Container summary for suse/sle-micro/5.5

SUSE-IU-2024:1603-1

This update for podman fixes the following issues:

• CVE-2024-9676: Fixed symlink traversal vulnerability in the containers/storage library that could cause Denial of Service (DoS) (bsc#1231698)

SUSE-IU-2024:1584-1

This update for podman fixes the following issues:

• CVE-2024-9675: Fixed cache arbitrary directory mount (bsc#1231499).
• CVE-2024-9407: Fixed improper Input Validation in bind-propagation Option of Dockerfile RUN --mount Instruction (bsc#1231208).

• rootless ipv6 containers can't be started (bsc#1214612).

SUSE-IU-2024:1578-1

SUSE-IU-2024:1577-1

SUSE-IU-2024:1563-1

This update for gcc14 fixes the following issues:
This update ships the GNU Compiler Collection GCC 14.2. (jsc#PED-10474)
The compiler runtime libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 13 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP5 and SP6, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc14 compilers use:

• install 'gcc14' or 'gcc14-c++' or one of the other 'gcc14-COMPILER' frontend packages.
• override your Makefile to use CC=gcc14, CXX=g++14 and similar overrides for the other languages.

• Add libquadmath0-devel-gcc14 sub-package to allow installing quadmath.h and SO link without installing the fortran frontend

• Avoid combine spending too much compile-time and memory doing nothing on s390x. [bsc#1188441]
• Remove timezone Recommends from the libstdc++6 package. [bsc#1221601]
• Revert libgccjit dependency change. [bsc#1220724]
• Fix libgccjit-devel dependency, a newer shared library is OK.
• Fix libgccjit dependency, the corresponding compiler isn't required.
• Add cross-X-newlib-devel requires to newlib cross compilers. [bsc#1219031]
• Re-enable AutoReqProv for cross packages but filter files processed via __requires_exclude_from and __provides_exclude_from. [bsc#1219031]
• Package m2rte.so plugin in the gcc14-m2 sub-package rather than in gcc13-devel. [bsc#1210959]
• Require libstdc++6-devel-gcc14 from gcc14-m2 as m2 programs are linked against libstdc++6.

SUSE-IU-2024:1496-1

SUSE-IU-2024:1492-1

This update for bash fixes the following issues:

• Load completion file eveh if a brace expansion is in the command line included (bsc#1227807).

SUSE-IU-2024:1486-1

This update for podman fixes the following issues:

• CVE-2024-9341: Fixed FIPS Crypto-Policy Directory Mounting Issue in containers/common Go Library (bsc#1231230)

This update for elemental-toolkit contains the following fix:

• Update to version 1.1.6: * Run KVM tests on ubuntu-latest * Install qemu in github workflow * Do not return error for efi.ReadLoadOption

SUSE-IU-2024:1462-1

SUSE-IU-2024:1445-1

This update for dracut fixes the following issue:

• Version update, check for presence of legacy rules (bsc#1230330).
• Version update, handle all possible options in `rd.dasd` (bsc#1230110).

This update for e2fsprogs fixes the following issue:

• resize2fs: Check number of group descriptors only if meta_bg is disabled (bsc#1230145).

SUSE-IU-2024:1438-1

This update for expat fixes the following issues:

• CVE-2024-45492: integer overflow in function nextScaffoldPart. (bsc#1229932)
• CVE-2024-45491: integer overflow in dtdCopy. (bsc#1229931)
• CVE-2024-45490: negative length for XML_ParseBuffer not rejected. (bsc#1229930)

This update for runc fixes the following issues:

• Update to runc v1.1.14
• CVE-2024-45310: Fixed an issue where runc can be tricked into creating empty files/directories on host. (bsc#1230092)

This update for util-linux fixes the following issue:

• Skip aarch64 decode path for rest of the architectures (bsc#1229476).

This update for strace fixes the following issue:

• Change the license to the correct LGPL-2.1-or-later (bsc#1228216).

This update for ncurses fixes the following issues:

• Allow the terminal description based on static fallback entries to be freed (bsc#1229028)

This update for pam-config fixes the following issues:

• Improved check for existence of modules (bsc#1227216)

This update for curl fixes the following issue:

• Make special characters in URL work with aws-sigv4 (bsc#1230516).

This update for mdadm fixes the following issues:

• mdadm: define DEV_MD_DIR (bsc#1226413).
• mdadm: refactor ident-name handling (bsc#1226413).
• mdadm: Follow POSIX Portable Character Set (bsc#1226413).
• Detail: remove duplicated code (bsc#1226413).
• mdadm: Fix native --detail --export (bsc#1226413).

This update for logrotate fixes the following issues:

• Backport 'ignoreduplicates' configuration flag (jsc#PED-10366)

This update for glibc fixes the following issue:

• fix memory malloc problem: Initiate tcache shutdown even without allocations (bsc#1228661).

SUSE-IU-2024:1200-1

This update for curl fixes the following issues:

• CVE-2024-8096: OCSP stapling bypass with GnuTLS. (bsc#1230093)

SUSE-IU-2024:1191-1

SUSE-IU-2024:1181-1

This update for glibc fixes the following issue:

• s390x: Fix segfault in wcsncmp (bsc#1228043).

SUSE-IU-2024:1172-1

SUSE-IU-2024:1165-1

This update for dracut fixes the following issues:

• Version update with: * feat(systemd*) include systemd config files from /usr/lib/systemd (bsc#1228398). * fix(convertfs) error in conditional expressions (bsc#1228847).

This update for systemd fixes the following issues:

• CVE-2023-7008: Fixed man-in-the-middle due to unsigned name response in signed zone not refused when DNSSEC=yes (bsc#1218297)

• Unit: drop ProtectClock=yes from systemd-udevd.service (bsc#1226414)
• Don't mention any rpm macros inside comments, even if escaped (bsc#1228091)
• Skip redundant dependencies specified the LSB description that references the file name of the service itself for early boot scripts (bsc#1221479).

SUSE-IU-2024:1157-1

SUSE-IU-2024:1149-1

This update for mozilla-nss fixes the following issues:

• FIPS: Enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).

SUSE-IU-2024:1148-1

This update for glib2 fixes the following issues:

• Fixed a possible use after free regression introduced by CVE-2024-34397 patch (bsc#1224044).

SUSE-IU-2024:1139-1

This update for curl fixes the following issues:
- CVE-2024-7264: Fixed out-of-bounds read in ASN.1 date parser GTime2str() (bsc#1228535)

This update for kernel-firmware fixes the following issues:

• CVE-2023-31315: Fixed validation in a model specific register (MSR) that lead to modification of SMM configuration by malicious program with ring0 access (bsc#1229069)

SUSE-IU-2024:1128-1

This update for selinux-policy fixes the following issues:
Update to version 20230511+git17.e258ac27:

• Fix mkhomedir_helper label to match on sbin (bsc#1229701)

SUSE-IU-2024:1081-1

This update for shadow fixes the following issues:

• CVE-2013-4235: Fixed a race condition when copying and removing directory trees (bsc#916845).

This update for open-vm-tools fixes the following issues:

• There are no new features in the open-vm-tools release (bsc#1227181). This is primarily a maintenance release that addresses a few critical problems, including: - A Github pull request and associated issue has been handled. Please see the Resolved Issues section of the Release Notes - A number of issues flagged by Coverity and ShellCheck have been addressed - A vmtoolsd process hang related to nested logging from an RPC Channel error has been fixed

This update for mozilla-nss fixes the following issues:

• Fixed startup crash of Firefox when using FIPS-mode (bsc#1223724).
• Added 'Provides: nss' so other RPMs that require 'nss' can be installed (jira PED-6358).

• FIPS: added safe memsets (bsc#1222811)
• FIPS: restrict AES-GCM (bsc#1222830)
• FIPS: Updated FIPS approved cipher lists (bsc#1222813, bsc#1222814, bsc#1222821, bsc#1222822, bsc#1224118)
• FIPS: Updated FIPS self tests (bsc#1222807, bsc#1222828, bsc#1222834)
• FIPS: Updated FIPS approved cipher lists (bsc#1222804, bsc#1222826, bsc#1222833, bsc#1224113, bsc#1224115, bsc#1224116)

• Require `sed` for mozilla-nss-sysinit, as setup-nsssysinit.sh depends on it and will create a broken, empty config, if sed is missing (bsc#1227918)

• bmo#1905691 - ChaChaXor to return after the function

• GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.

• add diagnostic assertions for SFTKObject refcount.
• freeing the slot in DeleteCertAndKey if authentication failed
• fix formatting issues.
• Add Firmaprofesional CA Root-A Web to NSS.
• remove invalid acvp fuzz test vectors.
• pad short P-384 and P-521 signatures gtests.
• remove unused FreeBL ECC code.
• pad short P-384 and P-521 signatures.
• be less strict about ECDSA private key length.
• Integrate HACL* P-521.
• Integrate HACL* P-384.
• memory leak in create_objects_from_handles.
• ensure all input is consumed in a few places in mozilla::pkix
• SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
• clean up escape handling
• Use lib::pkix as default validator instead of the old-one
• Need to add high level support for PQ signing.
• Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation
• SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
• Allow for non-full length ecdsa signature when using softoken
• Modification of .taskcluster.yml due to mozlint indent defects
• Implement support for PBMAC1 in PKCS#12
• disable VLA warnings for fuzz builds.
• remove redundant AllocItem implementation.
• add PK11_ReadDistrustAfterAttribute.
• - Clang-formatting of SEC_GetMgfTypeByOidTag update
• Set SEC_ERROR_LIBRARY_FAILURE on self-test failure
• sftk_getParameters(): Fix fallback to default variable after error with configfile.
• Switch to the mozillareleases/image_builder image

• switch from ec_field_GFp to ec_field_plain

• merge pk11_kyberSlotList into pk11_ecSlotList for faster Xyber operations.
• remove ckcapi.
• avoid a potential PK11GenericObject memory leak.
• Remove incomplete ESDH code.
• Decrypt RSA OAEP encrypted messages.
• Fix certutil CRLDP URI code.
• Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys.
• Add ability to encrypt and decrypt CMS messages using ECDH.
• Correct Templates for key agreement in smime/cmsasn.c.
• Moving the decodedCert allocation to NSS.
• Allow developers to speed up repeated local execution of NSS tests that depend on certificates.

• Removing check for message len in ed25519 (bmo#1325335)
• add ed25519 to SECU_ecName2params. (bmo#1884276)
• add EdDSA wycheproof tests. (bmo#1325335)
• nss/lib layer code for EDDSA. (bmo#1325335)
• Adding EdDSA implementation. (bmo#1325335)
• Exporting Certificate Compression types (bmo#1881027)
• Updating ACVP docker to rust 1.74 (bmo#1880857)
• Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335)
• Add NSS_CMSRecipient_IsSupported. (bmo#1877730)

• (CVE-2023-5388) Timing attack against RSA decryption in TLS
• Certificate Compression: enabling the check that the compression was advertised
• Move Windows workers to nss-1/b-win2022-alpha
• Remove Email trust bit from OISTE WISeKey Global Root GC CA
• Replace `distutils.spawn.find_executable` with `shutil.which` within `mach` in `nss`
• Certificate Compression: Updating nss_bogo_shim to support Certificate compression
• TLS Certificate Compression (RFC 8879) Implementation
• Add valgrind annotations to freebl kyber operations for constant-time execution tests
• Set nssckbi version number to 2.66
• Add Telekom Security roots
• Add D-Trust 2022 S/MIME roots
• Remove expired Security Communication RootCA1 root
• move keys to a slot that supports concatenation in PK11_ConcatSymKeys
• remove unmaintained tls-interop tests
• bogo: add support for the -ipv6 and -shim-id shim flags
• bogo: add support for the -curves shim flag and update Kyber expectations
• bogo: adjust expectation for a key usage bit test
• mozpkix: add option to ignore invalid subject alternative names
• Fix selfserv not stripping `publicname:` from -X value
• take ownership of ecckilla shims
• add valgrind annotations to freebl/ec.c
• PR_INADDR_ANY needs PR_htonl before assignment to inet.ip
• Update zlib to 1.3.1

• make Xyber768d00 opt-in by policy
• add libssl support for xyber768d00
• add PK11_ConcatSymKeys
• add Kyber and a PKCS#11 KEM interface to softoken
• add a FreeBL API for Kyber
• part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff
• part 1: add a script for vendoring kyber from pq-crystals repo
• Removing the calls to RSA Blind from loader.*
• fix worker type for level3 mac tasks
• RSA Blind implementation
• Remove DSA selftests
• read KWP testvectors from JSON
• Backed out changeset dcb174139e4f
• Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation
• Wrap CC shell commands in gyp expansions

• Use pypi dependencies for MacOS worker in ./build_gyp.sh
• p7sign: add -a hash and -u certusage (also p7verify cleanups)
• add a defensive check for large ssl_DefSend return values
• Add dependency to the taskcluster script for Darwin
• Upgrade version of the MacOS worker for the CI

• Bump builtins version number.
• Remove Email trust bit from Autoridad de Certificacion Firmaprofesional CIF A62634068 root cert.
• Remove 4 DigiCert (Symantec/Verisign) Root Certificates
• Remove 3 TrustCor Root Certificates from NSS.
• Remove Camerfirma root certificates from NSS.
• Remove old Autoridad de Certificacion Firmaprofesional Certificate.
• Add four Commscope root certificates to NSS.
• Add TrustAsia Global Root CA G3 and G4 root certificates.
• Include P-384 and P-521 Scalar Validation from HACL*
• Include P-256 Scalar Validation from HACL*.
• After the HACL 256 ECC patch, NSS incorrectly encodes 256 ECC without DER wrapping at the softoken level
• Add means to provide library parameters to C_Initialize
• add OSXSAVE and XCR0 tests to AVX2 detection.
• Typo in ssl3_AppendHandshakeNumber
• Introducing input check of ssl3_AppendHandshakeNumber
• Fix Invalid casts in instance.c

• Updated code and commit ID for HACL*
• update ACVP fuzzed test vector: refuzzed with current NSS
• Softoken C_ calls should use system FIPS setting to select NSC_ or FC_ variants
• NSS needs a database tool that can dump the low level representation of the database
• declare string literals using char in pkixnames_tests.cpp
• avoid implicit conversion for ByteString
• update rust version for acvp docker
• Moving the init function of the mpi_ints before clean-up in ec.c
• P-256 ECDH and ECDSA from HACL*
• Add ACVP test vectors to the repository
• Stop relying on std::basic_string
• Transpose the PPC_ABI check from Makefile to gyp

• Update zlib in NSS to 1.3.
• softoken: iterate hashUpdate calls for long inputs.
• regenerate NameConstraints test certificates (bsc#1214980).

• Set nssckbi version number to 2.62
• Add 4 Atos TrustedRoot Root CA certificates to NSS
• Add 4 SSL.com Root CA certificates
• Add Sectigo E46 and R46 Root CA certificates
• Add LAWtrust Root CA2 (4096)
• Remove E-Tugra Certification Authority root
• Remove Camerfirma Chambers of Commerce Root.
• Remove Hongkong Post Root CA 1
• Remove E-Tugra Global Root CA ECC v3 and RSA v3
• Avoid redefining BYTE_ORDER on hppa Linux

• Implementation of the HW support check for ADX instruction
• Removing the support of Curve25519
• Fix comment about the addition of ticketSupportsEarlyData
• Adding args to enable-legacy-db build
• dbtests.sh failure in 'certutil dump keys with explicit default trust flags'
• Initialize flags in slot structures
• Improve the length check of RSA input to avoid heap overflow
• Followup Fixes
• avoid processing unexpected inputs by checking for m_exptmod base sign
• add a limit check on order_k to avoid infinite loop
• Update HACL* to commit 5f6051d2
• add SHA3 to cryptohi and softoken
• HACL SHA3
• Disabling ASM C25519 for A but X86_64

• GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
• clean up escape handling.
• remove redundant AllocItem implementation.
• Disable ASM support for Curve25519.
• Disable ASM support for Curve25519 for all but X86_64.

This update for dracut fixes the following issues:

• Version update: * feat(crypt): force the inclusion of crypttab entries with x-initrd.attach (bsc#1226529) * fix(mdraid): try to assemble the missing raid device (bsc#1226412) * fix(dracut-install): continue parsing if ldd prints 'cannot be preloaded' (bsc#1208690)

This update for container-selinux fixes the following issue:

• Allow iptables_t list directory permissions of container_file_t (bsc#1227442)

This update of various packages delivers 32bit variants to allow running Wine on SLE PackageHub 15 SP6.

This update for runc fixes the following issues:

• Update to runc v1.1.13, changelog is available at https://github.com/opencontainers/runc/releases/tag/v1.1.13
• Fix a performance issue when running lots of containers caused by too many mount notifications (bsc#1214960)

This update for shadow fixes the following issues:

• Fixed not copying of skel files (bsc#1228770)

This update for util-linux fixes the following issues:

• agetty: Prevent login cursor escape (bsc#1194818).
• Document unexpected side effects of lazy destruction (bsc#1159034).
• Don't delete binaries not common for all architectures. Create an util-linux-extra subpackage instead, so users of third party tools can use them (bsc#1222285).
• agetty: Prevent login cursor escape (bsc#1194818).
• Document unexpected side effects of lazy destruction (bsc#1159034).
• Don't delete binaries not common for all architectures. Create an util-linux-extra subpackage instead, so users of third party tools can use them (bsc#1222285).
• agetty: Prevent login cursor escape (bsc#1194818).
• Document unexpected side effects of lazy destruction (bsc#1159034).
• Don't delete binaries not common for all architectures. Create an util-linux-extra subpackage instead, so users of third party tools can use them (bsc#1222285).

This update for openssl-1_1 fixes the following issues:

• CVE-2024-5535: Fixed a buffer overread in function SSL_select_next_proto() with an empty supported client protocols buffer (bsc#1227138)

• Build with no-afalgeng (bsc#1226463)

This update for pam fixes the following issue:

• Prevent cursor escape from the login prompt (bsc#1194818).

