{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_security_advisory","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"Security update for podman","title":"Title of the patch"},{"category":"description","text":"This update for podman fixes the following issues:\n\n- CVE-2025-6032: Fixed machine init command failing to verify TLS \n  certificate (bsc#1245320)\n- Fix conditional Requires (remove deprecated sle_version macro)\n- Update to version 5.4.2:\n  \n  * Add release notes for v5.4.2\n  * Fix a potential deadlock during `podman cp`\n  * Improve the file format documentation of podman-import.\n  * Revert \"podman-import only supports gz and tar\"\n  * Bump buildah to v1.39.4\n  * libpod: do not cover idmapped mountpoint\n  * test: Fix runc error message\n  * oci: report empty exec path as ENOENT\n  * test: adapt tests new crun error messages\n  * test: remove duplicate test\n  * cirrus: test only on f41/rawhide\n  * CI: use z1d instance for windows machine testing\n  * New images 2025-03-24\n  * test/e2e: use go net.Dial() ov nc\n  * test: use ncat over nc\n  * New images 2025-03-12\n  * RPM: Add riscv64 to ExclusiveArch-es\n  * Fix HealthCheck log destination, count, and size defaults\n  * Win installer test: hardcode latest GH release ID\n  * Packit: Fix action script for fetching upstream commit\n  * Bump to v5.4.2-dev\n  * Bump to v5.4.1\n  * update gvproxy version to 0.8.4\n  * Update Buildah to v1.39.2\n  * Update release notes for v5.4.1\n  * Fix reporting summed image size for compat endpoint\n  * podman-import only supports gz and tar\n  * quadlet kube: correctly mark unit as failed\n  * pkg/domain/infra/abi/play.go: fix two nilness issues\n  * kube play: don't print start errors twice\n  * libpod: race in WaitForConditionWithInterval()\n  * libpod: race in WaitForExit() with autoremove\n  * Don't try to resolve host path if copying to container from stdin.\n  * Use svg for pkginstaller banner\n  * Create quota before _data dir for volumes\n  * Packit: clarify secondary status in CI\n  * Packit/RPM: Display upstream commit SHA in all rpm builds\n  * podman run: fix --pids-limit -1 wrt runc\n  * vendor: update github.com/go-jose/go-jose/v3 to v3.0.4\n  * chore(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 [security]\n  * wire up --retry-delay for artifact pull\n  * Revert \"silence false positve from golangci-lint\"\n  * update golangci-lint to v1.64.4\n  * update golangci-lint to v1.64.2\n  * silence false positve from golangci-lint\n  * cmd/podman: refactor Context handling\n  * fix new usetesting lint issue\n  * Packit/Copr: Fix `podman version` in rpm\n  * Remove persist directory when cleaning up Conmon files\n  * Bump to v5.4.1-dev\n  * Bump to v5.4.0\n  * Update release notes for v5.4.0 final\n  * In SQLite state, use defaults for empty-string checks\n  * Bump FreeBSD version to 13.4\n  * docs: add v5.4 to API reference\n  * Update rpm/podman.spec\n  * RPM: set buildOrigin in LDFLAG\n  * RPM: cleanup macro defs\n  * Makefile: escape BUILD_ORIGIN properly\n  * rootless: fix hang on s390x\n  * Set Cirrus DEST_BRANCH appropriately to fix CI\n  * Bump to v5.4.0-dev\n  * Bump to v5.4.0-rc3\n  * Update release notes for v5.4.0-rc3\n  * Add BuildOrigin field to podman info\n  * artifact: only allow single manifest\n  * test/e2e: improve write/removeConf()\n  * Add --noheading to artifact ls\n  * Add --no-trunc to artifact ls\n  * Add type and annotations to artifact add\n  * pkg/api: honor cdi devices from the hostconfig\n  * util: replace Walk with WalkDir\n  * fix(pkg/rootless): avoid memleak during init() contructor.\n  * Add `machine init --playbook`\n  * RPM: include empty check to silence rpmlint\n  * RPM: adjust qemu dependencies\n  * Force use of iptables on Windows WSL\n  * rpm: add attr as dependency for podman-tests\n  * update gvproxy version\n  * [v5.4] Bump Buildah to v1.39.0\n  * podman exec: correctly support detaching\n  * libpod: remove unused ExecStartAndAttach()\n  * [v5.4] Bump c/storage to v1.57.1, c/image v5.34.0, c/common v0.62.0\n  * Move detection of libkrun and intel\n  * Prevent two podman machines running on darwin\n  * Remove unnecessary error handling\n  * Remove usused Kind() function\n  * Bump to v5.4.0-dev\n  * Bump to v5.4.0-rc2\n  * Update release notes for v5.4.0-rc2\n  * Safer use of `filepath.EvalSymlinks()` on Windows\n  * error with libkrun on intel-based machines\n  * chore(deps): update dependency pytest to v8.3.4\n  * test/buildah-bud: skip two new problematic tests on remote\n  * Fix podman-restart.service when there are no containers\n  * Avoid upgrading from v5.3.1 on Windows\n  * Clean up after unexpectedly terminated build\n  * system-tests: switch ls with getfattr for selinux tests\n  * vendor latest c/{buildah,common,image,storage}\n  * Makefile: Add validatepr description for 'make help' output\n  * docs: Enhance podman build --secret documentation and add examples\n  * docs: mount.md - idmapped mounts only work for root user\n  * Define, and use, PodmanExitCleanlyWithOptions\n  * Eliminate PodmanSystemdScope\n  * Fix image ID query\n  * Revert \"Use the config digest to compare images loaded/pulled using different methods\"\n  * Update c/image after https://github.com/containers/image/pull/2613\n  * Update expected errors when pulling encrypted images\n  * Eliminate PodmanExtraFiles\n  * Introduce PodmanTestIntegration.PodmanWithOptions\n  * Restructure use of options\n  * Inline PodmanBase into callers\n  * Pass all of PodmanExecOptions to various [mM]akeOptions functions\n  * Turn PodmanAsUserBase into PodmanExecBaseWithOptions\n  * Avoid indirect links through quadlet(5)\n  * do not set the CreateCommand for API users\n  * Add podman manifest rm --ignore\n  * Bump to v5.4.0-dev\n  * Bump to v5.4.0-rc1\n  * fix(deps): update module github.com/containers/gvisor-tap-vsock to v0.8.2\n  * podman artifact\n  * vendor latest c/{common,image,storage}\n  * fix(deps): update module github.com/rootless-containers/rootlesskit/v2 to v2.3.2\n  * cirrus: bump macos machine test timeout\n  * pkg/machine/e2e: improve podman.exe match\n  * pkg/machine/e2e: improve \"list machine from all providers\"\n  * Remove JSON tag from UseImageHosts in ContainerConfig\n  * Set network ID if available during container inspect\n  * Stop creating a patch for v5.3.1 upgrades on windows\n  * compose docs: fix typo\n  * Document kube-play CDI support\n  * docs: Add quadlet debug method systemd-analyze\n  * Replace instances of PodmanExitCleanly in play_kube_test.go\n  * docs: add 'initialized' state to status filters\n  * fix(deps): update module google.golang.org/protobuf to v1.36.3\n  * Switch all calls of assert.Nil to assert.NoError\n  * Add --no-hostname option\n  * Fix unescaping octal escape sequence in values of Quadlet unit files\n  * Remove `.exe` suffix if any\n  * Add