{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_security_advisory","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"Security update for buildah","title":"Title of the patch"},{"category":"description","text":"This update for buildah fixes the following issues:\n\nbuildah was updated to v1.17.0 (bsc#1165184):\n\n* Handle cases where other tools mount/unmount containers\n* overlay.MountReadOnly: support RO overlay mounts\n* overlay: use fusermount for rootless umounts\n* overlay: fix umount\n* Switch default log level of Buildah to Warn. Users need to see these messages\n* Drop error messages about OCI/Docker format to Warning level\n* build(deps): bump github.com/containers/common from 0.26.0 to 0.26.2\n* tests/testreport: adjust for API break in storage v1.23.6\n* build(deps): bump github.com/containers/storage from 1.23.5 to 1.23.7\n* build(deps): bump github.com/fsouza/go-dockerclient from 1.6.5 to 1.6.6\n* copier: put: ignore Typeflag='g'\n* Use curl to get repo file (fix #2714)\n* build(deps): bump github.com/containers/common from 0.25.0 to 0.26.0\n* build(deps): bump github.com/spf13/cobra from 1.0.0 to 1.1.1\n* Remove docs that refer to bors, since we're not using it\n* Buildah bud should not use stdin by default\n* bump containerd, docker, and golang.org/x/sys\n* Makefile: cross: remove windows.386 target\n* copier.copierHandlerPut: don't check length when there are errors\n* Stop excessive wrapping\n* CI: require that conformance tests pass\n* bump(github.com/openshift/imagebuilder) to v1.1.8\n* Skip tlsVerify insecure BUILD_REGISTRY_SOURCES\n* Fix build path wrong containers/podman#7993\n* refactor pullpolicy to avoid deps\n* build(deps): bump github.com/containers/common from 0.24.0 to 0.25.0\n* CI: run gating tasks with a lot more memory\n* ADD and COPY: descend into excluded directories, sometimes\n* copier: add more context to a couple of error messages\n* copier: check an error earlier\n* copier: log stderr output as debug on success\n* Update nix pin with make nixpkgs\n* Set directory ownership when copied with ID mapping\n* build(deps): bump github.com/sirupsen/logrus from 1.6.0 to 1.7.0\n* build(deps): bump github.com/containers/common from 0.23.0 to 0.24.0\n* Cirrus: Remove bors artifacts\n* Sort build flag definitions alphabetically\n* ADD: only expand archives at the right time\n* Remove configuration for bors\n* Shell Completion for podman build flags\n* Bump c/common to v0.24.0\n* New CI check: xref --help vs man pages\n* CI: re-enable several linters\n* Move --userns-uid-map/--userns-gid-map description into buildah man page\n* add: preserve ownerships and permissions on ADDed archives\n* Makefile: tweak the cross-compile target\n* Bump containers/common to v0.23.0\n* chroot: create bind mount targets 0755 instead of 0700\n* Change call to Split() to safer SplitN()\n* chroot: fix handling of errno seccomp rules\n* build(deps): bump github.com/containers/image/v5 from 5.5.2 to 5.6.0\n* Add In Progress section to contributing\n* integration tests: make sure tests run in ${topdir}/tests\n* Run(): ignore containers.conf's environment configuration\n* Warn when setting healthcheck in OCI format\n* Cirrus: Skip git-validate on branches\n* tools: update git-validation to the latest commit\n* tools: update golangci-lint to v1.18.0\n* Add a few tests of push command\n* Add(): fix handling of relative paths with no ContextDir\n* build(deps): bump github.com/containers/common from 0.21.0 to 0.22.0\n* Lint: Use same linters as podman\n* Validate: reference HEAD\n* Fix buildah mount to display container names not ids\n* Update nix pin with make nixpkgs\n* Add missing --format option in buildah from man page\n* Fix up code based on codespell\n* build(deps): bump github.com/openshift/imagebuilder from 1.1.6 to 1.1.7\n* build(deps): bump github.com/containers/storage from 1.23.4 to 1.23.5\n* Improve buildah completions\n* Cirrus: Fix validate commit epoch\n* Fix bash completion of manifest flags\n* Uniform some man pages\n* Update Buildah Tutorial to address BZ1867426\n* Update bash completion of manifest add sub command\n* copier.Get(): hard link targets shouldn't be relative