Update module github.com/containers/podman/v5 to v5.6.1 [SECURITY] #111
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ℹ Artifact update noticeFile name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
Edited/Blocked NotificationRenovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. |
|
Yeah none of these CVEs apply to us either... This whole thing is very much reinforcing my desire to use Rust for this project... |
bootc-bot
bot
force-pushed
the
bootc-renovate/go-github.com-containers-podman-v5-vulnerability
branch
2 times, most recently
from
8820ad6 to
07ca1ef
Compare
bootc-bot
bot
force-pushed
the
bootc-renovate/go-github.com-containers-podman-v5-vulnerability
branch
from
07ca1ef to
c30b8ad
Compare
bootc-bot
bot
force-pushed
the
bootc-renovate/go-github.com-containers-podman-v5-vulnerability
branch
2 times, most recently
from
cd37335 to
1c33b43
Compare
Signed-off-by: bootc-bot[bot] <225049296+bootc-bot[bot]@users.noreply.github.com>
bootc-bot
bot
force-pushed
the
bootc-renovate/go-github.com-containers-podman-v5-vulnerability
branch
from
1c33b43 to
019d861
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v5.0.1->v5.6.1GitHub Vulnerability Alerts
CVE-2024-9407
A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories from the host into a container during the build process and, in some cases, modify the contents of those mounted files. Even if SELinux is used, this vulnerability can bypass its protection by allowing the source directory to be relabeled to give the container access to host files.
CVE-2025-6032
Impact
The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry (which it does by default since 5.0.0) allowing a possible Man In The Middle attack.
Patches
containers/podman@726b506
Fixed in v5.5.2
Workarounds
Download the disk image manually via some other tool that verifies the TLS connection. Then pass the local image as file path (podman machine init --image ./somepath)
CVE-2025-9566
Impact
The podman kube play command can overwrite host files when the kube file contains a ConfigMap or Secret volume mount and the volume already contains a symlink to a host file.
This allows a malicious container to write to arbitrary files on the host BUT the attacker only controls the target path not the contents that will be written to the file. The contents are defined in the yaml file by the end user.
Requirements to exploit:
podman kube play must be used with a ConfigMap or Secret volume mount AND must be run more than once on the same volume. All the attacker has to do is create the malicious symlink on the volume the first time it is started. After that all following starts would follow the symlink and write to the host location.
Patches
Fixed in podman v5.6.1
containers/podman@43fbde4
Workarounds
Don't use podman kube play with ConfigMap or Secret volume mounts.
PR with test for CI
Adding on 9/8/2025 by @TomSweeneyRedHat , this is the PR containing the test ihttps://github.com/containers/podman/pull/27001/27001
Release Notes
containers/podman (github.com/containers/podman/v5)
v5.6.1Compare Source
Security
podman play kubecontainingConfigMapandSecretvolumes can use crafted symlinks to overwrite content on the host.Bugfixes
journaldevents driver was in use.--security-opt seccomp=unconfinedoption was broken on Windows (#26855).container_name_as_hostnameoption incontainers.confset totruewould fail to start.Misc
/tmp, ensuring proper operation of Podman after a reboot if/tmpis not a tmpfs.v5.6.0Compare Source
Features
podman quadlet install(install a new Quadlet for the current user),podman quadlet list(list installed Quadlets),podman quadlet print(print the contents of a Quadlet file), andpodman quadlet rm(remove a Quadlet). These commands are presently not available with the remote Podman client - we expect support for this to arrive in a future release..containerunits can now specify environment variables without values in theEnvironment=key, retrieving the value from the host when the container is started (#26247)..podunits now support two new keys,Label=(to set labels on the created pod) andExitPolicy=(to set exit policy for the created pod) (#25961 and #25596)..imageunits now support a new key,Policy=, to set pull policy for the image (e.g. pull always, pull only if newer version available) (#26446)..networkunits now support a new key,InterfaceName=, to specify the name of the network interface created.podman machine initcommand now supports a new option,--swap, enabling swap in the created virtual machine and setting it to a given size (in megabytes) (#15980).