SUSE-IU-2024:683-1

SUSE-IU-2024:665-1

SUSE-IU-2024:642-1

This update for oniguruma fixes the following issues:

• CVE-2019-13225: Fixed null-pointer dereference in match_at() in regexec.c (bsc#1141157).

SUSE-IU-2024:624-1

This update for krb5 fixes the following issues:

• CVE-2024-37370: Fixed confidential GSS krb5 wrap tokens with invalid fields were errouneously accepted (bsc#1227186).
• CVE-2024-37371: Fixed invalid memory read when processing message tokens with invalid length fields (bsc#1227187).

This update for xfsprogs fixes the following issue:

• xfs_copy: don't use cached buffer reads until after libxfs_mount (bsc#1227150)

SUSE-IU-2024:600-1

This update for scap-security-guide and openscap provides the SCAP tooling for SLE Micro 5.3, 5.4, 5.5.
This includes shipping openscap dependencies libxmlsec1-1 and libxmlsec1-openssl for SLE Micro.

This update for libndp fixes the following issues:

• CVE-2024-5564: Add a check on the route information option length field. (bsc#1225771)

This update for podman fixes the following issues:

• CVE-2024-6104: Fixed a potential leak of sensitive information on HTTP log file (bsc#1227052).

This update for libxml2 fixes the following issues:

• CVE-2024-34459: Fixed buffer over-read in xmlHTMLPrintFileContext in xmllint.c (bsc#1224282).

This update for elemental-operator1.5, elemental-operator1.5-crds-helm, elemental-operator1.5-helm, operator-image1.5, seedimage-builder1.5 contains the following fixes:
Changes in elemental-operator1.5:

• Update to version 1.5.4: * [BACKPORT] Ensure re-sync is triggered * [BACKPORT] operator: fix ManagedOSVersionChannel sync

• Update to version 1.5.4.

SUSE-IU-2024:567-1

This update for sysconfig fixes the following issues:

• Update to version 0.85.9
• Revert to recommend wicked-service on <= 15.4
• netconfig: remove sed dependency
• netconfig/dns-resolver: remove search limit of 6 domains (bsc#1199093)
• netconfig: cleanup /var/run leftovers (bsc#1194557)
• netconfig: update ntp man page documentation, fix typos
• spec: drop legacy migration (from sle11) and rpm-utils
• netconfig: revert NM default policy change change (bsc#1185882) With the change to the default policy, netconfig with NetworkManager as network.service accepted settings from all services/programs directly instead only from NetworkManager, where plugins/services have to deliver their settings to apply them

SUSE-IU-2024:558-1

SUSE-IU-2024:555-1

This update for gcc13 fixes the following issues:
Update to GCC 13.3 release

• Removed Fiji support from the GCN offload compiler as that is requiring Code Object version 3 which is no longer supported by llvm18.
• Avoid combine spending too much compile-time and memory doing nothing on s390x. [bsc#1188441]
• Make requirement to lld version specific to avoid requiring the meta-package.

SUSE-IU-2024:543-1

This update for jitterentropy fixes the following issues:

• Fixed a stack corruption on s390x: [bsc#1209627] * Output size of the STCKE command on s390x is 16 bytes, compared to 8 bytes of the STCK command. Fix a stack corruption in the s390x version of jent_get_nstime(). Add some more detailed information on the STCKE command.

• add FIPS 140 hints to man page
• simplify the test tool to search for optimal configurations
• fix: jent_loop_shuffle: re-add setting the time that was lost with 3.4.0
• enhancement: add ARM64 assembler code to read high-res timer

This update for podman fixes the following issues:

• Update to version 4.9.5
• CVE-2024-3727: Fixed a flaw that allowed attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks. (bsc#1224122)
• CVE-2024-24786: Fixed an infinite loop in protojson. (bsc#1226136)

This update for openssl-1_1 fixes the following issues:

• CVE-2024-4741: Fixed a use-after-free with SSL_free_buffers. (bsc#1225551)

SUSE-IU-2024:486-1

SUSE-IU-2024:484-1

This update for glibc fixes the following issues:

• CVE-2024-33599: Fixed a stack-based buffer overflow in netgroup cache in nscd (bsc#1223423)
• CVE-2024-33600: Avoid null pointer crashes after notfound response in nscd (bsc#1223424)
• CVE-2024-33600: Do not send missing not-found response in addgetnetgrentX in nscd (bsc#1223424)
• CVE-2024-33601, CVE-2024-33602: Fixed use of two buffers in addgetnetgrentX ( bsc#1223425)
• CVE-2024-33602: Use time_t for return type of addgetnetgrentX (bsc#1223425)

• Avoid creating userspace live patching prologue for _start routine (bsc#1221940)

SUSE-IU-2024:468-1

This update for aaa_base fixes the following issues:

• Fix the typo to set JAVA_BINDIR in the csh variant of the alljava profile script (bsc#1221361)

This update for suse-module-tools fixes the following issues:

• Include unblacklist in initramfs (bsc#1224320)
• regenerate-initrd-posttrans: run update-bootloader --refresh for XEN (bsc#1223278)
• 60-io-scheduler.rules: test for 'scheduler' sysfs attribute (bsc#1216717)

SUSE-IU-2024:467-1

SUSE-IU-2024:464-1

This update for e2fsprogs fixes the following issues:
EA Inode handling fixes:

• ext2fs: avoid re-reading inode multiple times (bsc#1223596)
• e2fsck: fix potential out-of-bounds read in inc_ea_inode_refs() (bsc#1223596)
• e2fsck: add more checks for ea inode consistency (bsc#1223596)
• e2fsck: fix golden output of several tests (bsc#1223596)

This update for openssl-1_1 fixes the following issues:

• CVE-2024-2511: Fixed unconstrained session cache growth in TLSv1.3 (bsc#1222548).

This update for util-linux fixes the following issues:

• Processes not cleaned up after failed SSH session are using up 100% CPU (bsc#1220117)
• lscpu: Add more ARM cores (bsc#1223605)
• Document that chcpu -g is not supported on IBM z/VM (bsc#1218609)

This update for glib2 fixes the following issues:

• CVE-2024-34397: Fixed signal subscription unicast spoofing vulnerability (bsc#1224044).

This update for elemental-operator, elemental-operator-crds-helm, elemental-operator-helm, elemental-operator1.5, elemental-operator1.5-crds-helm, elemental-operator1.5-helm, operator-image, operator-image1.5, seedimage-builder contains the following fixes:
Changes in elemental-operator:

• Update to version 1.4.4: * Added the ability to create a node reset marker for unmanaged hosts

• Update to version 1.4.4

• Update to version 1.5.3: * register: don't send new Disks and Controllers data
• Update to version 1.5.2: * Added the ability to create a node reset marker for unmanaged hosts * seedimage: use ClusterIP Services

• Update to version 1.5.3
• Update to version 1.5.2

SUSE-IU-2024:447-1

SUSE-IU-2024:443-1

This update for SLE-Micro, SLE-Micro-base, SLE-Micro-kvm, SLE-Micro-rt, build-iso, build-iso-base, elemental, elemental-channel-image, elemental-channel1.5-image, elemental-operator1.5, elemental-operator1.5-crds-helm, elemental-operator1.5-helm, elemental-rt-channel-image, elemental-rt-channel1.5-image, elemental-toolkit, operator-image1.5, seedimage-builder, seedimage-builder1.5, systemd-presets-branding-SLE-Micro-for-Rancher fixes the following issues:
Changes in SLE-Micro:

• Update to version 2.0.4: * [v2.0.x] Hostname backports (#1371) * Fix kvm and rt dockerfile arguments * Make sure no variables in /etc/os-release are duplicated * Fix endless reboot on FORCE upgrades (v2.0.x backport) (#1258)

• Update to version 2.0.4: * [v2.0.x] Hostname backports (#1371) * Fix kvm and rt dockerfile arguments * Make sure no variables in /etc/os-release are duplicated

• Update to version 2.0.3: * Fix endless reboot on FORCE upgrades (v2.0.x backport) (#1258)

• Update to version 2.0.4: * [v2.0.x] Hostname backports (#1371) * Fix kvm and rt dockerfile arguments * Make sure no variables in /etc/os-release are duplicated

• Update to version 2.0.3: * Fix endless reboot on FORCE upgrades (v2.0.x backport) (#1258)

• Update to version 2.0.4: * [v2.0.x] Hostname backports (#1371) * Fix kvm and rt dockerfile arguments * Make sure no variables in /etc/os-release are duplicated

• Update to version 2.0.3: * Fix endless reboot on FORCE upgrades (v2.0.x backport) (#1258)

• Update to version 2.0.4: * Fix kvm and rt dockerfile arguments * Make sure no variables in /etc/os-release are duplicated

• Update to version 2.0.3

• Update to version 2.0.4: * Fix kvm and rt dockerfile arguments * Make sure no variables in /etc/os-release are duplicated

• Update to version 2.0.3

• Update to version 2.0.4: * [v2.0.x] Hostname backports (#1371) * Fix kvm and rt dockerfile arguments * Make sure no variables in /etc/os-release are duplicated

• Update to version 2.0.3: * Fix endless reboot on FORCE upgrades (v2.0.x backport) (#1258)

• Adapt Dockerfile to pull explicitly elemental-register instead of the newer 1.5 version of it

• Add v2.0.2 image to channel

• Add v2.0.2 image to channel

• Remove `for Rancher` suffix

• Channel adapted to 'suse/sle-micro' images

• Update to version 1.5.1: * Repurpose v1.5.x branch for SLE Micro 5.5 * Micro rename (#684) * elemental-operator registration cleanups (#689) * Sanitize elemental-operator dependencies (#690) * github actions: add airgap script test * [Airgap] minor: fix debug message * [Airgap] add script tests * Bump docker/setup-buildx-action from 3.1.0 to 3.2.0 * Bump docker/login-action from 3.0.0 to 3.1.0 * Bump docker/build-push-action from 5.2.0 to 5.3.0 * Add extension to seedimage url (#682) * registration: allow dots in machineInventory names * registration: decouple replacing data-labels from sanitizing strings * registration: move sanitize code in sanitizeString() * Fix ManagedOSImage cloudConfig (#671) * New name is elemental-rootfs * Use /run/elemental and elemental- services (#675) * Update github.com/golang/protobuf * Run make vendor * Bump google.golang.org/protobuf from 1.31.0 to 1.33.0 * Bump docker/build-push-action from 5.1.0 to 5.2.0 * [Airgap] fix channel.json extraction (#669) * [Airgap] fix 'channel.image'/'channel.repository' value in 'next steps' (#665) * Align DrainSpec to system-upgrade-controller defaults (#668) * operator/Dockerfile: tag IMAGE_REPO with :latest * seedimage: add tag to IMG_REPO * Dockerfile: SLE_VERSION -> SLEMICRO_VERSION * operator: switch to toolbox for ALP * seedimage: switch labelprefix to com.suse.elemental * seedimage: Switch to toolbox for ALP * Drain nodes by default on upgrade (#660) * [Airgap] fix missing return code value * [Airgap] Use bash test syntax * [Airgap] make the script work with both legacy and newer charts * [Airgap] fix the airgap script

• Update to version 1.5.0: * Enable ManagedOSImage updates (#658) * Review omitempty flag on API json converter * charts: backport changes from Rancher Marketplace chart (#652) * Make snapshotter configurable (#651) * [Airgap] fix the airgap script (#654) * Bump docker/setup-buildx-action from 3.0.0 to 3.1.0 * [Airgap] add support to Hauler in the airgap script (#647) * Fix channel synchronization * Bump docker/metadata-action from 4.1.1 to 5.5.1 * Requeue reconcile loop for ongoing synchronizations * elemental-register: collect OS data for MachineInventories annotations (#642) * Bump go to 1.22 (#643) * Make channel sync more robust (#638) * Makefile/setup-full-cluster: build seedimage-builder image too (#639) * Makefile: fix commit date for local builds (#631) * Requeue after 1 second in case of failures * Recover on syncer pod creation failures * Bump docker/build-push-action from 3.2.0 to 5.1.0 * Bump docker/setup-buildx-action from 2.2.1 to 3.0.0 * Bump golangci/golangci-lint-action from 3 to 4 * Bump github/codeql-action from 2 to 3 * Update system-upgrade-controller test version (#630) * Add dev baseimage build (#619) * Test against k8s v1.27, rancher v2.8.2, and upgrade all test dependendencies (#628) * Use go 1.20 * Use rancher/yip v1.4.10 * Use go.mod ginkgo version * SeedImage builder arguments in wrong order * Use newer xorriso (#624) * Bump codecov/codecov-action from 3 to 4 * Bump docker/login-action from 2.1.0 to 3.0.0 * Bump actions/dependency-review-action from 2 to 4 * Update actions/labeler config * Make linter happy * Bump actions/labeler from 4 to 5 * README: drop legacy docs (#616) * Add dependabot config for actions * Bump github actions * Do not adopt machineinventories undergoing deletion/reset (#605) * Update seedimage build-disk command * Fix inversed reset options (#604) * Print system architecture (#603) * hostname: set the hostname on the newer location too * Charts/Makefile: fix default OS channel repo name (#594) * Add hostname to system-data * Add elemental-seedimage-hooks package (#592) * Restrict package arch to x86_64 and aarch64 * Update copyright year (2024) * Update copyright year (2024) * Change raw SeedImage deploy-command * Add target platform validation test * Add kubebuilder example and validation * Add TargetPlatform to SeedImageSpec * Fix default values in questions.yaml file * Bump golang.org/x/crypto to 0.17.0 * Add disable-boot-entry flag to reset command * Always pull channel image on channel sync * Fix channel sync bug * Avoid repeating package name in summary * Make summary start with a capital letter * Unify all chart files under .obs/charfile * Add warning if both device and device-selector set * Add grub package to seedimage built in OBS (#568) * Fix device-selector logic (#571) * Add missing questions.yaml file * Implement picking dynamic installation device (#561) * Build raw disk images in SeedImage (#557) * charts: fix annotations (#566) * ci: fix SeedImage builder used image * Bump github.com/docker/docker from 20.10.24+incompatible to 24.0.7+incompatible (#560) * Update google.golang.org/grpc to v1.56.3 * Keep old output-name * Add slem4r images in channel (#544) * Bring your own SeedImage builder (#542)

• Update to version 1.4.3: * registration: allow dots in machineInventory names * registration: decouple replacing data-labels from sanitizing strings * registration: move sanitize code in sanitizeString() * V1.4.x fix channel synchronization (#683) * linter: fix copyright dates * Make linter happy

• Update to version 1.4.2: * Fix inversed reset options (#604) * Add hostname to system-data

• Fix default values in questions.yaml file

• ExclusiveArch x86_64 and aarch64 (bsc#1218560)

• Update to version 1.4.1

• Always pull channel image on channel sync
• Fix channel sync bug

• Avoid repeating package name in summary

• Make summary start with a capital letter

• Update to version 1.4.0+git20231129.c7f1dc1: * Add slem4r images in channel (#544) * Unify all chart files under .obs/charfile

• Update to version 1.4.0+git20231127.55a37d4: * Add warning if both device and device-selector set * Fix device-selector logic (#571) * Implement picking dynamic installation device (#561) * Add missing questions.yaml file * charts: fix annotations (#566) * Make sure to not overlap with the already existing channel and use RT for tests * Remove use of images from quay.io * Prevent installing if previous CRDs are pending to be removed * elemental-airgap: allow to just create the channel (#548) * bump go to 1.20 or later * Bump dependencies (#540) * ci: bump k8s and Rancher Manager versions * Use helm/kind-action to install kind * ci: fix action versions used * Disable local plan for elemental-system-agent * Improve error management * Patch already existing versions on channel sync * Improve update events filtering to actually ignore status updates * Add some improvements * Run all syncers in a pod * Fix e2e workflow * elemental-airgap: fix skipping http/https URLs * Use the proper format for command arguments * Prevent recalling bootstrap.sh on 'systemctl restart elemental-system-agent' * elemental-airgap: fix automatic image channel name (#521) * register: add no-toolkit unit tests * register: add os.unmanaged inventory annotation * register: add no-toolkit option * make verify: stay on mockgen v0.2.0 (#523) * elemental-airgap: add support to OS images (#518) * Small refactor to centralize registration config checks * Ensure Elemental registration data includes the registration URL * Remove --debug flag from helm pull * Attempt to use charts from PR project in e2e tests * Publish OBS charts to gh-pages * elemental-airgap: allow to pass dev | staging | stable as argument * elemental-airgap: pick the operator chart as an argument * elemental-airgap: add script to help airgap deployment * Apply a regex on tags to match the same criteria as in OBS * Charts: fix OBS build * Publish all OBS repositories on PRs * Fix repository url * Charts: always use camelCase for values (#507) * Revert not-needed marker fix * Set default spec.config.elemental.reset block for MachineRegistration * Use elemental-register-reset service (#502) * Use OBS PR builds for the e2e tests * Build and publish charts for OBS/IBS artifacts in gh-pages

