0 * fix(deps): update github.com/containers/common digest to ceceb40 * refact: EventerType and improve consistency * Add --hosts-file flag to container and pod commands * Add nohosts option to /build and /libpod/build * fix(deps): update module github.com/stretchr/testify to v1.10.0 * Quadlet - Use = sign when setting the pull arg for build * win-installer test: revert to v5.3.0 * fix(deps): update module github.com/crc-org/crc/v2 to v2.44.0 * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.22.0 * chore(deps): update dependency setuptools to ~=75.6.0 * Update windows installer tests * Windows: don't install WSL/HyperV on update * Switch to non-installing WSL by default * fix(deps): update github.com/containers/buildah digest to 52437ef * Configure HealthCheck with `podman update` * CI: --image-volume test: robustify * docs: add 5.3 as Reference version * Bump CI VMs * libpod: pass down NoPivotRoot to Buildah * vendor: bump containers/buildah * fix(deps): update module github.com/opencontainers/runc to v1.2.2 * Overlay mounts supersede image volumes & volumes-from * libpod: addHosts() prevent nil 
deref * only read ssh_config for non machine connections * ssh_config: allow IdentityFile file with tilde * ssh_config: do not overwrite values from config file * connection: ignore errors when parsing ssh_config * Bump bundled krunkit to 0.1.4 * fix(deps): update module google.golang.org/protobuf to v1.35.2 * add support for driver-specific options during container creation * doc: fix words repetitions * Update release notes on main for v5.3.0 * chore(deps): update dependency setuptools to ~=75.5.0 * CI: system tests: parallelize 010 * fix podman machine init --ignition-path * vendor: update containers/common * spec: clamp rlimits in a userns * Add subpath support to volumes in `--mount` option * refactor: simplify LinuxNS type definition and String method * test/e2e: remove FIPS test * vendor containers projects to tagged versions * fix(deps): update module github.com/moby/sys/capability to v0.4.0 * chore(deps): update dependency setuptools to ~=75.4.0 * system tests: safer install_kube_template() * Buildah treadmill tweaks * update golangci-lint to v1.62.0 * fix(deps): update module golang.org/x/net to v0.31.0 * fix(deps): update module golang.org/x/tools to v0.27.0 * Revert "Reapply "CI: test nftables driver on fedora"" * Yet another bump, f41 with fixed kernel * test: add zstd:chunked system tests * pkg/machine/e2e: remove dead code * fix(deps): update module golang.org/x/crypto to v0.29.0 * kube SIGINT system test: fix race in timeout handling * New `system connection add` tests * Update codespell to v2.3.0 * Avoid printing PR text to stdout in system test * Exclude symlink from pre-commit end-of-file-fixer * api: Add error check * [CI:ALL] Bump main to v5.4.0-dev * test/buildah-bud: build new inet helper * test/system: add regression test for TZDIR local issue * vendor latest c/{buildah,common,image,storage} * Reapply "CI: test nftables driver on fedora" * Revert "cirrus: test only on f40/rawhide" * test f41 VMs * AdditionalSupport for SubPath volume mounts 
* wsl-e2e: Add a test to ensure port 2222 is free with usermode networking * winmake.ps1: Fix the syntax of the function call Win-SSHProxy * volume ls: fix race that caused it to fail * gvproxy: Disable port-forwarding on WSL * build: update gvisor-tap-vsock to 0.8.0 * podman: update roadmap * Log network creation and removal events in Podman * libpod: journald do not lock thread * Add key to control if a container can get started by its pod * Honor users requests in quadlet files * CI: systests: workaround for parallel podman-stop flake * Fix inconsistent line ending in win-installer project * fix(deps): update module github.com/opencontainers/runc to v1.2.1 * Quadlet - support image file based mount in container file * API: container logs flush status code * rework event code to improve API errors * events: remove memory eventer * libpod: log file use Wait() over event API * Makefile: vendor target should always remove toolchain * cirrus: check consitent vendoring in test/tools * test/tools/go.mod: remove toolchain * fix(deps): update module github.com/shirou/gopsutil/v4 to v4.24.10 * fix(deps): update module github.com/onsi/gomega to v1.35.1 * doc: explain --interactive in more detail * fix(deps): update golang.org/x/exp digest to f66d83c * fix(deps): update github.com/opencontainers/runtime-tools digest to 6c9570a * fix(deps): update github.com/linuxkit/virtsock digest to cb6a20c * add default polling interval to Container.Wait * Instrument cleanup tracer to log weird volume removal flake * make podman-clean-transient.service work as user * Add default remote socket path if empty * Use current user if no user specified * Add support for ssh_config for connection * libpod: use pasta Setup() over Setup2() * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.21.0 * fix(deps): update module github.com/onsi/gomega to v1.35.0 * logformatter: add cleanup tracer log link * docs: fix broken example * docs: add missing swagger links for the stable branches * 
readthedocs: build extra formats * pkg/machine/e2e: remove debug * fix(docs): Integrate pasta in rootless tutorial * chore(deps): update dependency setuptools to ~=75.3.0 * libpod: report cgroups deleted during Stat() call * chore: fix some function names in comment * CI: parallelize 450-interactive system tests * CI: parallelize 520-checkpoint tests * CI: make 070-build.bats use safe image names * test/system: add podman network reload test to distro gating * System tests: clean up unit file leaks * healthcheck: do not leak service on failed stop * healthcheck: do not leak statup service * fix(deps): update module github.com/containers/gvisor-tap-vsock to v0.8.0 * Add Startup HealthCheck configuration to the podman inspect * buildah version display: use progress() * new showrun() for displaying and running shell commands * Buildah treadmill: redo the .cirrus.yml tweaks * Buildah treadmill: more allow-empty options * Buildah treadmill: improve test-failure instructions * Buildah treadmill: improve wording in test-fail instructions * doc: Remove whitespace before comma * fix(deps): update module github.com/checkpoint-restore/checkpointctl to v1.3.0 * ps: fix display of exposed ports * ps: do not loop over port protocol * readme: Add reference to pasta in the readme * test/system: Fix spurious "duplicate tests" failures in pasta tests * Improve "podman load - from URL" * Try to repair c/storage after removing an additional image store * Use the config digest to compare images loaded/pulled using different methods * Simplify the additional store test * Fix the store choice in "podman pull image with additional store" * Bump to v5.3.0-dev * Bump to v5.3.0-rc1 * Set quota on volume root directory, not _data * fix(deps): update module github.com/opencontainers/runc to v1.2.0 * test: set soft ulimit * Vagrantfile: Delete * Enable pod restore with crun * vendor: update c/{buildah,common,image,storage} * Fix 330-corrupt-images.bats in composefs test runs * quadlet: add 
default network dependencies to all units * quadlet: ensure user units wait for the network * add new podman-user-wait-network-online.service * contrib/systemd: switch user symlink for file symlinks * Makefile: remove some duplication from install.systemd * contrib/systemd: move podman-auto-update units * quadlet: do not reject RemapUsers=keep-id as root * test/e2e: test quadlet with and without --user * CI: e2e: fix checkpoint flake * APIv2 test fix: image history * pasta udp tests: new bytecheck helper * Document packaging process * [skip-ci] RPM: remove dup Provides * Update dependency setuptools to ~=75.2.0 * System tests: safer pause-image creation * Update module github.com/opencontainers/selinux to v1.11.1 * Added escaping to invoked powershell command for hyperv stubber. * use slices.Clone instead of assignment * libpod API: only return exit code without conditions * Housekeeping: remove duplicates from success_task * Thorough overhaul of CONTRIBUTING doc. * api: Replace close function in condition body * test/e2e: fix default signal exit code test * Test new VM build * CI: fix changing-rootFsSize flake * scp: add option types * Unlock mutex before returning from function * Note in the README that we are moving to timed releases * cirrus: let tar extract figure out the compression * Make error messages more descriptive * Mention containers.conf settings for podman machine commands * [skip-ci] Packit: re-enable CentOS Stream 10/Fedora ELN teasks" * cmd: use logrus to print error * podman: do not set rlimits to the default value * spec: always specify default rlimits * vendor: update containers/common * Note in the README that we are moving to timed releases * Revert "CI: test nftables driver on fedora" * cirrus: use zstd over bzip2 for repo archive * cirrus: use shared repo_prep/repo_artifacts scripts * cirrus: speed up postbuild * cirrus: change alt arch task to only compile binaries * cirrus: run make with parallel jobs where useful * Makefile: allow 