--mountoption topodman createandpodman runnow supportsdest=as a valid alias fordestination=.podman kube playcommand can now restrict container execution to specific CPU cores and specific memory nodes using theio.podman.annotations.cpuset/$ctrnameandio.podman.annotations.memory-nodes/$ctrnameannotations (#26172).podman kube playcommand now supports thelifecycle.stopSignalfield in Pod YAML, allowing the signal used to stop containers to be specified (#25389).podman artifactsuite of commands for interacting with OCI artifacts is now available in the remote Podman client and the bindings for the REST API.podman volume importandpodman volume exportcommands are now available in the remote Podman client (#26049).--build-contextoption topodman buildis now supported by the remote Podman client (#23433).podman volume createcommand now accepts two new options,--uidand--gid, to set the UID and GID the volume will be created with.podman secret createcommand now has a new option,--ignore, causing the command to succeed even if a secret with the given name already exists.podman pullcommand now has a new option,--policy, to configure pull policy.--mount type=artifactoption topodman create,podman run, andpodman pod createnow allows the filename of the artifact in the container to be set using thename=option (e.g.podman run --mount type=artifact,name=$NAME,...).--tmpfsoption topodman createandpodman runnow allows a new option,noatime, to be passed (e.g.podman run --tmpfs /run:noatime ...) (#26102).podman updatecommand now has a new option,--latest, to update the latest container instead of specifying a specific container (#26380).podman buildx inspect, has been added to improve Docker compatibility (#13014).Breaking Changes
podman machineVMs has been disabled by default due to issues with newer Linux kernels. These issues have been addressed in the Tahoe beta, and we plan on re-enabling support for Rosetta in a future Podman release once the fix is in wider circulation. You can find more details here.Changes
podman artifactsuite of commands for interacting with OCI artifacts is now considered stable.podman machineVMs using thelibkrunprovider on an M3 or newer host running macOS 15+, nested virtualization is enabled by default.podman machineVMs on Windows using the WSL v2 provider, images are now pulled as artifacts fromquay.io/podman/machine-os, matching the behavior of other VM providers.--sig-proxyoption topodman runandpodman attachis now more robust to races and no longer forwards theSIGSTOPsignal.podman system check --quickcommand now skips checking layer digests.C:\Program Files\Windows Subsystem for Linux\wsl.exeover the one inWindowsApps, avoiding common “access denied” issues (#25787).--mount type=artifactoption topodman create,podman run, andpodman pod createnow mounts artifacts containing a only a single blob as a file at the given destination path if the path does not exist in the image.podman volume exportcommand now refuses to export toSTDOUTif it is a TTY (#26506).User=,Group=, andDynamicUser=in the[Service]section of a unit, Quadlet will now warn the user of the potential incompatibility (#26543).Bugfixes
--security-opt unmask=option topodman createandpodman rundid not allow comma-separated lists of paths to be passed, instead only allowing a single path.podman machine initcould fail if run in a Podman container (#25950).podman machineVMs would sometimes receive incorrect timezone information.podman machineVMs created with a custom username would not have lingering enabled.podman machine initcommand on Windows when using the WSL 2 provider did not reliably determine if WSL was installed (#25523)..podunits that did not specify thePodName=key was set incorrectly (#26062)..containerunits joining a pod specified in a.podunit would fail as the pod name was set incorrectly when creating the container (#26105).RequiresMountsForwhen mounting a.volumeunit withType=bindset into a container (#26125)..podfiles did not include the lastEnvironment=key in the[Service]section in the generated systemd service (#26521).--hooks-dirwould fail to run when containers were restarted (#17935).--mountoption topodman createandpodman runrequired thetype=option to be specified, instead of defaulting tovolumewhen it was not present (#26101).podman kube playcommand would fail on Windows when specifying an absolute path to YAML files (#26350).--security-opt seccomp=option topodman create,podman run, andpodman pod createcould error on Windows when given a path to a Seccomp profile (#26558).--blkio-weight-device,--device-read-bps,--device-write-bps,--device-read-iops, and--device-write-iopsoptions topodman createandpodman runincorrectly accepted non-block devices.podman buildcommand handled the--ignorefileoption differently from thebuildah budcommand (#25746).podman rm -fcommand could return an error when trying to remove a running container whoseconmonprocess had been killed (#26640).podman inspectcommand did not correctly display log size for containers whenlog_size_maxwas set in containers.conf.API
