Security update for podman SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20013-1 Final 1 1 2025-02-03T08:47:47Z current 2025-02-03T08:47:47Z 2025-02-03T08:47:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for podman This update for podman fixes the following issues: - CVE-2024-6104: Fixed dependency issue with go-retryablehttp: url might write sensitive information to log file (bsc#1227052). - Update to version 4.9.5: * Bump to v4.9.5 * Update release notes for v4.9.5 * fix "concurrent map writes" in network ls compat endpoint * [v4.9] Fix for CVE-2024-3727 * Disable failing bud test * CI Maintenance: Disable machine tests * [CI:DOCS] Allow downgrade of WiX * [CI:DOCS] Force WiX 3.11 * [CI:DOCS] Fix windows installer action * Bump to v4.9.5-dev * Bump to v4.9.4 * Update release notes for v4.9.4 * [v4.9] Bump Buildah to v1.33.7, CVE-2024-1753, CVE-2024-24786 * Add farm command to commands list * Bump to FreeBSD 13.3 (13.2 vanished) * Update health-start-periods docs * Don't update health check status during initialDelaySeconds * image scp: don't require port for ssh URL * Ignore docker's end point config when the final network mode isn't bridge. * Fix running container from docker client with rootful in rootless podman. * [skip-ci] Packit: remove koji and bodhi tasks for v4.9 * Bump to v4.9.4-dev * Remove gitleaks scanning The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.0-46 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520013-1/ Link for SUSE-SU-2025:20013-1 https://lists.suse.com/pipermail/sle-security-updates/2025-June/021364.html E-Mail link for SUSE-SU-2025:20013-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1227052 SUSE Bug 1227052 https://www.suse.com/security/cve/CVE-2024-1753/ SUSE CVE CVE-2024-1753 page https://www.suse.com/security/cve/CVE-2024-24786/ SUSE CVE CVE-2024-24786 page https://www.suse.com/security/cve/CVE-2024-3727/ SUSE CVE CVE-2024-3727 page https://www.suse.com/security/cve/CVE-2024-6104/ SUSE CVE CVE-2024-6104 page SUSE Linux Micro 6.0 podman-4.9.5-1.1 podman-docker-4.9.5-1.1 podman-remote-4.9.5-1.1 podmansh-4.9.5-1.1 podman-4.9.5-1.1 as a component of SUSE Linux Micro 6.0 podman-docker-4.9.5-1.1 as a component of SUSE Linux Micro 6.0 podman-remote-4.9.5-1.1 as a component of SUSE Linux Micro 6.0 podmansh-4.9.5-1.1 as a component of SUSE Linux Micro 6.0 A flaw was found in Buildah (and subsequently Podman Build) which allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write access to the host filesystem, allowing for full container escape at build time. CVE-2024-1753 SUSE Linux Micro 6.0:podman-4.9.5-1.1 SUSE Linux Micro 6.0:podman-docker-4.9.5-1.1 SUSE Linux Micro 6.0:podman-remote-4.9.5-1.1 SUSE Linux Micro 6.0:podmansh-4.9.5-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520013-1/ https://www.suse.com/security/cve/CVE-2024-1753.html CVE-2024-1753 https://bugzilla.suse.com/1221677 SUSE Bug 1221677 The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. CVE-2024-24786 SUSE Linux Micro 6.0:podman-4.9.5-1.1 SUSE Linux Micro 6.0:podman-docker-4.9.5-1.1 SUSE Linux Micro 6.0:podman-remote-4.9.5-1.1 SUSE Linux Micro 6.0:podmansh-4.9.5-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520013-1/ https://www.suse.com/security/cve/CVE-2024-24786.html CVE-2024-24786 https://bugzilla.suse.com/1226136 SUSE Bug 1226136 A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks. CVE-2024-3727 SUSE Linux Micro 6.0:podman-4.9.5-1.1 SUSE Linux Micro 6.0:podman-docker-4.9.5-1.1 SUSE Linux Micro 6.0:podman-remote-4.9.5-1.1 SUSE Linux Micro 6.0:podmansh-4.9.5-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520013-1/ https://www.suse.com/security/cve/CVE-2024-3727.html CVE-2024-3727 https://bugzilla.suse.com/1224112 SUSE Bug 1224112 go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7. CVE-2024-6104 SUSE Linux Micro 6.0:podman-4.9.5-1.1 SUSE Linux Micro 6.0:podman-docker-4.9.5-1.1 SUSE Linux Micro 6.0:podman-remote-4.9.5-1.1 SUSE Linux Micro 6.0:podmansh-4.9.5-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520013-1/ https://www.suse.com/security/cve/CVE-2024-6104.html CVE-2024-6104 https://bugzilla.suse.com/1227024 SUSE Bug 1227024