man-page-check to be run in parallel * cirrus: use fastvm for builds * test/e2e: skip some Containerized checkpoint tests * test: update timezone checks * cirrus: update CI images * test/e2e: try debug potential pasta issue * CI: quadlet system tests: use airgapped testimage * Allow removing implicit quadlet systemd dependencies * fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.4 * libpod API: make wait endpoint better against rm races * podman-remote run: improve how we get the exit code * [skip-ci] Packit: constrain koji and bodhi jobs to fedora package to avoid dupes * 055-rm test: clean up a test, and document * CI: remove skips for libkrun * Bump bundled krunkit to 0.1.3 * fix(deps): update module google.golang.org/protobuf to v1.35.0 * fix(deps): update module golang.org/x/net to v0.30.0 * server: fix url parsing in info * fix(deps): update module golang.org/x/tools to v0.26.0 * Makefile: fix ginkgo FOCUS option * fix(deps): update module golang.org/x/crypto to v0.28.0 * podman-systemd.unit.5: adjust example options * docs: prefer --network to --net * fix(deps): update module golang.org/x/term to v0.25.0 * fix(deps): update module github.com/mattn/go-sqlite3 to v1.14.24 * fix(deps): update module golang.org/x/sys to v0.26.0 * OWNERS file audit and update * Exposed ports are only included when not --net=host * libpod: hasCurrentUserMapped checks for gid too * [CI:DOCS] Document TESTFLAGS in test README file * Validate the bind-propagation option to `--mount` * Fix typo in secret inspect examples * Mention `no_hosts` and `base_hosts_file` configs in CLI option docs * Fixes for vendoring Buildah * vendor: update buildah to latest * Makefile - silence skipped tests when focusing on a file * vendor: update to latest c/common * Quadlet - prefer "param val" over "param=val" to allow env expansion * System tests: sdnotify: wait for socket file creation * Switch to moby/sys/capability * platformInspectContainerHostConfig: rm dead code * CI: 
require and test CI_DESIRED_NETWORK on RHEL * Add ExposedPorts to Inspect's ContainerConfig * fix(deps): update golang.org/x/exp digest to 701f63a * quadlet: allow variables in PublishPort * fix(deps): update module github.com/shirou/gopsutil/v4 to v4.24.9 * fix(deps): update github.com/godbus/dbus/v5 digest to a817f3c * Document that zstd:chunked is downgraded to zstd when encrypting * fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.3 * chore(deps): update dependency ubuntu to v24 * rpm: do not load iptables modules on f41+ * adding docs for network-cmd-path * Include exposed ports in inspect output when net=host * feat(libpod): support kube play tar content-type (#24015) * podman mount: some better error wrapping * podman mount: ignore ErrLayerUnknown * Quadlet - make sure the order of the UnitsDir is deterministic * packit: disable Centos Stream/fedora ELN teasks * libpod: remove shutdown.Unregister() * libpod: rework shutdown handler flow * libpod: ensure we are not killed during netns creation * Update module github.com/moby/sys/capability to v0.3.0 * Update documentation of `--no-hosts`, `--hostname`, and `--name` CLI options * Update documentation of `--add-host` CLI option * System tests: set a default XDG_RUNTIME_DIR * Modify machine "Remove machine" test * CORS system test: clean up * Add --health-max-log-count, --health-max-log-size, --health-log-destination flags * troubleshooting: adjust home path in tip 44 * test/system: For pasta port forwarding tests don't bind socat server * Update connection on removal * Simplify `RemoveConnections` * Move `DefaultMachineName` to `pkg/machine/define` * vendor: update containers/image * vendor: update containers/storage * CI: skip the flaking quadlet test * CI: make systemd tests parallel-safe (*) * CI: run and collect cleanup tracer logs * add epbf program to trace podman cleanup errors * CI: parallelize logs test as much as possible * CI: format test: use local registry if available * CI: 
make 700-play parallel-safe * docs: Fix missing negation * bin/docker support warning message suppression from user config dir * Update module github.com/docker/docker to v27.3.1+incompatible * Quadlet - add full support for Symlinks * libpod: setupNetNS() correctly mount netns * vendor latest c/common * docs: remove usage of deprecated `--storage` * Update module github.com/docker/docker to v27.3.0+incompatible * CI: Quadlet rootfs test: use container image as rootfs * CI: system test registry: use --net=host * CI: rm system test: bump grace period * CI: system tests: minor documentation on parallel * fix typo in error message Fixes: containers/podman#24001 * CI: system tests: always create pause image * CI: quadlet system test: be more forgiving * vendor latest c/common * CI: make 200-pod parallel-safe * allow exposed sctp ports * test/e2e: add netns leak check * test/system: netns leak check for rootless as well * test/system: Improve TODO comments on IPv6 pasta custom DNS forward test * test/system: Clarify "Local forwarder" pasta tests * test/system: Simplify testing for nameserver connectivity * test/system: Consolidate "External resolver" pasta tests * test/system: Move test for default forwarder into its own case * CI: make 090-events parallel-safe * Misc minor test fixes * Add network namespace leak check * Add workaround for buildah parallel bug * registry: lock start attempts * Update system test template and README * bats log: differentiate parallel tests from sequential * ci: bump system tests to fastvm * clean_setup: create pause image * CI: make 012-manifest parallel-safe * podman-manifest-remove: update docs and help output * test/system: remove wait workaround * wait: fix handling of multiple conditions with exited * Match output of Compat Top API to Docker * system test parallelization: enable two-pass approach * New VMs: test crun 1.17 * libpod: hides env secrets from container inspect * CI: e2e: workaround for events out-of-sequence flake * 
update golangci-lint to 1.61.0 * libpod: convert owner IDs only with :idmap * Podman CLI --add-host with multiple host for a single IP * Quadlet - Split getUnitDirs to small functions * fix(deps): update module github.com/cpuguy83/go-md2man/v2 to v2.0.5 * chore(deps): update dependency setuptools to ~=75.1.0 * Fxi typo in cache-ttl.md * Get WSL disk as an OCI artifact * CI: make 260-sdnotify parallel-safe * quadlet: do not log ENOENT errors * pkg/specgen: allow pasta when running inside userns * troubleshooting: add tip about the user containers * chore(deps): update dependency setuptools to v75 * Convert windows paths in volume arg of the build command * Improve error when starting multiple machines * fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.2 * Minor typo noticed when reading podman man page * Remove `RemoveFilesAndConnections` * Add `GetAllMachinesAndRootfulness` * rewrite typo osascript * typo * fix(deps): update module github.com/docker/docker to v27.2.1+incompatible * Add radio buttons to select WSL or Hyper-V in windows setup.exe * [skip-ci] Packit: split out ELN jobs and reuse fedora downstream targets * [skip-ci] Packit: Enable sidetags for bodhi updates * vendor: update c/common * CI: make 710-kube parallel-safe * CI: mark 320-system-df *NOT* parallel safe * Add kube play support for image volume source * refactor: add sshClient function * fix(deps): update module golang.org/x/tools to v0.25.0 * CI: make 505-pasta parallel safe * CI: make 020-tag parallel-safe * CI: make 410-selinux parallel-safe * Bump VMs. 
ShellCheck is now built-in * troubleshooting: add tip about auto, keep-id, nomap * libpod: make use of new pasta option from c/common * vendor latest c/common * podman images: sort repository with tags * Remove containers/common/pkg/config from pkg/util * fix(deps): update module golang.org/x/net to v0.29.0 * fix(deps): update module github.com/mattn/go-sqlite3 to v1.14.23 * fix(deps): update module golang.org/x/crypto to v0.27.0 * Fix CI * Detect and fix typos using codespell * Fix typo: replace buildin with built-in * Add codespell config, pre-commit definition, and move options from Makefile * prune: support clearing build cache using CleanCacheMount * test/e2e: fix network prune flake * Add support for Job to kube generate & play * Add podman-rootless.7 man page * Add DNS, DNSOption and DNSSearch to quadlet pod * podman.1.md: improve policy.json section * e2e: flake fix: SIGPIPE in hook test * libpod: fix rootless cgroup path with --cgroup-parent * vendor: update c/storage * CI: make 055-rm parallel-safe * CI: make 130-kill parallel-safe * CI: make 125-import parallel-safe * CI: make 110-history parallel-safe * CI: system tests: parallelize low-hanging fruit * Add disclaimer to `podman machine info` manpage. 
* man pages: refactor two more options * update github.com/opencontainers/runc to v1.2.0-rc.3 * update go.etcd.io/bbolt to v1.3.11 * update github.com/onsi/{ginkgo,gomega} * Update module github.com/shirou/gopsutil to v4 * packit: update fedora and epel targets * bump go to 1.22 * cirrus: test only on f40/rawhide * cirrus: remove CI_DESIRED_NETWORK reference * cirrus: prebuild use f40 for extra tests * chore(deps): update dependency setuptools to ~=74.1.0 * libpod: fix HostConfig.Devices output from 'podman inspect' on FreeBSD * fix(deps): update golang.org/x/exp digest to 9b4947d * Implement publishing API UNIX socket on Windows platforms * Vendor c/common:8483ef6022b4 * quadlet: support container network reusing * docs: update read the docs changes * CI: parallel-safe network system test * Quadlet - Support multiple image tags in .build files * fix(deps): update module github.com/vbauerster/mpb/v8 to v8.8.3 * cirrus: remove _bail_if_test_can_be_skipped * cirrus: move renovate check into validate * cirrus: remove 3rd party connectivity check * cirrus: remove cross jobs for aarch64 and x86_64 * cirrus: do not upload alt arch cross artifacts * cirrus: remove ginkgo-e2e.json artifact * cirrus: fix default timeouts * github: remove fcos-podman-next-build-prepush * Clarify podman machine volume mounting behavior under WSL * machine: Add -all-providers flag to machine list * Create a podman-troubleshooting man page * chore(deps): update dependency setuptools to v74 * fix(deps): update module github.com/docker/docker to v27.2.0+incompatible * Fix an improperly ignored error in SQLite * CI: flake workaround: ignore socat waitpid warnings * fix(deps): update module github.com/rootless-containers/rootlesskit/v2 to v2.3.1 * Stop skipping machine volume test on Hyper-V * cleanup: add new --stopped-only option * fix races in the HTTP attach API * cirrus: skip windows/macos machine task on RHEL branches * Update module github.com/containers/gvisor-tap-vsock to v0.7.5 * run: fix 