paths\n* build(deps): bump github.com/onsi/gomega from 1.10.1 to 1.10.2\n* Pass timestamp down to history lines\n* Timestamp gets updated everytime you inspect an image\n* bud.bats: use absolute paths in newly-added tests\n* contrib/cirrus/lib.sh: don't use CN for the hostname\n* tests: Add some tests\n* Update manifest add man page\n* Extend flags of manifest add\n* build(deps): bump github.com/containers/storage from 1.23.3 to 1.23.4\n* build(deps): bump github.com/onsi/ginkgo from 1.14.0 to 1.14.1\n* CI: expand cross-compile checks\n\nUpdate to v1.16.2:\n\n* fix build on 32bit arches\n* containerImageRef.NewImageSource(): don't always force timestamps\n* Add fuse module warning to image readme\n* Heed our retry delay option values when retrying commit/pull/push\n* Switch to containers/common for seccomp\n* Use --timestamp rather then --omit-timestamp\n* docs: remove outdated notice\n* docs: remove outdated notice\n* build-using-dockerfile: add a hidden --log-rusage flag\n* build(deps): bump github.com/containers/image/v5 from 5.5.1 to 5.5.2\n* Discard ReportWriter if user sets options.Quiet\n* build(deps): bump github.com/containers/common from 0.19.0 to 0.20.3\n* Fix ownership of content copied using COPY --from\n* newTarDigester: zero out timestamps in tar headers\n* Update nix pin with `make nixpkgs`\n* bud.bats: correct .dockerignore integration tests\n* Use pipes for copying\n* run: include stdout in error message\n* run: use the correct error for errors.Wrapf\n* copier: un-export internal types\n* copier: add Mkdir()\n* in_podman: don't get tripped up by $CIRRUS_CHANGE_TITLE\n* docs/buildah-commit.md: tweak some wording, add a --rm example\n* imagebuildah: don’t blank out destination names when COPYing\n* Replace retry functions with common/pkg/retry\n* StageExecutor.historyMatches: compare timestamps using .Equal\n* Update vendor of containers/common\n* Fix errors found in coverity scan\n* Change namespace handling flags to better match podman commands\n* conformance testing: ignore buildah.BuilderIdentityAnnotation labels\n* Vendor in containers/storage v1.23.0\n* Add buildah.IsContainer interface\n* Avoid feeding run_buildah to pipe\n* fix(buildahimage): add xz dependency in buildah image\n* Bump github.com/containers/common from 0.15.2 to 0.18.0\n* Howto for rootless image building from OpenShift\n* Add --omit-timestamp flag to buildah bud\n* Update nix pin with `make nixpkgs`\n* Shutdown storage on failures\n* Handle COPY --from when an argument is used\n* Bump github.com/seccomp/containers-golang from 0.5.0 to 0.6.0\n* Cirrus: Use newly built VM images\n* Bump github.com/opencontainers/runc from 1.0.0-rc91 to 1.0.0-rc92\n* Enhance the .dockerignore man pages\n* conformance: add a test for COPY from subdirectory\n* fix  bug manifest inspct\n* Add documentation for .dockerignore\n* Add BuilderIdentityAnnotation to identify buildah version\n* DOC: Add quay.io/containers/buildah image to README.md\n* Update buildahimages readme\n* fix spelling mistake in 'info' command result display\n* Don't bind /etc/host and /etc/resolv.conf if network is not present\n* blobcache: avoid an unnecessary NewImage()\n* Build static binary with `buildGoModule`\n* copier: split StripSetidBits into StripSetuidBit/StripSetgidBit/StripStickyBit\n* tarFilterer: handle multiple archives\n* Fix a race we hit during conformance tests\n* Rework conformance testing\n* Update 02-registries-repositories.md\n* test-unit: invoke cmd/buildah tests with --flags\n* parse: fix a type mismatch in a test\n* Fix compilation of tests/testreport/testreport\n* build.sh: log the version of Go that we're using\n* test-unit: increase the test timeout to 40/45 minutes\n* Add the 'copier' package\n* Fix & add notes regarding problematic language in codebase\n* Add dependency on github.com/stretchr/testify/require\n* CompositeDigester: add the ability to filter tar streams\n* BATS tests: make more robust\n* vendor golang.org/x/text@v0.3.3\n* Switch golang 1.12 to golang 1.13\n* imagebuildah: wait for stages that might not have even started yet\n* chroot, run: not fail on bind mounts from /sys\n* chroot: do not use setgroups if it is blocked\n* Set engine