GET /libpod/artifacts/{name}/json), listing all artifacts (GET /libpod/artifacts/json), pulling an artifact (POST /libpod/artifacts/pull), removing an artifact (DELETE /libpod/artifacts/{name}), adding an artifact (or appending to an existing artifact) from a tar file in the request body (POST /libpod/artifacts/add), pushing an artifact to a registry (/libpod/artifacts/{name}/push), and retrieving the contents of an artifact (GET /libpod/artifacts/{name}/extract).HostConfig.CgroupnsMode, to specify the cgroup namespace mode of the created container.base_hosts_fileoption incontainers.conf.DefaultAddressPools.BuilderSizefield.Builder-Versionto1to match Docker installs that do not include BuildKit.shared-sizefield unconditionally, even if theshared-sizequery parameter was not set to true. If not requested through query parameter, it is set to-1. This improves Docker API compatibility.VirtualSizefield when Docker API version 1.44 and up is requested.FORCEparameter was set to true; Docker only removes stopped containers (#25871).application/jsonresponses would be HTML escaped, mutating some responses (e.g.<missing>becoming\u003cmissing\u003ein image history responses) (#17769).Misc
podman stop/podman pod stop.libsqlite3build tag to force this behavior when not using the Makefile to build.v5.5.2Compare Source
Security
podman machinewas, by default, not validated, allowing connections to servers with invalid certificates by default and potentially allowing a Man in the Middle attack.Bugfixes
v5.5.1Compare Source
Bugfixes
/could overmount important directories such as/proccausing start and/or runtime failures due to an issue with mount ordering (#26161)..podunits could fail to start due to their storage not being mounted (#26190).resolv.conf(#24713).--dns-optoption topodman create,podman run, andpodman pod createwould append options to the container'sresolv.conf, instead of replacing them (#22399).podman kube playcommand would add an empty network alias for containers created with no name specified, causing Netavark to emit extraneous warnings.podman system dfcommand would panic when one or more containers were created using a root filesystem (the--rootfsoption topodman createandpodman run) instead of from an image (#26224).log_tagfield incontainers.confwould override the--log-opt tag=valueoption topodman createandpodman run(#26236).podman volume rmandpodman volume inspectcommands would incorrectly handle volume names containing the_character when the SQLite database backend was in use (#26168).-v source:destination:O) (#25988).API
-1were causing errors, instead of being interpreted as the maximum possible value (#24886).[](an empty array) was ignored, instead of setting an empty entrypoint (#26078).Misc
v5.5.0Compare Source
Features
podman machine cp, to copy files into a runningpodman machineVM.podman artifact extract, to copy some or all of the contents of an OCI artifact to a location on disk.--mountoption topodman create,podman run, andpodman pod createnow supports a new mount type,--mount type=artifact, to mount OCI artifacts into containers.podman artifact addcommand now features two new options,--append(to add new files to an existing artifact) and--file-type(to specify the MIME type of the file added to the artifact) (#25884).podman artifact rmcommand now features a new option,--all, to remove all artifacts in the local store.--filteroption topodman pause,podman ps,podman restart,podman rm,podman start,podman stop, andpodman unpausenow accepts a new filter,command, which filters on the first element (argv[0]) of the command run in the container.podman execcommand now supports a new option,--cidfile, to specify the ID of the container to exec into via a file (#21256).podman kube generateandpodman kube playcommands now supports a new annotation,io.podman.annotation.pids-limit/$containername, preserving the PID limit for containers acrosskube generateandkube play(#24418)..containerunits now support three new keys,Memory=(set maximum memory for the created container),ReloadCmd(execute a command via systemdExecReload), andReloadSignal(kill the container with the given signal via systemdExecReload) (#22036)..container,.image, and.buildunits now support two new keys,Retry(number of times to retry pulling image on failure) andRetryDelay(delay between retries) (#25109)..podunits now support a new key,HostName=, to set the pod's hostname (#25639).UpheldBy, in theInstallsection, corresponding to the systemdUpholdsoption.Wants=my.containeris now valid.--cdi-spec-dir, to specify additional search paths for CDI specs to the CDI loader (#18292 and #25691).podman buildcommand now supports a new option,--inherit-labels(defaults to true), which controls whether labels are inherited from the base image or base stages.podman updatecommand now supports two new options,--envand--unsetenv, to alter the environment variables of existing containers (#24875).Breaking Changes
containers.Commit()function now returns a new struct (types.IDResponse) with identical contents, and thecontainers.ExecCreatefunction'shandlers.ExecCreateConfigparameter now contains a different embedded struct, potentially requiring changes to how it is assigned to.Changes