detach passthrough and --rmi * podman run: ignore image rm error * Add support for AddHost in quadlet .pod and .container * [CI:DOCS] Update dependency golangci/golangci-lint to v1.60.3 * update github.com/vishvananda/netlink to v1.3.0 * build: Update gvisor-tap-vsock to 0.7.5 * Quote systemd DefaultEnvironment Proxy values, as documented in systemd.conf man page: * fix typo in podman-network-create.1.md * Use HTTP path prefix of TCP connections to match Docker context behavior * Makefile: remotesystem: use real podman server, no --url * Update module github.com/openshift/imagebuilder to v1.2.15 * CI: parallel-safe userns test * Update module github.com/onsi/ginkgo/v2 to v2.20.1 * Add support for IP in quadlet .pod files * Specify format to use for referencing fixed bugs. * CI: parallel-safe run system test * Revert "test/e2e: work around for pasta issue" * CI: On vX.Y-rhel branches, ensure that some downstream Jira issue is linked * quadlet: support user mapping in pod unit * Update Release Process * Test new VM build * command is not optional to podman exec * CI: parallel-safe namespaces system test * [CI:DOCS] Update dependency golangci/golangci-lint to v1.60.2 * quadlet: add key CgroupsMode * Fix `podman stop` and `podman run --rmi` * quadlet: set infra name to %s-infra * chore(deps): update dependency setuptools to v73 * [skip-ci] Packit: update targets for propose-downstream * Do not segfault on hard stop * Fix description of :Z to talk about pods * CI: disable ginkgo flake retries * vendor: update go-criu to latest * golangci-lint: make darwin linting happy * golangci-lint: make windows linting happy * test/e2e: remove kernel version check * golangci-lint: remove most skip dirs * set !remote build tags where needed * update golangci-lint to 1.60.1 * test/e2e: rm systemd start test * fix(deps): update module github.com/vbauerster/mpb/v8 to v8.8.1 * podman wait: allow waiting for removal of containers * libpod: remove UpdateContainerStatus() * podman mount: 
fix storage/libpod ctr race * CI: quadlet tests: make parallel-safe * CI: system tests: make random_free_port() parallel-safe * remove trailing comma in example * CI: format test: make parallel-safe * Fix podman-docker.sh under -eu shells (fixes #23628) * docs: update podman-wait man page * libpod: remove duplicated HasVolume() check * podman volume rm --force: fix ABBA deadlock * test/system: fix network cleanup restart test * libpod: do not stop pod on init ctr exit * libpod: simplify WaitForExit() * CI: remove build-time quay check * Fix known_hosts file clogging and remote host id * Update docker.io/library/golang Docker tag to v1.23 * Update dependency setuptools to ~=72.2.0 * Update module github.com/docker/docker to v27.1.2+incompatible * healthcheck system check: reduce raciness * CI: healthcheck system test: make parallel-safe * Validate renovate config in every PR * pkg/machine: Read stderr from ssh-keygen correctly * Fix renovate config syntax error * CI: 080-pause.bats: make parallel-safe * CI: 050-stop.bats: make parallel-safe * Additional potential race condition on os.Readdir * pkg/bindings/containers: handle ignore for stop * remote: fix invalid --cidfile + --ignore * Update/simplify renovate config header comment * Migrate renovate config to latest schema * Fix race condition when listing /dev * docs/podman-systemd: Try to clarify `Exec=` more * libpod: reset state error on init * test/system: pasta_test_do add explicit port check * test/e2e: work around new push warning * vendor: update c/common to latest * stopIfOnlyInfraRemains: log all errors * libpod: do not save expected stop errors in ctr state * libpod: fix broken saveContainerError() * Quadlet: fix filters failure when the search paths are symlinks * readme: replace GPG with PGP * Drop APIv2 CNI configuration * De-duplicate docker-py testing * chore(podmansnoop): explain why crun comm is 3 * libpod: cleanupNetwork() return error * fix(deps): update module golang.org/x/sys to v0.24.0 * 
Reduce python APIv2 test net dependency * Fix not testing registry.conf updates * test/e2e: improve command timeout handling * Update module github.com/onsi/ginkgo/v2 to v2.20.0 * Update module github.com/moby/sys/user to v0.3.0 * Add passwd validate and generate steps * podman container cleanup: ignore common errors * Quadlet - Allow the user to override the default service name * CI: e2e: serialize root containerPort tests * Should not force conversion of manifest type to DockerV2ListMediaType * fix(deps): update module golang.org/x/tools to v0.24.0 * fix(deps): update github.com/containers/common digest to 05b2e1f * CI: mount system test: parallelize * Update module golang.org/x/net to v0.28.0 * Ignore ERROR_SHARING_VIOLATION error on windows * CI: manifest system tests: make parallel-safe * Create volume path before state initialization * vendor: update c/storage * CI: fix broken libkrun test * test/e2e: work around for pasta issue * test/e2e: fix missing exit code checks * Test new CI images * Remove another race condition when mounting containers or images * fix(deps): update github.com/containers/common digest to c0cc6b7 * Change Windows installer MajorUpgrade Schedule * Ignore missing containers when calling GetExternalContainerLists * Remove runc edit to lock to specific version * fix(deps): update module golang.org/x/sys to v0.23.0 * CI: podman-machine: do not use cache registry * CI: completion system test: use safename * Temporarly disable failing Windows Installer CI test * libpod: fix volume copyup with idmap * libpod: avoid hang on errors * Temp. 
disable PM basic Volume ops test * Add libkrun Mac task * Never skip checkout step in release workflow * System tests: leak_test: readable output * fix(deps): update github.com/docker/go-plugins-helpers digest to 45e2431 * vendor: bump c/common * Version: bump to v5.3.0-dev * libpod: inhibit SIGTERM during cleanup() * Tweak versions in register_images.go * fix network cleanup flake in play kube * WIP: Fixes for vendoring Buildah * Add --compat-volumes option to build and farm build * Bump to Buildah v1.37.0 * Quadlet test - Split between success, warning and error cases * libpod: bind ports before network setup * Disable compose-warning-logs if PODMAN_COMPOSE_WARNING_LOGS=false * Use new syntax for selinux options in quadlet * fix(deps): update module github.com/onsi/gomega to v1.34.1 * CI: kube test: fix broken external-storage test * Update dependency setuptools to v72 * Convert additional build context paths on Windows * pkg/api: do not leak config pointers into specgen * Quadlet - Allow the user to set the service name for .pod files * Quadlet tests - allow overriding the expected service name * fix(deps): update module github.com/moby/sys/user to v0.2.0 * fix(deps): update module github.com/vbauerster/mpb/v8 to v8.7.5 * CI: enable root user namespaces * libpod: force rootfs for OCI path with idmap * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.19.1 * Add test steps for automount with multi images * CI: cp tests: use safename * [skip-ci] RPM: podman-iptables.conf only on Fedora * CI: 700-play: fix a leaked non-safename * test: check that kube generate/play restores the userns * test: disable artifacts cache with composefs * test: fix podman pull tests * vendor: bump c/storage * Update module github.com/cyphar/filepath-securejoin to v0.3.1 * Add /run/containers/systemd, ${XDG_RUNTIME_DIR}/containers/systemd quadlet dirs * build: Update gvisor-tap-vsock to 0.7.4 * test/system: fix borken pasta interface name checks * test/system: fix bridge 
host.containers.internal test * api: honor the userns for the infra container * play: handle 'private' as 'auto' * kube: record infra user namespace * infra: user ns annotation higher precedence * specgenutil: record the pod userns in the annotations * kube: invert branches * CI: system log test: use safe names * Update encryption tests to avoid a warning if zstd:chunked is the default * Fix "podman pull and decrypt"/"from local registry" * Use unique image names for the encrypted test images * CI: system tests: instrument to allow failure analysis * Fix outdated comment for the build step win-gvproxy * Add utility to convert VMFile to URL for UNIX sockets * Run codespell on source * fix(deps): update module github.com/docker/docker to v27.1.0+incompatible * chore(deps): update dependency setuptools to ~=71.1.0 * logformatter: tweaks to pass html tidy * More information for podman --remote build and running out of space. * Fix windows installer deleting machine provider config file * Use uploaded .zip for Windows action * pr-should-include-tests: no more CI:DOCS override - Depend on runc unconditionally, not only on SLE 15 (bsc#1239088)
Patchnames
SUSE-SLE-Micro-6.1-292