kube play support for CDI resource allocation\n  * add support to `;` for comments in unit files as per systemd documentation\n  * Use PodmanExitCleanly in attach_test.go\n  * Introduce PodmanTestIntegration.PodmanExitCleanly\n  * chore(deps): update dependency setuptools to ~=75.8.0\n  * Add newer c/i to support artifacts\n  * fix(deps): update module golang.org/x/tools to v0.29.0\n  * fix(deps): update module golang.org/x/net to v0.34.0\n  * specgenutil: Fix parsing of mount option ptmxmode\n  * namespaces: allow configuring keep-id userns size\n  * Update description for completion\n  * Quadlet - make sure the /etc/containers/systemd/users is traversed in rootless\n  * Document .build for Image .container option\n  * fix(deps): update module github.com/vbauerster/mpb/v8 to v8.9.1\n  * New VM Images\n  * update golangci/golangci-lint to v1.63.4\n  * fix(deps): update module google.golang.org/protobuf to v1.36.2\n  * chore(deps): update dependency setuptools to ~=75.7.0\n  * Fixing ~/.ssh/identity handling\n  * vendor latest c/common from main\n  * fix(deps): update module github.com/shirou/gopsutil/v4 to v4.24.12\n  * fix(deps): update module github.com/opencontainers/runc to v1.2.4\n  * specgen: fix comment\n  * Add hint to restart Podman machine to really accept new certificates\n  * fix(deps): update module github.com/onsi/gomega to v1.36.2\n  * fix(deps): update module github.com/moby/term to v0.5.2\n  * Pass container hostname to netavark\n  * Fix slirp4netns typo in podman-network.1.md\n  * Add support to ShmSize in Pods with Quadlet\n  * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.22.1\n  * chore(deps): update module golang.org/x/crypto to v0.31.0 [security]\n  * fix(deps): update module golang.org/x/net to v0.33.0 [security]\n  * Kube volumes can not container _\n  * fix(deps): update module github.com/docker/docker to v27.4.1+incompatible\n  * test/system: fix \"podman play --build private registry\" error\n  * test/system: CopyDirectory() do not chown files\n  * test/system: remove system dial-stdio test\n  * shell completion: respect CONTAINERS_REGISTRIES_CONF\n  * fix(deps): update module github.com/cpuguy83/go-md2man/v2 to v2.0.6\n  * When generating host volumes for k8s, force to lowercase\n  * test: enable newly added test\n  * vfkit: Use 0.6.0 binary\n  * gvproxy: Use 0.8.1 binary\n  * systemd: simplify parser and fix infinite loop\n  * Revert \"win-installer test: revert to v5.3.0\"\n  * Avoid rebooting twice when installing WSL\n  * Avoid rebooting on Windows when upgrading and WSL isn't installed\n  * Add win installer patch\n  * Bump WiX toolset version to 5.0.2\n  * test/e2e: SkipOnOSVersion() add reason field\n  * test/e2e: remove outdated SkipOnOSVersion() calls\n  * Update VM images\n  * fix(deps): update module golang.org/x/crypto to v0.31.0 [security]\n  * fix(deps): update module github.com/crc-org/crc/v2 to v2.45.0\n  * fix(deps): update module github.com/opencontainers/runc to v1.2.3\n  * quadlet: fix inter-dependency of containers in `Network=`\n  * Add man pages to Mac installer\n  * fix(deps): update module github.com/onsi/gomega to v1.36.1\n  * fix(deps): update module github.com/docker/docker to v27.4.0+incompatible\n  * Fix device limitations in podman-remote update on remote systems\n  * Use latest version of VS BuildTools\n  * bin/docker: fix broken escaping and variable substitution\n  * manifest annotate: connect IndexAnnotations\n  * Fix panic in `manifest annotate --index`\n  * fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.5\n  * fix(deps): update module golang.org/x/net to v0.32.0\n  * fix(deps): update module golang.org/x/tools to v0.28.0\n  * fix(deps): update module golang.org/x/crypto to v0.30.0\n  * fix(deps): update module golang.org/x/sys to v0.28.0\n  * Fix overwriting of LinuxResources structure in the database\n  * api: replace inspectID with name\n  * fix(deps): update github.com/opencontainers/runtime-tools digest to f7e3563\n  * Replace ExclusiveArch with ifarch\n  * fix(deps): update module github.com/containers/gvisor-tap-vsock to v0.8.1\n  * Improve platform specific URL handling in `podman compose` for machines\n  * Fix `podman info` with multiple imagestores\n  * Switch to fixed common\n  * refact: use uptime.minutes instead of uptime.seconds\n  * fix(deps): update module github.com/shirou/gopsutil/v4 to v4.24.11\n  * fix(deps): update golang.org/x/exp digest to 2d47ceb\n  * fix(deps): update github.com/godbus/dbus/v5 digest to c266b19\n  * Cover Unix socket in inpect test on Windows platform\n  * Add a test for forcing compression and v2s2 format\n  * fix(deps): update module github.com/crc-org/vfkit to v0.6.0\n  * Package podman-machine on supported architectures only.\n  * Fixes missing binary in systemd.\n  * stats: ignore errors from containers without cgroups\n  * api: Error checking before NULL dereference\n  * [skip-ci] Packit/copr: switch to fedora-all\n  * make remotesystem: fail early if serial tests fail\n  * spec: clamp rlimits without CAP_SYS_RESOURCE\n  * Clarify the reason for skip_if_remote\n  * Sanity-check that the test is really using partial pulls\n  * Fix apparent typos in zstd:chunked tests\n  * Fix compilation issues in QEMU machine files (Windows platform)\n  * Mount volumes before copying into a container\n  * Revert \"libpod: remove shutdown.Unregister()\"\n  * docs: improve documentation for internal networks\n  * docs: document bridge mode option\n  * [skip-ci] Packit: remove epel and re-enable c9s\n  * chore(deps): update dependency golangci/golangci-lint to v1.62.2\n  * vendor: update containers/common\n  * OWNERS: remove edsantiago\n  * fix(deps): update module github.com/onsi/gomega to v1.36.0\n  * fix(deps): update github.com/containers/common digest to ceceb40\n  * refact: EventerType and improve consistency\n  * Add --hosts-file flag to container and pod commands\n  * Add nohosts option to /build and /libpod/build\n  * fix(deps): update module github.com/stretchr/testify to v1.10.0\n  * Quadlet - Use = sign when setting the pull arg for build\n  * win-installer test: revert to v5.3.0\n  * fix(deps): update module github.com/crc-org/crc/v2 to v2.44.0\n  * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.22.0\n  * chore(deps): update dependency setuptools to ~=75.6.0\n  * Update windows installer tests\n  * Windows: don't install WSL/HyperV on update\n  * Switch to non-installing WSL by default\n  * fix(deps): update github.com/containers/buildah digest to 52437ef\n  * Configure HealthCheck with `podman update`\n  * CI: --image-volume test: robustify\n  * docs: add 5.3 as Reference version\n  * Bump CI VMs\n  * libpod: pass down NoPivotRoot to Buildah\n  * vendor: bump containers/buildah\n  * fix(deps): update module github.com/opencontainers/runc to v1.2.2\n  * Overlay mounts supersede image volumes & volumes-from\n  * libpod: addHosts() prevent nil deref\n  * only read ssh_config for non machine connections\n  * ssh_config: allow IdentityFile file with tilde\n  * ssh_config: do not overwrite values from config file\n  * connection: ignore errors when parsing ssh_config\n  * Bump bundled krunkit to 0.1.4\n  * fix(deps): update module google.golang.org/protobuf to v1.35.2\n  * add support for driver-specific options during container creation\n  * doc: fix words repetitions\n  * Update release notes on main for v5.3.0\n  * chore(deps): update dependency setuptools to ~=75.5.0\n  * CI: system tests: parallelize 010\n  * fix podman machine init --ignition-path\n  * vendor: update containers/common\n  * spec: clamp rlimits in a userns\n  * Add subpath support to volumes in `--mount` option\n  * refactor: simplify LinuxNS type definition and String method\n  * test/e2e: remove FIPS test\n  * vendor containers projects to tagged versions\n  * fix(deps): update module github.com/moby/sys/capability to v0.4.0\n  * chore(deps): update dependency setuptools to ~=75.4.0\n  * system tests: safer install_kube_template()\n  * Buildah treadmill tweaks\n  * update golangci-lint to v1.62.0\n  * fix(deps): update module golang.org/x/net to v0.31.0\n  * fix(deps): update module golang.org/x/tools to v0.27.0\n  * Revert \"Reapply \"CI: test nftables driver on fedora\"\"\n  * Yet another bump, f41 with fixed kernel\n  * test: add zstd:chunked system tests\n  * pkg/machine/e2e: remove dead code\n  * fix(deps): update module golang.org/x/crypto to v0.29.0\n  * kube SIGINT system test: fix race in timeout handling\n  * New `system connection add` tests\n  * Update codespell to v2.3.0\n  * Avoid printing PR text to stdout in system test\n  * Exclude symlink from pre-commit end-of-file-fixer\n  * api: Add error check\n  * [CI:ALL] Bump main to v5.4.0-dev\n  * test/buildah-bud: build new inet helper\n  * test/system: add regression test for TZDIR local issue\n  * vendor latest c/{buildah,common,image,storage}\n  * Reapply \"CI: test nftables driver on fedora\"\n  * Revert \"cirrus: test only on f40/rawhide\"\n  * test f41 VMs\n  * AdditionalSupport for SubPath volume mounts\n  * wsl-e2e: Add a test to ensure port 2222 is free with usermode networking\n  * winmake.ps1: Fix the syntax of the function call Win-SSHProxy\n  * volume ls: fix race that caused it to fail\n  * gvproxy: Disable port-forwarding on WSL\n  * build: update gvisor-tap-vsock to 0.8.0\n  * podman: update roadmap\n  * Log network creation and removal events in Podman\n  * libpod: journald do not lock thread\n  * Add key to control if a container can get started by its pod\n  * Honor users requests in quadlet files\n  * CI: systests: workaround for parallel podman-stop flake\n  * Fix inconsistent line ending in win-installer project\n  * fix(deps): update module github.com/opencontainers/runc to v1.2.1\n  * Quadlet - support image file based mount in container file\n  * API: container logs flush status code\n  * rework event code to improve API errors\n  * events: remove memory eventer\n  * libpod: log file use Wait() over event API\n  * Makefile: vendor target should always remove toolchain\n  * cirrus: check consitent vendoring in test/tools\n  * test/tools/go.mod: remove toolchain\n  * fix(deps): update module github.com/shirou/gopsutil/v4 to v4.24.10\n  * fix(deps): update module github.com/onsi/gomega to v1.35.1\n  * doc: explain --interactive in more detail\n  * fix(deps): update golang.org/x/exp digest to f66d83c\n  * fix(deps): update github.com/opencontainers/runtime-tools digest to 6c9570a\n  * fix(deps): update github.com/linuxkit/virtsock digest to cb6a20c\n  * add default polling interval to Container.Wait\n  * Instrument cleanup tracer to log weird volume removal flake\n  * make podman-clean-transient.service work as user\n  * Add default remote socket path if empty\n  * Use current user if no user specified\n  * Add support for ssh_config for connection\n  * libpod: use pasta Setup() over Setup2()\n  * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.21.0\n  * fix(deps): update module github.com/onsi/gomega to v1.35.0\n  * logformatter: add cleanup tracer log link\n  * docs: fix broken example\n  * docs: add missing swagger links for the stable branches\n  * readthedocs: build extra formats\n  * pkg/machine/e2e: remove debug\n  * fix(docs): Integrate pasta in rootless tutorial\n  * chore(deps): update dependency setuptools to ~=75.3.0\n  * libpod: report cgroups deleted during Stat() call\n  * chore: fix some function names in comment\n  * CI: parallelize 450-interactive system tests\n  * CI: parallelize 520-checkpoint tests\n  * CI: make 070-build.bats use safe image names\n  * test/system: add podman network reload test to distro gating\n  * System tests: clean up unit file leaks\n  * healthcheck: do not leak service on failed stop\n  * healthcheck: do not leak statup service\n  * fix(deps): update module github.com/containers/gvisor-tap-vsock to v0.8.0\n  * Add Startup HealthCheck configuration to the podman inspect\n  * buildah version display: use progress()\n  * new showrun() for displaying and running shell commands\n  * Buildah treadmill: redo the .cirrus.yml tweaks\n  * Buildah treadmill: more allow-empty options\n  * Buildah treadmill: improve test-failure instructions\n  * Buildah treadmill: improve wording in test-fail instructions\n  * doc: Remove whitespace before comma\n  * fix(deps): update module github.com/checkpoint-restore/checkpointctl to v1.3.0\n  * ps: fix display of exposed ports\n  * ps: do not loop over port protocol\n  * readme: Add reference to pasta in the readme\n  * test/system: Fix spurious \"duplicate tests\" failures in pasta tests\n  * Improve \"podman load - from URL\"\n  * Try to repair c/storage after removing an additional image store\n  * Use the config digest to compare images loaded/pulled using different methods\n  * Simplify the additional store test\n  * Fix the store choice in \"podman pull image with additional store\"\n  * Bump to v5.3.0-dev\n  * Bump to v5.3.0-rc1\n  * Set quota on volume root directory, not _data\n  * fix(deps): update module github.com/opencontainers/runc to v1.2.0\n  * test: set soft ulimit\n  * Vagrantfile: Delete\n  * Enable pod restore with crun\n  * vendor: update c/{buildah,common,image,storage}\n  * Fix 330-corrupt-images.bats in composefs test runs\n  * quadlet: add default network dependencies to all units\n  * quadlet: ensure user units wait for the network\n  * add new podman-user-wait-network-online.service\n  * contrib/systemd: switch user symlink for file symlinks\n  * Makefile: remove some duplication from install.systemd\n  * contrib/systemd: move podman-auto-update units\n  * quadlet: do not reject RemapUsers=keep-id as root\n  * test/e2e: test quadlet with and without --user\n  * CI: e2e: fix checkpoint flake\n  * APIv2 test fix: image history\n  * pasta udp tests: new bytecheck helper\n  * Document packaging process\n  * [skip-ci] RPM: remove dup Provides\n  * Update dependency setuptools to ~=75.2.0\n  * System tests: safer pause-image creation\n  * Update module github.com/opencontainers/selinux to v1.11.1\n  * Added escaping to invoked powershell command for hyperv stubber.