env from containers.conf\n* imagebuildah: return the right stage's image as the 'final' image\n* Fix a help string\n* Deduplicate environment variables\n* switch containers/libpod to containers/podman\n* Bump github.com/containers/ocicrypt from 1.0.2 to 1.0.3\n* Bump github.com/opencontainers/selinux from 1.5.2 to 1.6.0\n* Mask out /sys/dev to prevent information leak\n* linux: skip errors from the runtime kill\n* Mask over the /sys/fs/selinux in mask branch\n* Add VFS additional image store to container\n* tests: add auth tests\n* Allow 'readonly' as alias to 'ro' in mount options\n* Ignore OS X specific consistency mount option\n* Bump github.com/onsi/ginkgo from 1.13.0 to 1.14.0\n* Bump github.com/containers/common from 0.14.0 to 0.15.2\n* Rootless Buildah should default to IsolationOCIRootless\n* imagebuildah: fix inheriting multi-stage builds\n* Make imagebuildah.BuildOptions.Architecture/OS optional\n* Make imagebuildah.BuildOptions.Jobs optional\n* Resolve a possible race in imagebuildah.Executor.startStage()\n* Switch scripts to use containers.conf\n* Bump openshift/imagebuilder to v1.1.6\n* Bump go.etcd.io/bbolt from 1.3.4 to 1.3.5\n* buildah, bud: support --jobs=N for parallel execution\n* executor: refactor build code inside new function\n* Add bud regression tests\n* Cirrus: Fix missing htpasswd in registry img\n* docs: clarify the 'triples' format\n* CHANGELOG.md: Fix markdown formatting\n* Add nix derivation for static builds\n* Bump to v1.16.0-dev\n\n- Update to v1.15.1\n* Mask over the /sys/fs/selinux in mask branch\n* chroot: do not use setgroups if it is blocked\n* chroot, run: not fail on bind mounts from /sys\n* Allow 'readonly' as alias to 'ro' in mount options\n* Add VFS additional image store to container\n* vendor golang.org/x/text@v0.3.3\n* Make imagebuildah.BuildOptions.Architecture/OS optional\n\nUpdate to v1.15.0:\n\n* Add CVE-2020-10696 to CHANGELOG.md and changelog.txt\n* fix lighttpd example\n* remove dependency on openshift struct\n* Warn on unset build arguments\n* vendor: update seccomp/containers-golang to v0.4.1\n* Updated docs\n* clean up comments\n* update exit code for tests\n* Implement commit for encryption\n* implementation of encrypt/decrypt push/pull/bud/from\n* fix resolve docker image name as transport\n* Add preliminary profiling support to the CLI\n* Evaluate symlinks in build context directory\n* fix error info about get signatures for containerImageSource\n* Add Security Policy\n* Cirrus: Fixes from review feedback\n* imagebuildah: stages shouldn't count as their base images\n* Update containers/common v0.10.0\n* Add registry to buildahimage Dockerfiles\n* Cirrus: Use pre-installed VM packages + F32\n* Cirrus: Re-enable all distro versions\n* Cirrus: Update to F31 + Use cache images\n* golangci-lint: Disable gosimple\n* Lower number of golangci-lint threads\n* Fix permissions on containers.conf\n* Don't force tests to use runc\n* Return exit code from failed containers\n* cgroup_manager should be under [engine]\n* Use c/common/pkg/auth in login/logout\n* Cirrus: Temporarily disable Ubuntu 19 testing\n* Add containers.conf to stablebyhand build\n* Update gitignore to exclude test Dockerfiles\n* Remove warning for systemd inside of container\n\nUpdate to v1.14.6:\n\n* Make image history work correctly with new args handling\n* Don't add args to the RUN environment from the Builder\n\nUpdate to v1.14.5:\n\n* Revert FIPS mode change\n\nUpdate to v1.14.4:\n\n* Update unshare man page to fix script example\n* Fix compilation errors on non linux platforms\n* Preserve volume uid and gid through subsequent commands\n* Fix potential CVE in tarfile w/ symlink\n* Fix .dockerignore with globs and ! commands\n\nUpdate to v1.14.2:\n\n* Search for local runtime per values in containers.conf\n* Set correct ownership on working directory\n* Improve remote manifest retrieval\n* Correct a couple of incorrect format specifiers\n* manifest push --format: force an image type, not a list type\n* run: adjust the order in which elements are added to $\n* getDateAndDigestAndSize(): handle creation time not being set\n* Make the commit id clear like Docker\n* Show error on copied