• Update to version 1.3.2+git20230824.c90c1c8: * Disable service triggers on staging (#498) * Add CAPI cluster role to helm chart (#500) * Charts: sync OBS charts * tests: fix e2e workflow * tests: fix chart workflow * Makefile: add the REGISTRY_URL var * Charts: add registry templating for custom airgap * Charts: add README * Charts: enforce templating on the channel resource * Charts: update rancher annotations * Bump github.com/docker/distribution from 2.8.1+incompatible to 2.8.2+incompatible (#442) * Fixed a typo in the version string for elemental-teal-channel in helm chart (#495) * Implement remote machines reset (#489) * Remove custom default config-dir on installation media * Remove SLE Micro reference from elemental-operator images * Include crds chart in OBS workflow * Update OBS workflow to the new project setup * Make SLE Micro version from image references dynamic (#480) * Recreate service account token secret if missing * Adds ca-certificates and ca-certificates-mozilla in operator image * Adapt .spec file to non-SUSE distributions (#482) * Improve re-registration (#479) * Do not make use of ServiceAccount.Secrets list * Fix elemental managed label value to match backup operator expectations * Make explicit elemental-operator image is under l3 support * Add CONTRIBUTING.md (#472) * Handle mkdir error * Create registration config directory if not exist * Persist registration state * Omit confusing debug message * Fix error formatting * Handle MsgUpdate response on client side * Remove unnecessary MsgUpdate payload. Rely on authentication data instead * Handle sendUpdate error * Do not terminate serveLoop on MsgUpdate * - Check protocol version before sending MsgUpdate - Use MsgUpdate to notify registration update only * Charts: add a new chart to host the pre-hook migration template * Charts: add template checking crds installation * Prevent registration update if MachineInventory is not found * Do not retry registration when on installed system and using randomized TPM seed * Do not retry registration when not on live system * Check for live registration config when no arguments passed * operator: copy cloud-config file not its link (#468) * Update README installation section (#465) * SeedImage: manage updates of builder Pod under deletion * SeedImage: add ResourcesNotCreatedYet Ready condition * SeedImage: reset download URL on Pod deletion * SeedImage: allow the controller full control on configmaps * SeedImage: isolate all the config map logic in a separate function * SeedImage: on retriggerBuild delete owned SeedImage resources * SeedImage: drop redundant set of retriggerBuild * The job was missing a templated name for the serviceaccount to be fully consistent * Update charts/crds/Chart.yaml * Update .obs/chartfile/crds/Chart.yaml * Add upgrade hook * Include channel as part of the installation * Adapt tests and Makefile * Split chart into crds chart and operator chart * websocket/trivial: messages: annotate version of introduction * register client: make linter happy * register client: annotate auth method used for registration * register client: rework getHostMacAddr() * register client: add 'mac' and 'sys-uuid' Plain Auth * register client: set TPM as default authentication method * operator: enable plain auth * operator: add plain auth * elemental api: add fields to support plain authentication * Bump rancher and k8s for e2e tests (#449) * OBS PR workflow: set the right project to disable images repo * Fix OBS PR workflow * goreleaser: fix releases CI (#444) * Chart: add logo and Rancher display-name annotation (#440) * Add channel hook-failed delete policy * Include display name field on ManagedOSVersions * Add ISO type in ManagedOSVersions * SeedImage: add to the github release workflow * Fix template * Include elemental-teal-channel by default on chart install * Merge default command and image in containersSpec * Add tests for containerized base ISO and utilities * Pull iso as a container * SeedImage extended API: drop debug log * SeedImage: extended api doesn't expect the iso name anymore * SeedImage: inject MachineRegistration and date in the built iso name * httpfy: allow to serve single file * SeedImage: pass whole SeedImage reference to fillBuildImagePod * SeedImage: add more seedimage_controller tests * Utils: generalize IsPodOwned func to IsObecjtOwned() and add tests * SeedImage: make the linter happy... * SeedImage: controller logic for the pod cleanup/retrigger * SeedImage: add image timeout and retrigger fields * httpfy: add timeout parameter * Use config map in seedimage pod (#423) * SeedImage: check OwnerReference in controller tests * SeedImage: retrieve MachineRegistration just once * SeedImage: set OwnerReferences * Add seedimage-builder into the OBS workflow * Feat: add CODEOWNERS * OBS: build ssl default certificates in SeedImage build image * Update default values file in OBS * SeedImage: set build image PullPolicy from the operator chart * unit-tests: cover MAC and Used Memory in labels test * unit-tests/trivial: move server.go test to the new server_test.go file * OBS: use SeedImage build image from OBS for the chart * Bump github.com/docker/docker from 20.10.22+incompatible to 20.10.24+incompatible (#410) * Update to go 1.19 (#408) * SeedImage: add Dockerfile for OBS build * httpfy: support automated building * Build elemental-operator image from scratch * Prevent a nil pointer dereference panic error * Fix event filters * Prevent retriggering a reconcile on ownership setup * Do not start error messages with capital letters * Extend unit tests for inventory and selector resources * Adapt unit tests to new condition states * Selector and inventory cleanup * Ensure optimistic locking is set on machine selectors * Adapt info and debug logging for the inventory and selector controllers * Read machine inventory only once on selector reconcile * Sets a validation process for Machine Inventory adoption * Enble cache for MachineInventorySelector resources * SeedImage: update OBS build recipes * SeedImage: busybox base64 decodes with -d only * SeedImage: pass the build image from the operator chart * SeedImage: build image for the builder pod * Add cloud-config support to seedImage (#399) * SeedImage: fix registration yaml name (#394) * operator: ensure elemental finalizers are removed if present (#393) * SeedImage: move sync status with running pod to new func * operator: allow seedimage download from the extended API * SeedImage: add DownloadToken in the Status * operator: return http 401 error on registration auth failure * operator: report error on unrecognized auth websocket connections * operator: drop build-image api (#389) * unit-tests: ensure resources cleanup (#390) * SeedImage: drop finalizer tests * SeedImage: check conditions and return early when needed * SeedImage: add more tests * Adapt tests to drop finalizers * Stop using finalizers if not extrictly needed * operator: add SeedImage CRD (#377) * Prevent MachineInventorySelector from being cached * Set object not found as a debug message * Update logs to not use info with custom depth * operator: use opensuse nginx to serve build-img ISO (#369) * Use variadic arguments in klog instead of slices * operator: register the host IP in MachineInventory annotations (#350) * Unify logging * operator: labels minor improvements (#363) * build-image API: add build job with single pod lifecycle (#362) * Turn MachineInventoryRef into LocalObjectReference (#359) * Remove branch filter on tag events (#361) * Update actions/download-artifact to v3.0.2 * Filter inventory list with a labelSelector and not with a labels map (#358) * Move system-data labels to templating * operator: let build-image API GET to return the image URL (#351) * register client: isolate TPM auth code (#346) * operator: fix label name (#348) * operator: fix MachineInventory search during registration (#342) * operator: always use software UUID as default machine name (#340) * Set default elemental-operator USER * operator: add support to old register clients (#338) * Lints * Update wharfie to 0.5.3 * register client: allow to register against lower version operators (#332) * Replace action engineerd/setup-kind (#328) * Copyright date-range 2022 - 2023 (#327) * Use go 1.18 * operator: expose build-image API (#315) * Fix node-labels regression * Do not store cpu info if not available (#321) * docs: add ref to the official docs in the chart readme (#316) * linter: fix go-header check (#319) * unit-tests: disable parallelization (#312) * Change tar-file layout in elemental-support * Add default config-dir value (#313) * Re-add config-dir install flag (#309) * Return registration errors to client (#301) * Properly sanitize extra system data (#307) * Improve unit tests (#308) * Derive TPM seed from system UUID (#297) * Add disable-boot-entry flag in install structure (#302) * Fetch commit and date from obsinfo file (#300) * operator: add back debug logs for logrus (registration) (#299) * [tpm] Set a random seed if emulated tpm seed is set to -1 (#282) * Include _helmignore file (#295) * Add OBS build repcipes into the repository (#294) * Drop legacy catalog for tests (#291) * Kubebuilder: fix MachineRegistration search during registration (#280) (#293) * Send full system data on registration (#276) * Bump rancher version in e2e tests (#290) * Set default syncTime when not provided (#289) * Remove invalid conditions from objects (#284) * operator: don't try to patch an empty MachineInventory (#274) * Backport minor fixes (#271) * Merge all main logic in one file (#270) * [controller_runtime] add registration protocol version (#266) * Kubebuilder: Remove unused code (#267) * [controller_runtime] operator/registration: switch to Kubebuilder client (#256) * Refactor ManagedOsImage e2e tests (#263) * Add a rate limiter to managedosversionchannel reconciler (#260) * Refactor MachineRegistration e2e tests (#253) * Drop requeuer, not needed anymore (#255) * Improve syncer (#252) * New syncer logic (#245) * Fix make verify (#248) * controller: add Secret name reference to the ServiceAccount (#247) * Kubebuilder: Add 'verify' workflow (#244) * Add remaining controllers (#232) * Kubebuilder: Add machine inventory selector controller (#224) * Kubebuilder: Add remaining API types (#225) * Kubebuilder: Add machine inventory controller (#221) * Kubebuilder: Add machine registration controller (#206) * Kubebuilder: Run new code and generate RBAC (#203) * Kubebuilder: Add make tasks for different tools (#194) * Add kubebuilder API definitions (#184) * Change yaml-marshalling of node-labels file (#287) * Remove yaml typo (#286) * Add helm labels and annotations to all crds (#281) * Set helm labels on CRDs (#277) * Change the helm chart oci reference to be aligned with other elemental images (#268) * Add version commands/flags for all binaries (#262) * Use custom names in upgrade objects (#254) * Several improvements to the support command (#258) * Also trigger Dev rebuild on tag push (#249) * Propagate inventory labels to node on bootstrap plan (#243) * Add codeql + escape user input before processing (#237) * Create dependency-review.yml (#236) * Bump golangci action (#234) * Stop elemental-system-agent when the node is ready (#231) * Fix docker and gorelease jobs (#230) * operator: improve logging of the MachineRegistration controller * operator: move ServiceAccount creation to a separate func * operator: drop duplicated import * operator: enforce ServiceAccount's Secret link * operator: create ServiceAccounts before their Secrets * operator: unit-tests: add coverage for unauthenticatedResponse() (#217) * coverity: make patch status informational (#219) * tests: Add k8s 1.24 and default to rancher 2.6.9 (#220) * tests: use latest url for rancher charts (#218) * Elemental Operator: manage empty config in MachineRegistrations (#213) * Label other objects created by elemental-operator (#216) * Only read yaml files included in the given directories (#215) * Label secrets managed by elemental-operator (#212) * Allow custom config files for elemental-cli (#210) * Collect operator logs after running tests (#204) * Audit and update elemental-operator RBAC ClusterRole (#196) * Add config for e2e tests (#201) * Add OBS workflow to update elemental-operator package (#200) * Add vendor for obs integration (#198) * release: enhance release pipeline (#195) * operator: drop duplicated import of elemental APIs (#199) * Disable CGO under arm for register binaries + restore SBOM (#193) * Revert 'Add sbom to releases and attach to containers' (#191) * Add elemental GlobalRole for Rancher UI (#187) * Add reasons for conditions (#185) * lint: dont overshadow var (#172)

• elemental-register needs lvm2 for running blkdeactivate.

• Update to version 0.6.0+git20220923.ffdff84: * Add v0.6.0 changelog (#182)

• Update to version 0.6.0+git20220923.f022acb: * unit-tests: add support to Secrets in registraion's OnChange() * operator: log the creation of a new registration token * operator: explicitly add Secrets to registration ServiceAccounts * operator: return error when the ServiceAccount has no secrets

• Update to version 0.5.0+git20220922.17d9d21: * support command improvements (#173)

• make elemental-support a sub-package
• disable chart building, was not packaged

• Update to version 0.5.0+git20220912.846c610: * Add sbom to releases and attach to containers (#160) * Use BCI Golang image to build image * register: fix CGO build in Dockerfile * register: build it with CGO (#169) * tests(registration): More unit tests (#167) * Rework client to accept a ClientInterface (#166) * tests(inventory): Add unit tests for inventory methods (#164) * register/operator: drop MachineInventory labels passed from the client * unit-tests: check default machine name * go mod tidy * operator: change default MachineInventory name * Add simple changelog (#158)

• Update to version 0.5.0+git20220902.3d28c5d: * Configure custom smbios data (#157)

• Update to version 0.4.4+git20220902.64f4703: * operator: ensure inventory.Labels is not nil before adding labels

• Update to version 0.4.4+git20220901.75792d6: * Add extra labels with smbios data (#155) * Fix secretname for the apiService (#153) * unit-tests: add websocket coverage * operator: add unit-test for mergeInventoryLabels() * operator/register: drop unused code * operator/register: rework the registration protocol * websocket: add helper functions * register: set a timeout for retrieving the installation config * drop unused labels on bootstrap (#154) * Fix missing cosign and run command (#151) * Enable deploying operator replicas (#150) * register: take control of the registration process * bump github.com/rancher-sandbox/go-tpm * fix linter: cyclomatic complexity of ServeHTTP is 16 * operator: move websocket management logic out of the tpm package * minor: drop duplicated logging * operator/http: check websocket upgrade header in HTTP connections

• Update to version 0.4.3+git20220831.7e58679: * Add image signing to push jobs (#148) * Add local plan to rancher-system-agent to stop elemental-system-agent (#146)

• Update to version 0.4.3+git20220822.f0bd8f4: * log: report elemental installation completion * Fix e2e discovery tests (#138)

• Update to version 0.4.3+git20220812.72971ff: * Backwards compatibility for smbios headers (#137) * Only decode some smbios data (#134) * Drop uneeded files and add extra label (#135) * Split header into 7Kb of data (#133) * Add auto labeler (#125) * Remove default value for flag and expand description (#126) * [chart] only add default-registry if specified (#128) * Store binary artifacts on PR/master (#127) * [tests] fix nginx deploy url (#129) * Bundle support bin with register (#124)

• build elemental-operator without CGO_ENABLED (doesn't need tpm)

• Update to version 0.4.2+git20220805.5b64a77: * Set the proper namespace (#117)

• Update to version 0.4.2+git20220805.485ff21: * Add CAs to docker artifact (#120)

• Update to version 0.4.2+git20220804.76f61f5: * Store all registration data on installation (#116)

• Update to version 0.4.2+git20220803.6d730d3: * Set fixed hostname and make it persistent (#106)

• Update to version 0.4.2+git20220803.f4ba471: * Add 'support' to 'make build' (#111)

• Update to version 0.4.2+git20220803.10d3621: * Add a elemental-support binary (#109)

• Update to version 0.4.2+git20220802.f243498: * Add missing register command to bootstrap (#104) * Couple of tests for config mapstructure (#102)

• Update to version 0.4.2+git20220801.ea7884e: * Produce 2 binaries instead of one (#99) * Push master merges to elemental-operator-ci (#100) * operator: pass all the registration fields on unauthenticated query

• Update to version 0.4.2+git20220801.846d313: * Add missing mapstructure annotations to config (#101) * operator: drop duplicated MachineInventory init code

• Update to version 0.4.2+git20220729.6b52b44

• Bump to v0.4.2

• Update to version 0.4.1+git20220729.6b52b44: * Set a fixed name config for rke/k3s deployments (#97)

• Update to version 0.4.1+git20220728.896efee: * mend * Drop unneeded code

• Update to version 0.4.1+git20220728.38929d2: * Update elemental api resources for upgrades (#95)

• Update to version 0.4.1+git20220728.b5c35b9: * operator: fix adding machineInventoryLabels after initial registration

• Update to version 0.4.1+git20220727.68b87dd: * Drop setting a custom providerID (#91)

• Update to version 0.4.0+git20220727.3241cfd: * Bump rancher version (#89)

• Update to version 0.4.0+git20220722.ea618ea: * elemental-operator register: keep system CAs when passing a custom CA * elemental-operator register: add some more logging * add github.com/sanity-io/litter module * ensure all the structs include proper yaml labels * Add a target to setup a clean cluster (#79) * [register] Check for path error before doing anything (#80) * Make /oem/registration the default configuration dir (#81) * Add README to elemetal-operator helm chart (#56) * Store registration yaml in installed system (#71) * Fix 'make unit-tests'

• Update to version 0.3.0+git20220722.f2ab68c: * [register] Check for path error before doing anything (#80)

• Update to version 0.3.0+git20220722.cf20bc6: * Make /oem/registration the default configuration dir (#81)

• Update to version 0.3.0+git20220722.9b9844b: * Add README to elemetal-operator helm chart (#56)

• Update to version 0.3.0+git20220721.52c3cbb: * Store registration yaml in installed system (#71)

• Remove elemental-operator.service, as this is now executed as part of the cloud-config shipped with elemental. See https://github.com/rancher/elemental/pull/178

• Update to version 0.3.0+git20220721.e15e76e: * Fix 'make unit-tests' * Do note fetch cloud-config on unauthenticated registartion calls (#67) * Change the default machine name to include the UUID

• read config from /run/initramfs/live

• Update to version 0.3.0+git20220720.90791e4: * Update MachineRegistration example

• Update to version 0.3.0+git20220720.79d957e: * Adds support for cloud-config data in machine registration (#61)

• Update to version 0.2.1+git20220719.489d40f: * review elemental installer env vars (#59)

• Run elemental-operator.service after cos-setup-network.service is completely done. Add back a dependency with multi-user.target to ensure it is pulled by some target at boot.