\n  * use slices.Clone instead of assignment\n  * libpod API: only return exit code without conditions\n  * Housekeeping: remove duplicates from success_task\n  * Thorough overhaul of CONTRIBUTING doc.\n  * api: Replace close function in condition body\n  * test/e2e: fix default signal exit code test\n  * Test new VM build\n  * CI: fix changing-rootFsSize flake\n  * scp: add option types\n  * Unlock mutex before returning from function\n  * Note in the README that we are moving to timed releases\n  * cirrus: let tar extract figure out the compression\n  * Make error messages more descriptive\n  * Mention containers.conf settings for podman machine commands\n  * [skip-ci] Packit: re-enable CentOS Stream 10/Fedora ELN teasks\"\n  * cmd: use logrus to print error\n  * podman: do not set rlimits to the default value\n  * spec: always specify default rlimits\n  * vendor: update containers/common\n  * Note in the README that we are moving to timed releases\n  * Revert \"CI: test nftables driver on fedora\"\n  * cirrus: use zstd over bzip2 for repo archive\n  * cirrus: use shared repo_prep/repo_artifacts scripts\n  * cirrus: speed up postbuild\n  * cirrus: change alt arch task to only compile binaries\n  * cirrus: run make with parallel jobs where useful\n  * Makefile: allow man-page-check to be run in parallel\n  * cirrus: use fastvm for builds\n  * test/e2e: skip some Containerized checkpoint tests\n  * test: update timezone checks\n  * cirrus: update CI images\n  * test/e2e: try debug potential pasta issue\n  * CI: quadlet system tests: use airgapped testimage\n  * Allow removing implicit quadlet systemd dependencies\n  * fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.4\n  * libpod API: make wait endpoint better against rm races\n  * podman-remote run: improve how we get the exit code\n  * [skip-ci] Packit: constrain koji and bodhi jobs to fedora package to avoid dupes\n  * 055-rm test: clean up a test, and document\n  * CI: remove skips for libkrun\n  * Bump bundled krunkit to 0.1.3\n  * fix(deps): update module google.golang.org/protobuf to v1.35.0\n  * fix(deps): update module golang.org/x/net to v0.30.0\n  * server: fix url parsing in info\n  * fix(deps): update module golang.org/x/tools to v0.26.0\n  * Makefile: fix ginkgo FOCUS option\n  * fix(deps): update module golang.org/x/crypto to v0.28.0\n  * podman-systemd.unit.5: adjust example options\n  * docs: prefer --network to --net\n  * fix(deps): update module golang.org/x/term to v0.25.0\n  * fix(deps): update module github.com/mattn/go-sqlite3 to v1.14.24\n  * fix(deps): update module golang.org/x/sys to v0.26.0\n  * OWNERS file audit and update\n  * Exposed ports are only included when not --net=host\n  * libpod: hasCurrentUserMapped checks for gid too\n  * [CI:DOCS] Document TESTFLAGS in test README file\n  * Validate the bind-propagation option to `--mount`\n  * Fix typo in secret inspect examples\n  * Mention `no_hosts` and `base_hosts_file` configs in CLI option docs\n  * Fixes for vendoring Buildah\n  * vendor: update buildah to latest\n  * Makefile - silence skipped tests when focusing on a file\n  * vendor: update to latest c/common\n  * Quadlet - prefer \"param val\" over \"param=val\" to allow env expansion\n  * System tests: sdnotify: wait for socket file creation\n  * Switch to moby/sys/capability\n  * platformInspectContainerHostConfig: rm dead code\n  * CI: require and test CI_DESIRED_NETWORK on RHEL\n  * Add ExposedPorts to Inspect's ContainerConfig\n  * fix(deps): update golang.org/x/exp digest to 701f63a\n  * quadlet: allow variables in PublishPort\n  * fix(deps): update module github.com/shirou/gopsutil/v4 to v4.24.9\n  * fix(deps): update github.com/godbus/dbus/v5 digest to a817f3c\n  * Document that zstd:chunked is downgraded to zstd when encrypting\n  * fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.3\n  * chore(deps): update dependency ubuntu to v24\n  * rpm: do not load iptables modules on f41+\n  * adding docs for network-cmd-path\n  * Include exposed ports in inspect output when net=host\n  * feat(libpod): support kube play tar content-type (#24015)\n  * podman mount: some better error wrapping\n  * podman mount: ignore ErrLayerUnknown\n  * Quadlet - make sure the order of the UnitsDir is deterministic\n  * packit: disable Centos Stream/fedora ELN teasks\n  * libpod: remove shutdown.Unregister()\n  * libpod: rework shutdown handler flow\n  * libpod: ensure we are not killed during netns creation\n  * Update module github.com/moby/sys/capability to v0.3.0\n  * Update documentation of `--no-hosts`, `--hostname`, and `--name` CLI options\n  * Update documentation of `--add-host` CLI option\n  * System tests: set a default XDG_RUNTIME_DIR\n  * Modify machine \"Remove machine\" test\n  * CORS system test: clean up\n  * Add --health-max-log-count, --health-max-log-size, --health-log-destination flags\n  * troubleshooting: adjust home path in tip 44\n  * test/system: For pasta port forwarding tests don't bind socat server\n  * Update connection on removal\n  * Simplify `RemoveConnections`\n  * Move `DefaultMachineName` to `pkg/machine/define`\n  * vendor: update containers/image\n  * vendor: update containers/storage\n  * CI: skip the flaking quadlet test\n  * CI: make systemd tests parallel-safe (*)\n  * CI: run and collect cleanup tracer logs\n  * add epbf program to trace podman cleanup errors\n  * CI: parallelize logs test as much as possible\n  * CI: format test: use local registry if available\n  * CI: make 700-play parallel-safe\n  * docs: Fix missing negation\n  * bin/docker support warning message suppression from user config dir\n  * Update module github.com/docker/docker to v27.3.1+incompatible\n  * Quadlet - add full support for Symlinks\n  * libpod: setupNetNS() correctly mount netns\n  * vendor latest c/common\n  * docs: remove usage of deprecated `--storage`\n  * Update module github.com/docker/docker to v27.3.0+incompatible\n  * CI: Quadlet rootfs test: use container image as rootfs\n  * CI: system test registry: use --net=host\n  * CI: rm system test: bump grace period\n  * CI: system tests: minor documentation on parallel\n  * fix typo in error message Fixes: containers/podman#24001\n  * CI: system tests: always create pause image\n  * CI: quadlet system test: be more forgiving\n  * vendor latest c/common\n  * CI: make 200-pod parallel-safe\n  * allow exposed sctp ports\n  * test/e2e: add netns leak check\n  * test/system: netns leak