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for podman",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for podman fixes the following issues:\n\n- CVE-2025-6032: Fixed machine init command failing to verify TLS \n  certificate (bsc#1245320)\n- Fix conditional Requires (remove deprecated sle_version macro)\n- Update to version 5.4.2:\n  \n  * Add release notes for v5.4.2\n  * Fix a potential deadlock during `podman cp`\n  * Improve the file format documentation of podman-import.\n  * Revert \"podman-import only supports gz and tar\"\n  * Bump buildah to v1.39.4\n  * libpod: do not cover idmapped mountpoint\n  * test: Fix runc error message\n  * oci: report empty exec path as ENOENT\n  * test: adapt tests new crun error messages\n  * test: remove duplicate test\n  * cirrus: test only on f41/rawhide\n  * CI: use z1d instance for windows machine testing\n  * New images 2025-03-24\n  * test/e2e: use go net.Dial() ov nc\n  * test: use ncat over nc\n  * New images 2025-03-12\n  * RPM: Add riscv64 to ExclusiveArch-es\n  * Fix HealthCheck log destination, count, and size defaults\n  * Win installer test: hardcode latest GH release ID\n  * Packit: Fix action script for fetching upstream commit\n  * Bump to v5.4.2-dev\n  * Bump to v5.4.1\n  * update gvproxy version to 0.8.4\n  * Update Buildah to v1.39.2\n  * Update release notes for v5.4.1\n  * Fix reporting summed image size for compat endpoint\n  * podman-import only supports gz and tar\n  * quadlet kube: correctly mark unit as failed\n  * pkg/domain/infra/abi/play.go: fix two nilness issues\n  * kube play: don\u0027t print start errors twice\n  * libpod: race in WaitForConditionWithInterval()\n  * libpod: race in WaitForExit() with autoremove\n  * Don\u0027t try to resolve host path if copying to container from stdin.\n  * Use svg for pkginstaller banner\n  * Create quota before _data dir for volumes\n  * Packit: clarify secondary status in CI\n  * Packit/RPM: Display upstream commit SHA in all rpm builds\n  * podman run: fix --pids-limit -1 wrt runc\n  * vendor: update 
github.com/go-jose/go-jose/v3 to v3.0.4\n  * chore(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 [security]\n  * wire up --retry-delay for artifact pull\n  * Revert \"silence false positve from golangci-lint\"\n  * update golangci-lint to v1.64.4\n  * update golangci-lint to v1.64.2\n  * silence false positve from golangci-lint\n  * cmd/podman: refactor Context handling\n  * fix new usetesting lint issue\n  * Packit/Copr: Fix `podman version` in rpm\n  * Remove persist directory when cleaning up Conmon files\n  * Bump to v5.4.1-dev\n  * Bump to v5.4.0\n  * Update release notes for v5.4.0 final\n  * In SQLite state, use defaults for empty-string checks\n  * Bump FreeBSD version to 13.4\n  * docs: add v5.4 to API reference\n  * Update rpm/podman.spec\n  * RPM: set buildOrigin in LDFLAG\n  * RPM: cleanup macro defs\n  * Makefile: escape BUILD_ORIGIN properly\n  * rootless: fix hang on s390x\n  * Set Cirrus DEST_BRANCH appropriately to fix CI\n  * Bump to v5.4.0-dev\n  * Bump to v5.4.0-rc3\n  * Update release notes for v5.4.0-rc3\n  * Add BuildOrigin field to podman info\n  * artifact: only allow single manifest\n  * test/e2e: improve write/removeConf()\n  * Add --noheading to artifact ls\n  * Add --no-trunc to artifact ls\n  * Add type and annotations to artifact add\n  * pkg/api: honor cdi devices from the hostconfig\n  * util: replace Walk with WalkDir\n  * fix(pkg/rootless): avoid memleak during init() contructor.\n  * Add `machine init --playbook`\n  * RPM: include empty check to silence rpmlint\n  * RPM: adjust qemu dependencies\n  * Force use of iptables on Windows WSL\n  * rpm: add attr as dependency for podman-tests\n  * update gvproxy version\n  * [v5.4] Bump Buildah to v1.39.0\n  * podman exec: correctly support detaching\n  * libpod: remove unused ExecStartAndAttach()\n  * [v5.4] Bump c/storage to v1.57.1, c/image v5.34.0, c/common v0.62.0\n  * Move detection of libkrun and intel\n  * Prevent two podman machines running on darwin\n  * Remove 
unnecessary error handling\n  * Remove usused Kind() function\n  * Bump to v5.4.0-dev\n  * Bump to v5.4.0-rc2\n  * Update release notes for v5.4.0-rc2\n  * Safer use of `filepath.EvalSymlinks()` on Windows\n  * error with libkrun on intel-based machines\n  * chore(deps): update dependency pytest to v8.3.4\n  * test/buildah-bud: skip two new problematic tests on remote\n  * Fix podman-restart.service when there are no containers\n  * Avoid upgrading from v5.3.1 on Windows\n  * Clean up after unexpectedly terminated build\n  * system-tests: switch ls with getfattr for selinux tests\n  * vendor latest c/{buildah,common,image,storage}\n  * Makefile: Add validatepr description for \u0027make help\u0027 output\n  * docs: Enhance podman build --secret documentation and add examples\n  * docs: mount.md - idmapped mounts only work for root user\n  * Define, and use, PodmanExitCleanlyWithOptions\n  * Eliminate PodmanSystemdScope\n  * Fix image ID query\n  * Revert \"Use the config digest to compare images loaded/pulled using different methods\"\n  * Update c/image after https://github.com/containers/image/pull/2613\n  * Update expected errors when pulling encrypted images\n  * Eliminate PodmanExtraFiles\n  * Introduce PodmanTestIntegration.PodmanWithOptions\n  * Restructure use of options\n  * Inline PodmanBase into callers\n  * Pass all of PodmanExecOptions to various [mM]akeOptions functions\n  * Turn PodmanAsUserBase into PodmanExecBaseWithOptions\n  * Avoid indirect links through quadlet(5)\n  * do not set the CreateCommand for API users\n  * Add podman manifest rm --ignore\n  * Bump to v5.4.0-dev\n  * Bump to v5.4.0-rc1\n  * fix(deps): update module github.com/containers/gvisor-tap-vsock to v0.8.2\n  * podman artifact\n  * vendor latest c/{common,image,storage}\n  * fix(deps): update module github.com/rootless-containers/rootlesskit/v2 to v2.3.2\n  * cirrus: bump macos machine test timeout\n  * pkg/machine/e2e: improve podman.exe match\n  * pkg/machine/e2e: improve 
\"list machine from all providers\"\n  * Remove JSON tag from UseImageHosts in ContainerConfig\n  * Set network ID if available during container inspect\n  * Stop creating a patch for v5.3.1 upgrades on windows\n  * compose docs: fix typo\n  * Document kube-play CDI support\n  * docs: Add quadlet debug method systemd-analyze\n  * Replace instances of PodmanExitCleanly in play_kube_test.go\n  * docs: add \u0027initialized\u0027 state to status filters\n  * fix(deps): update module google.golang.org/protobuf to v1.36.3\n  * Switch all calls of assert.Nil to assert.NoError\n  * Add --no-hostname option\n  * Fix unescaping octal escape sequence in values of Quadlet unit files\n  * Remove `.exe` suffix if any\n  * Add kube play support for CDI resource allocation\n  * add support to `;` for comments in unit files as per systemd documentation\n  * Use PodmanExitCleanly in attach_test.go\n  * Introduce PodmanTestIntegration.PodmanExitCleanly\n  * chore(deps): update dependency setuptools to ~=75.8.0\n  * Add newer c/i to support artifacts\n  * fix(deps): update module golang.org/x/tools to v0.29.0\n  * fix(deps): update module golang.org/x/net to v0.34.0\n  * specgenutil: Fix parsing of mount option ptmxmode\n  * namespaces: allow configuring keep-id userns size\n  * Update description for completion\n  * Quadlet - make sure the /etc/containers/systemd/users is traversed in rootless\n  * Document .build for Image .container option\n  * fix(deps): update module github.com/vbauerster/mpb/v8 to v8.9.1\n  * New VM Images\n  * update golangci/golangci-lint to v1.63.4\n  * fix(deps): update module google.golang.org/protobuf to v1.36.2\n  * chore(deps): update dependency setuptools to ~=75.7.0\n  * Fixing ~/.ssh/identity handling\n  * vendor latest c/common from main\n  * fix(deps): update module github.com/shirou/gopsutil/v4 to v4.24.12\n  * fix(deps): update module github.com/opencontainers/runc to v1.2.4\n  * specgen: fix comment\n  * Add hint to restart Podman machine to 
really accept new certificates\n  * fix(deps): update module github.com/onsi/gomega to v1.36.2\n  * fix(deps): update module github.com/moby/term to v0.5.2\n  * Pass container hostname to netavark\n  * Fix slirp4netns typo in podman-network.1.md\n  * Add support to ShmSize in Pods with Quadlet\n  * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.22.1\n  * chore(deps): update module golang.org/x/crypto to v0.31.0 [security]\n  * fix(deps): update module golang.org/x/net to v0.33.0 [security]\n  * Kube volumes can not container _\n  * fix(deps): update module github.com/docker/docker to v27.4.1+incompatible\n  * test/system: fix \"podman play --build private registry\" error\n  * test/system: CopyDirectory() do not chown files\n  * test/system: remove system dial-stdio test\n  * shell completion: respect CONTAINERS_REGISTRIES_CONF\n  * fix(deps): update module github.com/cpuguy83/go-md2man/v2 to v2.0.6\n  * When generating host volumes for k8s, force to lowercase\n  * test: enable newly added test\n  * vfkit:\u202fUse 0.6.0 binary\n  * gvproxy:\u202fUse 0.8.1 binary\n  * systemd: simplify parser and fix infinite loop\n  * Revert \"win-installer test: revert to v5.3.0\"\n  * Avoid rebooting twice when installing WSL\n  * Avoid rebooting on Windows when upgrading and WSL isn\u0027t installed\n  * Add win installer patch\n  * Bump WiX toolset version to 5.0.2\n  * test/e2e: SkipOnOSVersion() add reason field\n  * test/e2e: remove outdated SkipOnOSVersion() calls\n  * Update VM images\n  * fix(deps): update module golang.org/x/crypto to v0.31.0 [security]\n  * fix(deps): update module github.com/crc-org/crc/v2 to v2.45.0\n  * fix(deps): update module github.com/opencontainers/runc to v1.2.3\n  * quadlet: fix inter-dependency of containers in `Network=`\n  * Add man pages to Mac installer\n  * fix(deps): update module github.com/onsi/gomega to v1.36.1\n  * fix(deps): update module github.com/docker/docker to v27.4.0+incompatible\n  * Fix device limitations in 