• Run elemental-operator.service after mutli-user.target to ensure it is executed after all boot services are ready

• only run in live mode

• Update to version 0.2.1+git20220718.3530dc5: * ensure install struct includes proper yaml labels (#57)

• Update to version 0.2.1+git20220718.6e2f20f: * Pass debug flag to elemental client if requested (#58)

• Update to version 0.2.1+git20220715.2381ebc: * Do not attempt to install in already installed systems (#55) * Some fixes for the release pipelines (#53)

• Update to 0.2.0

• Update to version 0.1.1+git20220715.618d3c4: * Log the version, commit and commit date on start (#43)

• Update to version 0.1.1+git20220715.bd811be: * Remove obsolete logic from former ros-installer (#45)

• pass COMMITDATE to build

• Update to version 0.1.1+git20220714.a05a2db: * elemental-operator register: enable local plans

• Update to version 0.1.1+git20220714.602178c: * elemental-operator register: allow cacert passed as file or data (#44) * Makefile: fix make build-docker (#41)

• On behalf of commit 62bac1d (#38) `elemental install` is called within the `elemental-operator register` command, so the unit file only needs to call `elemental-operator register`

• drop elemental-installer and -chart subpackages
• add elemental-operator.service file

• build with TPM emulation

• Update to version 0.1.1+git20220713.adfff7c: * Some register fixes (#40) * elemental-operator register: add elemental cli call (#38) * Fix building the operator/installer with emulatedTPM (#39) * Return a Config.Config in MachineInventory (#35) * Use cacert from rancher and use serverl-url from rancher (#36)

• Update to version 0.1.1+git20220713.bcfe4d0: * Add test for chart values (#31)

• Update to version 0.1.1+git20220712.14d4d95: * Share installation configuration structures (#24) * bump github.com/docker/distribution to 2.8.1 (#29) * Bump image-spec to 1.0.2 (#28) * Bump system-agent to 0.2.8 (#17) * update testhelpers * Update go.sum * [ci] Up the go version and restore the proper cache * Fix go.sum * [test] Remove focus * [lint] ignore generated files

• Update to version 0.1.1+git20220707.39177e8: * Rename RancherOS to Elemental in installer logic * Merge elemental installer (#20) * renamed to elemental-operator and switched to system agent * Fix wrong key in example full reference * Rename rancheros->elemental in README * tests: Use helpers from testlib * tests: Add upgrades e2e test * ci: detect when deployments are already there * Update missing policy rule * Sort env to avoid updating same bundle

• Update to version 0.1.1+git20220707.1d97f14: * Merge elemental installer (#20) * renamed to elemental-operator and switched to system agent * Fix wrong key in example full reference * Rename rancheros->elemental in README * tests: Use helpers from testlib * tests: Add upgrades e2e test * ci: detect when deployments are already there * Update missing policy rule * Sort env to avoid updating same bundle * Be sure to not push same env multiple times

• Update to version 0.0.0+git20220707.0c6dcff: * Adapat Dockerfile and golreleaser to keep releasing and building elemental-operator as they used to * Update .github/workflows/unit-tests.yaml * Update Makefile

• Update to version 0.0.0+git20220707.4b69306: * Adding installer unit tests * Add elemental-installer * Move main into a cmd/operator package

• Update to version 0.0.0+git20220704.211ad46: * renamed to elemental-operator and switched to system agent * Fix wrong key in example full reference * Rename elemental->elemental in README * tests: Use helpers from testlib * tests: Add upgrades e2e test * ci: detect when deployments are already there * Update missing policy rule * Sort env to avoid updating same bundle * Be sure to not push same env multiple times * Update pkg/controllers/inventory/inventory.go

• adapt machine-registration.yaml and create-cluster.yaml to system-agent

• Update to version 0.1.0+git20220622.84e703a: * added registration command and support for using elemental as a cluster api infrastructure provider * wip * renamed to elemental-operator and switched to system agent

• Update to version 0.1.0+git20220603.19a5e9e: * Fix wrong key in example full reference * Rename elemental->elemental in README

• rename binary to elemental-operator

• Update to version 0.1.0+git20220420.6e6aa51:

• Update to version 0.1.0+git20220525.9e1d451: * rename pathes to 'elemental' * rename files to 'elemental' * rename directories to 'elemental' * tests: Use helpers from testlib * tests: Add upgrades e2e test * ci: detect when deployments are already there * Update missing policy rule * Sort env to avoid updating same bundle * Be sure to not push same env multiple times * Update pkg/controllers/inventory/inventory.go

• renamed the api spec in the sample .yaml files

• Update to version 0.1.0+git20220525.9e1d451: * rename pathes to 'elemental' * rename files to 'elemental' * rename directories to 'elemental' * tests: Use helpers from testlib * tests: Add upgrades e2e test * ci: detect when deployments are already there * Update missing policy rule * Sort env to avoid updating same bundle * Be sure to not push same env multiple times * Update pkg/controllers/inventory/inventory.go

• Update to version 0.1.0+git20220420.6e6aa51: * tests: Use helpers from testlib * tests: Add upgrades e2e test * ci: detect when deployments are already there * Update missing policy rule * Sort env to avoid updating same bundle * Be sure to not push same env multiple times * Update pkg/controllers/inventory/inventory.go * Rework * Add events on errors * e2e-ci: add some missing check on errors

• Update to version 0.1.0+git20220518.f916493: * rename to elemental-operator

• update default kubernetesVersion to 1.22.7

• Update machine-registration.yaml * add hostname * put 'install' section below 'elemental'

• Update to version 0.1.0+git20220420.6e6aa51: * tests: Use helpers from testlib * tests: Add upgrades e2e test * ci: detect when deployments are already there * Update missing policy rule * Sort env to avoid updating same bundle * Be sure to not push same env multiple times * Update pkg/controllers/inventory/inventory.go * Rework * Add events on errors

• Update to version 0.1.0-alpha23+git20220408.cd4553f: * e2e-ci: add some missing check on errors * Bump ele-testhelpers version * e2e-ci: move some functions to ele-testhelpers * Update README * Do not make kube calls blocking * Test env metadata injection * Correctly annotate env vars from metadata * Adapt tests, add test cases * Respect upgradeContainerSpec from ManagedOSVersion * Do allocate the event recorder once in the syncer * Refactor out recorder boilerplate * Collect errors when syncing * Refactor out requeuer to not be blocking * Add test for event broadcasting * Set appropriate rules for broadcasting events * go gen * Record invalid specs back to the VersionChannel * Build general event interface from raw k8s into client * Add reconciler * Wrong obs workflow name :facepalm: * Add OBS workflow to trigger rpm build * Use operator image for wait and display hook * CLI fixups * Allow to specify a mountpath * Add requeue mechanism * Disable mounting SA token by default on sync pod * Implement Custom syncer * Lower the ticker for testing * Set the default update to 60m * Add sync-interval flag * Add owner reference on ManagedOSVersion * Bump rancher version used in tests * Don't watch over specific namespaces * Add make target to test local changes in kind * Enhance tests * Allow to set a bridge ip * Allow to selectively sync user-defined namespaces * Add MachineOSVersionChannel JSON tests * Implement JSON syncer logic * Very basic sync service logic * ManagedOSVersionChannel sync service * Add ManagedOSVersionChannel and skeleton for sync service

• Initial version 0.1.0~alpha23

• Update to version 1.5.1: * Sanitize elemental-operator dependencies (#690) * Fix ManagedOSImage cloudConfig (#671) * Align DrainSpec to system-upgrade-controller defaults (#668) * Drain nodes by default on upgrade (#660)

• Update to version 1.5.0: * Make snapshotter configurable (#651) * Make channel sync more robust (#638) * Test against k8s v1.27, rancher v2.8.2, and upgrade all test dependendencies (#628) * Add kubebuilder example and validation * Add TargetPlatform to SeedImageSpec * Add disable-boot-entry flag to reset command

• Update to version 1.4.3

• Update to version 1.4.2

• Update to version 1.4.1

• Update to version 1.4.0+git20231128.a867d93: * Unify all chart files under .obs/charfile

• Update to version 1.3.2+git20230824.c90c1c8: * Charts: sync OBS charts * Update .obs/chartfile/crds/Chart.yaml * Adapt tests and Makefile * Split chart into crds chart and operator chart

• Update to version 0.5.0+git20220902.3d28c5d: * Configure custom smbios data (#157)

• Update to version v0.4.4: * Fix secretname for the apiService (#153) * Enable deploying operator replicas (#150)

• Update to version 0.4.3+git20220822.f0bd8f4: * log: report elemental installation completion * Fix e2e discovery tests (#138)

• Update to version v0.4.3: * Remove default value for flag and expand description (#126) * [chart] only add default-registry if specified (#128) * Set the proper namespace (#117)

• Bump to v0.4.2

• Bump to v0.4.1

• Update to version v0.4.0: * Add README to elemetal-operator helm chart (#56)

• Update Chart.yaml to the right elemental-operator version

• Update to elemental-operator v0.3.0

• Improve Makefile to get image tag from github

• Update Makefile and build elemental-operator.tar

• Bump version to 0.2.1
• Bump elemental-operator tag image to 0.2.1-10.1

• Bump elemental-operator tag image to 0.2.0-9.1

• Update _helmignore file

• Update Makefile and fix build issues

• Add _helmignore file

• Update to version 0.1.1+git2022-07-13.adfff7c: * Use cacert from rancher and use serverl-url from rancher (#36)

• Update image repository in values-overwrite.yaml

• Initial commit for elemental-operator helm chart

• Update to version 1.5.1

• Update to version 1.5.0: * Enable ManagedOSImage updates (#658) * charts: backport changes from Rancher Marketplace chart (#652) * Test against k8s v1.27, rancher v2.8.2, and upgrade all test dependendencies (#628) * Fix default values in questions.yaml file * Unify all chart files under .obs/charfile * charts: fix annotations (#566) * Add slem4r images in channel (#544) * Charts: fix OBS build * Charts: sync OBS charts * Fixed a typo in the version string for elemental-teal-channel in helm chart (#495)

• Update to version 1.4.3

• Update to version 1.4.2

• Fix default values in questions.yaml file

• Update to version 1.4.1

• Update to version 1.4.0+git20231129.c7f1dc1: * Add slem4r images in channel (#544)

• Update to version 1.4.0+git20231128.a867d93: * Unify all chart files under .obs/charfile * charts: fix annotations (#566) * Charts: fix OBS build

• Update to version 1.3.2+git20230824.c90c1c8: * Charts: sync OBS charts * Fixed a typo in the version string for elemental-teal-channel in helm chart (#495) * Remove SLE Micro reference from elemental-operator images * Make SLE Micro version from image references dynamic (#480) * Adapt tests and Makefile * Split chart into crds chart and operator chart

• Update to version 0.5.0+git20220902.3d28c5d: * Configure custom smbios data (#157)

• Update to version v0.4.4: * Fix secretname for the apiService (#153) * Enable deploying operator replicas (#150)

• Update to version 0.4.3+git20220822.f0bd8f4: * log: report elemental installation completion * Fix e2e discovery tests (#138)

• Update to version v0.4.3: * Remove default value for flag and expand description (#126) * [chart] only add default-registry if specified (#128) * Set the proper namespace (#117)

• Bump to v0.4.2

• Bump to v0.4.1

• Update to version v0.4.0: * Add README to elemetal-operator helm chart (#56)

• Update Chart.yaml to the right elemental-operator version

• Update to elemental-operator v0.3.0

• Improve Makefile to get image tag from github

• Update Makefile and build elemental-operator.tar

• Bump version to 0.2.1
• Bump elemental-operator tag image to 0.2.1-10.1

• Bump elemental-operator tag image to 0.2.0-9.1

• Update _helmignore file

• Update Makefile and fix build issues

• Add _helmignore file

• Update to version 0.1.1+git2022-07-13.adfff7c: * Use cacert from rancher and use serverl-url from rancher (#36)

• Update image repository in values-overwrite.yaml

• Initial commit for elemental-operator helm chart

• Adapt the Dockerfile to explicitly pull elemental-register (v1.4) instead of the newer 1.5 variant of it.

• Fix RT URLs and use import channel.json file from previous build stage

• Only build for x86_64

• Add SLE Micro RT v2.0.2 to channel

• Fix RT URLs and use import channel.json file from previous build stage

• Only build for x86_64

• Add SLE Micro RT v2.0.2 to channel

• Adapt channel to the new 'suse/sle-micro' images

• Update to version 1.1.5: * [v1.1.x] Move recovery hostname to cloud-config-defaults (#2047)

• Update to version 1.1.4: * Add default rootfs settings * Install podman in example Dockerfiles (#1959)

• Update to version 1.1.2: * Remove unused method * Update copyright year (2024) * Update workflow to trigger for go.mod * Bump moby@v25.0.1 * Bump docker@v23.0.8 * Bump go-git@v5.11.0 * Bump containerd@v1.7.12

• Update to version 1.5.1: * Repurpose v1.5.x branch for SLE Micro 5.5

• Update to version 1.5.0: * Micro rename (#684) * operator/Dockerfile: tag IMAGE_REPO with :latest

• Update to version 1.4.3

• Update to version 1.4.2

• Update to version 1.4.1

• Adding a changes file

• Update to version 1.4.3

• Update to version 1.5.1: * Repurpose v1.5.x branch for SLE Micro 5.5

• Update to version 1.5.0: * Micro rename (#684) * seedimage: add tag to IMG_REPO * seedimage: switch labelprefix to com.suse.elemental * seedimage: Switch to toolbox for ALP * Add elemental-seedimage-hooks package (#592) * Add grub package to seedimage built in OBS (#568) * Build raw disk images in SeedImage (#557)

• Update to version 1.4.3

• Update to version 1.4.2

• Update to version 1.4.1

• Adding changes file

SUSE-IU-2024:442-1

SUSE-IU-2024:439-1

This update for perl fixes the following issues:
Security issues fixed:

• CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216)
• CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233)

• make Net::FTP work with TLS 1.3 (bsc#1213638)

SUSE-IU-2024:436-1

SUSE-IU-2024:434-1

This update for coreutils fixes the following issues:

• ls: avoid triggering automounts (bsc#1221632)

This update for open-vm-tools fixes the following issues:

• Remove protobuf less than v22 dependency from spec file (bsc#1217478)
• Use for updating open-vm-tools to new version (bsc#1222089)
• There are no new features in the current open-vm-tools release This is primarily a maintenance release that addresses a few critical problems
• Use %patch -P N instead of deprecated %patchN
• Own %{_modulesloaddir}: used to be present via udev-mini - kmod - suse-module-tools dependency before
• Fix outdated libxmlsec1 dependency version Updates to open-vm-tools for SLES 12 SP4 and SP5 are now being built againt against libxmlsec1-1-1.2.37. Update the spec file to now require libxmlsec1-openssl1 v1.2.37 or above. (bsc#1217796)
• limit to protobuf less than v22 for now until build failures have been fixed pam-vmtoolsd patch as instructed by vmware (bsc#1171003). This should fix both (bsc#1171003) and (bsc#1172693)
• Update vmtoolsd.service to support cloud-init customization by default (bsc#994598)
• Enable vgauth for openSUSE Leap 42.1 (bsc#952645)
• Extensive rewrite of the spec file
• rename vmware-KMP to vmware-guest-KMP for easier identification

SUSE-IU-2024:433-1

SUSE-IU-2024:430-1

This update for libcontainers-common fixes the following issues:
New release 20240206:

• bump bundled c/common to 0.57.4
• bump bundled c/image to 0.29.2
• conditionally require libcontainers-sles-mounds for product(SLE-Micro) as well (SLE Micro 6.0 now no longer provides product(SUSE_SLE) and instead only provides product(SLE-Micro)), fixes bsc#1216443

• bump c/common to 0.57.0

• bump c/storage to 1.51.0

• bump c/image to 5.29.0

• bump c/image to 5.28.0

• bump c/storage to 1.48.0

• bump c/image to 5.27.0

• bump c/common to 0.55.3

• Disable CNI related configs on ALP (bsc#1213556)

• Resolve choice on openSUSE distributions for libcontainer-policy by suggesting the libcontainers-openSUSE-policy explicitly.

• Enforce BCI verification via Podman on openSUSE distributions using the already shipped container signing keys. (bsc#1197030)

SUSE-IU-2024:429-1

SUSE-IU-2024:425-1

This update for less fixes the following issues:

• CVE-2024-32487: Fixed mishandling of \n character in paths when LESSOPEN is set leads to OS command execution. (bsc#1222849)

SUSE-IU-2024:421-1

This update for catatonit fixes the following issues:

• Update to catatonit v0.2.0
• Change license to GPL-2.0-or-later

SUSE-IU-2024:379-1

This update for rpm fixes the following issues:
Security fixes:

• CVE-2021-3521: Fixed missing subkey binding signature checking (bsc#1191175)

• accept more signature subpackets marked as critical (bsc#1218686)
• backport limit support for the autopatch macro (bsc#1189495)

SUSE-IU-2024:365-1

SUSE-IU-2024:363-1

This update for aaa_base fixes the following issues:

• home and end button not working from ssh client (bsc#1221407)
• use autosetup in prep stage of specfile
• drop the stderr redirection for csh (bsc#1221361)
• drop sysctl.d/50-default-s390.conf (bsc#1211721)
• make sure the script does not exit with 1 if a file with content is found (bsc#1222547)

SUSE-IU-2024:354-1

SUSE-IU-2024:353-1

This update for unixODBC, libtool and libssh2_org fixes the following issue:

• Ship 2 additional 32bit packages: unixODBC-32bit and libssh2-1-32bit for SLES (bsc#1221941).
• Fix an issue with Encrypt-then-MAC family. (bsc#1221622)

This update for openssh fixes the following issues:

• Fix hostbased ssh login failing occasionally with 'signature unverified: incorrect signature' by fixing a typo in patch (bsc#1221123)
• Avoid closing IBM Z crypto devices nodes. (bsc#1218871)
• Allow usage of IBM Z crypto adapter cards in seccomp filters (bsc#1216474)

• Change the default value of UpdateHostKeys to Yes (unless VerifyHostKeyDNS is enabled).