check for rootless as well\n  * test/system: Improve TODO comments on IPv6 pasta custom DNS forward test\n  * test/system: Clarify \"Local forwarder\" pasta tests\n  * test/system: Simplify testing for nameserver connectivity\n  * test/system: Consolidate \"External resolver\" pasta tests\n  * test/system: Move test for default forwarder into its own case\n  * CI: make 090-events parallel-safe\n  * Misc minor test fixes\n  * Add network namespace leak check\n  * Add workaround for buildah parallel bug\n  * registry: lock start attempts\n  * Update system test template and README\n  * bats log: differentiate parallel tests from sequential\n  * ci: bump system tests to fastvm\n  * clean_setup: create pause image\n  * CI: make 012-manifest parallel-safe\n  * podman-manifest-remove: update docs and help output\n  * test/system: remove wait workaround\n  * wait: fix handling of multiple conditions with exited\n  * Match output of Compat Top API to Docker\n  * system test parallelization: enable two-pass approach\n  * New VMs: test crun 1.17\n  * libpod: hides env secrets from container inspect\n  * CI: e2e: workaround for events out-of-sequence flake\n  * update golangci-lint to 1.61.0\n  * libpod: convert owner IDs only with :idmap\n  * Podman CLI --add-host with multiple host for a single IP\n  * Quadlet - Split getUnitDirs to small functions\n  * fix(deps): update module github.com/cpuguy83/go-md2man/v2 to v2.0.5\n  * chore(deps): update dependency setuptools to ~=75.1.0\n  * Fxi typo in cache-ttl.md\n  * Get WSL disk as an OCI artifact\n  * CI: make 260-sdnotify parallel-safe\n  * quadlet: do not log ENOENT errors\n  * pkg/specgen: allow pasta when running inside userns\n  * troubleshooting: add tip about the user containers\n  * chore(deps): update dependency setuptools to v75\n  * Convert windows paths in volume arg of the build command\n  * Improve error when starting multiple machines\n  * fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.2\n  * Minor typo noticed when reading podman man page\n  * Remove `RemoveFilesAndConnections`\n  * Add `GetAllMachinesAndRootfulness`\n  * rewrite typo osascript\n  * typo\n  * fix(deps): update module github.com/docker/docker to v27.2.1+incompatible\n  * Add radio buttons to select WSL or Hyper-V in windows setup.exe\n  * [skip-ci] Packit: split out ELN jobs and reuse fedora downstream targets\n  * [skip-ci] Packit: Enable sidetags for bodhi updates\n  * vendor: update c/common\n  * CI: make 710-kube parallel-safe\n  * CI: mark 320-system-df *NOT* parallel safe\n  * Add kube play support for image volume source\n  * refactor: add sshClient function\n  * fix(deps): update module golang.org/x/tools to v0.25.0\n  * CI: make 505-pasta parallel safe\n  * CI: make 020-tag parallel-safe\n  * CI: make 410-selinux parallel-safe\n  * Bump VMs. ShellCheck is now built-in\n  * troubleshooting: add tip about auto, keep-id, nomap\n  * libpod: make use of new pasta option from c/common\n  * vendor latest c/common\n  * podman images: sort repository with tags\n  * Remove containers/common/pkg/config from pkg/util\n  * fix(deps): update module golang.org/x/net to v0.29.0\n  * fix(deps): update module github.com/mattn/go-sqlite3 to v1.14.23\n  * fix(deps): update module golang.org/x/crypto to v0.27.0\n  * Fix CI\n  * Detect and fix typos using codespell\n  * Fix typo: replace buildin with built-in\n  * Add codespell config, pre-commit definition, and move options from Makefile\n  * prune: support clearing build cache using CleanCacheMount\n  * test/e2e: fix network prune flake\n  * Add support for Job to kube generate & play\n  * Add podman-rootless.7 man page\n  * Add DNS, DNSOption and DNSSearch to quadlet pod\n  * podman.1.md: improve policy.json section\n  * e2e: flake fix: SIGPIPE in hook test\n  * libpod: fix rootless cgroup path with --cgroup-parent\n  * vendor: update c/storage\n  * CI: make 055-rm parallel-safe\n  * CI: make 130-kill parallel-safe\n  * CI: make 125-import parallel-safe\n  * CI: make 110-history parallel-safe\n  * CI: system tests: parallelize low-hanging fruit\n  * Add disclaimer to `podman machine info` manpage.\n  * man pages: refactor two more options\n  * update github.com/opencontainers/runc to v1.2.0-rc.3\n  * update go.etcd.io/bbolt to v1.3.11\n  * update github.com/onsi/{ginkgo,gomega}\n  * Update module github.com/shirou/gopsutil to v4\n  * packit: update fedora and epel targets\n  * bump go to 1.22\n  * cirrus: test only on f40/rawhide\n  * cirrus: remove CI_DESIRED_NETWORK reference\n  * cirrus: prebuild use f40 for extra tests\n  * chore(deps): update dependency setuptools to ~=74.1.0\n  * libpod: fix HostConfig.Devices output from 'podman inspect' on FreeBSD\n  * fix(deps): update golang.org/x/exp digest to 9b4947d\n  * Implement publishing API UNIX socket on Windows platforms\n  * Vendor c/common:8483ef6022b4\n  * quadlet: support container network reusing\n  * docs: update read the docs changes\n  * CI: parallel-safe network system test\n  * Quadlet - Support multiple image tags in .build files\n  * fix(deps): update module github.com/vbauerster/mpb/v8 to v8.8.3\n  * cirrus: remove _bail_if_test_can_be_skipped\n  * cirrus: move renovate check into validate\n  * cirrus: remove 3rd party connectivity check\n  * cirrus: remove cross jobs for aarch64 and x86_64\n  * cirrus: do not upload alt arch cross artifacts\n  * cirrus: remove ginkgo-e2e.json artifact\n  * cirrus: fix default timeouts\n  * github: remove fcos-podman-next-build-prepush\n  * Clarify podman machine volume mounting behavior under WSL\n  * machine: Add -all-providers flag to machine list\n  * Create a podman-troubleshooting man page\n  * chore(deps): update dependency setuptools to v74\n  * fix(deps): update module github.com/docker/docker to v27.2.0+incompatible\n  * Fix an improperly ignored error in SQLite\n  * CI: flake workaround: ignore socat waitpid warnings\n  * fix(deps): update module github.com/rootless-containers/rootlesskit/v2 to v2.3.1\n  * Stop skipping machine volume test on Hyper-V\n  * cleanup: add new --stopped-only option\n  * fix races in the HTTP attach API\n  * cirrus: skip windows/macos machine task on RHEL branches\n  * Update module github.com/containers/gvisor-tap-vsock to v0.7.5\n  * run: fix detach passthrough and --rmi\n  * podman run: ignore image rm error\n  * Add support for AddHost in quadlet .pod and .container\n  * [CI:DOCS] Update dependency golangci/golangci-lint to v1.60.3\n  * update github.com/vishvananda/netlink to v1.3.0\n  * build: Update gvisor-tap-vsock to 0.7.5\n  * Quote systemd DefaultEnvironment Proxy values, as documented in systemd.conf man page:\n  * fix typo in podman-network-create.1.md\n  * Use HTTP path prefix of TCP connections to match Docker context behavior\n  * Makefile: remotesystem: use real podman server, no --url\n  * Update module github.com/openshift/imagebuilder to v1.2.15\n  * CI: parallel-safe userns test\n  * Update module github.com/onsi/ginkgo/v2 to v2.20.1\n  * Add support for IP in quadlet .pod files\n  * Specify format to use for referencing fixed bugs.