file above context directory in build\n* pull/from/commit/push: retry on most failures\n* Repair buildah so it can use containers.conf on the server side\n* Fixing formatting & build instructions\n* Fix XDG_RUNTIME_DIR for authfile\n* Show validation command-line\n\nUpdate to v1.14.0:\n\n* getDateAndDigestAndSize(): use manifest.Digest\n* Touch up os/arch doc\n* chroot: handle slightly broken seccomp defaults\n* buildahimage: specify fuse-overlayfs mount options\n* parse: don't complain about not being able to rename something to itself\n* Fix build for 32bit platforms\n* Allow users to set OS and architecture on bud\n* Fix COPY in containerfile with envvar\n* Add --sign-by to bud/commit/push, --remove-signatures for pull/push\n* Add support for containers.conf\n* manifest push: add --format option\n\nUpdate to v1.13.1:\n\n* copyFileWithTar: close source files at the right time\n* copy: don't digest files that we ignore\n* Check for .dockerignore specifically\n* Don't setup excludes, if their is only one pattern to match\n* set HOME env to /root on chroot-isolation by default\n* docs: fix references to containers-*.5\n* fix bug Add check .dockerignore COPY file\n* buildah bud --volume: run from tmpdir, not source dir\n* Fix imageNamePrefix to give consistent names in buildah-from\n* cpp: use -traditional and -undef flags\n* discard outputs coming from onbuild command on buildah-from --quiet\n* make --format columnizing consistent with buildah images\n* Fix option handling for volumes in build\n* Rework overlay pkg for use with libpod\n* Fix buildahimage builds for buildah\n* Add support for FIPS-Mode backends\n* Set the TMPDIR for pulling/pushing image to $TMPDIR\n\nUpdate to v1.12.0:\n\n* Allow ADD to use http src\n* imgtype: reset storage opts if driver overridden\n* Start using containers/common\n* overlay.bats typo: fuse-overlays should be fuse-overlayfs\n* chroot: Unmount with MNT_DETACH instead of UnmountMountpoints()\n* bind: don't complain about missing mountpoints\n* imgtype: check earlier for expected manifest type\n* Add history names support\n\nUpdate to v1.11.6:\n\n* Handle missing equal sign in --from and --chown flags for COPY/ADD\n* bud COPY does not download URL\n* Fix .dockerignore exclude regression\n* commit(docker): always set ContainerID and ContainerConfig\n* Touch up commit man page image parameter\n* Add builder identity annotations.\n\nUpdate to v1.11.5:\n\n* buildah: add 'manifest' command\n* pkg/supplemented: add a package for grouping images together\n* pkg/manifests: add a manifest list build/manipulation API\n* Update for ErrUnauthorizedForCredentials API change in containers/image\n* Update for manifest-lists API changes in containers/image\n* version: also note the version of containers/image\n* Move to containers/image v5.0.0\n* Enable --device directory as src device\n* Add clarification to the Tutorial for new users\n* Silence 'using cache' to ensure -q is fully quiet\n* Move runtime flag to bud from common\n* Commit: check for storage.ErrImageUnknown using errors.Cause()\n* Fix crash when invalid COPY --from flag is specified.\n\nUpdate to v1.11.4:\n\n* buildah: add a 'manifest' command\n* pkg/manifests: add a manifest list build/manipulation API\n* Update for ErrUnauthorizedForCredentials API change in containers/image\n* Update for manifest-lists API changes in containers/image\n* Move to containers/image v5.0.0\n* Enable --device directory as src device\n* Add clarification to the Tutorial for new users\n* Silence 'using cache' to ensure -q is fully quiet\n* Move runtime flag to bud from common\n* Commit: check for storage.ErrImageUnknown using errors.Cause()\n* Fix crash when invalid COPY --from flag is specified.\n\nUpdate to v1.11.3:\n\n* Add cgroups2\n* Add support for retrieving context from stdin '-'\n* Added tutorial on how to include Buildah as library\n* Fix --build-args handling\n* Print build 'STEP' line to stdout, not stderr\n* Use Containerfile by default\n\nUpdate to v1.11.2:\n\n* Add some cleanup code\n* Move devices code to unit specific directory.