stopped, which is reported if the container the healthcheck was run on stopped before the check could be completed (#25276).podman machineVMs with a host mount over the VM's/tmpdirectory is no longer allowed (#18230).podman logscommand now allows options to be specified after the container name (e.g.podman logs $containername --follow) (#25653).catatonitbinary will be used (#23292).podman system resetcommand no longer removes the user'spodman.sockAPI socket.dns.podmanadded. Queries resolving such names will still work..networkunit will now delete the network (if no containers are actively using it) (#23678)./proc/interruptsand/sys/devices/system/cpu/$CPU/thermal_throttlepaths are now masked by default in containers (#25634).Bugfixes
CAP_SYS_ADMIN(#25241).podman execcommand would not add the additional groups of the user the exec session was run as unless the user was explicitly added with the--useroption (#25610).podman network connectandpodman network disconnectcommands could create errors in the database which would causepodman inspecton the container to fail.podman kube generatecommand did not correctly generate YAML for volume mounts using a subpath.podman system dfcommand could show a negative reclaimable size.podman machineVM that was notpodman-machine-default(the default VM) with thepodman machine sshcommand would put the user into the rootless shell (#25332).podman machine initwould report nonsensical memory values in error messages when trying to create a machine with more memory than the system.podman start --attachcommand would incorrectly print an error when run on a container created with the--rmoption (#25965).podman pullcommand could hang and leak memory if the server was unexpectedly stopped or encountered an error during a pull.podman cpcommand would, on Windows, often fail to copy files into the container due to improper handling of Windows paths (#14862).podman container clonecommand did not correctly copy healthcheck settings to the new container (#21630).podman kube playcommand would fail to start empty pods (#25786).podman volume lscommand did not output headers when no volumes were present (#25911).--health-cmdoption was specified when creating the container (#20212).--useroption topodman createandpodman runcould not be used with users added to the container by the--hostuseroption (#25805).podman system resetcommand on FreeBSD would incorrectly print an error.podman machine startcommand with SIGINT could result in machine state being incorrectly set to "Starting" (#24416).podman machine startcommand would fail when starting a VM with volume mounts containing spaces using the HyperV machine provider (#25500).API
Misc
ExecStartAndAttach()function in the Go bindings for the REST API have been silenced, where the function would incorrectly report errors when stdin was consumed after the exec session was stopped (#25344).v5.4.2Compare Source
Bugfixes
podman importcommand could not import images compressed with algorithms other than gzip (#25593).podman cpcommand could deadlock when copying into a non-empty volume on a container that is not running (#25585).API
Misc
v5.4.1Compare Source
Bugfixes
--pid-limit=-1option did not function properly with containers using theruncOCI runtime.podman artifact pullcommand did not respect the--retry-delayoption.podman waitcommand would sometimes error when waiting for a container set to auto-remove..kubeunits would not report an error (and stay running) even when a pod failed to start (#20667).API
Misc
v5.4.0Compare Source
Features
podman artifactsuite of commands, includingadd,inspect,ls,pull,push, andrm. This support is very early and not fully complete, and the command line interface for these tools has not been finalized. We welcome feedback on the new artifact experience through our issue tracker!podman updatecommand now supports a wide variety of options related to healthchecks (including--health-cmdto define a new healthcheck and--no-healthcheckto disable an existing healthcheck), allowing healthchecks to be added to, removed from, and otherwise updated on existing containers. You can find full details on the 15 added options in the manpage.--mount type=volumeoption for thepodman run,podman create, andpodman volume createcommands now supports a new option,subpath=, to make only a subset of the volume visible in the container (#20661).