This update for glibc fixes the following issues:

• iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence (CVE-2024-2961, bsc#1222992)

This update for polkit fixes the following issues:

• Change permissions for rules folders (bsc#1209282)

This update for systemd-default-settings fixes the following issues:

• Disable pids controller limit under user instances (jsc#SLE-10123)
• Disable controllers by default (jsc#PED-2276)
• The usage of drop-ins is now the official way for configuring systemd and its various daemons on Factory/ALP, hence the early drop-ins SUSE specific 'feature' has been abandoned.
• User priority '26' for SLE-Micro
• Convert more drop-ins into early ones

This update for vim fixes the following issues:

• Fix segmentation fault after updating to version 9.1.0111-150500.20.9.1 (bsc#1220763)

SUSE-IU-2024:325-1

This update for runc fixes the following issues:
Update to runc v1.1.11:

• CVE-2024-21626: Fixed container breakout. (bsc#1218894)

This update for aaa_base fixes the following issues:

• Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)

This update for podman fixes the following issues:

• Update to version 4.8.3: * Update RELEASE_NOTES.md * update module golang.org/x/crypto [security] * Error on HyperV VM start when gvproxy has failed to start

• Refactor network backend dependencies: * podman requires either netavark or cni-plugins. On ALP, require netavark, otherwise prefer netavark but don't force it. * This fixes missing cni-plugins in some scenarios * Default to netavark everywhere where it's available

• Update to version 4.8.2: * Update RELEASE_NOTES.md * Kube Play - set ReportWriter when building an image * Fix user-mode net init flag on first time install

• Default to the new networking backend, netavark, on openSUSE (bsc#1217828)

• Update to version 4.8.1: * Handle symlinks when checking DB vs runtime configs * libpod: Detect whether we have a private UTS namespace on FreeBSD * pkg/bindings: add new APIVersionError error type * fix podman-remote exec regression with v4.8 * sqlite: fix issue in ValidateDBConfig() * sqlite: fix missing Commit() in RemovePodContainers() * sqlite: set busy timeout to 100s * Fix locking error in WSL machine rm -f * Gating test fixes * If API calls for kube play --replace, then replace pod * Fix wsl.conf generation when user-mode-networking is disabled

• Update to version 4.8.0: * Bump to Buildah v1.33.2 * [CI:DOCS] Update release notes * machine applehv: create better error on start failure * Cirrus: Update operating branch * rootless_tutorial: modernize * Update to libhvee 0.5.0 * vmtypes names cannot be used as machine names * Add support for --compat-auth-file in login/logout * Update tests for a c/common error message change * Update c/image and c/common to latest, c/buildah to main * CI: test overlay and vfs * [CI:DOCS] Add link to podman py docs * Test fixes for debian * pasta tests: remove some skips * VM images: bump to 2023-11-16 * fix(deps): update module k8s.io/kubernetes to v1.28.4 [security] * [CI:DOCS] Machine test timeout env var * Quadlet - add support for UID and GID Mapping * Quadlet - Allow using symlink on the base search paths * [skip-ci] Update dessant/lock-threads action to v5 * Avoid empty SSH keys on applehv * qemu,parseUSB: minor refactor * fix(deps): update module github.com/gorilla/handlers to v1.5.2 * docs: fix relabeling command * Pass secrets from the host down to internal podman containers * (Temporary) Emergency CI fix: quay search is broken * Update podman-stats.1.md.in * [CI:BUILD] packit: handle builds for RC releases * Quadlet test - add case for multi = sign in mount * set RLIMIT_NOFILE soft limit to match the hard limit on mac * rootless: use functionalities from c/storage * CI: e2e: fix a smattering of test bugs that slipped in * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.13.1 * vendor: update c/storage * Improve the documentation of quadlet * Fix socket mapping socket mapping nits * fix(deps): update module golang.org/x/tools to v0.15.0 * fix(deps): update github.com/containers/libhvee digest to 9651e31 * [skip-ci] Update github/issue-labeler action to v3.3 * Document --userns=auto behaviour for rootless users * machine: qemu: add usb host passthrough * fix(deps): update module golang.org/x/net to v0.18.0 * fix(deps): update module github.com/onsi/gomega to v1.30.0 * Refactor Ignition configuration for virt providers * [CI:BUILD] rpm: disable GOPROXY * Automatic code cleanups [JetBrains] * Refactor key machine objects * systests: add [NNN] prefix in logs, NNN = filename * systests: add a last-minute check for db backend * applehv: allow virtiofs to mount to root * Run codespell on podman * update completion scripts for cobra v1.8.0 * Fix man page display of podman-kube-generate * Try to fix the broken formatting of man podman-kube-apply(1). * fix(deps): update module golang.org/x/text to v0.14.0 * docs: make CNI removal explicit * fix(deps): update module github.com/gorilla/mux to v1.8.1 * fix(deps): update module github.com/spf13/cobra to v1.8.0 * fix(deps): update module golang.org/x/sync to v0.5.0 * fix(deps): update module github.com/mattn/go-sqlite3 to v1.14.18 * Podman push --help should reveal default compression * Update container-device-interface (CDI) to v0.6.2 * fix: adjust helper string in machine_common * fix: adjust helper string in machine_common * remote,test: remove .dockerignore which is a symlink * [CI:DOCS] Update dependency golangci/golangci-lint to v1.55.2 * fix: adjust helper string in machine_common * vendor: update github.com/coreos/go-systemd/v22 to latest main * CI: default to sqlite * vendor: update c/common * check system connections before machine init * Consume OCI images for machine image * freebsd: drop dead code * libpod: make removePodCgroup linux specific * containers: drop special handling for ErrCgroupV1Rootless * compose: fix compose provider debug message * image: replace GetStoreImage with ResolveReference * vendor: bump c/image to 373c52a9466f * Refactor machine socket mapping * AppleHV: Fix machine rm error message * Add status messages to podman --remote commit * End-of-Life policy for github issues * fix(deps): update module github.com/shirou/gopsutil/v3 to v3.23.10 * Support passing of Ulimits as -1 to mean max * fix(deps): update github.com/docker/go-connections digest to 0b8c1f4 * fix(deps): update github.com/crc-org/vfkit digest to f3c783d * Log gvproxy and server9 to file on log-level=debug * Change to using gopsutil for cross-OS process ops * Initial addition of 9p code to Podman * libpod: fix /etc/hostname with --uts=host * systests: stty test: retry once on flake * systests: pasta: avoid hangs * Fix secrets scanning GHA Workflow * [skip-ci] Update dawidd6/action-send-mail action to v3.9.0 * docs: clarify systemd cgroup mount * podman build --remote URI Dockerfile shoud not be treated as file * Small fixes for wacko CI environments * Do not add powercap mask if no paths are masked * compose: try all possible providers before throwing an error * podman kube play --replace should force removal of pods and containers * Sort kube options alphabetically * container.conf: support attributed string slices * CI: podman farm tests cleanup * Mask /sys/devices/virtual/powercap * Update module github.com/google/uuid to v1.4.0 * fix(deps): update module github.com/docker/docker to v24.0.7+incompatible * fix(deps): update module go.etcd.io/bbolt to v1.3.8 * CI: systest: safer random_rfc1918_subnet * CI: e2e: safer GetPort() * Fix broken code block markup in Introduction.rst * chore(deps): update module google.golang.org/grpc to v1.57.1 [security] * chore: remove npipe const and use vmtype const for checking * Update module github.com/onsi/gomega to v1.29.0 * CI: try to fix more networking flakes * fix: check wsl npipe when executing podman compose * [CI:DOCS] Update dependency golangci/golangci-lint to v1.55.1 * Quadlet - explicit support for read-only-tmpfs * compat API: fix image-prune --all * Makefile - allow more control over Ginkgo parameters * Add e2e tests for farm build * vendor c/{buildah,common}: appendable containers.conf strings, Part 1 * Add podman farm build command * Add emulation package * Use buildah default isolation when working with podman play kube * docs(API): Fix compat network (dis-)connect * test/e2e: do not import buildah * pkg/specgen: remove config_unsupported.go * pkg/parallel/ctr: add !remote tag * pkg/domain/filters: add !remote tag * pkg/ps: add !remote tag * pkg/systemd/generate: add !remote tag * libpod: add !remote tag * pkg/autoupdate: add !remote tag * vendor latest c/common * libpod: remove build support non linux/freebsd * Fix typo * test/apiv2: adapt apiv2 test on cgroups v1 environment * ginkgo setup: retry cache pulls * Support size option when creating tmpfs volumes * not mounted layers should be reported as info not error * CI: stop using registry.k8s.io * fix(deps): update module github.com/vbatts/git-validation to v1.2.1 * test fixes for c/common tag chnages * vendor latest c/common * hyperV: Update lastUp time * [CI:DOCS] Update dependency golangci/golangci-lint to v1.55.0 * lint: disable testifylint * lint: fix warnings found by perfsprint * lint: fix warnings found by inamedparam * lint: fix warnings found by protogetter * libpod: skip DBUS_SESSION_BUS_ADDRESS in conmon * Use node hostname in kube play when hostNetwork=true * cirrus setup: special-case perl unicode * network: document ports and macvlan interaction * quadlet: document cgroupv2 requirement * [skip-ci] Update actions/checkout digest to b4ffde6 * Revert 'Emergency workaround for CI breakage' * remote: exec: do not leak session IDs on errors * fix(deps): update github.com/containers/storage digest to 79aa304 * fix(deps): update module k8s.io/kubernetes to v1.28.3 * System tests: fix broken silence127 * Add TERM iff TERM not defined in container when podman exec -t * Emergency workaround for CI breakage * Kill gvproxy when machine rm -f * Fix path for omvf vars on Darwin/arm64 * Allow systemd specifiers in User and Group Quadlet keys * libpod: rename confusing import name * use FindInitBinary() for init binary * vendor latest c/common * exec: do not leak session IDs on errors * systests: cp test: lots of cleanup * Define better error message for container name conflicts with external storage. * Quadlet - support ImageName for .image files * test/system: ignore 127 if it is the expected rc * test/apiv2/20-containers.at: fix NanoCPUs tests on cgroups v1 * image history: fix walking layers * fix(api): Ensure compatibality for network connect * [CI:DOCS] Add cross-build target info. * machine set: document --rootful better * libpod: restart+userns cleanup netns correctly * Minor log and doc fixes * Quadlet man page - discuss volume removal explicitly * Quadlet - add support for KubeDownForce * System Test - Quadlet kube oneshot * Fix output of podman --remote top * buildah-bud: test relative TMPDIR * Fix handling of --read-only-tmpfs flag * Vendor common and buildah main * remote,build: wire unsetlabels * test: build with TMPDIR as relative * docs: add unsetlabel * vendor: bump buildah to v1.32.1-0.20231012130144-244170240d85 * fix(deps): update module github.com/vbauerster/mpb/v8 to v8.6.2 * fix: pull error response docker rest api compatibility * Show client info even if remote connection fails * fix(deps): update github.com/containers/libhvee digest to e51be96 * Run codespell * SetLock for all virt providers * Machine: Teardown on init failure * healthcheck: make sure to always show health_status events * Apply suggestions from code review * [CI:DOCS]rtd: implement v2 build file * Quadlet - support oneshot .kube files * libpod: fix deadlock while parallel container create * fix(deps): update module golang.org/x/net to v0.17.0 * api: add `compatMode` paramenter to libpod's pull endpoint * api: break out compat image pull * fix(deps): update module github.com/cpuguy83/go-md2man/v2 to v2.0.3 * use sqlite as default database * vendor latest c/common * fix(deps): update module github.com/nxadm/tail to v1.4.11 * Check for image with /libpod/containers/create * container: always check if mountpoint is mounted * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.13.0 * vendor: update c/storage * api: drop debug statement * Quadlet - add support for global arguments * Add system test * fix(deps): update module golang.org/x/tools to v0.14.0 * Don't ignore containerfiles outside of build context * fix(deps): update github.com/containers/libhvee digest to fcf1cc2 * fix(deps): update module golang.org/x/term to v0.13.0 * Update module golang.org/x/sys to v0.13.0 * [CI:DOCS] Add updating version on podman.io to release process * containers.conf: add `privileged` field to containers table * Implement secrets/credential scanning * Cirrus: Execute Windows podman-machine e2e tests * vendor: bump c/storage * Update module golang.org/x/sync to v0.4.0 * [CI:DOCS] update swagger version on docs.podman.io * Create Qemu command wrapper * Adjust to path name change for resolved unit * Revert 'Fix WSL systemd detection' * [CI:BUILD] rpm/copr: gvforwarder recommends for RHEL * [CI:DOCS] update kube play delete endpoint docs * [CI:DOCS] Remove dead link from README * test/system: --env-file test fixes * Revert 'feat(env): support multiline in env-file' * Revert 'docs(env-file): improve document description' * Revert 'fix(env): parsing --env incorrect in cli' * Filter health_check and exec events for logging in console * inspect: ignore ENOENT during device lookup * test, manifest: test push retry * Fix locale issues with WSL version detection * vendor: update module github.com/docker/distribution to v2.8.3+incompatible * vendor: bump c/common to v0.56.1-0.20231002091908-745eaa498509 * Update github.com/containers/libhvee digest to e9b1811 * windows: Use prebuilt gvproxy/win-sshproxy binaries * Volume create - fast exit when ignore is set and volume exists * Update golang.org/x/exp digest to 9212866 * Update github.com/opencontainers/runtime-spec digest to c0e9043 * remove selinux tag as not needed anymore * [skip-ci] Improve podmansh(1) * Build applehv for Intel Macs * Revert 'GHA Workflow: Faster discussion-locking' * update vfkit vendored code * Add DefaultMode to kube play * Fix broken podman images filters * Remove `c.ExtraFiles` line in machine * podman: run --replace prints only the new container id * New machines should show Never as LastUp * podman machine: disable zincati update service * Revert 'cirrus setup: install en_US.UTF-8 locale' * Cirrus: CI VM images w/ newer automation-library * CI VMs: bump to f39 + f38 * [CI:DOCS] Update podman load doc * Update mac installer to latest gvproxy release * Fix WSL systemd detection * Add documentation for the vrf option on netavark * fix(deps): update github.com/containers/common digest to 9342cdd * fix: typos in links, path and code example * e2e: ExitCleanly(): manual special cases * e2e: ExitCleanly(): the final fron^Wcommit * [CI:DOCS] Add win-sshproxy target to winmake * wsl: enable machine init tests * Update docs/source/markdown/options/rdt-class.md * move IntelRdtClosID to HostConfig * use default when user does not provide rdt-class * Add documentation for Intel RDT support * Add test for Intel RDT support * Add Intel RDT support * [CI:DOCS] Fix podman form update --help examples * Quadlet container mount - support non key=val options * test/e2e: default to netavark * [skip-ci] Update dawidd6/action-send-mail action to v3.9.0 * fix(deps): update module github.com/containers/gvisor-tap-vsock to v0.7.1 * fix(deps): update github.com/containers/common digest to 4619314 * applehv: enable machine tests for start * applehv: machine tests for stop and rm * Update machine tests README * Add podman socket info to machine inspect * Fix podman machine info test for hyperV * libpod: pass entire environment to conmon * e2e: ExitCleanly(): manual fixes to get tests working * e2e: ExitCleanly(): a few more * FCOS+podman-next: correct GHA conditional syntax * pkg/machine/e2e: wsl stop * wsl: machine tests for inspect * wsl: machine tests for ssh * fix(deps): update github.com/containers/common digest to e18cda8 * wsl: machine start test * wsl machine tests: set * wsl: machine tests * Skip proxy test for hyperV * Enable machine e2e test for applehv * hyperV: Respect rootful option on machine init * [CI:BUILD] FCOS image: enable nightly build * e2e: use safe fedora-minimal image * hyperv: machine e2e tests for set command * podman build: correct default pull policy * fix handling of static/volume dir * unbreak CI: useradd not found * hyperv: set more realistic starting state * hyperv: use StopWithForce with remove * Fix all ports exposed by kube play * Fix setting timezone on HyperV * fix(deps): update github.com/containers/gvisor-tap-vsock digest to 97028a6 * Fix farm update to check for connections * Adjust machine CPU tests * Bump version on main * [CI:BUILD] Packit: show SHORT_SHA in `podman --version` for COPR builds * Vendor c/common * pod rm: do not log error if anonymous volume is still used * e2e: ExitCleanly(): manual fixes to get tests passing * e2e: ExitCleanly(): a few more * fixes for pkg/machine/e2e on hyperv * test: fix rootless propagation test * [CI:BUILD] packit: tag @containers/packit-build team on copr build failures * Enable disk resizing for applehv * Various updates for hyperv and machine e2e tests * test: update fedoraMinimal version * specgen, rootless: fix mount of cgroup without a netns * Automatically remove anonymous volumes when removing a container * Use ActiveServiceDestination in ssh remoteConnectionUsername * fix(deps): update github.com/containers/gvisor-tap-vsock digest to 9298405 * e2e: ExitCleanly(): generate_kube_test.go * e2e: generate kube -> kube generate * e2e: ExitCleanly(): generate_kube_test.go * windows cannot 'do' extra files * e2e: ExitCleanly(): Fixes for breaking tests * play kube -> kube play * e2e: ExitCleanly(): play_kube_test.go * introduce pkg/strongunits * Makefile equiv Powershell script * pass --syslog to the cleanup process * vendor of containers/common * fix --authfile auto-update test * compat API: speed up network list * Change priority for cli-flags for remotely operating Podman * libpod: remove unused ContainerState() fucntion * [CI:BUILD] Packit: Enable failure notifications for cockpit tests * e2e: ExitCleanly(): more low-hanging fruit * e2e: ExitCleanly(): more low-hanging fruit * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.12.1 * Enable machine e2e tests for WSL * systests: tighter checks for unwanted warnings * GHA Workflow: Faster discussion-locking * [CI:BUILD] FCOS + podman-next image: pull in wasm * [CI:BUILD] rpm: remove gvproxy subpackage * [CI:DOCS] Tweak podman to Podman in a few farm man pages * Docs on sig-proxy are wrong, we support TTY * e2e: ExitCleanly(): low-hanging fruit, part 2 * e2e: ExitCleanly(): low-hanging fruit, part 1 * Buildtag out unix commands for common OS files * systests: clean up after tests; fix missing path in logs * [CI:BUILD] followup PR for fcos with podman-next * Implement gvproxy networking using cmdline wrapper * fix, test: rmi should work with images w/o layers * vendor: bump c/common to v0.56.1-0.20230919073449-d1d9d38d8282 * Quadlet Image test - rearrange test function * e2e: continuing ExitCleanly() work: manual tweaks * e2e: continuing ExitCleanly() work * [CI:DOCS] Improve podman-tag man page * [CI:DOCS] Improve podman-build man page * [CI:DOCS] Include precheck to release process * [CI:DOCS] consistentize filter options in man pages * Quadlet - add support for .image units * --env-host: use default from containers.conf * error when --module is specified on the command level * man page crossrefs: add --filter autocompletes * Fix specification of unix:///run * Add label! filter and tests to containers and pods * Add test for legacy address without two slashes * Use url with scheme and path for the unix address

• Use crun only on selected archs

This update for runc fixes the following issues:

• Update to runc v1.1.12 (bsc#1218894)

This update for conmon fixes the following issues:

• New upstream release 2.1.10

• New upstream release 2.1.9

This update for openssl-1_1 fixes the following issues:

• CVE-2024-0727: Denial of service when processing a maliciously formatted PKCS12 file (bsc#1219243).

