This update for buildah fixes the following issues:
- CVE-2021-20206: Fixed an issue in libcni that could allow an attacker to execute arbitrary binaries on the host (bsc#1181961).
- CVE-2020-10696: Fixed an issue that could lead to files being overwritten during the image building process (bsc#1167864).
- CVE-2022-2990: Fixed possible information disclosure and modification (bsc#1202812).
Buildah was updated to version 1.27.1:
Update to version 1.27.0:
- Don't try to call runLabelStdioPipes if spec.Linux is not set
- build: support filtering cache by duration using --cache-ttl
- build: support building from commit when using git repo as build context
- build: clean up git repos correctly when using subdirs
- integration tests: quote '?' in shell scripts
- test: manifest inspect should have OCIv1 annotation
- vendor: bump to c/common@87fab4b7019a
- Failure to determine a file or directory should print an error
- refactor: remove unused CommitOptions from generateBuildOutput
- stage_executor: generate output for cases with no commit
- stage_executor, commit: output only if last stage in build
- Use errors.Is() instead of os.Is{Not,}Exist
- Minor test tweak for podman-remote compatibility
- Cirrus: Use the latest imgts container
- imagebuildah: complain about the right Dockerfile
- tests: don't try to wrap nil errors
- cmd/buildah.commitCmd: don't shadow 'err'
- cmd/buildah.pullCmd: complain about DecryptConfig/EncryptConfig
- Fix a copy/paste error message
- Fix a typo in an error message
- build,cache: support pulling/pushing cache layers to/from remote sources
- Update vendor of containers/(common, storage, image)
- Rename chroot/run.go to chroot/run_linux.go
- Don't bother telling codespell to skip files that don't exist
- Set user namespace defaults correctly for the library
- imagebuildah: optimize cache hits for COPY and ADD instructions
- Cirrus: Update VM images w/ updated bats
- docs, run: show SELinux label flag for cache and bind mounts
- imagebuildah, build: remove undefined concurrent writes
- bump github.com/opencontainers/runtime-tools
- Add FreeBSD support for 'buildah info'
- Vendor in latest containers/(storage, common, image)
- Add freebsd cross build targets
- Make the jail package build on 32bit platforms
- Cirrus: Ensure the build-push VM image is labeled
- GHA: Fix dynamic script filename
- Vendor in containers/(common, storage, image)
- Run codespell
- Remove import of github.com/pkg/errors
- Avoid using cgo in pkg/jail
- Rename footypes to fooTypes for naming consistency
- Move cleanupTempVolumes and cleanupRunMounts to run_common.go
- Make the various run mounts work for FreeBSD
- Move get{Bind,Tmpfs,Secret,SSH}Mount to run_common.go
- Move runSetupRunMounts to run_common.go
- Move cleanableDestinationListFromMounts to run_common.go
- Make setupMounts and runSetupBuiltinVolumes work on FreeBSD
- Move setupMounts and runSetupBuiltinVolumes to run_common.go
- Tidy up - runMakeStdioPipe can't be shared with linux
- Move runAcceptTerminal to run_common.go
- Move stdio copying utilities to run_common.go
- Move runUsingRuntime and runCollectOutput to run_common.go
- Move fileCloser, waitForSync and contains to run_common.go
- Move checkAndOverrideIsolationOptions to run_common.go
- Move DefaultNamespaceOptions to run_common.go
- Move getNetworkInterface to run_common.go
- Move configureEnvironment to run_common.go
- Don't crash in configureUIDGID if Process.Capabilities is nil
- Move configureUIDGID to run_common.go
- Move runLookupPath to run_common.go
- Move setupTerminal to run_common.go
- Move etc file generation utilities to run_common.go
- Add run support for FreeBSD
- Add a simple FreeBSD jail library
- Add FreeBSD support to pkg/chrootuser
- Sync call signature for RunUsingChroot with chroot/run.go
- test: verify feature to resolve basename with args
- vendor: bump openshift/imagebuilder to master@4151e43
- GHA: Remove required reserved-name use
- buildah: set XDG_RUNTIME_DIR before setting default runroot
- imagebuildah: honor build output even if build container is not committed
- chroot: honor DefaultErrnoRet
- [CI:DOCS] improve pull-policy documentation
- tests: retrofit test since --file does not support dir
- Switch to golang native error wrapping
- BuildDockerfiles: error out if path to containerfile is a directory
- define.downloadToDirectory: fail early if bad HTTP response
- GHA: Allow re-use of Cirrus-Cron fail-mail workflow
- add: fail on bad http response instead of writing to container
- [CI:DOCS] Update buildahimage comment
- lint: inspectable is never nil
- vendor: c/common to common@7e1563b
- build: support OCI hooks for ephemeral build containers
- [CI:BUILD] Install latest buildah instead of compiling
- Add subid support with BuildRequires and BUILDTAG [NO NEW TESTS NEEDED]
- Make sure cpp is installed in buildah images
- demo: use unshare for rootless invocations
- buildah.spec.rpkg: initial addition
- build: fix test for subid 4
- build, userns: add support for --userns=auto
- Fix building upstream buildah image
- Remove redundant buildahimages-are-sane validation
- Docs: Update multi-arch buildah images readme
- Cirrus: Migrate multiarch build off github actions
- retrofit-tests: we skip unused stages so use stages
- stage_executor: don't rely on stage while looking for additional-context
- buildkit, multistage: skip computing unwanted stages
- More test cleanup
- copier: work around freebsd bug for 'mkdir /'
- Replace $BUILDAH_BINARY with buildah() function
- Fix up buildah images
- Make util and copier build on FreeBSD