\n  * CI: parallel-safe run system test\n  * Revert \"test/e2e: work around for pasta issue\"\n  * CI: On vX.Y-rhel branches, ensure that some downstream Jira issue is linked\n  * quadlet: support user mapping in pod unit\n  * Update Release Process\n  * Test new VM build\n  * command is not optional to podman exec\n  * CI: parallel-safe namespaces system test\n  * [CI:DOCS] Update dependency golangci/golangci-lint to v1.60.2\n  * quadlet: add key CgroupsMode\n  * Fix `podman stop` and `podman run --rmi`\n  * quadlet: set infra name to %s-infra\n  * chore(deps): update dependency setuptools to v73\n  * [skip-ci] Packit: update targets for propose-downstream\n  * Do not segfault on hard stop\n  * Fix description of :Z to talk about pods\n  * CI: disable ginkgo flake retries\n  * vendor: update go-criu to latest\n  * golangci-lint: make darwin linting happy\n  * golangci-lint: make windows linting happy\n  * test/e2e: remove kernel version check\n  * golangci-lint: remove most skip dirs\n  * set !remote build tags where needed\n  * update golangci-lint to 1.60.1\n  * test/e2e: rm systemd start test\n  * fix(deps): update module github.com/vbauerster/mpb/v8 to v8.8.1\n  * podman wait: allow waiting for removal of containers\n  * libpod: remove UpdateContainerStatus()\n  * podman mount: fix storage/libpod ctr race\n  * CI: quadlet tests: make parallel-safe\n  * CI: system tests: make random_free_port() parallel-safe\n  * remove trailing comma in example\n  * CI: format test: make parallel-safe\n  * Fix podman-docker.sh under -eu shells (fixes #23628)\n  * docs: update podman-wait man page\n  * libpod: remove duplicated HasVolume() check\n  * podman volume rm --force: fix ABBA deadlock\n  * test/system: fix network cleanup restart test\n  * libpod: do not stop pod on init ctr exit\n  * libpod: simplify WaitForExit()\n  * CI: remove build-time quay check\n  * Fix known_hosts file clogging and remote host id\n  * Update docker.io/library/golang Docker tag to v1.23\n  * Update dependency setuptools to ~=72.2.0\n  * Update module github.com/docker/docker to v27.1.2+incompatible\n  * healthcheck system check: reduce raciness\n  * CI: healthcheck system test: make parallel-safe\n  * Validate renovate config in every PR\n  * pkg/machine: Read stderr from ssh-keygen correctly\n  * Fix renovate config syntax error\n  * CI: 080-pause.bats: make parallel-safe\n  * CI: 050-stop.bats: make parallel-safe\n  * Additional potential race condition on os.Readdir\n  * pkg/bindings/containers: handle ignore for stop\n  * remote: fix invalid --cidfile + --ignore\n  * Update/simplify renovate config header comment\n  * Migrate renovate config to latest schema\n  * Fix race condition when listing /dev\n  * docs/podman-systemd: Try to clarify `Exec=` more\n  * libpod: reset state error on init\n  * test/system: pasta_test_do add explicit port check\n  * test/e2e: work around new push warning\n  * vendor: update c/common to latest\n  * stopIfOnlyInfraRemains: log all errors\n  * libpod: do not save expected stop errors in ctr state\n  * libpod: fix broken saveContainerError()\n  * Quadlet: fix filters failure when the search paths are symlinks\n  * readme: replace GPG with PGP\n  * Drop APIv2 CNI configuration\n  * De-duplicate docker-py testing\n  * chore(podmansnoop): explain why crun comm is 3\n  * libpod: cleanupNetwork() return error\n  * fix(deps): update module golang.org/x/sys to v0.24.0\n  * Reduce python APIv2 test net dependency\n  * Fix not testing registry.conf updates\n  * test/e2e: improve command timeout handling\n  * Update module github.com/onsi/ginkgo/v2 to v2.20.0\n  * Update module github.com/moby/sys/user to v0.3.0\n  * Add passwd validate and generate steps\n  * podman container cleanup: ignore common errors\n  * Quadlet - Allow the user to override the default service name\n  * CI: e2e: serialize root containerPort tests\n  * Should not force conversion of manifest type to DockerV2ListMediaType\n  * fix(deps): update module golang.org/x/tools to v0.24.0\n  * fix(deps): update github.com/containers/common digest to 05b2e1f\n  * CI: mount system test: parallelize\n  * Update module golang.org/x/net to v0.28.0\n  * Ignore ERROR_SHARING_VIOLATION error on windows\n  * CI: manifest system tests: make parallel-safe\n  * Create volume path before state initialization\n  * vendor: update c/storage\n  * CI: fix broken libkrun test\n  * test/e2e: work around for pasta issue\n  * test/e2e: fix missing exit code checks\n  * Test new CI images\n  * Remove another race condition when mounting containers or images\n  * fix(deps): update github.com/containers/common digest to c0cc6b7\n  * Change Windows installer MajorUpgrade Schedule\n  * Ignore missing containers when calling GetExternalContainerLists\n  * Remove runc edit to lock to specific version\n  * fix(deps): update module golang.org/x/sys to v0.23.0\n  * CI: podman-machine: do not use cache registry\n  * CI: completion system test: use safename\n  * Temporarly disable failing Windows Installer CI test\n  * libpod: fix volume copyup with idmap\n  * libpod: avoid hang on errors\n  * Temp. disable PM basic Volume ops test\n  * Add libkrun Mac task\n  * Never skip checkout step in release workflow\n  * System tests: leak_test: readable output\n  * fix(deps): update github.com/docker/go-plugins-helpers digest to 45e2431\n  * vendor: bump c/common\n  * Version: bump to v5.3.0-dev\n  * libpod: inhibit SIGTERM during cleanup()\n  * Tweak versions in register_images.go\n  * fix network cleanup flake in play kube\n  * WIP: Fixes for vendoring Buildah\n  * Add --compat-volumes option to build and farm build\n  * Bump to Buildah v1.37.0\n  * Quadlet test - Split between success, warning and error cases\n  * libpod: bind ports before network setup\n  * Disable compose-warning-logs if PODMAN_COMPOSE_WARNING_LOGS=false\n  * Use new syntax for selinux options in quadlet\n  * fix(deps): update module github.com/onsi/gomega to v1.34.1\n  * CI: kube test: fix broken external-storage test\n  * Update dependency setuptools to v72\n  * Convert additional build context paths on Windows\n  * pkg/api: do not leak config pointers into specgen\n  * Quadlet - Allow the user to set the service name for .pod files\n  * Quadlet tests - allow overriding the expected service name\n  * fix(deps): update module github.com/moby/sys/user to v0.2.0\n  * fix(deps): update module github.com/vbauerster/mpb/v8 to v8.7.5\n  * CI: enable root user namespaces\n  * libpod: force rootfs for OCI path with idmap\n  * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.19.1\n  * Add test steps for automount