podman-remote update on remote systems\n  * Use latest version of VS BuildTools\n  * bin/docker: fix broken escaping and variable substitution\n  * manifest annotate: connect IndexAnnotations\n  * Fix panic in `manifest annotate --index`\n  * fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.5\n  * fix(deps): update module golang.org/x/net to v0.32.0\n  * fix(deps): update module golang.org/x/tools to v0.28.0\n  * fix(deps): update module golang.org/x/crypto to v0.30.0\n  * fix(deps): update module golang.org/x/sys to v0.28.0\n  * Fix overwriting of LinuxResources structure in the database\n  * api: replace inspectID with name\n  * fix(deps): update github.com/opencontainers/runtime-tools digest to f7e3563\n  * Replace ExclusiveArch with ifarch\n  * fix(deps): update module github.com/containers/gvisor-tap-vsock to v0.8.1\n  * Improve platform specific URL handling in `podman compose` for machines\n  * Fix `podman info` with multiple imagestores\n  * Switch to fixed common\n  * refact: use uptime.minutes instead of uptime.seconds\n  * fix(deps): update module github.com/shirou/gopsutil/v4 to v4.24.11\n  * fix(deps): update golang.org/x/exp digest to 2d47ceb\n  * fix(deps): update github.com/godbus/dbus/v5 digest to c266b19\n  * Cover Unix socket in inpect test on Windows platform\n  * Add a test for forcing compression and v2s2 format\n  * fix(deps): update module github.com/crc-org/vfkit to v0.6.0\n  * Package podman-machine on supported architectures only.\n  * Fixes missing binary in systemd.\n  * stats: ignore errors from containers without cgroups\n  * api: Error checking before NULL dereference\n  * [skip-ci] Packit/copr: switch to fedora-all\n  * make remotesystem: fail early if serial tests fail\n  * spec: clamp rlimits without CAP_SYS_RESOURCE\n  * Clarify the reason for skip_if_remote\n  * Sanity-check that the test is really using partial pulls\n  * Fix apparent typos in zstd:chunked tests\n  * Fix compilation issues in QEMU machine 
files (Windows platform)\n  * Mount volumes before copying into a container\n  * Revert \"libpod: remove shutdown.Unregister()\"\n  * docs: improve documentation for internal networks\n  * docs: document bridge mode option\n  * [skip-ci] Packit: remove epel and re-enable c9s\n  * chore(deps): update dependency golangci/golangci-lint to v1.62.2\n  * vendor: update containers/common\n  * OWNERS: remove edsantiago\n  * fix(deps): update module github.com/onsi/gomega to v1.36.0\n  * fix(deps): update github.com/containers/common digest to ceceb40\n  * refact: EventerType and improve consistency\n  * Add --hosts-file flag to container and pod commands\n  * Add nohosts option to /build and /libpod/build\n  * fix(deps): update module github.com/stretchr/testify to v1.10.0\n  * Quadlet - Use = sign when setting the pull arg for build\n  * win-installer test: revert to v5.3.0\n  * fix(deps): update module github.com/crc-org/crc/v2 to v2.44.0\n  * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.22.0\n  * chore(deps): update dependency setuptools to ~=75.6.0\n  * Update windows installer tests\n  * Windows: don\u0027t install WSL/HyperV on update\n  * Switch to non-installing WSL by default\n  * fix(deps): update github.com/containers/buildah digest to 52437ef\n  * Configure HealthCheck with `podman update`\n  * CI: --image-volume test: robustify\n  * docs: add 5.3 as Reference version\n  * Bump CI VMs\n  * libpod: pass down NoPivotRoot to Buildah\n  * vendor: bump containers/buildah\n  * fix(deps): update module github.com/opencontainers/runc to v1.2.2\n  * Overlay mounts supersede image volumes \u0026 volumes-from\n  * libpod: addHosts() prevent nil deref\n  * only read ssh_config for non machine connections\n  * ssh_config: allow IdentityFile file with tilde\n  * ssh_config: do not overwrite values from config file\n  * connection: ignore errors when parsing ssh_config\n  * Bump bundled krunkit to 0.1.4\n  * fix(deps): update module google.golang.org/protobuf to 
v1.35.2\n  * add support for driver-specific options during container creation\n  * doc: fix words repetitions\n  * Update release notes on main for v5.3.0\n  * chore(deps): update dependency setuptools to ~=75.5.0\n  * CI: system tests: parallelize 010\n  * fix podman machine init --ignition-path\n  * vendor: update containers/common\n  * spec: clamp rlimits in a userns\n  * Add subpath support to volumes in `--mount` option\n  * refactor: simplify LinuxNS type definition and String method\n  * test/e2e: remove FIPS test\n  * vendor containers projects to tagged versions\n  * fix(deps): update module github.com/moby/sys/capability to v0.4.0\n  * chore(deps): update dependency setuptools to ~=75.4.0\n  * system tests: safer install_kube_template()\n  * Buildah treadmill tweaks\n  * update golangci-lint to v1.62.0\n  * fix(deps): update module golang.org/x/net to v0.31.0\n  * fix(deps): update module golang.org/x/tools to v0.27.0\n  * Revert \"Reapply \"CI: test nftables driver on fedora\"\"\n  * Yet another bump, f41 with fixed kernel\n  * test: add zstd:chunked system tests\n  * pkg/machine/e2e: remove dead code\n  * fix(deps): update module golang.org/x/crypto to v0.29.0\n  * kube SIGINT system test: fix race in timeout handling\n  * New `system connection add` tests\n  * Update codespell to v2.3.0\n  * Avoid printing PR text to stdout in system test\n  * Exclude symlink from pre-commit end-of-file-fixer\n  * api: Add error check\n  * [CI:ALL] Bump main to v5.4.0-dev\n  * test/buildah-bud: build new inet helper\n  * test/system: add regression test for TZDIR local issue\n  * vendor latest c/{buildah,common,image,storage}\n  * Reapply \"CI: test nftables driver on fedora\"\n  * Revert \"cirrus: test only on f40/rawhide\"\n  * test f41 VMs\n  * AdditionalSupport for SubPath volume mounts\n  * wsl-e2e: Add a test to ensure port 2222 is free with usermode networking\n  * winmake.ps1: Fix the syntax of the function call Win-SSHProxy\n  * volume ls: fix race that 
caused it to fail\n  * gvproxy: Disable port-forwarding on WSL\n  * build: update gvisor-tap-vsock to 0.8.0\n  * podman: update roadmap\n  * Log network creation and removal events in Podman\n  * libpod: journald do not lock thread\n  * Add key to control if a container can get started by its pod\n  * Honor users requests in quadlet files\n  * CI: systests: workaround for parallel podman-stop flake\n  * Fix inconsistent line ending in win-installer project\n  * fix(deps): update module github.com/opencontainers/runc to v1.2.1\n  * Quadlet - support image file based mount in container file\n  * API: container logs flush status code\n  * rework event code to improve API errors\n  * events: remove memory eventer\n  * libpod: log file use Wait() over event API\n  * Makefile: vendor target should always remove toolchain\n  * cirrus: check consitent vendoring in test/tools\n  * test/tools/go.mod: remove toolchain\n  * fix(deps): update module github.com/shirou/gopsutil/v4 to v4.24.10\n  * fix(deps): update module github.com/onsi/gomega to v1.35.1\n  * doc: explain --interactive in more detail\n  * fix(deps): update golang.org/x/exp digest to f66d83c\n  * fix(deps): update github.com/opencontainers/runtime-tools digest to 6c9570a\n  * fix(deps): update github.com/linuxkit/virtsock digest to cb6a20c\n  * add default polling interval to Container.Wait\n  * Instrument cleanup tracer to log weird volume removal flake\n  * make podman-clean-transient.service work as user\n  * Add default remote socket path if empty\n  * Use current user if no user specified\n  * Add support for ssh_config for connection\n  * libpod: use pasta Setup() over Setup2()\n  * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.21.0\n  * fix(deps): update module github.com/onsi/gomega to v1.35.0\n  * logformatter: add cleanup tracer log link\n  * docs: fix broken example\n  * docs: add missing swagger links for the stable branches\n  * readthedocs: build extra formats\n  * pkg/machine/e2e: remove 
debug\n  * fix(docs): Integrate pasta in rootless tutorial\n  * chore(deps): update dependency setuptools to ~=75.3.0\n  * libpod: report cgroups deleted during Stat() call\n  * chore: fix some function names in comment\n  * CI: parallelize 450-interactive system tests\n  * CI: parallelize 520-checkpoint tests\n  * CI: make 070-build.bats use safe image names\n  * test/system: add podman network reload test to distro gating\n  * System tests: clean up unit file leaks\n  * healthcheck: do not leak service on failed stop\n  * healthcheck: do not leak statup service\n  * fix(deps): update module github.com/containers/gvisor-tap-vsock to v0.8.0\n  * Add Startup HealthCheck configuration to the podman inspect\n  * buildah version display: use progress()\n  * new showrun() for displaying and running shell commands\n  * Buildah treadmill: redo the .cirrus.yml tweaks\n  * Buildah treadmill: more allow-empty options\n  * Buildah treadmill: improve test-failure instructions\n  * Buildah treadmill: improve wording in test-fail instructions\n  * doc: Remove whitespace before comma\n  * fix(deps): update module github.com/checkpoint-restore/checkpointctl to v1.3.0\n  * ps: fix display of exposed ports\n  * ps: do not loop over port protocol\n  * readme: Add reference to pasta in the readme\n  * test/system: Fix spurious \"duplicate tests\" failures in pasta tests\n  * Improve \"podman load - from URL\"\n  * Try to repair c/storage after removing an additional image store\n  * Use the config digest to compare images loaded/pulled using different methods\n  * Simplify the additional store test\n  * Fix the store choice in \"podman pull image with additional store\"\n  * Bump to v5.3.0-dev\n  * Bump to v5.3.0-rc1\n  * Set quota on volume root directory, not _data\n  * fix(deps): update module github.com/opencontainers/runc to v1.2.0\n  * test: set soft ulimit\n  * Vagrantfile: Delete\n  * Enable pod restore with crun\n  * vendor: update c/{buildah,common,image,storage}\n  * Fix 