--userns=keep-idoption for thepodman run,podman create, andpodman pod createcommands now supports a new option,--userns=keep-id:size=, to configure the size of the user namespace (#24387).podman kube playcommand now supports Container Device Interface (CDI) devices (#17833).podman machine initcommand now supports a new option,--playbook, to run an Ansible playbook in the created VM on first boot for initial configuration..podfiles now support a new field,ShmSize, to specify the size of the pod's shared SHM (#22915).podman run,podman create, andpodman pod createcommands now support a new option,--hosts-file, to define the base file used for/etc/hostsin the container.podman run,podman create, andpodman pod createcommands now support a new option,--no-hostname, which disables the creation of/etc/hostnamein the container (#25002).podman network createcommand now supports a new option forbridgenetworks,--opt mode=unmanaged, which allows Podman to use an existing network bridge on the system without changes.--networkoption topodman run,podman create, andpodman pod createnow accepts a new option forbridgenetworks,host_interface_name, which specifies a name for the network interface created outside the container.podman manifest rmcommand now supports a new option,--ignore, to not error when removing manifests that do not exist.podman system prunecommand now supports a new option,--build, to remove build containers leftover from prematurely terminated builds.podman eventscommand now generates events for the creation and removal of networks (#24032).Breaking Changes
:as a character to define comments. This was a mistake; developer intent and documentation was that#and;were to be used as comment characters instead, matching systemd. This has been corrected, and semicolons now define comments instead of colons.Changes
zstd:chunkedimages now only happen for images that have aRootFS.DiffIDentry in the image's OCI config JSON, and require the layer contents to match. This resolves issues with image ID ambiguity when partial pulls were enabled.BUILD_ORIGINenvironment variable when building podman from theMakefile. This provides information on who built the Podman binary, and is displayed inpodman versionandpodman info. This will help upstream bug reports, allowing maintainers to trace how and where the binary was built and installed from.Bugfixes
podman machineVMs on WSL could fail to start when using usermode networking could fail to start due to a port conflict (#20327).podman buildcommand did not honor theno_pivot_rootsetting fromcontainers.conf(#24546).podman cpwas used to copy into a fresh volume in a container that had never been started.podman cpto copy into a named volume requiring a mount (image volumes, volumes backed by a volume plugin, or other volumes with options) would fail when the container being copied into was stopped.CAP_SYS_RESOURCE(#24692).podman stats --allcommand would fail if a container started with--cgroups=nonewas present (#24632).podman infocommand would only return details on one image store even if additional image stores were configured instorage.conf.podman updatecommand could reset resource limits that were not being modified to default (#24610).podman updatecommand could not update resource limits on devices mounted into the container (#24734).podman manifest annotatecommand could panic when the--indexoption was used (#24750)./etc/containers/systemd/users/(#24783).podman generate kubecould generate persistent volumes with mixed-case names or names containing an underscore, which are not supported by Kubernetes (#16542).ptmxmodeoption to--mount type=devptsdid not function..exein the executable name, breaking completion on some shells.podman inspecton containers did not include the ID of the network the container was joined to, improving Docker compatibility (#24910).libkrunbackend for VMs on Intel Macs (libkrunonly supports Arm systems).libkrunandapplehvVMs frompodman machinecould be started at the same time on Macs (#25112).podman execcommands could not detach from the exec session using the detach keys (#24895).API
nohosts, which (when set to true) does not create/etc/hostsin the image when building.docker compose(#19338).Misc
podman-restart.servicefunctioned incorrectly when no containers were present.v5.3.2Compare Source
Security
Bugfixes
.buildfiles could create an invalid podman command line whenPull=was used (#24599).Misc
v5.3.1Compare Source
--ignition-pathoption topodman machine initwould prevent creation of necessary files for the VM, rendering it unusable (#23544).bridgenetworking mode would be unable to start due to a panic caused by a nil pointer dereference (#24566).v5.3.0Compare Source
Features