\n\nUpdate to v1.11.1:\n\n* Add --devices flag to bud and from\n* Add support for /run/.containerenv\n* Allow mounts.conf entries for equal source and destination paths\n* Fix label and annotation for 1-line Dockerfiles\n* Preserve file and directory mount permissions\n* Replace --debug=false with --log-level=error\n* Set TMPDIR to /var/tmp by default\n* Truncate output of too long image names\n* Ignore EmptyLayer if Squash is set\n\nUpdate to v1.11.0:\n\n* Add --digestfile and Re-add push statement as debug\n* Add --log-level command line option and deprecate --debug\n* Add security-related volume options to validator\n* Allow buildah bud to be called without arguments\n* Allow to override build date with SOURCE_DATE_EPOCH\n* Correctly detect ExitError values from Run()\n* Disable empty logrus timestamps to reduce logger noise\n* Fix directory pull image names\n* Fix handling of /dev/null masked devices\n* Fix possible runtime panic on bud\n* Update bud/from help to contain indicator for --dns=none\n* Update documentation about bud\n* Update shebangs to take env into consideration\n* Use content digests in ADD/COPY history entries\n* add support for cgroupsV2\n* add: add a DryRun flag to AddAndCopyOptions\n* add: handle hard links when copying with .dockerignore\n* add: teach copyFileWithTar() about symlinks and directories\n* imagebuilder: fix detection of referenced stage roots\n* pull/commit/push: pay attention to $BUILD_REGISTRY_SOURCES\n* run_linux: fix mounting /sys in a userns\n\n\nUpdate to v1.10.1:\n\n* Add automatic apparmor tag discovery\n* Add overlayfs to fuse-overlayfs tip\n* Bug fix for volume minus syntax\n* Bump container/storage v1.13.1 and containers/image v3.0.1\n* Bump containers/image to v3.0.2 to fix keyring issue\n* Fix bug whereby --get-login has no effect\n* Bump github.com/containernetworking/cni to v0.7.1\n- Add appamor-pattern requirement\n\n- Update build process to match the latest repository architecture\n- Update to v1.10.0\n* vendor github.com/containers/image@v3.0.0\n* Remove GO111MODULE in favor of -mod=vendor\n* Vendor in containers/storage v1.12.16\n* Add '-' minus syntax for removal of config values\n* tests: enable overlay tests for rootless\n* rootless, overlay: use fuse-overlayfs\n* vendor github.com/containers/image@v2.0.1\n* Added '-' syntax to remove volume config option\n* delete successfully pushed message\n* Add golint linter and apply fixes\n* vendor github.com/containers/storage@v1.12.15\n* Change wait to sleep in buildahimage readme\n* Handle ReadOnly images when deleting images\n* Add support for listing read/only images\n* from/import: record the base image's digest, if it has one\n* Fix CNI version retrieval to not require network connection\n* Add misspell linter and apply fixes\n* Add goimports linter and apply fixes\n* Add stylecheck linter and apply fixes\n* Add unconvert linter and apply fixes\n* image: make sure we don't try to use zstd compression\n* run.bats: skip the 'z' flag when testing --mount\n* Update to runc v1.0.0-rc8\n* Update to match updated runtime-tools API\n* bump github.com/opencontainers/runtime-tools to v0.9.0\n* Build e2e tests using the proper build tags\n* Add unparam linter and apply fixes\n* Run: correct a typo in the --cap-add help text\n* unshare: add a --mount flag\n* fix push check image name is not empty\n* add: fix slow copy with no excludes\n* Add errcheck linter and fix missing error check\n* Improve tests/tools/Makefile parallelism and abstraction\n* Fix response body not closed resource leak\n* Switch to golangci-lint\n* Add gomod instructions and mailing list links\n* On Masked path, check if /dev/null already mounted before mounting\n* Update to containers/storage v1.12.13\n* Refactor code in package imagebuildah\n* Add rootless podman with NFS issue in documentation\n* Add --mount for buildah run\n* import method ValidateVolumeOpts from libpod\n* Fix typo\n* Makefile: set GO111MODULE=off\n* rootless: add the built-in slirp DNS server\n* Update docker/libnetwork to get rid of outdated sctp package\n* Update buildah-login.md\n* migrate to go modules\n* install.md: mention go modules\n* tests/tools: go module for test binaries\n* fix --volume splits comma delimited option\n* Add bud test for RUN with a priv'd