Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package podman for openSUSE:Factory checked in at 2025-06-26 11:34:29 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/podman (Old) and /work/SRC/openSUSE:Factory/.podman.new.7067 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "podman" Thu Jun 26 11:34:29 2025 rev:161 rq:1288469 version:5.5.2 Changes: --------
--- /work/SRC/openSUSE:Factory/podman/podman.changes 2025-06-10 08:57:09.539259439 +0200
+++ /work/SRC/openSUSE:Factory/.podman.new.7067/podman.changes 2025-06-26 11:34:40.070200754 +0200
@@ -1,0 +2,14 @@
+Wed Jun 25 04:50:07 UTC 2025 - Johannes Kastl <opensuse_buildserv...@ojkastl.de>
+
+- Update to version 5.5.2:
+ * Security
+ - This release addresses CVE-2025-6032, in which the TLS
+ connection used to pull VM images for podman machine was, by
+ default, not validated, allowing connections to servers with
+ invalid certificates by default and potentially allowing a
+ Man in the Middle attack.
+ * Bugfixes
+ - Fixed a bug where Podman could panic after a reboot on
+ systems with pods containing containers (#26469).
+
+-------------------------------------------------------------------
Old: ---- podman-5.5.1.obscpio New: ---- podman-5.5.2.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ podman.spec ++++++
--- /var/tmp/diff_new_pack.k9RA9V/_old 2025-06-26 11:34:41.782271778 +0200
+++ /var/tmp/diff_new_pack.k9RA9V/_new 2025-06-26 11:34:41.782271778 +0200
@@ -22,7 +22,7 @@
 %bcond_without apparmor
 Name: podman
-Version: 5.5.1
+Version: 5.5.2
 Release: 0
 Summary: Daemon-less container engine for managing containers, pods and images
 License: Apache-2.0
++++++ _service ++++++
--- /var/tmp/diff_new_pack.k9RA9V/_old 2025-06-26 11:34:41.822273438 +0200
+++ /var/tmp/diff_new_pack.k9RA9V/_new 2025-06-26 11:34:41.826273604 +0200
@@ -2,7 +2,7 @@
 <service name="obs_scm" mode="manual">
 <param name="url">https://github.com/containers/podman.git</param>
 <param name="scm">git</param>
- <param name="revision">v5.5.1</param>
+ <param name="revision">v5.5.2</param>
 <param name="versionformat">@PARENT_TAG@</param>
 <param name="changesgenerate">enable</param>
 <param name="versionrewrite-pattern">v(.*)</param>
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.k9RA9V/_old 2025-06-26 11:34:41.850274599 +0200
+++ /var/tmp/diff_new_pack.k9RA9V/_new 2025-06-26 11:34:41.854274765 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
 <param name="url">https://github.com/containers/podman.git</param>
- <param name="changesrevision">850db76dd78a0641eddb9ee19ee6f60d2c59bcfa</param></service></servicedata>
+ <param name="changesrevision">e7d8226745ba07a64b7176a7f128e4ef53225a0e</param></service></servicedata>
(No newline at EOF)
++++++ podman-5.5.1.obscpio -> podman-5.5.2.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/podman-5.5.1/.github/workflows/update-podmanio.yml new/podman-5.5.2/.github/workflows/update-podmanio.yml
--- old/podman-5.5.1/.github/workflows/update-podmanio.yml 2025-06-05 20:25:35.000000000 +0200
+++ new/podman-5.5.2/.github/workflows/update-podmanio.yml 2025-06-24 16:41:45.000000000 +0200
@@ -6,7 +6,16 @@
 workflow_dispatch:
 inputs:
 version:
- description: 'Release version to build and upload (e.g. "v9.8.7")'
+ description: 'Release version to bump on podman.io'
+ required: true
+ workflow_call:
+ inputs:
+ version:
+ description: 'Release version to bump on podman.io'
+ type: string
+ required: true
+ secrets:
+ PODMANBOT_TOKEN:
 required: true
 jobs:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/podman-5.5.1/RELEASE_NOTES.md new/podman-5.5.2/RELEASE_NOTES.md
--- old/podman-5.5.1/RELEASE_NOTES.md 2025-06-05 20:25:35.000000000 +0200
+++ new/podman-5.5.2/RELEASE_NOTES.md 2025-06-24 16:41:45.000000000 +0200
@@ -1,5 +1,12 @@
 # Release Notes
+## 5.5.2
+### Security
+- This release addresses CVE-2025-6032, in which the TLS connection used to pull VM images for `podman machine` was, by default, not validated, allowing connections to servers with invalid certificates by default and potentially allowing a Man in the Middle attack.
+
+### Bugfixes
+- Fixed a bug where Podman could panic after a reboot on systems with pods containing containers ([#26469](https://github.com/containers/podman/issues/26469)).
+
 ## 5.5.1
 ### Bugfixes
 - Fixed a bug where containers mounting a volume to `/` could overmount important directories such as `/proc` causing start and/or runtime failures due to an issue with mount ordering ([#26161](https://github.com/containers/podman/issues/26161)).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/podman-5.5.1/cmd/podman/root.go new/podman-5.5.2/cmd/podman/root.go
--- old/podman-5.5.1/cmd/podman/root.go 2025-06-05 20:25:35.000000000 +0200
+++ new/podman-5.5.2/cmd/podman/root.go 2025-06-24 16:41:45.000000000 +0200
@@ -293,6 +293,34 @@
 }
 }
 }
+
+ if cmd.Flag("cpu-profile").Changed {
+ f, err := os.Create(podmanConfig.CPUProfile)
+ if err != nil {
+ return err
+ }
+ if err := pprof.StartCPUProfile(f); err != nil {
+ return err
+ }
+ }
+ if cmd.Flag("memory-profile").Changed {
+ // Same value as the default in github.com/pkg/profile.
+ runtime.MemProfileRate = 4096
+ if rate := os.Getenv("MemProfileRate"); rate != "" {
+ r, err := strconv.Atoi(rate)
+ if err != nil {
+ return err
+ }
+ runtime.MemProfileRate = r
+ }
+ }
+
+ if podmanConfig.MaxWorks <= 0 {
+ return fmt.Errorf("maximum workers must be set to a positive number (got %d)", podmanConfig.MaxWorks)
+ }
+ if err := parallel.SetMaxThreads(uint(podmanConfig.MaxWorks)); err != nil {
+ return err
+ }
 }
 if err := readRemoteCliFlags(cmd, podmanConfig); err != nil {
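Review bot: The relocated block still creates the CPU profile with `os.Create(podmanConfig.CPUProfile)`, i.e. mode 0o666 before umask, for a path taken from a command-line flag; `f, err := os.OpenFile(podmanConfig.CPUProfile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)` would keep the profile readable only by the invoking user. Nothing in this hunk closes `f` or calls `pprof.StopCPUProfile`, which presumably happens in a post-run hook outside the hunk — worth confirming. The block is a verbatim move of the code removed in the second root.go hunk and now runs before `readRemoteCliFlags`, so a comment such as `// Runs before readRemoteCliFlags so parallel.SetMaxThreads is set before any worker pool is used; presumably the fix for the post-reboot panic (#26469) — confirm` would record why the order matters. The enclosing function starts outside this hunk.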
@@ -346,35 +374,6 @@
 }
 }
- if !registry.IsRemote() {
- if cmd.Flag("cpu-profile").Changed {
- f, err := os.Create(podmanConfig.CPUProfile)
- if err != nil {
- return err
- }
- if err := pprof.StartCPUProfile(f); err != nil {
- return err
- }
- }
- if cmd.Flag("memory-profile").Changed {
- // Same value as the default in github.com/pkg/profile.
- runtime.MemProfileRate = 4096
- if rate := os.Getenv("MemProfileRate"); rate != "" {
- r, err := strconv.Atoi(rate)
- if err != nil {
- return err
- }
- runtime.MemProfileRate = r
- }
- }
-
- if podmanConfig.MaxWorks <= 0 {
- return fmt.Errorf("maximum workers must be set to a positive number (got %d)", podmanConfig.MaxWorks)
- }
- if err := parallel.SetMaxThreads(uint(podmanConfig.MaxWorks)); err != nil {
- return err
- }
- }
 // Setup Rootless environment, IFF:
 // 1) in ABI mode
 // 2) running as non-root
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/podman-5.5.1/pkg/machine/ocipull/ociartifact.go new/podman-5.5.2/pkg/machine/ocipull/ociartifact.go
--- old/podman-5.5.1/pkg/machine/ocipull/ociartifact.go 2025-06-05 20:25:35.000000000 +0200
+++ new/podman-5.5.2/pkg/machine/ocipull/ociartifact.go 2025-06-24 16:41:45.000000000 +0200
@@ -224,7 +224,7 @@
 }
 fmt.Printf("Looking up Podman Machine image at %s to create VM\n", imgRef.DockerReference())
 sysCtx := &types.SystemContext{
- DockerInsecureSkipTLSVerify: types.NewOptionalBool(!o.pullOptions.TLSVerify),
+ DockerInsecureSkipTLSVerify: o.pullOptions.SkipTLSVerify,
 }
 imgSrc, err := imgRef.NewImageSource(o.ctx, sysCtx)
 if err != nil {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/podman-5.5.1/pkg/machine/ocipull/pull.go new/podman-5.5.2/pkg/machine/ocipull/pull.go
--- old/podman-5.5.1/pkg/machine/ocipull/pull.go 2025-06-05 20:25:35.000000000 +0200
+++ new/podman-5.5.2/pkg/machine/ocipull/pull.go 2025-06-24 16:41:45.000000000 +0200
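Review bot: The safety of this fix rests on the zero value of `o.pullOptions.SkipTLSVerify`: with the old `TLSVerify bool` an unset field was false and so `DockerInsecureSkipTLSVerify` became true, whereas the `types.OptionalBool` zero value is `OptionalBoolUndefined`, which leaves containers/image's default (verify) in place. That invariant is what closes CVE-2025-6032, yet neither this hunk nor the matching pull.go hunks state it; the field comment in pull.go would be more useful as `// Skip TLS verification when accessing the registry. The zero value (OptionalBoolUndefined) keeps verification enabled; only an explicit OptionalBoolTrue disables it.` Any caller that derives this field from a bool flag whose default is false would reintroduce the original behaviour, so a test asserting that an empty PullOptions yields a verifying SystemContext would guard against regression. The enclosing function starts outside this hunk.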
@@ -21,8 +21,8 @@
 // PullOptions includes data to alter certain knobs when pulling a source
 // image.
 type PullOptions struct {
- // Require HTTPS and verify certificates when accessing the registry.
- TLSVerify bool
+ // Skip TLS verification when accessing the registry.
+ SkipTLSVerify types.OptionalBool
 // [username[:password] to use when connecting to the registry.
 Credentials string
 // Quiet the progress bars when pushing.
@@ -46,7 +46,7 @@
 }
 sysCtx := &types.SystemContext{
- DockerInsecureSkipTLSVerify: types.NewOptionalBool(!options.TLSVerify),
+ DockerInsecureSkipTLSVerify: options.SkipTLSVerify,
 }
 if options.Credentials != "" {
 authConf, err := parse.AuthConfig(options.Credentials)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/podman-5.5.1/rpm/podman.spec new/podman-5.5.2/rpm/podman.spec
--- old/podman-5.5.1/rpm/podman.spec 2025-06-05 20:25:35.000000000 +0200
+++ new/podman-5.5.2/rpm/podman.spec 2025-06-24 16:41:45.000000000 +0200
@@ -17,6 +17,9 @@
 %if %{defined copr_username}
 %define copr_build 1
+%if "%{copr_username}" == "rhcontainerbot" && "%{copr_projectname}" == "podman-next"
+%define next_build 1
+%endif
 %endif
 # Only RHEL and CentOS Stream rpms are built with fips-enabled go compiler
@@ -44,7 +47,7 @@
 %endif
 Name: podman
-%if %{defined copr_build}
+%if %{defined next_build}
 Epoch: 102
 %else
 Epoch: 5
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/podman-5.5.1/version/rawversion/version.go new/podman-5.5.2/version/rawversion/version.go
--- old/podman-5.5.1/version/rawversion/version.go 2025-06-05 20:25:35.000000000 +0200
+++ new/podman-5.5.2/version/rawversion/version.go 2025-06-24 16:41:45.000000000 +0200
@@ -7,4 +7,4 @@
 //
 // NOTE: remember to bump the version at the top of the top-level README.md
 // file when this is bumped.
-const RawVersion = "5.5.1"
+const RawVersion = "5.5.2"
++++++ podman.obsinfo ++++++
--- /var/tmp/diff_new_pack.k9RA9V/_old 2025-06-26 11:34:46.118451662 +0200
+++ /var/tmp/diff_new_pack.k9RA9V/_new 2025-06-26 11:34:46.122451828 +0200
@@ -1,5 +1,5 @@
 name: podman
-version: 5.5.1
-mtime: 1749147935
-commit: 850db76dd78a0641eddb9ee19ee6f60d2c59bcfa
+version: 5.5.2
+mtime: 1750776105
+commit: e7d8226745ba07a64b7176a7f128e4ef53225a0e