This update for libxml2 fixes the following issues:

• CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576).

This update for openssh fixes the following issues:

• CVE-2023-51385: Limit the use of shell metacharacters in host- and user names to avoid command injection. (bsc#1218215)

This update for mozilla-nss fixes the following issues:
Update to NSS 3.90.2:

• CVE-2023-5388: Fixed timing attack against RSA decryption in TLS (bsc#1216198)

This update for rpm fixes the following issues:

• backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)

This update for netcfg fixes the following issues:

• Add krb-prop entry (bsc#1211886)

This update for duktape fixes the following issues:

• Ship libduktape206-32bit: needed by libproxy since version 0.5.

This update for wpa_supplicant fixes the following issues:

• CVE-2023-52160: Bypassing WiFi Authentication (bsc#1219975).

This update for libssh fixes the following issues:

• Fix regression parsing IPv6 addresses provided as hostname (bsc#1220385)

This update for timezone fixes the following issues:

• Update to version 2024a
• Kazakhstan unifies on UTC+5
• Palestine springs forward a week later than previously predicted in 2024 and 2025
• Asia/Ho_Chi_Minh's 1955-07-01 transition occurred at 01:00 not 00:00
• From 1947 through 1949, Toronto's transitions occurred at 02:00 not 00:00
• In 1911 Miquelon adopted standard time on June 15, not May 15
• The FROM and TO columns of Rule lines can no longer be 'minimum'
• localtime no longer mishandle some timestamps
• strftime %s now uses tm_gmtoff if available
• Ittoqqortoormiit, Greenland changes time zones on 2024-03-31
• Vostok, Antarctica changed time zones on 2023-12-18
• Casey, Antarctica changed time zones five times since 2020
• Code and data fixes for Palestine timestamps starting in 2072
• A new data file zonenow.tab for timestamps starting now
• Much of Greenland changed its standard time from -03 to -02 on 2023-03-25
• localtime.c no longer mishandles TZif files that contain a single transition into a DST regime
• tzselect no longer creates temporary files
• tzselect no longer mishandles the following: * Spaces and most other special characters in BUGEMAIL, PACKAGE, TZDIR, and VERSION. * TZ strings when using mawk 1.4.3, which mishandles regular expressions of the form /X{2,}/ * ISO 6709 coordinates when using an awk that lacks the GNU extension of newlines in -v option-arguments * Non UTF-8 locales when using an iconv command that lacks the GNU //TRANSLIT extension * zic no longer mishandles data for Palestine after the year 2075

This update for sudo fixes the following issues:

• CVE-2023-42465: Try to make sudo less vulnerable to ROWHAMMER attacks (bsc#1219026).

This update for cpio fixes the following issues:

• Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

This update for selinux-policy fixes the following issues:

• Don't audit getty and plymouth the checkpoint_restore capability (bsc#1220361)

This update for aaa_base fixes the following issues:

• Silence the output in the case of broken symlinks (bsc#1218232)

This update for glibc fixes the following issues:
Security issues fixed:

• qsort: harden handling of degenerated / non transient compare function (bsc#1218866)

• getaddrinfo: translate ENOMEM to EAI_MEMORY (bsc#1217589, BZ #31163)
• aarch64: correct CFI in rawmemchr (bsc#1217445, BZ #31113)

This update for sudo fixes the following issues:

• CVE-2023-42465: Fixed issues introduced by first patches (bsc#1221151, bsc#1221134).

This update for systemd-presets-common-SUSE fixes the following issues:

• Split hcn-init.service to hcn-init-NetworkManager and hcn-init-wicked (bsc#1200731)
• Support both the old and new service to avoid complex version interdependency

This update for audit fixes the following issue:

• Fix plugin termination when using systemd service units (bsc#1215377)

This update for coreutils fixes the following issues:

• tail: fix tailing sysfs files where PAGE_SIZE > BUFSIZ (bsc#1219321)

This update for pam-config fixes the following issues:

• Fix pam_gnome_keyring module for AUTH (bsc#1219767)

This update for systemd-rpm-macros fixes the following issue:

• Order packages that requires systemd after systemd-sysvcompat if needed. (bsc#1217964)

This update for runc fixes the following issues:

• Add upstream patch to properly fix -ENOSYS stub on ppc64le. bsc#1192051 bsc#1221050

This update for krb5 fixes the following issues:

• CVE-2024-26458: Fixed memory leak at /krb5/src/lib/rpc/pmap_rmt.c (bsc#1220770).
• CVE-2024-26461: Fixed memory leak at /krb5/src/lib/gssapi/krb5/k5sealv3.c (bsc#1220771).
• CVE-2024-26462: Fixed memory leak at /krb5/src/kdc/ndr.c (bsc#1220772).

This update for shadow fixes the following issues:

• CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507).
• CVE-2023-4641: Fixed possible password leak during passwd(1) change (bsc#1214806).

• bsc#1176006: Fix chage date miscalculation
• bsc#1188307: Fix passwd segfault
• bsc#1203823: Remove pam_keyinit from PAM config files
• bsc#1213189: Change lock mechanism to file locking to prevent

This update for avahi fixes the following issues:

• CVE-2023-38471: Fixed reachable assertion in dbus_set_host_name (bsc#1216594).
• CVE-2023-38469: Fixed reachable assertions in avahi (bsc#1216598).

This update for sed fixes the following issues:

• 'sed -i' now creates temporary files with correct umask (bsc#1221218)

This update for xfsprogs-scrub fixes the following issues:

• Added missing xfsprogs-scrub to Package Hub for SLE-15-SP5 and SLE-15-SP4 (bsc#1190495)

This update for dracut fixes the following issues:

• Update to version 055+suse.382.g80b55af2: * Fix regression with multiple `rd.break=` options (bsc#1221675) * Do not call `strcmp` if the `value` argument is NULL (bsc#1219841) * Correct shellcheck regression when parsing ccw args (bsc#1220485) * Skip README for AMD microcode generation (bsc#1217083)

This update for rpm fixes the following issues:

• Turn on IMA/EVM file signature support, move the imaevm code that needs the libiamevm library into a plugin, and install this plugin as part of a new 'rpm-imaevmsign' subpackage (jsc#PED-7246).

• Backport signature reserved space handling from upstream.

This update for docker fixes the following issues:

• Overlay files are world-writable (bsc#1220339)
• Allow disabling apparmor support (some products only support SELinux)

This update for expat fixes the following issues:

• CVE-2023-52425: Fixed a DoS caused by processing large tokens. (bsc#1219559)
• CVE-2024-28757: Fixed an XML Entity Expansion. (bsc#1221289)

This update for ncurses fixes the following issues:

• CVE-2023-45918: Fixed NULL pointer dereference via corrupted xterm-256color file (bsc#1220061).

This update for podman fixes the following issues:

• CVE-2024-1753: Fixed an issue to prevent a full container escape at build time. (bsc#1221677)

This update for curl fixes the following issues:

• CVE-2024-2004: Fix the uUsage of disabled protocol logic. (bsc#1221665)
• CVE-2024-2398: Fix HTTP/2 push headers memory-leak. (bsc#1221667)

This update for nghttp2 fixes the following issues:

• CVE-2024-28182: Fixed denial of service via http/2 continuation frames (bsc#1221399)

This update for util-linux fixes the following issues:

• CVE-2024-28085: Properly neutralize escape sequences in wall. (bsc#1221831)

This update for multipath-tools fixes the following issues:

• Fixed activation of LVM volume groups during coldplug (bsc#1219142)
• Avoid changing SCSI timeouts in 'multipath -d' (bsc#1213809)
• Fixed dev_loss_tmo even if not set in configuration (bsc#1212440)
• Backport of upstream bug fixes (bsc#1220374):

This update for less fixes the following issues:

• CVE-2022-48624: Fixed LESSCLOSE handling in less that does not quote shell metacharacters (bsc#1219901).

This update for xfsprogs-scrub fixes the following issues:

• Added missing xfsprogs-scrub to Package Hub for SLE-15-SP5 (bsc#1190495)
• Added missing jctools to Package Hub for SLE-15-SP5 (bsc#1213418)

This update for rpm fixes the following issues:

• remove imaevmsign plugin from rpm-ndb [bsc#1222259]

This update for glibc fixes the following issues:

• duplocale: protect use of global locale (bsc#1220441, BZ #23970)

This update for gcc13 fixes the following issues:

• Fix unwinding for JIT code. [bsc#1221239]
• Revert libgccjit dependency change. [bsc#1220724]
• Remove crypt and crypt_r interceptors. The crypt API change in SLE15 SP3 breaks them. [bsc#1219520]
• Add support for -fmin-function-alignment. [bsc#1214934]
• Use %{_target_cpu} to determine host and build.
• Fix for building TVM. [bsc#1218492]
• Add cross-X-newlib-devel requires to newlib cross compilers. [bsc#1219031]
• Package m2rte.so plugin in the gcc13-m2 sub-package rather than in gcc13-devel. [bsc#1210959]
• Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs are linked against libstdc++6.
• Fixed building mariadb on i686. [bsc#1217667]
• Avoid update-alternatives dependency for accelerator crosses.
• Package tool links to llvm in cross-amdgcn-gcc13 rather than in cross-amdgcn-newlib13-devel since that also has the dependence.
• Depend on llvmVER instead of llvm with VER equal to %product_libs_llvm_ver where available and adjust tool discovery accordingly. This should also properly trigger re-builds when the patchlevel version of llvmVER changes, possibly changing the binary names we link to. [bsc#1217450]

This update for elemental-operator, elemental-operator-crds-helm, elemental-operator-helm, operator-image contains the following fixes:

• Update to version 1.4.3: * registration: allow dots in machineInventory names * registration: decouple replacing data-labels from sanitizing strings * registration: move sanitize code in sanitizeString() * V1.4.x fix channel synchronization (#683) * linter: fix copyright dates * Make linter happy

This update for vim fixes the following issues:
Updated to version 9.1.0111, fixes the following security problems

• CVE-2023-48231: Use-After-Free in win_close() (bsc#1217316).
• CVE-2023-48232: Floating point Exception in adjust_plines_for_skipcol() (bsc#1217320).
• CVE-2023-48233: overflow with count for :s command (bsc#1217321).
• CVE-2023-48234: overflow in nv_z_get_count (bsc#1217324).
• CVE-2023-48235: overflow in ex address parsing (CVE-2023-48235).
• CVE-2023-48236: overflow in get_number (bsc#1217329).
• CVE-2023-48237: overflow in shift_line (bsc#1217330).
• CVE-2023-48706: heap-use-after-free in ex_substitute (bsc#1217432).
• CVE-2024-22667: stack-based buffer overflow in did_set_langmap function in map.c (bsc#1219581).
• CVE-2023-4750: Heap use-after-free in function bt_quickfix (bsc#1215005).

SUSE-IU-2024:92-1

This update for openslp fixes the following issues:

• CVE-2017-17833: Prevent heap-related memory corruption issue which may have manifested itself as a denial-of-service or a remote code-execution vulnerability (bsc#1090638)
• Prevent out of bounds reads in message parsing

This update for timezone provides the following fixes:

• North Korea switches back from +0830 to +09 on 2018-05-05.
• Ireland's standard time is in the summer, with negative DST offset to standard time used in Winter. (bsc#1073299)
• yast2-country is no longer setting TIMEZONE in /etc/sysconfig/clock and is calling systemd timedatectl instead. Do not set /etc/localtime on timezone package updates to avoid setting an incorrect timezone. (bsc#1093392)

This update for fuse fixes the following issues:

• CVE-2018-10906: fusermount was vulnerable to a restriction bypass when SELinux is active. This allowed non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects (bsc#1101797)

This update for timezone, timezone-java fixes the following issues:
The timezone database was updated to 2018f:

• Volgograd moves from +03 to +04 on 2018-10-28.
• Fiji ends DST 2019-01-13, not 2019-01-20.
• Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700)
• Corrections to past timestamps of DST transitions
• Use 'PST' and 'PDT' for Philippine time
• minor code changes to zic handling of the TZif format
• documentation updates

• Fixed a zic problem with the 1948-1951 DST transition in Japan (bsc#1112310)

This update for sysstat fixes the following issues:
Sysstat was updated to 12.0.2, bringing new features and bugfixes (fate#326576, bsc#1089883)

• It contains lots of improvements in SVG output.
• New metric additions for hugepages.
• New options

This update provides the latest time zone definitions (2018g), including the following change:

• Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554)

This update for pam fixes the following issues:

• Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)

The GNU Compiler GCC 8 is being added to the Development Tools Module by this update.
The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15.
Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened:
https://gcc.gnu.org/gcc-8/changes.html
Also changes needed or common pitfalls when porting software are described on:
https://gcc.gnu.org/gcc-8/porting_to.html

This update for nfsidmap fixes the following issues:

• Improve support for SAMBA with Active Directory. (bsc#1098217)

This update for rpcbind fixes the following issues:

• Fix tool stack buffer overflow aborting (bsc#969953)

This update for pam fixes the following issue:
Security issue fixed:

• CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640).

This update for ncurses fixes the following issues:
Security issue fixed:

• CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).

• Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320).

This update for psmisc provides the following fix:

• Make the fuser option -m work even with mountinfo. (bsc#1098697)
• Support also btrFS entries in mountinfo, that is use stat(2) to determine the device of the mounted subvolume (bsc#1098697, bsc#1112780)

This update for MozillaFirefox, mozilla-nss and mozilla-nspr fixes the following issues:
Issues fixed in MozillaFirefox:

• Update to Firefox ESR 60.4 (bsc#1119105)
• CVE-2018-17466: Fixed a buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11
• CVE-2018-18492: Fixed a use-after-free with select element
• CVE-2018-18493: Fixed a buffer overflow in accelerated 2D canvas with Skia
• CVE-2018-18494: Fixed a Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs
• CVE-2018-18498: Fixed a integer overflow when calculating buffer sizes for images
• CVE-2018-12405: Fixed a few memory safety bugs

• Update to NSS 3.40.1 (bsc#1119105)
• CVE-2018-12404: Fixed a cache side-channel variant of the Bleichenbacher attack (bsc#1119069)
• CVE-2018-12384: Fixed an issue in the SSL handshake. NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. (bsc#1106873)
• CVE-2018-0495: Fixed a memory-cache side-channel attack with ECDSA signatures (bsc#1097410)
• Fixed a decryption failure during FFDHE key exchange
• Various security fixes in the ASN.1 code

• Update mozilla-nspr to 4.20 (bsc#1119105)

This update for acl fixes the following issues:

• test: Add helper library to fake passwd/group files.
• quote: Escape literal backslashes. (bsc#953659)

This update for timezone fixes the following issues:

• Update 2018i: São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. (bsc#1120402)
• Update 2018h: Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21 New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move Metlakatla, Alaska observes PST this winter only Guess Morocco will continue to adjust clocks around Ramadan Add predictions for Iran from 2038 through 2090

This update for lua53 fixes the following issues:
Security issue fixed:

• CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043)

This update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc fixes the following issues:
Security issues fixed:

• CVE-2018-16875: Fixed a CPU Denial of Service (bsc#1118899).
• CVE-2018-16874: Fixed a vulnerabity in go get command which could allow directory traversal in GOPATH mode (bsc#1118898).
• CVE-2018-16873: Fixed a vulnerability in go get command which could allow remote code execution when executed with -u in GOPATH mode (bsc#1118897).
• CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to avoid write attacks to the host runc binary, which could lead to a container breakout (bsc#1121967).

• Update shell completion to use Group: System/Shells.
• Add daemon.json file with rotation logs configuration (bsc#1114832)
• Update to Docker 18.09.1-ce (bsc#1124308) and to to runc 96ec2177ae84. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
• Update go requirements to >= go1.10
• Use -buildmode=pie for tests and binary build (bsc#1048046 and bsc#1051429).
• Remove the usage of 'cp -r' to reduce noise in the build logs.

This update for file fixes the following issues:
The following security vulnerabilities were addressed:

• CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974)
• CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118)
• CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119)
• CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117)

This update for libmspack fixes the following issues:
Security issues fixed:

• CVE-2018-18584: The CAB block input buffer was one byte too small for the maximal Quantum block, leading to an out-of-bounds write. (bsc#1113038)
• CVE-2018-18585: chmd_read_headers accepted a filename that has '\0' as its first or second character (such as the '/\0' name). (bsc#1113039)
• Fix off-by-one bounds check on CHM PMGI/PMGL chunk numbers and reject empty filenames.

This update for sqlite3 to version 3.27.2 fixes the following issue:
Security issue fixed:

• CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).

This update for timezone fixes the following issues:
timezone was updated 2019a:

• Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23
• Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00
• Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25)
• zic now has an -r option to limit the time range of output data

This update for sysstat fixes the following issues:
Security issues fixed:

• CVE-2018-19416: Fixed out-of-bounds read during a memmove call inside the remap_struct function (bsc#1117001).
• CVE-2018-19517: Fixed out-of-bounds read during a memset call inside the remap_struct function (bsc#1117260).