command\n* vendor logrus v1.4.2\n* pkg/cli: panic when flags can't be hidden\n* pkg/unshare: check all errors\n* pull: check error during report write\n* run_linux.go: ignore unchecked errors\n* conformance test: catch copy error\n* chroot/run_test.go: export funcs to actually be executed\n* tests/imgtype: ignore error when shutting down the store\n* testreport: check json error\n* bind/util.go: remove unused func\n* rm chroot/util.go\n* imagebuildah: remove unused dedupeStringSlice\n* StageExecutor: EnsureContainerPath: catch error from SecureJoin()\n* imagebuildah/build.go: return instead of branching\n* rmi: avoid redundant branching\n* conformance tests: nilness: allocate map\n* imagebuildah/build.go: avoid redundant filepath.Join()\n* imagebuildah/build.go: avoid redundant os.Stat()\n* imagebuildah: omit comparison to bool\n* fix 'ineffectual assignment' lint errors\n* docker: ignore 'repeats json tag' lint error\n* pkg/unshare: use ... instead of iterating a slice\n* conformance: bud test: use raw strings for regexes\n* conformance suite: remove unused func/var\n* buildah test suite: remove unused vars/funcs\n* testreport: fix golangci-lint errors\n* util: remove redundant return statement\n* chroot: only log clean-up errors\n* images_test: ignore golangci-lint error\n* blobcache: log error when draining the pipe\n* imagebuildah: check errors in deferred calls\n* chroot: fix error handling in deferred funcs\n* cmd: check all errors\n* chroot/run_test.go: check errors\n* chroot/run.go: check errors in deferred calls\n* imagebuildah.Executor: remove unused onbuild field\n* docker/types.go: remove unused struct fields\n* util: use strings.ContainsRune instead of index check\n* Cirrus: Initial implementation\n* buildah-run: fix-out-of-range panic (2)\n* Update containers/image to v2.0.0\n* run: fix hang with run and --isolation=chroot\n* run: fix hang when using run\n* chroot: drop unused function call\n* remove --> before imgageID on build\n* Always close stdin pipe\n* Write deny to setgroups when doing single user mapping\n* Avoid including linux/memfd.h\n* Add a test for the symlink pointing to a directory\n* Add missing continue\n* Fix the handling of symlinks to absolute paths\n* Only set default network sysctls if not rootless\n* Support --dns=none like podman\n* fix bug --cpu-shares parsing typo\n* Fix validate complaint\n* Update vendor on containers/storage to v1.12.10\n* Create directory paths for COPY thereby ensuring correct perms\n* imagebuildah: use a stable sort for comparing build args\n* imagebuildah: tighten up cache checking\n* bud.bats: add a test verying the order of --build-args\n* add -t to podman run\n* imagebuildah: simplify screening by top layers\n* imagebuildah: handle ID mappings for COPY --from\n* imagebuildah: apply additionalTags ourselves\n* bud.bats: test additional tags with cached images\n* bud.bats: add a test for WORKDIR and COPY with absolute destinations\n* Cleanup Overlay Mounts content\n* Add support for file secret mounts\n* Add ability to skip secrets in mounts file\n* allow 32bit builds\n* fix tutorial instructions\n* imagebuilder: pass the right contextDir to Add()\n* add: use fileutils.PatternMatcher for .dockerignore\n* bud.bats: add another .dockerignore test\n* unshare: fallback to single usermapping\n* addHelperSymlink: clear the destination on os.IsExist errors\n* bud.bats: test replacing symbolic links\n* imagebuildah: fix handling of destinations that end with '/'\n* bud.bats: test COPY with a final '/' in the destination\n* linux: add check for sysctl before using it\n* unshare: set _CONTAINERS_ROOTLESS_GID\n* Rework buildahimamges\n* build context: support https git repos\n* Add a test for ENV special chars behaviour\n* Check in new Dockerfiles\n* Apply custom SHELL during build time\n* config: expand variables only at the command line\n* SetEnv: we only need to expand v once\n* Add default /root if empty on chroot iso\n* Add support for Overlay volumes into the container.