330-corrupt-images.bats in composefs test runs\n  * quadlet: add default network dependencies to all units\n  * quadlet: ensure user units wait for the network\n  * add new podman-user-wait-network-online.service\n  * contrib/systemd: switch user symlink for file symlinks\n  * Makefile: remove some duplication from install.systemd\n  * contrib/systemd: move podman-auto-update units\n  * quadlet: do not reject RemapUsers=keep-id as root\n  * test/e2e: test quadlet with and without --user\n  * CI: e2e: fix checkpoint flake\n  * APIv2 test fix: image history\n  * pasta udp tests: new bytecheck helper\n  * Document packaging process\n  * [skip-ci] RPM: remove dup Provides\n  * Update dependency setuptools to ~=75.2.0\n  * System tests: safer pause-image creation\n  * Update module github.com/opencontainers/selinux to v1.11.1\n  * Added escaping to invoked powershell command for hyperv stubber.\n  * use slices.Clone instead of assignment\n  * libpod API: only return exit code without conditions\n  * Housekeeping: remove duplicates from success_task\n  * Thorough overhaul of CONTRIBUTING doc.\n  * api: Replace close function in condition body\n  * test/e2e: fix default signal exit code test\n  * Test new VM build\n  * CI: fix changing-rootFsSize flake\n  * scp: add option types\n  * Unlock mutex before returning from function\n  * Note in the README that we are moving to timed releases\n  * cirrus: let tar extract figure out the compression\n  * Make error messages more descriptive\n  * Mention containers.conf settings for podman machine commands\n  * [skip-ci] Packit: re-enable CentOS Stream 10/Fedora ELN teasks\"\n  * cmd: use logrus to print error\n  * podman: do not set rlimits to the default value\n  * spec: always specify default rlimits\n  * vendor: update containers/common\n  * Note in the README that we are moving to timed releases\n  * Revert \"CI: test nftables driver on fedora\"\n  * cirrus: use zstd over bzip2 for repo archive\n  * cirrus: use shared 
repo_prep/repo_artifacts scripts\n  * cirrus: speed up postbuild\n  * cirrus: change alt arch task to only compile binaries\n  * cirrus: run make with parallel jobs where useful\n  * Makefile: allow man-page-check to be run in parallel\n  * cirrus: use fastvm for builds\n  * test/e2e: skip some Containerized checkpoint tests\n  * test: update timezone checks\n  * cirrus: update CI images\n  * test/e2e: try debug potential pasta issue\n  * CI: quadlet system tests: use airgapped testimage\n  * Allow removing implicit quadlet systemd dependencies\n  * fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.4\n  * libpod API: make wait endpoint better against rm races\n  * podman-remote run: improve how we get the exit code\n  * [skip-ci] Packit: constrain koji and bodhi jobs to fedora package to avoid dupes\n  * 055-rm test: clean up a test, and document\n  * CI: remove skips for libkrun\n  * Bump bundled krunkit to 0.1.3\n  * fix(deps): update module google.golang.org/protobuf to v1.35.0\n  * fix(deps): update module golang.org/x/net to v0.30.0\n  * server: fix url parsing in info\n  * fix(deps): update module golang.org/x/tools to v0.26.0\n  * Makefile: fix ginkgo FOCUS option\n  * fix(deps): update module golang.org/x/crypto to v0.28.0\n  * podman-systemd.unit.5: adjust example options\n  * docs: prefer --network to --net\n  * fix(deps): update module golang.org/x/term to v0.25.0\n  * fix(deps): update module github.com/mattn/go-sqlite3 to v1.14.24\n  * fix(deps): update module golang.org/x/sys to v0.26.0\n  * OWNERS file audit and update\n  * Exposed ports are only included when not --net=host\n  * libpod: hasCurrentUserMapped checks for gid too\n  * [CI:DOCS] Document TESTFLAGS in test README file\n  * Validate the bind-propagation option to `--mount`\n  * Fix typo in secret inspect examples\n  * Mention `no_hosts` and `base_hosts_file` configs in CLI option docs\n  * Fixes for vendoring Buildah\n  * vendor: update buildah to latest\n  * Makefile 
- silence skipped tests when focusing on a file\n  * vendor: update to latest c/common\n  * Quadlet - prefer \"param val\" over \"param=val\" to allow env expansion\n  * System tests: sdnotify: wait for socket file creation\n  * Switch to moby/sys/capability\n  * platformInspectContainerHostConfig: rm dead code\n  * CI: require and test CI_DESIRED_NETWORK on RHEL\n  * Add ExposedPorts to Inspect\u0027s ContainerConfig\n  * fix(deps): update golang.org/x/exp digest to 701f63a\n  * quadlet: allow variables in PublishPort\n  * fix(deps): update module github.com/shirou/gopsutil/v4 to v4.24.9\n  * fix(deps): update github.com/godbus/dbus/v5 digest to a817f3c\n  * Document that zstd:chunked is downgraded to zstd when encrypting\n  * fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.3\n  * chore(deps): update dependency ubuntu to v24\n  * rpm: do not load iptables modules on f41+\n  * adding docs for network-cmd-path\n  * Include exposed ports in inspect output when net=host\n  * feat(libpod): support kube play tar content-type (#24015)\n  * podman mount: some better error wrapping\n  * podman mount: ignore ErrLayerUnknown\n  * Quadlet - make sure the order of the UnitsDir is deterministic\n  * packit: disable Centos Stream/fedora ELN teasks\n  * libpod: remove shutdown.Unregister()\n  * libpod: rework shutdown handler flow\n  * libpod: ensure we are not killed during netns creation\n  * Update module github.com/moby/sys/capability to v0.3.0\n  * Update documentation of `--no-hosts`, `--hostname`, and `--name` CLI options\n  * Update documentation of `--add-host` CLI option\n  * System tests: set a default XDG_RUNTIME_DIR\n  * Modify machine \"Remove machine\" test\n  * CORS system test: clean up\n  * Add --health-max-log-count, --health-max-log-size, --health-log-destination flags\n  * troubleshooting: adjust home path in tip 44\n  * test/system: For pasta port forwarding tests don\u0027t bind socat server\n  * Update connection on removal\n  * 
Simplify `RemoveConnections`\n  * Move `DefaultMachineName` to `pkg/machine/define`\n  * vendor: update containers/image\n  * vendor: update containers/storage\n  * CI: skip the flaking quadlet test\n  * CI: make systemd tests parallel-safe (*)\n  * CI: run and collect cleanup tracer logs\n  * add epbf program to trace podman cleanup errors\n  * CI: parallelize logs test as much as possible\n  * CI: format test: use local registry if available\n  * CI: make 700-play parallel-safe\n  * docs: Fix missing negation\n  * bin/docker support warning message suppression from user config dir\n  * Update module github.com/docker/docker to v27.3.1+incompatible\n  * Quadlet - add full support for Symlinks\n  * libpod: setupNetNS() correctly mount netns\n  * vendor latest c/common\n  * docs: remove usage of deprecated `--storage`\n  * Update module github.com/docker/docker to v27.3.0+incompatible\n  * CI: Quadlet rootfs test: use container image as rootfs\n  * CI: system test registry: use --net=host\n  * CI: rm system test: bump grace period\n  * CI: system tests: minor documentation on parallel\n  * fix typo in error message Fixes: containers/podman#24001\n  * CI: system tests: always create pause image\n  * CI: quadlet system test: be more forgiving\n  * vendor latest c/common\n  * CI: make 200-pod parallel-safe\n  * allow exposed sctp ports\n  * test/e2e: add netns leak check\n  * test/system: netns leak check for rootless as well\n  * test/system: Improve TODO comments on IPv6 pasta custom DNS forward test\n  * test/system: Clarify \"Local forwarder\" pasta tests\n  * test/system: Simplify testing for nameserver connectivity\n  * test/system: Consolidate \"External resolver\" pasta tests\n  * test/system: Move test for default forwarder into its own case\n  * CI: make 090-events parallel-safe\n  * Misc minor test fixes\n  * Add network namespace leak check\n  * Add workaround for buildah parallel bug\n  * registry: lock start attempts\n  * Update system test template and 
README\n  * bats log: differentiate parallel tests from sequential\n  * ci: bump system tests to fastvm\n  * clean_setup: create pause image\n  * CI: make 012-manifest parallel-safe\n  * podman-manifest-remove: update docs and help output\n  * test/system: remove wait workaround\n  * wait: fix handling of multiple conditions with exited\n  * Match output of Compat Top API to Docker\n  * system test parallelization: enable two-pass approach\n  * New VMs: test crun 1.17\n  * libpod: hides env secrets from container inspect\n  * CI: e2e: workaround for events out-of-sequence flake\n  * update golangci-lint to 1.61.0\n  * libpod: convert owner IDs only with :idmap\n  * Podman CLI --add-host with multiple host for a single IP\n  * Quadlet - Split getUnitDirs to small functions\n  * fix(deps): update module github.com/cpuguy83/go-md2man/v2 to v2.0.5\n  * chore(deps): update dependency setuptools to ~=75.1.0\n  * Fxi typo in cache-ttl.md\n  * Get WSL disk as an OCI artifact\n  * CI: make 260-sdnotify parallel-safe\n  * quadlet: do not log ENOENT errors\n  * pkg/specgen: allow pasta when running inside userns\n  * troubleshooting: add tip about the user containers\n  * chore(deps): update dependency setuptools to v75\n  * Convert windows paths in volume arg of the build command\n  * Improve error when starting multiple machines\n  * fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.2\n  * Minor typo noticed when reading podman man page\n  * Remove `RemoveFilesAndConnections`\n  * Add `GetAllMachinesAndRootfulness`\n  * rewrite typo osascript\n  * typo\n  * fix(deps): update module github.com/docker/docker to v27.2.1+incompatible\n  * Add radio buttons to select WSL or Hyper-V in windows setup.exe\n  * [skip-ci] Packit: split out ELN jobs and reuse fedora downstream targets\n  * [skip-ci] Packit: Enable sidetags for bodhi updates\n  * vendor: update c/common\n  * CI: make 710-kube parallel-safe\n  * CI: mark 320-system-df *NOT* parallel safe\n  * Add 