with multi images\n  * CI: cp tests: use safename\n  * [skip-ci] RPM: podman-iptables.conf only on Fedora\n  * CI: 700-play: fix a leaked non-safename\n  * test: check that kube generate/play restores the userns\n  * test: disable artifacts cache with composefs\n  * test: fix podman pull tests\n  * vendor: bump c/storage\n  * Update module github.com/cyphar/filepath-securejoin to v0.3.1\n  * Add /run/containers/systemd, ${XDG_RUNTIME_DIR}/containers/systemd quadlet dirs\n  * build: Update gvisor-tap-vsock to 0.7.4\n  * test/system: fix borken pasta interface name checks\n  * test/system: fix bridge host.containers.internal test\n  * api: honor the userns for the infra container\n  * play: handle 'private' as 'auto'\n  * kube: record infra user namespace\n  * infra: user ns annotation higher precedence\n  * specgenutil: record the pod userns in the annotations\n  * kube: invert branches\n  * CI: system log test: use safe names\n  * Update encryption tests to avoid a warning if zstd:chunked is the default\n  * Fix \"podman pull and decrypt\"/\"from local registry\"\n  * Use unique image names for the encrypted test images\n  * CI: system tests: instrument to allow failure analysis\n  * Fix outdated comment for the build step win-gvproxy\n  * Add utility to convert VMFile to URL for UNIX sockets\n  * Run codespell on source\n  * fix(deps): update module github.com/docker/docker to v27.1.0+incompatible\n  * chore(deps): update dependency setuptools to ~=71.1.0\n  * logformatter: tweaks to pass html tidy\n  * More information for podman --remote build and running out of space.\n  * Fix windows installer deleting machine provider config file\n  * Use uploaded .zip for Windows action\n  * pr-should-include-tests: no more CI:DOCS override\n\n- Depend on runc unconditionally, not only on SLE 15 (bsc#1239088)\n","title":"Description of the patch"},{"category":"details","text":"SUSE-SLE-Micro-6.1-292","title":"Patchnames"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"SUSE ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"self","summary":"URL of this CSAF notice","url":"https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_20805-1.json"},{"category":"self","summary":"URL for SUSE-SU-2025:20805-1","url":"https://www.suse.com/support/update/announcement/2025/suse-su-202520805-1/"},{"category":"self","summary":"E-Mail link for SUSE-SU-2025:20805-1","url":"https://lists.suse.com/pipermail/sle-updates/2025-October/042136.html"},{"category":"self","summary":"SUSE Bug 1239088","url":"https://bugzilla.suse.com/1239088"},{"category":"self","summary":"SUSE Bug 1242132","url":"https://bugzilla.suse.com/1242132"},{"category":"self","summary":"SUSE Bug 1245320","url":"https://bugzilla.suse.com/1245320"},{"category":"self","summary":"SUSE CVE CVE-2025-6032 page","url":"https://www.suse.com/security/cve/CVE-2025-6032/"}],"title":"Security update for podman","tracking":{"current_release_date":"2025-10-01T13:49:25Z","generator":{"date":"2025-10-01T13:49:25Z","engine":{"name":"cve-database.git:bin/generate-csaf.pl","version":"1"}},"id":"SUSE-SU-2025:20805-1","initial_release_date":"2025-10-01T13:49:25Z","revision_history":[{"date":"2025-10-01T13:49:25Z","number":"1","summary":"Current version"}],"status":"final","version":"1"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_version","name":"podman-5.4.2-slfo.1.1_1.1.aarch64","product":{"name":"podman-5.4.2-slfo.1.1_1.1.aarch64","product_id":"podman-5.4.2-slfo.1.1_1.1.aarch64"}},{"category":"product_version","name":"podman-remote-5.4.2-slfo.1.1_1.1.aarch64","product":{"name":"podman-remote-5.4.2-slfo.1.1_1.1.aarch64","product_id":"podman-remote-5.4.2-slfo.1.1_1.1.aarch64"}},{"category":"product_version","name":"podmansh-5.4.2-slfo.1.1_1.1.aarch64","product":{"name":"podmansh-5.4.2-slfo.1.1_1.1.aarch64","product_id":"podmansh-5.4.2-slfo.1.1_1.1.aarch64"}}],"category":"architecture","name":"aarch64"},{"branches":[{"category":"product_version","name":"podman-docker-5.4.2-slfo.1.1_1.1.noarch","product":{"name":"podman-docker-5.4.2-slfo.1.1_1.1.noarch","product_id":"podman-docker-5.4.2-slfo.1.1_1.1.noarch"}}],"category":"architecture","name":"noarch"},{"branches":[{"category":"product_version","name":"podman-5.4.2-slfo.1.1_1.1.ppc64le","product":{"name":"podman-5.4.2-slfo.1.1_1.1.ppc64le","product_id":"podman-5.4.2-slfo.1.1_1.1.ppc64le"}},{"category":"product_version","name":"podman-remote-5.4.2-slfo.1.1_1.1.ppc64le","product":{"name":"podman-remote-5.4.2-slfo.1.1_1.1.ppc64le","product_id":"podman-remote-5.4.2-slfo.1.1_1.1.ppc64le"}},{"category":"product_version","name":"podmansh-5.4.2-slfo.1.1_1.1.ppc64le","product":{"name":"podmansh-5.4.2-slfo.1.1_1.1.ppc64le","product_id":"podmansh-5.4.2-slfo.1.1_1.1.ppc64le"}}],"category":"architecture","name":"ppc64le"},{"branches":[{"category":"product_version","name":"podman-5.4.2-slfo.1.1_1.1.s390x","product":{"name":"podman-5.4.2-slfo.1.1_1.1.s390x","product_id":"podman-5.4.2-slfo.1.1_1.1.s390x"}},{"category":"product_version","name":"podman-remote-5.4.2-slfo.1.1_1.1.s390x","product":{"name":"podman-remote-5.4.2-slfo.1.1_1.1.s390x","product_id":"podman-remote-5.4.2-slfo.1.1_1.1.s390x"}},{"category":"product_version","name":"podmansh-5.4.2-slfo.1.1_1.1.s390x","product":{"name":"podmansh-5.4.2-slfo.1.1_1.1.s390x","product_id":"podmansh-5.4.2-slfo.1.1_1.1.s390x"}}],"category":"architecture","name":"s390x"},{"branches":[{"category":"product_version","name":"podman-5.4.2-slfo.1.1_1.1.x86_64","product":{"name":"podman-5.4.2-slfo.1.1_1.1.x86_64","product_id":"podman-5.4.2-slfo.1.1_1.1.x86_64"}},{"category":"product_version","name":"podman-remote-5.4.2-slfo.1.1_1.1.x86_64","product":{"name":"podman-remote-5.4.2-slfo.1.1_1.1.x86_64","product_id":"podman-remote-5.4.2-slfo.1.1_1.1.x86_64"}},{"category":"product_version","name":"podmansh-5.4.2-slfo.1.1_1.1.x86_64","product":{"name":"podmansh-5.4.2-slfo.1.1_1.1.x86_64","product_id":"podmansh-5.4.2-slfo.1.1_1.1.x86_64"}}],"category":"architecture","name":"x86_64"},{"branches":[{"category":"product_name","name":"SUSE Linux Micro 6.1","product":{"name":"SUSE Linux Micro 6.1","product_id":"SUSE Linux Micro 6.1","product_identification_helper":{"cpe":"cpe:/o:suse:sl-micro:6.1"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"podman-5.4.2-slfo.1.1_1.1.aarch64 as component of SUSE Linux Micro 6.1","product_id":"SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.aarch64"},"product_reference":"podman-5.4.2-slfo.1.1_1.1.aarch64","relates_to_product_reference":"SUSE Linux Micro 6.1"},{"category":"default_component_of","full_product_name":{"name":"podman-5.4.2-slfo.1.1_1.1.ppc64le as component of SUSE Linux Micro 6.1","product_id":"SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.ppc64le"},"product_reference":"podman-5.4.2-slfo.1.1_1.1.ppc64le","relates_to_product_reference":"SUSE Linux Micro 