\n* Export buildah validate volume functions so it can share code with libpod\n* Bump baseline test to F30\n* Fix rootless handling of /dev/shm size\n* Avoid fmt.Printf() in the library\n* imagebuildah: tighten cache checking back up\n* Handle WORKDIR with dangling target\n* Default Authfile to proper path\n* Make buildah run --isolation follow BUILDAH_ISOLATION environment\n* Vendor in latest containers/storage and containers/image\n* getParent/getChildren: handle layerless images\n* imagebuildah: recognize cache images for layerless images\n* bud.bats: test scratch images with --layers caching\n* Get CHANGELOG.md updates\n* Add some symlinks to test our .dockerignore logic\n* imagebuildah: addHelper: handle symbolic links\n* commit/push: use an everything-allowed policy\n* Correct manpage formatting in files section\n* Remove must be root statement from buildah doc\n* Change image names to stable, testing and upstream\n* Don't create directory on container\n* Replace kubernetes/pause in tests with k8s.gcr.io/pause\n* imagebuildah: don't remove intermediate images if we need them\n* Rework buildahimagegit to buildahimageupstream\n* Fix Transient Mounts\n* Handle WORKDIRs that are symlinks\n* allow podman to build a client for windows\n* Touch up 1.9-dev to 1.9.0-dev\n* Resolve symlink when checking container path\n* commit: commit on every instruction, but not always with layers\n* CommitOptions: drop the unused OnBuild field\n* makeImageRef: pass in the whole CommitOptions structure\n* cmd: API cleanup: stores before images\n* run: check if SELinux is enabled\n* Fix buildahimages Dockerfiles to include support for additionalimages mounted from host.\n* Detect changes in rootdir\n* Fix typo in buildah-pull(1)\n* Vendor in latest containers/storage\n* Keep track of any build-args used during buildah bud --layers\n* commit: always set a parent ID\n* imagebuildah: rework unused-argument detection\n* fix bug dest path when COPY .dockerignore\n* Move Host IDMAppings code from util to unshare\n* Add BUILDAH_ISOLATION rootless back\n* Travis CI: fail fast, upon error in any step\n* imagebuildah: only commit images for intermediate stages if we have to\n* Use errors.Cause() when checking for IsNotExist errors\n* auto pass http_proxy to container\n* imagebuildah: don't leak image structs\n* Add Dockerfiles for buildahimages\n* Bump to Replace golang 1.10 with 1.12\n* add --dns* flags to buildah bud\n* Add hack/build_speed.sh test speeds on building container images\n* Create buildahimage Dockerfile for Quay\n* rename 'is' to 'expect_output'\n* squash.bats: test squashing in multi-layered builds\n* bud.bats: test COPY --from in a Dockerfile while using the cache\n* commit: make target image names optional\n* Fix bud-args to allow comma separation\n* oops, missed some tests in commit.bats\n* new helper: expect_line_count\n* New tests for #1467 (string slices in cmdline opts)\n* Workarounds for dealing with travis; review feedback\n* BATS tests - extensive but minor cleanup\n* imagebuildah: defer pulling images for COPY --from\n* imagebuildah: centralize COMMIT and image ID output\n* Travis: do not use traviswait\n* imagebuildah: only initialize imagebuilder configuration once per stage\n* Make cleaner error on Dockerfile build errors\n* unshare: move to pkg/\n* unshare: move some code from cmd/buildah/unshare\n* Fix handling of Slices versus Arrays\n* imagebuildah: reorganize stage and per-stage logic\n* imagebuildah: add empty layers for instructions\n* Add missing step in installing into Ubuntu\n* fix bug in .dockerignore support\n* imagebuildah: deduplicate prepended 'FROM' instructions\n* Touch up intro\n* commit: set created-by to the shell if it isn't set\n* commit: check that we always set a 'created-by'\n* docs/buildah.md: add 'containers-' prefixes under 'SEE ALSO'\n\nUpdate to v1.7.2\n\n* Updates vendored containers/storage to latest version\n* rootless: by default use the host network namespace\n\n- Full changelog: https://github.com/containers/buildah/releases/tag/v1.6\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.","title":"Description of the patch"},{"category":"details","text":"openSUSE-2020-2106","title":"Patchnames"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"SUSE ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"self","summary":"URL of this CSAF