This update for tar fixes the following issues:
Security issues fixed:

• CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496).
• CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610).

This update for sqlite3 to version 3.28.0 fixes the following issues:
Security issues fixed:

• CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326).
• CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325).

This update for sensors fixes the following issues:
sensors was updated to version 3.5.0:
The following changes were done:

• soname was bumped due to commit dcf2367 which introduced an ABI change. (This was reverted for the SUSE packages, as it was not necessary)

• Fixed disappearance of certain hwmon chips with 4.19+ kernels (bsc#1116021).
• Add the find-driver script for debugging.
• Various documentation and man page improvements.
• Fix various issues found by Coverity Scan.
• Updated links in documentation to reflect the new home of lm_sensors.
• sensors.1: Add reference to sensors-detect and document -j option (json output).
• sensors: Add support for json output, add support for power min, lcrit, min_alarm, lcrit_alarm.
• sensors-detect changes:

• configs: Add sample configuration files.
• sensors.conf.default:

• vt1211_pwm: replaced deprecated sub shell syntax, run with bash instead of sh.
• pwmconfig: replaced deprecated sub shell syntax.
• fancontrol: replaced deprecated sub shell syntax, save original pwm values.
• fancontrol.8: replaced deprecated sub shell syntax.
• libsensors:

• Undo unnecessary libsensors version bump.
• Undo the SENSORS_API_VERSION change, to stay source-compatible with upstream.

This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues:

• CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)

This update for rpcbind fixes the following issues:

• Change rpcbind locking path from /var/run/rpcbind.lock to /run/rpcbind.lock. (bsc#1134659)
• Change the order of socket/service in the %postun scriptlet to avoid an error from rpcbind.socket when rpcbind is running during package update.

This update for xz fixes the following issues:
Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709]

This update for timezone fixes the following issues:

• Timezone update 2019b. (bsc#1140016): - Brazil no longer observes DST. - 'zic -b slim' outputs smaller TZif files. - Palestine's 2019 spring-forward transition was on 03-29, not 03-30. - Add info about the Crimea situation.

This update for openslp fixes the following issues:

• Use tcp connects to talk with other directory agents (DAs) (bsc#1117969)
• Fix segfault in predicate match if a registered service has a malformed attribute list (bsc#1136136)

This update for sysstat fixes the following issues:

• Fix scaling issue with mtab symlinks and automounter. (bsc#1138767)

This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.45 (bsc#1141322) :

• New function in pk11pub.h: PK11_FindRawCertsWithSubject
• The following CA certificates were Removed: CN = Certinomis - Root CA (bmo#1552374)
• Implement Delegated Credentials (draft-ietf-tls-subcerts) (bmo#1540403) This adds a new experimental function SSL_DelegateCredential Note: In 3.45, selfserv does not yet support delegated credentials (See bmo#1548360). Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement (See bmo#1563078).
• Replace ARM32 Curve25519 implementation with one from fiat-crypto (bmo#1550579)
• Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot (bmo#1552262)
• Add IPSEC IKE support to softoken (bmo#1546229)
• Add support for the Elbrus lcc compiler (<=1.23) (bmo#1554616)
• Expose an external clock for SSL (bmo#1543874) This adds new experimental functions: SSL_SetTimeFunc, SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and SSL_ReleaseAntiReplayContext. The experimental function SSL_InitAntiReplay is removed.
• Various changes in response to the ongoing FIPS review (bmo#1546477) Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime.

• Changed prbit.h to use builtin function on aarch64.
• Removed Gonk/B2G references.

This update for sysstat fixes the following issues:

• Remove deprecated gettext and require gettext-runtime during build only. (bsc#1142470)

This update for pinentry fixes the following issues:

• Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883)

This is a version update for podman to version 1.4.4 (bsc#1143386).
Additional changes by SUSE on top:

• Remove fuse-overlayfs because it's (currently) an unsatisfied dependency on SLE (bsc#1143386)
• Update libpod.conf to use correct infra_command
• Update libpod.conf to use better versioned pause container
• Update libpod.conf to use official kubic pause container
• Update libpod.conf to match latest features set: detach_keys, lock_type, runtime_supports_json
• Add podman-remote varlink client

• Features

• Bugfixes

• Misc

• Fixed a bug where Podman could not run containers using an older version of Systemd as init
• Updated vendored Buildah to v1.9.0 to resolve a critical bug with Dockerfile RUN instructions
• The error message for running podman kill on containers that are not running has been improved
• Podman remote client can now log to a file if syslog is not available
• The podman exec command now sets its error code differently based on whether the container does not exist, and the command in the container does not exist
• The podman inspect command on containers now outputs Mounts JSON that matches that of docker inspect, only including user-specified volumes and differentiating bind mounts and named volumes
• The podman inspect command now reports the path to a container's OCI spec with the OCIConfigPath key (only included when the container is initialized or running)
• The podman run --mount command now supports the bind-nonrecursive option for bind mounts
• Fixed a bug where podman play kube would fail to create containers due to an unspecified log driver
• Fixed a bug where Podman would fail to build with musl libc
• Fixed a bug where rootless Podman using slirp4netns networking in an environment with no nameservers on the host other than localhost would result in nonfunctional networking
• Fixed a bug where podman import would not properly set environment variables, discarding their values and retaining only keys
• Fixed a bug where Podman would fail to run when built with Apparmor support but run on systems without the Apparmor kernel module loaded
• Remote Podman will now default the username it uses to log in to remote systems to the username of the current user
• Podman now uses JSON logging with OCI runtimes that support it, allowing for better error reporting
• Updated vendored containers/image to v2.0
• Update conmon to v0.3.0
• Support OOM Monitor under cgroup V2
• Add config binary and make target for configuring conmon with a go library for importing values

• Podman checkpoint and podman restore commands can now be used to migrate containers between Podman installations on different systems.
• The podman cp now supports pause flag.
• The remote client now supports a configuration file for pre-configuring connections to remote Podman installations
• CVE-2019-10152: Fixed an iproper dereference of symlinks of the the podman cp command which introduced in version 1.1.0 (bsc#1136974).
• Fixed a bug where podman commit could improperly set environment variables that contained = characters
• Fixed a bug where rootless podman would sometimes fail to start containers with forwarded ports
• Fixed a bug where podman version on the remote client could segfault
• Fixed a bug where podman container runlabel would use /proc/self/exe instead of the path of the Podman command when printing the command being executed
• Fixed a bug where filtering images by label did not work
• Fixed a bug where specifying a bing mount or tmpfs mount over an image volume would cause a container to be unable to start
• Fixed a bug where podman generate kube did not work with containers with named volumes
• Fixed a bug where rootless podman would receive permission denied errors accessing conmon.pid
• Fixed a bug where podman cp with a folder specified as target would replace the folder, as opposed to copying into it
• Fixed a bug where rootless Podman commands could double-unlock a lock, causing a crash
• Fixed a bug where podman incorrectly set tmpcopyup on /dev/ mounts, causing errors when using the Kata containers runtime
• Fixed a bug where podman exec would fail on older kernels
• Podman commit command is now usable with the Podman remote client
• Signature-policy flag has been deprecated
• Updated vendored containers/storage and containers/image libraries with numerous bugfixes
• Updated vendored Buildah to v1.8.3
• Podman now requires Conmon v0.2.0
• The podman cp command is now aliased as podman container cp
• Rootless podman will now default init_path using root Podman's configuration files (/etc/containers/libpod.conf and /usr/share/containers/libpod.conf) if not overridden in the rootless configuration
• Added fuse-overlayfs dependency to support overlay based rootless image manipulations
• The podman cp command can now read input redirected to STDIN, and output to STDOUT instead of a file, using - instead of an argument.
• The podman remote client now displays version information from both the client and server in podman version
• The podman unshare command has been added, allowing easy entry into the user namespace set up by rootless Podman (allowing the removal of files created by rootless podman, among other things)
• Fixed a bug where Podman containers with the --rm flag were removing created volumes when they were automatically removed
• Fixed a bug where container and pod locks were incorrectly marked as released after a system reboot, causing errors on container and pod removal
• Fixed a bug where Podman pods could not be removed if any container in the pod encountered an error during removal
• Fixed a bug where Podman pods run with the cgroupfs CGroup driver would encounter a race condition during removal, potentially failing to remove the pod CGroup
• Fixed a bug where the podman container checkpoint and podman container restore commands were not visible in the remote client
• Fixed a bug where podman remote ps --ns would not print the container's namespaces
• Fixed a bug where removing stopped containers with healthchecks could cause an error
• Fixed a bug where the default libpod.conf file was causing parsing errors
• Fixed a bug where pod locks were not being freed when pods were removed, potentially leading to lock exhaustion
• Fixed a bug where 'podman run' with SD_NOTIFY set could, on short-running containers, create an inconsistent state rendering the container unusable
• The remote Podman client now uses the Varlink bridge to establish remote connections by default
• Fixed an issue with apparmor_parser (bsc#1123387)

• Update to libpod v1.4.0 (bsc#1137860):
• The podman checkpoint and podman restore commands can now be used to migrate containers between Podman installations on different systems
• The podman cp command now supports a pause flag to pause containers while copying into them
• The remote client now supports a configuration file for pre-configuring connections to remote Podman installations
• Fixed CVE-2019-10152 - The podman cp command improperly dereferenced symlinks in host context
• Fixed a bug where podman commit could improperly set environment variables that contained = characters
• Fixed a bug where rootless Podman would sometimes fail to start containers with forwarded ports
• Fixed a bug where podman version on the remote client could segfault
• Fixed a bug where podman container runlabel would use /proc/self/exe instead of the path of the Podman command when printing the command being executed
• Fixed a bug where filtering images by label did not work
• Fixed a bug where specifying a bing mount or tmpfs mount over an image volume would cause a container to be unable to start
• Fixed a bug where podman generate kube did not work with containers with named volumes
• Fixed a bug where rootless Podman would receive permission denied errors accessing conmon.pid
• Fixed a bug where podman cp with a folder specified as target would replace the folder, as opposed to copying into it
• Fixed a bug where rootless Podman commands could double-unlock a lock, causing a crash
• Fixed a bug where Podman incorrectly set tmpcopyup on /dev/ mounts, causing errors when using the Kata containers runtime
• Fixed a bug where podman exec would fail on older kernels
• The podman commit command is now usable with the Podman remote client
• The --signature-policy flag (used with several image-related commands) has been deprecated
• The podman unshare command now defines two environment variables in the spawned shell: CONTAINERS_RUNROOT and CONTAINERS_GRAPHROOT, pointing to temporary and permanent storage for rootless containers
• Updated vendored containers/storage and containers/image libraries with numerous bugfixes
• Updated vendored Buildah to v1.8.3
• Podman now requires Conmon v0.2.0
• The podman cp command is now aliased as podman container cp
• Rootless Podman will now default init_path using root Podman's configuration files (/etc/containers/libpod.conf and /usr/share/containers/libpod.conf) if not overridden in the rootless configuration

• Update to image v1.5.1
• Vendor in latest containers/storage
• docker/docker_client: Drop redundant Domain(ref.ref) call
• pkg/blobinfocache: Split implementations into subpackages
• copy: progress bar: show messages on completion
• docs: rename manpages to *.5.command
• add container-certs.d.md manpage
• pkg/docker/config: Bring auth tests from docker/docker_client_test
• Don't allocate a sync.Mutex separately

• Add function to parse out mount options from graphdriver
• Merge the disparate parts of all of the Unix-like lockfiles
• Fix unix-but-not-Linux compilation
• Return XDG_RUNTIME_DIR as RootlessRuntimeDir if set
• Cherry-pick moby/moby #39292 for CVE-2018-15664 fixes
• lockfile: add RecursiveLock() API
• Update generated files
• Fix crash on tesing of aufs code
• Let consumers know when Layers and Images came from read-only stores
• chown: do not change owner for the mountpoint
• locks: correctly mark updates to the layers list
• CreateContainer: don't worry about mapping layers unless necessary
• docs: fix manpage for containers-storage.conf
• docs: sort configuration options alphabetically
• docs: document OSTree file deduplication
• Add missing options to man page for containers-storage
• overlay: use the layer idmapping if present
• vfs: prefer layer custom idmappings
• layers: propagate down the idmapping settings
• Recreate symlink when not found
• docs: fix manpage for configuration file
• docs: add special handling for manpages in sect 5
• overlay: fix single-lower test
• Recreate symlink when not found
• overlay: propagate errors from mountProgram
• utils: root in a userns uses global conf file
• Fix handling of additional stores
• Correctly check permissions on rootless directory
• Fix possible integer overflow on 32bit builds
• Evaluate device path for lvm
• lockfile test: make concurrent RW test determinisitc
• lockfile test: make concurrent read tests deterministic
• drivers.DirCopy: fix filemode detection
• storage: move the logic to detect rootless into utils.go
• Don't set (struct flock).l_pid
• Improve documentation of getLockfile
• Rename getLockFile to createLockerForPath, and document it
• Add FILES section to containers-storage.5 man page
• add digest locks
• drivers/copy: add a non-cgo fallback

• CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() (bsc#1123156)

• fuse3 and fuse-overlayfs to support rootless containers.

This update for sqlite3 fixes the following issues:
Security issue fixed:

• CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).

This update for rpcbind fixes the following issues:

• Return correct IP address with multiple ip addresses in the same subnet. (bsc#1142343)

This is a version update for pciutils-ids to version 20190830 (bsc#1133581, bsc#1127840)

This update for procps fixes the following issues:
procps was updated to 3.3.15. (bsc#1092100)
Following security issues were fixed:

• CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
• CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
• CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
• CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
• CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

• Fix CPU summary showing old data. (bsc#1121753)

• library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures
• library: Just check for SIGLOST and don't delete it
• library: Fix integer overflow and LPE in file2strvec CVE-2018-1124
• library: Use size_t for alloc functions CVE-2018-1126
• library: Increase comm size to 64
• pgrep: Fix stack-based buffer overflow CVE-2018-1125
• pgrep: Remove >15 warning as comm can be longer
• ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123
• ps: Increase command name selection field to 64
• top: Don't use cwd for location of config CVE-2018-1122
• update translations
• library: build on non-glibc systems
• free: fix scaling on 32-bit systems
• Revert 'Support running with child namespaces'
• library: Increment to 7:0:1 No changes, no removals New fuctions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
• doc: Document I idle state in ps.1 and top.1
• free: fix some of the SI multiples
• kill: -l space between name parses correctly
• library: dont use vm_min_free on non Linux
• library: don't strip off wchan prefixes (ps & top)
• pgrep: warn about 15+ char name only if -f not used
• pgrep/pkill: only match in same namespace by default
• pidof: specify separator between pids
• pkill: Return 0 only if we can kill process
• pmap: fix duplicate output line under '-x' option
• ps: avoid eip/esp address truncations
• ps: recognizes SCHED_DEADLINE as valid CPU scheduler
• ps: display NUMA node under which a thread ran
• ps: Add seconds display for cputime and time
• ps: Add LUID field
• sysctl: Permit empty string for value
• sysctl: Don't segv when file not available
• sysctl: Read and write large buffers
• top: add config file support for XDG specification
• top: eliminated minor libnuma memory leak
• top: show fewer memory decimal places (configurable)
• top: provide command line switch for memory scaling
• top: provide command line switch for CPU States
• top: provides more accurate cpu usage at startup
• top: display NUMA node under which a thread ran
• top: fix argument parsing quirk resulting in SEGV
• top: delay interval accepts non-locale radix point
• top: address a wishlist man page NLS suggestion
• top: fix potential distortion in 'Mem' graph display
• top: provide proper multi-byte string handling
• top: startup defaults are fully customizable
• watch: define HOST_NAME_MAX where not defined
• vmstat: Fix alignment for disk partition format
• watch: Support ANSI 39,49 reset sequences

This update for sysstat fixes the following issue:

• CVE-2019-16167: Fixed a memory corruption due to an integer overflow. (bsc#1150114)

This update for timezone fixes the following issues:

• Fiji observes DST from 2019-11-10 to 2020-01-12.
• Norfolk Island starts observing Australian-style DST.

This update for runc fixes the following issues:
Security issue fixed:

• CVE-2019-16884: Fixed an LSM bypass via malicious Docker images that mount over a /proc directory. (bsc#1152308)

• Includes upstreamed patches for regressions (bsc#1131314 bsc#1131553).

This update for ncurses fixes the following issues:
Security issues fixed:

• CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
• CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).

• Removed screen.xterm from terminfo database (bsc#1103320).

This update includes the GNU Compiler Collection 9.
A full changelog is provided by the GCC team on:
https://www.gnu.org/software/gcc/gcc-9/changes.html

The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages.
To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it.

Security issues fixed:

• CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
• CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

• Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
• Fixed miscompilation for vector shift on s390. (bsc#1141897)

This update for libidn2 to version 2.2.0 fixes the following issues:

• CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
• CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).

This update for sysstat fixes the following issues:

• Enable log information of starting/stoping services. (bsc#1144923, jsc#SLE-5958)

This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.47.1:
Security issues fixed:

• CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
• CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527).
• CVE-2019-11727: Fixed vulnerability sign CertificateVerify with PKCS#1 v1.5 signatures issue (bsc#1141322).

• Whitespace in C files was cleaned up and no longer uses tab characters for indenting.

This update for openslp doesn't fix any user visible bugs.

This update for procps fixes the following issues:

• Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830)

This update for pam fixes the following issues:

• Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)

This update for PAM fixes the following issue:

• The license of libdb linked against pam_userdb is not always wanted, so we temporary disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510)

This update for cni, cni-plugins, conmon, fuse-overlayfs, podman fixes the following issues:
podman was updated to 1.8.0:

• CVE-2019-18466: Fixed a bug where podman cp would improperly copy files on the host when copying a symlink in the container that included a glob operator (#3829 bsc#1155217)

• The name of the cni-bridge in the default config changed from 'cni0' to 'podman-cni0' with podman-1.6.0. Add a %trigger to rename the bridge in the system to the new default if it exists. The trigger is only excuted when updating podman-cni-config from something older than 1.6.0. This is mainly needed for SLE where we're updating from 1.4.4 to 1.8.0 (bsc#1160460).