kube play support for image volume source\n  * refactor: add sshClient function\n  * fix(deps): update module golang.org/x/tools to v0.25.0\n  * CI: make 505-pasta parallel safe\n  * CI: make 020-tag parallel-safe\n  * CI: make 410-selinux parallel-safe\n  * Bump VMs. ShellCheck is now built-in\n  * troubleshooting: add tip about auto, keep-id, nomap\n  * libpod: make use of new pasta option from c/common\n  * vendor latest c/common\n  * podman images: sort repository with tags\n  * Remove containers/common/pkg/config from pkg/util\n  * fix(deps): update module golang.org/x/net to v0.29.0\n  * fix(deps): update module github.com/mattn/go-sqlite3 to v1.14.23\n  * fix(deps): update module golang.org/x/crypto to v0.27.0\n  * Fix CI\n  * Detect and fix typos using codespell\n  * Fix typo: replace buildin with built-in\n  * Add codespell config, pre-commit definition, and move options from Makefile\n  * prune: support clearing build cache using CleanCacheMount\n  * test/e2e: fix network prune flake\n  * Add support for Job to kube generate \u0026 play\n  * Add podman-rootless.7 man page\n  * Add DNS, DNSOption and DNSSearch to quadlet pod\n  * podman.1.md: improve policy.json section\n  * e2e: flake fix: SIGPIPE in hook test\n  * libpod: fix rootless cgroup path with --cgroup-parent\n  * vendor: update c/storage\n  * CI: make 055-rm parallel-safe\n  * CI: make 130-kill parallel-safe\n  * CI: make 125-import parallel-safe\n  * CI: make 110-history parallel-safe\n  * CI: system tests: parallelize low-hanging fruit\n  * Add disclaimer to `podman machine info` manpage.\n  * man pages: refactor two more options\n  * update github.com/opencontainers/runc to v1.2.0-rc.3\n  * update go.etcd.io/bbolt to v1.3.11\n  * update github.com/onsi/{ginkgo,gomega}\n  * Update module github.com/shirou/gopsutil to v4\n  * packit: update fedora and epel targets\n  * bump go to 1.22\n  * cirrus: test only on f40/rawhide\n  * cirrus: remove CI_DESIRED_NETWORK reference\n  * cirrus: prebuild 
use f40 for extra tests\n  * chore(deps): update dependency setuptools to ~=74.1.0\n  * libpod: fix HostConfig.Devices output from \u0027podman inspect\u0027 on FreeBSD\n  * fix(deps): update golang.org/x/exp digest to 9b4947d\n  * Implement publishing API UNIX socket on Windows platforms\n  * Vendor c/common:8483ef6022b4\n  * quadlet: support container network reusing\n  * docs: update read the docs changes\n  * CI: parallel-safe network system test\n  * Quadlet - Support multiple image tags in .build files\n  * fix(deps): update module github.com/vbauerster/mpb/v8 to v8.8.3\n  * cirrus: remove _bail_if_test_can_be_skipped\n  * cirrus: move renovate check into validate\n  * cirrus: remove 3rd party connectivity check\n  * cirrus: remove cross jobs for aarch64 and x86_64\n  * cirrus: do not upload alt arch cross artifacts\n  * cirrus: remove ginkgo-e2e.json artifact\n  * cirrus: fix default timeouts\n  * github: remove fcos-podman-next-build-prepush\n  * Clarify podman machine volume mounting behavior under WSL\n  * machine: Add -all-providers flag to machine list\n  * Create a podman-troubleshooting man page\n  * chore(deps): update dependency setuptools to v74\n  * fix(deps): update module github.com/docker/docker to v27.2.0+incompatible\n  * Fix an improperly ignored error in SQLite\n  * CI: flake workaround: ignore socat waitpid warnings\n  * fix(deps): update module github.com/rootless-containers/rootlesskit/v2 to v2.3.1\n  * Stop skipping machine volume test on Hyper-V\n  * cleanup: add new --stopped-only option\n  * fix races in the HTTP attach API\n  * cirrus: skip windows/macos machine task on RHEL branches\n  * Update module github.com/containers/gvisor-tap-vsock to v0.7.5\n  * run: fix detach passthrough and --rmi\n  * podman run: ignore image rm error\n  * Add support for AddHost in quadlet .pod and .container\n  * [CI:DOCS] Update dependency golangci/golangci-lint to v1.60.3\n  * update github.com/vishvananda/netlink to v1.3.0\n  * build: Update 
gvisor-tap-vsock to 0.7.5\n  * Quote systemd DefaultEnvironment Proxy values, as documented in systemd.conf man page:\n  * fix typo in podman-network-create.1.md\n  * Use HTTP path prefix of TCP connections to match Docker context behavior\n  * Makefile: remotesystem: use real podman server, no --url\n  * Update module github.com/openshift/imagebuilder to v1.2.15\n  * CI: parallel-safe userns test\n  * Update module github.com/onsi/ginkgo/v2 to v2.20.1\n  * Add support for IP in quadlet .pod files\n  * Specify format to use for referencing fixed bugs.\n  * CI: parallel-safe run system test\n  * Revert \"test/e2e: work around for pasta issue\"\n  * CI: On vX.Y-rhel branches, ensure that some downstream Jira issue is linked\n  * quadlet: support user mapping in pod unit\n  * Update Release Process\n  * Test new VM build\n  * command is not optional to podman exec\n  * CI: parallel-safe namespaces system test\n  * [CI:DOCS] Update dependency golangci/golangci-lint to v1.60.2\n  * quadlet: add key CgroupsMode\n  * Fix `podman stop` and `podman run --rmi`\n  * quadlet: set infra name to %s-infra\n  * chore(deps): update dependency setuptools to v73\n  * [skip-ci] Packit: update targets for propose-downstream\n  * Do not segfault on hard stop\n  * Fix description of :Z to talk about pods\n  * CI: disable ginkgo flake retries\n  * vendor: update go-criu to latest\n  * golangci-lint: make darwin linting happy\n  * golangci-lint: make windows linting happy\n  * test/e2e: remove kernel version check\n  * golangci-lint: remove most skip dirs\n  * set !remote build tags where needed\n  * update golangci-lint to 1.60.1\n  * test/e2e: rm systemd start test\n  * fix(deps): update module github.com/vbauerster/mpb/v8 to v8.8.1\n  * podman wait: allow waiting for removal of containers\n  * libpod: remove UpdateContainerStatus()\n  * podman mount: fix storage/libpod ctr race\n  * CI: quadlet tests: make parallel-safe\n  * CI: system tests: make random_free_port() parallel-safe\n  * 
remove trailing comma in example\n  * CI: format test: make parallel-safe\n  * Fix podman-docker.sh under -eu shells (fixes #23628)\n  * docs: update podman-wait man page\n  * libpod: remove duplicated HasVolume() check\n  * podman volume rm --force: fix ABBA deadlock\n  * test/system: fix network cleanup restart test\n  * libpod: do not stop pod on init ctr exit\n  * libpod: simplify WaitForExit()\n  * CI: remove build-time quay check\n  * Fix known_hosts file clogging and remote host id\n  * Update docker.io/library/golang Docker tag to v1.23\n  * Update dependency setuptools to ~=72.2.0\n  * Update module github.com/docker/docker to v27.1.2+incompatible\n  * healthcheck system check: reduce raciness\n  * CI: healthcheck system test: make parallel-safe\n  * Validate renovate config in every PR\n  * pkg/machine: Read stderr from ssh-keygen correctly\n  * Fix renovate config syntax error\n  * CI: 080-pause.bats: make parallel-safe\n  * CI: 050-stop.bats: make parallel-safe\n  * Additional potential race condition on os.Readdir\n  * pkg/bindings/containers: handle ignore for stop\n  * remote: fix invalid --cidfile + --ignore\n  * Update/simplify renovate config header comment\n  * Migrate renovate config to latest schema\n  * Fix race condition when listing /dev\n  * docs/podman-systemd: Try to clarify `Exec=` more\n  * libpod: reset state error on init\n  * test/system: pasta_test_do add explicit port check\n  * test/e2e: work around new push warning\n  * vendor: update c/common to latest\n  * stopIfOnlyInfraRemains: log all errors\n  * libpod: do not save expected stop errors in ctr state\n  * libpod: fix broken saveContainerError()\n  * Quadlet: fix filters failure when the search paths are symlinks\n  * readme: replace GPG with PGP\n  * Drop APIv2 CNI configuration\n  * De-duplicate docker-py testing\n  * chore(podmansnoop): explain why crun comm is 3\n  * libpod: cleanupNetwork() return error\n  * fix(deps): update module golang.org/x/sys to v0.24.0\n  * Reduce 
python APIv2 test net dependency\n  * Fix not testing registry.conf updates\n  * test/e2e: improve command timeout handling\n  * Update module github.com/onsi/ginkgo/v2 to v2.20.0\n  * Update module github.com/moby/sys/user to v0.3.0\n  * Add passwd validate and generate steps\n  * podman container cleanup: ignore common errors\n  * Quadlet - Allow the user to override the default service name\n  * CI: e2e: serialize root containerPort tests\n  * Should not force conversion of manifest type to DockerV2ListMediaType\n  * fix(deps): update module golang.org/x/tools to v0.24.0\n  * fix(deps): update github.com/containers/common digest to 05b2e1f\n  * CI: mount system test: parallelize\n  * Update module golang.org/x/net to v0.28.0\n  * Ignore ERROR_SHARING_VIOLATION error on windows\n  * CI: manifest system tests: make parallel-safe\n  * Create volume path before state initialization\n  * vendor: update c/storage\n  * CI: fix broken libkrun test\n  * test/e2e: work around for pasta issue\n  * test/e2e: fix missing exit code checks\n  * Test new CI images\n  * Remove another race condition when mounting containers or images\n  * fix(deps): update github.com/containers/common digest to c0cc6b7\n  * Change Windows installer MajorUpgrade Schedule\n  * Ignore missing containers when calling GetExternalContainerLists\n  * Remove runc edit to lock to specific version\n  * fix(deps): update module golang.org/x/sys to v0.23.0\n  * CI: podman-machine: do not use cache registry\n  * CI: completion system test: use safename\n  * Temporarly disable failing Windows Installer CI test\n  * libpod: fix volume copyup with idmap\n  * libpod: avoid hang on errors\n  * Temp. 