notice","url":"https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_2106-1.json"},{"category":"self","summary":"URL for openSUSE-SU-2020:2106-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Q7YYGMTZ4T4RLHDVCMQD3K6CDIAXO3O3/"},{"category":"self","summary":"E-Mail link for openSUSE-SU-2020:2106-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Q7YYGMTZ4T4RLHDVCMQD3K6CDIAXO3O3/"},{"category":"self","summary":"SUSE Bug 1165184","url":"https://bugzilla.suse.com/1165184"},{"category":"self","summary":"SUSE Bug 1167864","url":"https://bugzilla.suse.com/1167864"},{"category":"self","summary":"SUSE CVE CVE-2019-10214 page","url":"https://www.suse.com/security/cve/CVE-2019-10214/"},{"category":"self","summary":"SUSE CVE CVE-2020-10696 page","url":"https://www.suse.com/security/cve/CVE-2020-10696/"}],"title":"Security update for buildah","tracking":{"current_release_date":"2020-11-29T11:30:14Z","generator":{"date":"2020-11-29T11:30:14Z","engine":{"name":"cve-database.git:bin/generate-csaf.pl","version":"1"}},"id":"openSUSE-SU-2020:2106-1","initial_release_date":"2020-11-29T11:30:14Z","revision_history":[{"date":"2020-11-29T11:30:14Z","number":"1","summary":"Current version"}],"status":"final","version":"1"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_version","name":"buildah-1.17.0-lp151.2.6.1.x86_64","product":{"name":"buildah-1.17.0-lp151.2.6.1.x86_64","product_id":"buildah-1.17.0-lp151.2.6.1.x86_64"}}],"category":"architecture","name":"x86_64"},{"branches":[{"category":"product_name","name":"openSUSE Leap 15.1","product":{"name":"openSUSE Leap 15.1","product_id":"openSUSE Leap 15.1","product_identification_helper":{"cpe":"cpe:/o:opensuse:leap:15.1"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"buildah-1.17.0-lp151.2.6.1.x86_64 as component of openSUSE Leap 15.1","product_id":"openSUSE Leap 15.1:buildah-1.17.0-lp151.2.6.1.x86_64"},"product_reference":"buildah-1.17.0-lp151.2.6.1.x86_64","relates_to_product_reference":"openSUSE Leap 15.1"}]},"vulnerabilities":[{"cve":"CVE-2019-10214","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2019-10214"}],"notes":[{"category":"general","text":"The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launch a MiTM attack and steal login credentials or bearer tokens.","title":"CVE description"}],"product_status":{"recommended":["openSUSE Leap 15.1:buildah-1.17.0-lp151.2.6.1.x86_64"]},"references":[{"category":"external","summary":"CVE-2019-10214","url":"https://www.suse.com/security/cve/CVE-2019-10214"},{"category":"external","summary":"SUSE Bug 1144065 for CVE-2019-10214","url":"https://bugzilla.suse.com/1144065"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["openSUSE Leap 15.1:buildah-1.17.0-lp151.2.6.1.x86_64"]}],"scores":[{"cvss_v3":{"baseScore":9,"baseSeverity":"CRITICAL","vectorString":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H","version":"3.0"},"products":["openSUSE Leap 15.1:buildah-1.17.0-lp151.2.6.1.x86_64"]}],"threats":[{"category":"impact","date":"2020-11-29T11:30:14Z","details":"moderate"}],"title":"CVE-2019-10214"},{"cve":"CVE-2020-10696","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2020-10696"}],"notes":[{"category":"general","text":"A path traversal flaw was found in Buildah in versions before 1.14.5. This flaw allows an attacker to trick a user into building a malicious container image hosted on an HTTP(s) server and then write files to the user's system anywhere that the user has permissions.","title":"CVE description"}],"product_status":{"recommended":["openSUSE Leap 15.1:buildah-1.17.0-lp151.2.6.1.x86_64"]},"references":[{"category":"external","summary":"CVE-2020-10696","url":"https://www.suse.com/security/cve/CVE-2020-10696"},{"category":"external","summary":"SUSE Bug 1167864 for CVE-2020-10696","url":"https://bugzilla.suse.com/1167864"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["openSUSE Leap 15.1:buildah-1.17.0-lp151.2.6.1.x86_64"]}],"scores":[{"cvss_v3":{"baseScore":8.8,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"products":["openSUSE Leap 15.1:buildah-1.17.0-lp151.2.6.1.x86_64"]}],"threats":[{"category":"impact","date":"2020-11-29T11:30:14Z","details":"important"}],"title":"CVE-2020-10696"}]}