6.1"},{"category":"default_component_of","full_product_name":{"name":"podman-5.4.2-slfo.1.1_1.1.s390x as component of SUSE Linux Micro 6.1","product_id":"SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.s390x"},"product_reference":"podman-5.4.2-slfo.1.1_1.1.s390x","relates_to_product_reference":"SUSE Linux Micro 6.1"},{"category":"default_component_of","full_product_name":{"name":"podman-5.4.2-slfo.1.1_1.1.x86_64 as component of SUSE Linux Micro 6.1","product_id":"SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.x86_64"},"product_reference":"podman-5.4.2-slfo.1.1_1.1.x86_64","relates_to_product_reference":"SUSE Linux Micro 6.1"},{"category":"default_component_of","full_product_name":{"name":"podman-docker-5.4.2-slfo.1.1_1.1.noarch as component of SUSE Linux Micro 6.1","product_id":"SUSE Linux Micro 6.1:podman-docker-5.4.2-slfo.1.1_1.1.noarch"},"product_reference":"podman-docker-5.4.2-slfo.1.1_1.1.noarch","relates_to_product_reference":"SUSE Linux Micro 6.1"},{"category":"default_component_of","full_product_name":{"name":"podman-remote-5.4.2-slfo.1.1_1.1.aarch64 as component of SUSE Linux Micro 6.1","product_id":"SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.aarch64"},"product_reference":"podman-remote-5.4.2-slfo.1.1_1.1.aarch64","relates_to_product_reference":"SUSE Linux Micro 6.1"},{"category":"default_component_of","full_product_name":{"name":"podman-remote-5.4.2-slfo.1.1_1.1.ppc64le as component of SUSE Linux Micro 6.1","product_id":"SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.ppc64le"},"product_reference":"podman-remote-5.4.2-slfo.1.1_1.1.ppc64le","relates_to_product_reference":"SUSE Linux Micro 6.1"},{"category":"default_component_of","full_product_name":{"name":"podman-remote-5.4.2-slfo.1.1_1.1.s390x as component of SUSE Linux Micro 6.1","product_id":"SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.s390x"},"product_reference":"podman-remote-5.4.2-slfo.1.1_1.1.s390x","relates_to_product_reference":"SUSE Linux Micro 6.1"},{"category":"default_component_of","full_product_name":{"name":"podman-remote-5.4.2-slfo.1.1_1.1.x86_64 as component of SUSE Linux Micro 6.1","product_id":"SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.x86_64"},"product_reference":"podman-remote-5.4.2-slfo.1.1_1.1.x86_64","relates_to_product_reference":"SUSE Linux Micro 6.1"},{"category":"default_component_of","full_product_name":{"name":"podmansh-5.4.2-slfo.1.1_1.1.aarch64 as component of SUSE Linux Micro 6.1","product_id":"SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.aarch64"},"product_reference":"podmansh-5.4.2-slfo.1.1_1.1.aarch64","relates_to_product_reference":"SUSE Linux Micro 6.1"},{"category":"default_component_of","full_product_name":{"name":"podmansh-5.4.2-slfo.1.1_1.1.ppc64le as component of SUSE Linux Micro 6.1","product_id":"SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.ppc64le"},"product_reference":"podmansh-5.4.2-slfo.1.1_1.1.ppc64le","relates_to_product_reference":"SUSE Linux Micro 6.1"},{"category":"default_component_of","full_product_name":{"name":"podmansh-5.4.2-slfo.1.1_1.1.s390x as component of SUSE Linux Micro 6.1","product_id":"SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.s390x"},"product_reference":"podmansh-5.4.2-slfo.1.1_1.1.s390x","relates_to_product_reference":"SUSE Linux Micro 6.1"},{"category":"default_component_of","full_product_name":{"name":"podmansh-5.4.2-slfo.1.1_1.1.x86_64 as component of SUSE Linux Micro 6.1","product_id":"SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.x86_64"},"product_reference":"podmansh-5.4.2-slfo.1.1_1.1.x86_64","relates_to_product_reference":"SUSE Linux Micro 6.1"}]},"vulnerabilities":[{"cve":"CVE-2025-6032","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2025-6032"}],"notes":[{"category":"general","text":"A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.","title":"CVE description"}],"product_status":{"recommended":["SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.aarch64","SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.ppc64le","SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.s390x","SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.x86_64","SUSE Linux Micro 6.1:podman-docker-5.4.2-slfo.1.1_1.1.noarch","SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.aarch64","SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.ppc64le","SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.s390x","SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.x86_64","SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.aarch64","SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.ppc64le","SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.s390x","SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.x86_64"]},"references":[{"category":"external","summary":"CVE-2025-6032","url":"https://www.suse.com/security/cve/CVE-2025-6032"},{"category":"external","summary":"SUSE Bug 1245320 for CVE-2025-6032","url":"https://bugzilla.suse.com/1245320"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.aarch64","SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.ppc64le","SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.s390x","SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.x86_64","SUSE Linux Micro 6.1:podman-docker-5.4.2-slfo.1.1_1.1.noarch","SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.aarch64","SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.ppc64le","SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.s390x","SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.x86_64","SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.aarch64","SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.ppc64le","SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.s390x","SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.x86_64"]}],"scores":[{"cvss_v3":{"baseScore":8.3,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H","version":"3.1"},"products":["SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.aarch64","SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.ppc64le","SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.s390x","SUSE Linux Micro 6.1:podman-5.4.2-slfo.1.1_1.1.x86_64","SUSE Linux Micro 6.1:podman-docker-5.4.2-slfo.1.1_1.1.noarch","SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.aarch64","SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.ppc64le","SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.s390x","SUSE Linux Micro 6.1:podman-remote-5.4.2-slfo.1.1_1.1.x86_64","SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.aarch64","SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.ppc64le","SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.s390x","SUSE Linux Micro 6.1:podmansh-5.4.2-slfo.1.1_1.1.x86_64"]}],"threats":[{"category":"impact","date":"2025-10-01T13:49:25Z","details":"important"}],"title":"CVE-2025-6032"}]}