- Vendor in latest github.com/sirupsen/logrus
- Makefile: allow building without .git
- run_unix: don't return an error from getNetworkInterface
- run_unix: return a valid DefaultNamespaceOptions
- Update vendor of containers/storage
- chroot: use ActKillThread instead of ActKill
- use resolvconf package from c/common/libnetwork
- update c/common to latest main
- copier: add NoOverwriteNonDirDir option
- Sort buildoptions and move cli/build functions to internal
- Fix TODO: de-spaghettify run mounts
- Move options parsing out of build.go and into pkg/cli
- [CI:DOCS] Tutorial 04 - Include Debian/Ubuntu deps
- build, multiarch: support splitting build logs for --platform
- [CI:BUILD] WIP Cleanup Image Dockerfiles
- cli remove stutter
- docker-parity: ignore sanity check if baseImage history is null
- build, commit: allow disabling image history with --omit-history
- Fix use generic/ambiguous DEBUG name
- Cirrus: use Ubuntu 22.04 LTS
- Fix codespell errors
- Remove util.StringInSlice because it is defined in containers/common
- buildah: add support for renaming a device in rootless setups
- squash: never use build cache when computing last step of last stage
- Update vendor of containers/(common, storage, image)
- buildkit: supports additionalBuildContext in builds via --build-context
- buildah source pull/push: show progress bar
- run: allow reusing secret twice in different RUN steps
- test helpers: default to being rootless-aware
- Add --cpp-flag flag to buildah build
- build: accept branch and subdirectory when context is git repo
- Vendor in latest containers/common
- vendor: update c/storage and c/image
- Fix gentoo install docs
- copier: move NSS load to new process
- Add test for prevention of reusing encrypted layers
- Make 'buildah build --label foo' create an empty 'foo' label again
Update to version 1.26.4:
- build, multiarch: support splitting build logs for --platform
- copier: add NoOverwriteNonDirDir option
- docker-parity: ignore sanity check if baseImage history is null
- build, commit: allow disabling image history with --omit-history
- buildkit: supports additionalBuildContext in builds via --build-context
- Add --cpp-flag flag to buildah build
Update to version 1.26.3:
- define.downloadToDirectory: fail early if bad HTTP response
- add: fail on bad http response instead of writing to container
- squash: never use build cache when computing last step of last stage
- run: allow reusing secret twice in different RUN steps
- integration tests: update expected error messages
- integration tests: quote '?' in shell scripts
- Use errors.Is() to check for storage errors
- lint: inspectable is never nil
- chroot: use ActKillThread instead of ActKill
- chroot: honor DefaultErrnoRet
- Set user namespace defaults correctly for the library
- contrib/rpm/buildah.spec: fix rpm parser warnings
- Drop requires on apparmor pattern, should be moved elsewhere for systems which want AppArmor instead of SELinux.
- Update BuildRequires to libassuan-devel >= 2.5.2, pkgconfig file is required to build.
Update to version 1.26.2:
- buildah: add support for renaming a device in rootless setups
Update to version 1.26.1:
- Make 'buildah build --label foo' create an empty 'foo' label again
- imagebuildah,build: move deepcopy of args before we spawn goroutine
- Vendor in containers/storage v1.40.2
- buildah.BuilderOptions.DefaultEnv is ignored, so mark it as deprecated
- help output: get more consistent about option usage text
- Handle OS version and features flags
- buildah build: --annotation and --label should remove values
- buildah build: add a --env
- buildah: deep copy options.Args before performing concurrent build/stage
- test: inline platform and builtinargs behaviour
- vendor: bump imagebuilder to master/009dbc6
- build: automatically set correct TARGETPLATFORM where expected
- Vendor in containers/(common, storage, image)
- imagebuildah, executor: process arg variables while populating baseMap
- buildkit: add support for custom build output with --output
- Cirrus: Update CI VMs to F36
- fix staticcheck linter warning for deprecated function
- Fix docs build on FreeBSD
- copier.unwrapError(): update for Go 1.16
- copier.PutOptions: add StripSetuidBit/StripSetgidBit/StripStickyBit
- copier.Put(): write to read-only directories
- Ed's periodic test cleanup
- using consistent lowercase 'invalid' word in returned err msg
- use etchosts package from c/common
- run: set actual hostname in /etc/hostname to match docker parity
- Update vendor of containers/(common,storage,image)
- manifest-create: allow creating manifest list from local image
- Update vendor of storage,common,image
- Initialize network backend before first pull
- oci spec: change special mount points for namespaces
- tests/helpers.bash: assert handle corner cases correctly
- buildah: actually use containers.conf settings
- integration tests: learn to start a dummy registry
- Fix error check to work on Podman
- buildah build should accept at most one arg
- tests: reduce concurrency for flaky bud-multiple-platform-no-run
- vendor in latest containers/common,image,storage
- manifest-add: allow override arch,variant while adding image
- Remove a stray \ from .containerenv
- Vendor in latest opencontainers/selinux v1.10.1
- build, commit: allow removing default identity labels
- Create shorter names for containers based on image IDs
- test: skip rootless on cgroupv2 in root env
- fix hang when oci runtime fails
- Set permissions for GitHub actions
- copier test: use correct UID/GID in test archives
- run: set parent-death signals and forward SIGHUP/SIGINT/SIGTERM