disable PM basic Volume ops test\n  * Add libkrun Mac task\n  * Never skip checkout step in release workflow\n  * System tests: leak_test: readable output\n  * fix(deps): update github.com/docker/go-plugins-helpers digest to 45e2431\n  * vendor: bump c/common\n  * Version: bump to v5.3.0-dev\n  * libpod: inhibit SIGTERM during cleanup()\n  * Tweak versions in register_images.go\n  * fix network cleanup flake in play kube\n  * WIP: Fixes for vendoring Buildah\n  * Add --compat-volumes option to build and farm build\n  * Bump to Buildah v1.37.0\n  * Quadlet test - Split between success, warning and error cases\n  * libpod: bind ports before network setup\n  * Disable compose-warning-logs if PODMAN_COMPOSE_WARNING_LOGS=false\n  * Use new syntax for selinux options in quadlet\n  * fix(deps): update module github.com/onsi/gomega to v1.34.1\n  * CI: kube test: fix broken external-storage test\n  * Update dependency setuptools to v72\n  * Convert additional build context paths on Windows\n  * pkg/api: do not leak config pointers into specgen\n  * Quadlet - Allow the user to set the service name for .pod files\n  * Quadlet tests - allow overriding the expected service name\n  * fix(deps): update module github.com/moby/sys/user to v0.2.0\n  * fix(deps): update module github.com/vbauerster/mpb/v8 to v8.7.5\n  * CI: enable root user namespaces\n  * libpod: force rootfs for OCI path with idmap\n  * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.19.1\n  * Add test steps for automount with multi images\n  * CI: cp tests: use safename\n  * [skip-ci] RPM: podman-iptables.conf only on Fedora\n  * CI: 700-play: fix a leaked non-safename\n  * test: check that kube generate/play restores the userns\n  * test: disable artifacts cache with composefs\n  * test: fix podman pull tests\n  * vendor: bump c/storage\n  * Update module github.com/cyphar/filepath-securejoin to v0.3.1\n  * Add /run/containers/systemd, ${XDG_RUNTIME_DIR}/containers/systemd quadlet dirs\n  * build: Update 
gvisor-tap-vsock to 0.7.4\n  * test/system: fix borken pasta interface name checks\n  * test/system: fix bridge host.containers.internal test\n  * api: honor the userns for the infra container\n  * play: handle \u0027private\u0027 as \u0027auto\u0027\n  * kube: record infra user namespace\n  * infra: user ns annotation higher precedence\n  * specgenutil: record the pod userns in the annotations\n  * kube: invert branches\n  * CI: system log test: use safe names\n  * Update encryption tests to avoid a warning if zstd:chunked is the default\n  * Fix \"podman pull and decrypt\"/\"from local registry\"\n  * Use unique image names for the encrypted test images\n  * CI: system tests: instrument to allow failure analysis\n  * Fix outdated comment for the build step win-gvproxy\n  * Add utility to convert VMFile to URL for UNIX sockets\n  * Run codespell on source\n  * fix(deps): update module github.com/docker/docker to v27.1.0+incompatible\n  * chore(deps): update dependency setuptools to ~=71.1.0\n  * logformatter: tweaks to pass html tidy\n  * More information for podman --remote build and running out of space.\n  * Fix windows installer deleting machine provider config file\n  * Use uploaded .zip for Windows action\n  * pr-should-include-tests: no more CI:DOCS override\n\n- Depend on runc unconditionally, not only on SLE 15 (bsc#1239088)\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-SLE-Micro-6.1-292",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_20805-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2025:20805-1",
        "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202520805-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2025:20805-1",
        "url": "https://lists.suse.com/pipermail/sle-updates/2025-October/042136.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1239088",
        "url": "https://bugzilla.suse.com/1239088"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1242132",
        "url": "https://bugzilla.suse.com/1242132"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1245320",
        "url": "https://bugzilla.suse.com/1245320"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-6032 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-6032/"
      }
    ],
    "title": "Security update for podman",
    "tracking": {
      "current_release_date": "2025-10-01T13:49:25Z",
      "generator": {
        "date": "2025-10-01T13:49:25Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2025:20805-1",
      "initial_release_date": "2025-10-01T13:49:25Z",
      "revision_history": [
        {
          "date": "2025-10-01T13:49:25Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "podman-5.4.2-slfo.1.1_1.1.aarch64",
                "product": {
                  "name": "podman-5.4.2-slfo.1.1_1.1.aarch64",
                  "product_id": "podman-5.4.2-slfo.1.1_1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "podman-remote-5.4.2-slfo.1.1_1.1.aarch64",
                "product": {
                  "name": "podman-remote-5.4.2-slfo.1.1_1.1.aarch64",
                  "product_id": "podman-remote-5.4.2-slfo.1.1_1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "podmansh-5.4.2-slfo.1.1_1.1.aarch64",
                "product": {
                  "name": "podmansh-5.4.2-slfo.1.1_1.1.aarch64",
                  "product_id": "podmansh-5.4.2-slfo.1.1_1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "podman-docker-5.4.2-slfo.1.1_1.1.noarch",
                "product": {
                  "name": "podman-docker-5.4.2-slfo.1.1_1.1.noarch",
                  "product_id": "podman-docker-5.4.2-slfo.1.1_1.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "podman-5.4.2-slfo.1.1_1.1.ppc64le",
                "product": {
                  "name": "podman-5.4.2-slfo.1.1_1.1.ppc64le",
                  "product_id": "podman-5.4.2-slfo.1.1_1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "podman-remote-5.4.2-slfo.1.1_1.1.ppc64le",
                "product": {
                  "name": "podman-remote-5.4.2-slfo.1.1_1.1.ppc64le",
                  "product_id": "podman-remote-5.4.2-slfo.1.1_1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "podmansh-5.4.2-slfo.1.1_1.1.ppc64le",
                "product": {
                  "name": "podmansh-5.4.2-slfo.1.1_1.1.ppc64le",
                  "product_id": "podmansh-5.4.2-slfo.1.1_1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "podman-5.4.2-slfo.1.1_1.1.s390x",
                "product": {
                  "name": "podman-5.4.2-slfo.1.1_1.1.s390x",
                  "product_id": "podman-5.4.2-slfo.1.1_1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "podman-remote-5.4.2-slfo.1.1_1.1.s390x",
                "product": {
                  "name": "podman-remote-5.4.2-slfo.1.1_1.1.s390x",
                  "product_id": "podman-remote-5.4.2-slfo.1.1_1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "podmansh-5.4.2-slfo.1.1_1.1.s390x",
                "product": {
                  "name": "podmansh-5.4.2-slfo.1.1_1.1.s390x",
                  "product_id": "podmansh-5.4.2-slfo.1.1_1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "podman-5.4.2-slfo.1.1_1.1.x86_64",
                "product": {
                  "name": "podman-5.4.2-slfo.1.1_1.1.x86_64",
                  "product_id": "podman-5.4.2-slfo.1.1_1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "podman-remote-5.4.2-slfo.1.1_1.1.x86_64",
                "product": {
                  "name": "podman-remote-5.4.2-slfo.1.1_1.1.x86_64",
                  "product_id": "podman-remote-5.4.2-slfo.1.1_1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "podmansh-5.4.2-slfo.1.1_1.1.x86_64",
                "product": {
                  "name": "podmansh-5.4.2-slfo.1.1_1.1.x86_64",
                  "product_id": "podmansh-5.4.2-slfo.1.1_1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Micro 6.1",
                "product": {
                  "name": "SUSE Linux Micro 6.1",
                  "product_id": "SUSE Linux Micro 6.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sl-micro:6.1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-5.4.2-slfo.1.1_1.1.aarch64 as component of SUSE Linux Micro 6.1",
          "product_id": "SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.aarch64"
        },
        "product_reference": "podman-5.4.2-slfo.1.1_1.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Micro 6.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-5.4.2-slfo.1.1_1.1.ppc64le as component of SUSE Linux Micro 6.1",
          "product_id": "SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.ppc64le"
        },
        "product_reference": "podman-5.4.2-slfo.1.1_1.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Micro 6.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-5.4.2-slfo.1.1_1.1.s390x as component of SUSE Linux Micro 6.1",
          "product_id": "SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.s390x"
        },
        "product_reference": "podman-5.4.2-slfo.1.1_1.1.s390x",
        "relates_to_product_reference": "SUSE Linux Micro 6.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-5.4.2-slfo.1.1_1.1.x86_64 as component of SUSE Linux Micro 6.1",
          "product_id": "SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.x86_64"
        },
        "product_reference": "podman-5.4.2-slfo.1.1_1.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Micro 6.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-docker-5.4.2-slfo.1.1_1.1.noarch as component of SUSE Linux Micro 6.1",
          "product_id": "SUSE Linux Micro 6.1:podman-docker-5.4.2-slfo.1.1_1.1.noarch"
        },
        "product_reference": "podman-docker-5.4.2-slfo.1.1_1.1.noarch",
        "relates_to_product_reference": "SUSE Linux Micro 6.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-remote-5.4.2-slfo.1.1_1.1.aarch64 as component of SUSE Linux Micro 6.1",
          "product_id": "SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.aarch64"
        },
        "product_reference": "podman-remote-5.4.2-slfo.1.1_1.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Micro 6.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-remote-5.4.2-slfo.1.1_1.1.ppc64le as component of SUSE Linux Micro 6.1",
          "product_id": "SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.ppc64le"
        },
        "product_reference": "podman-remote-5.4.2-slfo.1.1_1.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Micro 6.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-remote-5.4.2-slfo.1.1_1.1.s390x as component of SUSE Linux Micro 6.1",
          "product_id": "SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.s390x"
        },
        "product_reference": "podman-remote-5.4.2-slfo.1.1_1.1.s390x",
        "relates_to_product_reference": "SUSE Linux Micro 6.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podman-remote-5.4.2-slfo.1.1_1.1.x86_64 as component of SUSE Linux Micro 6.1",
          "product_id": "SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.x86_64"
        },
        "product_reference": "podman-remote-5.4.2-slfo.1.1_1.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Micro 6.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podmansh-5.4.2-slfo.1.1_1.1.aarch64 as component of SUSE Linux Micro 6.1",
          "product_id": "SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.aarch64"
        },
        "product_reference": "podmansh-5.4.2-slfo.1.1_1.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Micro 6.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podmansh-5.4.2-slfo.1.1_1.1.ppc64le as component of SUSE Linux Micro 6.1",
          "product_id": "SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.ppc64le"
        },
        "product_reference": "podmansh-5.4.2-slfo.1.1_1.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Micro 6.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podmansh-5.4.2-slfo.1.1_1.1.s390x as component of SUSE Linux Micro 6.1",
          "product_id": "SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.s390x"
        },
        "product_reference": "podmansh-5.4.2-slfo.1.1_1.1.s390x",
        "relates_to_product_reference": "SUSE Linux Micro 6.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "podmansh-5.4.2-slfo.1.1_1.1.x86_64 as component of SUSE Linux Micro 6.1",
          "product_id": "SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.x86_64"
        },
        "product_reference": "podmansh-5.4.2-slfo.1.1_1.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Micro 6.1"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-6032",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-6032"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.aarch64",
          "SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.ppc64le",
          "SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.s390x",
          "SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.x86_64",
          "SUSE Linux Micro 6.1:podman-docker-5.4.2-slfo.1.1_1.1.noarch",
          "SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.aarch64",
          "SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.ppc64le",
          "SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.s390x",
          "SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.x86_64",
          "SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.aarch64",
          "SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.ppc64le",
          "SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.s390x",
          "SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-6032",
          "url": "https://www.suse.com/security/cve/CVE-2025-6032"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1245320 for CVE-2025-6032",
          "url": "https://bugzilla.suse.com/1245320"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.aarch64",
            "SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.ppc64le",
            "SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.s390x",
            "SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.x86_64",
            "SUSE Linux Micro 6.1:podman-docker-5.4.2-slfo.1.1_1.1.noarch",
            "SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.aarch64",
            "SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.ppc64le",
            "SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.s390x",
            "SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.x86_64",
            "SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.aarch64",
            "SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.ppc64le",
            "SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.s390x",
            "SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.aarch64",
            "SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.ppc64le",
            "SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.s390x",
            "SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.x86_64",
            "SUSE Linux Micro 6.1:podman-docker-5.4.2-slfo.1.1_1.1.noarch",
            "SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.aarch64",
            "SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.ppc64le",
            "SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.s390x",
            "SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.x86_64",
            "SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.aarch64",
            "SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.ppc64le",
            "SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.s390x",
            "SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-10-01T13:49:25Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-6032"
    }
  ]
}