podman kube generateandpodman kube playcommands can now create and run Kubernetes Job YAML (#17011).podman kube generatecommand now includes information on the user namespaces for pods and containers in generated YAML. Thepodman kube playcommand uses this information to duplicate the user namespace configuration when creating new pods based on the YAML.podman kube playcommand now supports Kubernetes volumes of type image (#23775).ServiceNamekey in all supported Quadlet files (#23414).network-online.targetvia a new key,DefaultDependencies, supported by all Quadlet files (#24193)..containerand.podfiles now support a new key,AddHost, to add hosts to the container or pod.PublishPortkey in Quadlet.containerand.podfiles can now accept variables in its value (#24081)..containerfiles now support two new keys,CgroupsModeandStartWithPod, to configure cgroups for the container and whether the container will be started with the pod it is part of (#23664 and #24401)..containerfiles can now use the network of another container by specifying the.containerfile of the container to share with in theNetworkkey..containerfiles can now mount images managed by.imagefiles into the container by using theMount=type=imagekey with a.imagetarget..podfiles now support six new keys,DNS,DNSOption,DNSSearch,IP,IP6, andUserNS, to configure DNS, static IPs, and user namespace settings for the pod (#23692)..imagefiles can now give an image multiple times by specifying theImageTagkey multiple times (#23781)./run/containers/systemddirectory as well as existing directories like$HOME/containers/systemdand/etc/containers/systemd/users.podman manifest inspectcommand now includes the manifest's annotations in its output.podman inspectcommand for containers now includes a new field,HostConfig.AutoRemoveImage, which shows whether a container was created with the--rmioption set.podman inspectcommand for containers now includes a new field,Config.ExposedPorts, which includes all exposed ports from the container, improving Docker compatibility.podman inspectcommand for containers now includes a new field,Config.StartupHealthCheck, which shows the container's startup healthcheck configuration.podman inspectcommand for containers now includes a new field inMounts,SubPath, which contains any subpath set for image or named volumes.podman machine listcommand now supports a new option,--all-providers, which lists machines from all supported VM providers, not just the one currently in use.podman machineon Windows will now provide API access by exposing a Unix socket on the host filesystem which forwards into the VM (#23408).podman buildx pruneandpodman image prunecommands now support a new option,--build-cache, which will also clean the build cache.--add-hostoption topodman create,podman run, andpodman pod createnow supports specifying multiple hostnames, semicolon-separated (e.g.podman run --add-host test1;test2:192.168.1.1) (#23770).podman runandpodman createcommands now support three new options for configuring healthcheck logging:--health-log-destination(specify where logs are stored),--health-max-log-count(specify how many healthchecks worth of logs are stored), and--health-max-log-size(specify the maximum size of the healthcheck log).Changes
--map-guest-addroption by default which is used for thehost.containers.internalentry in/etc/hoststo allow containers to reach the host by default (#19213).-infra(#23665).podman system connection addcommand now respects HTTP path prefixes specified withtcp://URLs.https_proxy) declared incontainers.confno longer escape special characters in their values when used withpodman machineVMs (#23277).podman images --sort=repositorycommand now also sorts by image tag as well, guaranteeing deterministic output ordering (#23803).podman machineVM running and second rootfulpodman machineVM initialized, and the rootless VM is removed, the connection to the second, rootful machine now becomes the default as expected (#22577).podman inspecton a container the secret is used in (#23788).podman-user-wait-network-online.service, instead of the user session's nonfunctionalnetwork-online.target.podman psare now correctly grouped and deduplicated when they are also published (#23317).RemainAfterExit=yesby default.Bugfixes
--build-contextoption topodman builddid not function properly on Windows, breaking compatibility with Visual Studio Dev Containers (#17313).SecurityLabelDisableorSecurityLabelNestedkeys were used (#23432).PODMAN_COMPOSE_WARNING_LOGSenvironment variable did not suppress warnings printed bypodman composethat it was redirecting to an external provider.podman container cleanupcommand was run on a container in the process of being removed, an error could be printed./etc/containers/systemd/users/would be loaded for root as well when/etc/containers/systemdwas a symlink (#23483).podman stopcommand would, if called with--cidfilepointing to a non-existent file and the--ignoreoption set, stop all containers (#23554).podman waitwould only exit only after 20 second when run on a container which rapidly exits and is then restarted by theon-failurerestart policy.podman volume rmandpodman run -vcould deadlock when run simultaneously on the same volume (#23613).podman mounton a container in the process of being created could cause a nonsensical error indicating the container already existed (#23637).podman stopcommand could deadlock when run on containers with very large annotations ([#22246](https://redirect.github.com/containers/podman/issues/22246Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.