• Features

• Bugfixes

• Misc

• Add apparmor-abstractions as required runtime dependency to have `tunables/global` available.

• fixed the --force flag for the 'container prune' command. (https://github.com/containers/libpod/issues/4844)

• Features

• Bugfixes

• Misc

• Remove winsz FIFO on container restart to allow use with Conmon 2.03 and higher
• Ensure volumes reacquire locks on system restart, preventing deadlocks when starting containers
• Suppress spurious log messages when running rootless Podman
• Update vendored containers/storage to v1.13.6
• Fix a deadlock related to writing events
• Do not use the journald event logger when it is not available

• Features

• Bugfixes

• Misc

• Features

• Bugfixes

• Misc

• Add katacontainers as a recommended package, and include it as an additional OCI runtime in the configuration.

• Features

• Bugfixes

• Misc

• Add zsh completion for podman commands

• Features

• Bugfixes

• Misc

• Update libpod.conf to support latest path discovery feature for `runc` and `conmon` binaries.

• do not look in lower layers for the ino if there is no origin xattr set
• attempt to use the file path if the operation on the fd fails with ENXIO
• do not expose internal xattrs through listxattr and getxattr
• fix fallocate for deleted files.
• ignore O_DIRECT. It causes issues with libfuse not using an aligned buffer, causing write(2) to fail with EINVAL.
• on copyup, do not copy the opaque xattr.
• fix a wrong lookup for whiteout files, that could happen on a double unlink.
• fix possible segmentation fault in direct_fsync()
• use the data store to create missing whiteouts
• after a rename, force a directory reload
• introduce inodes cache
• correctly read inode for unix sockets
• avoid hash map lookup when possible
• use st_dev for the ino key
• check whether writeback is supported
• set_attrs: don't require write to S_IFREG
• ioctl: do not reuse fi->fh for directories
• fix skip whiteout deletion optimization
• store the new mode after chmod
• support fuse writeback cache and enable it by default
• add option to disable fsync
• add option to disable xattrs
• add option to skip ino number check in lower layers
• fix fd validity check
• fix memory leak
• fix read after free
• fix type for flistxattr return
• fix warnings reported by lgtm.com
• enable parallel dirops

• Set correct CNI version for 99-loopback.conf

• Library changes:

• Documentation & Convention changes:

• Spec changes:

• Library changes:

• Install sleep binary into CNI plugin directory

• add support for mips64le
• Add missing cniVersion in README example
• bump go-iptables module to v0.4.5
• iptables: add idempotent functions
• portmap doesn't fail if chain doesn't exist
• fix portmap port forward flakiness
• Add Bruce Ma and Piotr Skarmuk as owners

• Enhancements: * static: prioritize the input sources for IPs (#400). * tuning: send gratuitous ARP in case of MAC address update (#403). * bandwidth: use uint64 for Bandwidth value (#389). * ptp: only override DNS conf if DNS settings provided (#388). * loopback: When prevResults are not supplied to loopback plugin, create results to return (#383). * loopback support CNI CHECK and result cache (#374).

• Better input validation: * vlan: add MTU validation to loadNetConf (#405). * macvlan: add MTU validation to loadNetConf (#404). * bridge: check vlan id when loading net conf (#394).

• Bugfixes:

• Docs:

• New features:

• Bug fixes: * Fix: failed to set bridge addr: could not add IP address to 'cni0': file exists * host-device: revert name setting to make retries idempotent (#357). * Vendor update go-iptables. Vendor update go-iptables to obtain commit f1d0510cabcb710d5c5dd284096f81444b9d8d10 * Update go.mod & go.sub * Remove link Down/Up in MAC address change to prevent route flush (#364). * pkg/ip unit test: be agnostic of Linux version, on Linux 4.4 the syscall error message is 'invalid argument' not 'file exists' * bump containernetworking/cni to v0.7.1

• Bugs:

• Improvements: * host-device: add pciBusID property

• New plugins:

• Plugin features / changelog:

• Bug fixes & minor changes * Correctly DEL on ipam failure for all plugins * Fix bug on ip revert if cmdAdd fails on macvlan and host-device * host-device: Ensure device is down before rename * Fix -hostprefix option * some DHCP servers expect to request for explicit router options * bridge: release IP in case of error * change source of ipmasq rule from ipn to ip

• This release takes a minor change to the portmap plugin: * Portmap: append, rather than prepend, entry rules

• This fixes a potential issue where firewall rules may be bypassed by port mapping

This update for openslp fixes the following issues:

• Add missing group prerequisites to the openslp-server package. (bsc#1165050)
• Add missing openslp prerequisites to the openslp-server package. (bsc#1165121)

This update for pam fixes the following issues:

• Moved pam_userdb into a separate package pam-extra. (bsc#1166510)

This update for runc fixes the following issues:
runc was updated to v1.0.0~rc10

• CVE-2019-19921: Fixed a mount race condition with shared mounts (bsc#1160452).
• Fixed an issue where podman run hangs when spawned by salt-minion process (bsc#1149954).

This update for gmp, gnutls, libnettle fixes the following issues:
Security issue fixed:

• CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)

• FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
• FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881)
• FIPS: Added Diffie Hellman public key verification test. (bsc#1155327)

This update for pciutils-ids fixes the following issues:

• Update the PCI utilities database to 20200324. (bsc#1170160)

This update for gcc9 fixes the following issues:
This update ships the GCC 9.3 release.

• Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
• Includes fix for binutils version parsing
• Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10.
• Add gcc9 autodetect -g at lto link (bsc#1149995)
• Install go tool buildid for bootstrapping go

This update for jq fixes the following issues:
jq was updated to version 1.6:

• Destructuring Alternation
• many new builtins (see docs)
• Add support for ASAN and UBSAN
• Make it easier to use jq with shebangs
• Add $ENV builtin variable to access environment
• Add JQ_COLORS env var for configuring the output colors
• change: Calling jq without a program argument now always assumes

• Make jq depend on libjq1, so upgrading jq upgrades both

This update for file fixes the following issues:
Security issues fixed:

• CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661).

• Fixed broken '--help' output (bsc#1169512).

This update for libbsd fixes the following issues:

• CVE-2019-20367: Fixed an out-of-bounds read during a comparison for a symbol names from the string table (bsc#1160551).

This update for timezone fixes the following issues:

• timezone update 2020a. (bsc#1169582) * Morocco springs forward on 2020-05-31, not 2020-05-24. * Canada's Yukon advanced to -07 year-round on 2020-03-08. * America/Nuuk renamed from America/Godthab. * zic now supports expiration dates for leap second lists.

This update for psmisc fixes the following issues:

• Allow not unique mounts as well as not unique mountpoint. (bsc#1170247)

This update for grep fixes the following issues:

• Update testsuite expectations, no functional changes (bsc#1155271)

This update for sysstat fixes the following issues:

• CVE-2019-19725: Fixed double free in check_file_actlst in sa_common.c (bsc#1159104).

This update for libmspack fixes the following issues:
Security issue fixed:

• CVE-2019-1010305: Fixed a buffer overflow triggered by a crafted chm file which could have led to information disclosure (bsc#1141680).

• Enable build-time tests (bsc#1130489)

This update for timezone fixes the following issue:

• zdump --version reported 'unknown' (bsc#1172055)

This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to version 3.53

• CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978).
• CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).

This update for cracklib fixes the following issues:

• Fixed a buffer overflow when processing long words.

This update for libtool provides missing the libltdl 32bit library. (bsc#1171566)

This update for diffutils fixes the following issue:

• Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913)

This update for lshw fixes the following issues:

• Fixes the detection of powerpc products (bsc#1172156)
• Fixed an issue where lshw crashed on powerpc and aarch64 (bsc#1168865, bsc#1169668)

This update for conmon, fuse-overlayfs, libcontainers-common, podman fixes the following issues:
podman was updated to v2.0.6 (bsc#1175821)

• install missing systemd units for the new Rest API (bsc#1175957) and a few man-pages that where missing before
• Drop varlink API related bits (in favor of the new API)
• fix install location for zsh completions

• Features

• Changes

• Bugfixes

• API

• Change hard requires for AppArmor to Recommends. They are not needed for runtime or with SELinux but already installed if AppArmor is used [jsc#SMO-15]
• Add BuildRequires for pkg-config(libselinux) to build with SELinux support [jsc#SMO-15]

• Fixed a bug where the output of podman image search did not populate the Description field as it was mistakenly assigned to the ID field.
• Fixed a bug where podman build - and podman build on an HTTP target would fail.
• Fixed a bug where rootless Podman would improperly chown the copied-up contents of anonymous volumes (#7130).
• Fixed a bug where Podman would sometimes HTML-escape special characters in its CLI output.
• Fixed a bug where the podman start --attach --interactive command would print the container ID of the container attached to when exiting (#7068).
• Fixed a bug where podman run --ipc=host --pid=host would only set --pid=host and not --ipc=host (#7100).
• Fixed a bug where the --publish argument to podman run, podman create and podman pod create would not allow binding the same container port to more than one host port (#7062).
• Fixed a bug where incorrect arguments to podman images --format could cause Podman to segfault.
• Fixed a bug where podman rmi --force on an image ID with more than one name and at least one container using the image would not completely remove containers using the image (#7153).
• Fixed a bug where memory usage in bytes and memory use percentage were swapped in the output of podman stats --format=json.
• Fixed a bug where the libpod and compat events endpoints would fail if no filters were specified (#7078).
• Fixed a bug where the CgroupVersion field in responses from the compat Info endpoint was prefixed by 'v' (instead of just being '1' or '2', as is documented).

• Suggest katacontainers instead of recommending it. It's not enabled by default, so it's just bloat

• Fix handling of entrypoint
• log API: add context to allow for cancelling
• fix API: Create container with an invalid configuration
• Remove all instances of named return 'err' from Libpod
• Fix: Correct connection counters for hijacked connections
• Fix: Hijacking v2 endpoints to follow rfc 7230 semantics
• Remove hijacked connections from active connections list
• version/info: format: allow more json variants
• Correctly print STDOUT on non-terminal remote exec
• Fix container and pod create commands for remote create
• Mask out /sys/dev to prevent information leak from the host
• Ensure sig-proxy default is propagated in start
• Add SystemdMode to inspect for containers
• When determining systemd mode, use full command
• Fix lint
• Populate remaining unused fields in `pod inspect`
• Include infra container information in `pod inspect`
• play-kube: add suport for 'IfNotPresent' pull type
• docs: user namespace can't be shared in pods
• Fix 'Error: unrecognized protocol \'TCP\' in port mapping'
• Error on rootless mac and ip addresses
• Fix & add notes regarding problematic language in codebase
• abi: set default umask and rlimits
• Used reference package with errors for parsing tag
• fix: system df error when an image has no name
• Fix Generate API title/description
• Add noop function disable-content-trust
• fix play kube doesn't override dockerfile ENTRYPOINT
• Support default profile for apparmor
• Bump github.com/containers/common to v0.14.6
• events endpoint: backwards compat to old type
• events endpoint: fix panic and race condition
• Switch references from libpod.conf to containers.conf
• podman.service: set type to simple
• podman.service: set doc to podman-system-service
• podman.service: use default registries.conf
• podman.service: use default killmode
• podman.service: remove stop timeout
• systemd: symlink user->system
• vendor golang.org/x/text@v0.3.3
• Fix a bug where --pids-limit was parsed incorrectly
• search: allow wildcards
• [CI:DOCS]Do not copy policy.json into gating image
• Fix systemd pid 1 test
• Cirrus: Rotate keys post repo. rename
• The libpod.conf(5) man page got removed and all references are now pointing towards containers.conf(5), which will be part of the libcontainers-common package.

• fix race condition in `libpod.GetEvents(...)`
• Fix bug where `podman mount` didn't error as rootless
• remove podman system connection
• Fix imports to ensure v2 is used with libpod
• Update release notes for v2.0.2
• specgen: fix order for setting rlimits
• Ensure umask is set appropriately for 'system service'
• generate systemd: improve pod-flags filter
• Fix a bug with APIv2 compat network remove to log an ErrNetworkNotFound instead of nil
• Fixes --remote flag issues
• Pids-limit should only be set if the user set it
• Set console mode for windows
• Allow empty host port in --publish flag
• Add a note on the APIs supported by `system service`
• fix: Don't override entrypoint if it's `nil`
• Set TMPDIR to /var/tmp by default if not set
• test: add tests for --user and volumes
• container: move volume chown after spec generation
• libpod: volume copyup honors namespace mappings
• Fix `system service` panic from early hangup in events
• stop podman service in e2e tests
• Print errors from individual containers in pods
• auto-update: clarify systemd-unit requirements
• podman ps truncate the command
• move go module to v2
• Vendor containers/common v0.14.4
• Bump to imagebuilder v1.1.6 on v2 branch
• Account for non-default port number in image name
• Changes since v2.0.1
• Update release notes with further v2.0.1 changes
• Fix inspect to display multiple label: changes
• Set syslog for exit commands on log-level=debug
• Friendly amendment for pr 6751
• podman run/create: support all transports
• systemd generate: allow manual restart of container units in pods
• Revert sending --remote flag to containers
• Print port mappings in `ps` for ctrs sharing network
• vendor github.com/containers/common@v0.14.3
• Update release notes for v2.0.1
• utils: drop default mapping when running uid!=0
• Set stop signal to 15 when not explicitly set
• podman untag: error if tag doesn't exist
• Reformat inspect network settings
• APIv2: Return `StatusCreated` from volume creation
• APIv2:fix: Remove `/json` from compat network EPs
• Fix ssh-agent support
• libpod: specify mappings to the storage
• APIv2:doc: Fix swagger doc to refer to volumes
• Add podman network to bash command completions
• Fix typo in manpage for `podman auto update`.
• Add JSON output field for ps
• V2 podman system connection
• image load: no args required
• Re-add PODMAN_USERNS environment variable
• Fix conflicts between privileged and other flags
• Bump required go version to 1.13
• Add explicit command to alpine container in test case.
• Use POLL_DURATION for timer
• Stop following logs using timers
• 'pod' was being truncated to 'po' in the names of the generated systemd unit files.
• rootless_linux: improve error message
• Fix podman build handling of --http-proxy flag
• correct the absolute path of `rm` executable
• Makefile: allow customizable GO_BUILD
• Cirrus: Change DEST_BRANCH to v2.0

• The `podman generate systemd` command now supports the `--new` flag when used with pods, allowing portable services for pods to be created.
• The `podman play kube` command now supports running Kubernetes Deployment YAML.
• The `podman exec` command now supports the `--detach` flag to run commands in the container in the background.
• The `-p` flag to `podman run` and `podman create` now supports forwarding ports to IPv6 addresses.
• The `podman run`, `podman create` and `podman pod create` command now support a `--replace` flag to remove and replace any existing container (or, for `pod create`, pod) with the same name
• The `--restart-policy` flag to `podman run` and `podman create` now supports the `unless-stopped` restart policy.
• The `--log-driver` flag to `podman run` and `podman create` now supports the `none` driver, which does not log the container's output.
• The `--mount` flag to `podman run` and `podman create` now accepts `readonly` option as an alias to `ro`.
• The `podman generate systemd` command now supports the `--container-prefix`, `--pod-prefix`, and `--separator` arguments to control the name of generated unit files.
• The `podman network ls` command now supports the `--filter` flag to filter results.
• The `podman auto-update` command now supports specifying an authfile to use when pulling new images on a per-container basis using the `io.containers.autoupdate.authfile` label.
• Fixed a bug where the `podman exec` command would log to journald when run in containers loggined to journald ([#6555](https://github.com/containers/libpod/issues/6555)).
• Fixed a bug where the `podman auto-update` command would not preserve the OS and architecture of the original image when pulling a replacement ([#6613](https://github.com/containers/libpod/issues/6613)).
• Fixed a bug where the `podman cp` command could create an extra `merged` directory when copying into an existing directory ([#6596](https://github.com/containers/libpod/issues/6596)).
• Fixed a bug where the `podman pod stats` command would crash on pods run with `--network=host` ([#5652](https://github.com/containers/libpod/issues/5652)).
• Fixed a bug where containers logs written to journald did not include the name of the container.
• Fixed a bug where the `podman network inspect` and `podman network rm` commands did not properly handle non-default CNI configuration paths ([#6212](https://github.com/containers/libpod/issues/6212)).
• Fixed a bug where Podman did not properly remove containers when using the Kata containers OCI runtime.
• Fixed a bug where `podman inspect` would sometimes incorrectly report the network mode of containers started with `--net=none`.
• Podman is now better able to deal with cases where `conmon` is killed before the container it is monitoring.

• Fixed a bug where, on FIPS enabled hosts, FIPS mode secrets were not properly mounted into containers
• Fixed a bug where builds run over Varlink would hang
• Fixed a bug where podman save would fail when the target image was specified by digest
• Fixed a bug where rootless containers with ports forwarded to them could panic and dump core due to a concurrency issue (#6018)
• Fixed a bug where rootless Podman could race when opening the rootless user namespace, resulting in commands failing to run
• Fixed a bug where HTTP proxy environment variables forwarded into the container by the --http-proxy flag could not be overridden by --env or --env-file
• Fixed a bug where rootless Podman was setting resource limits on cgroups v2 systems that were not using systemd-managed cgroups (and thus did not support resource limits), resulting in containers failing to start

• Bugfixes

• Features

• Changes

• Bugfixes

• HTTP API

• Misc

• Add 'systemd' BUILDFLAGS to build with support for journald logging (bsc#1162432)

• Features

• Bugfixes

• HTTP API

• Features

• Bugfixes

• HTTP API