Several security issues in libpod 3.4.x

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

@mdeslaur the issue is not addressed with a simple debdiff, several packages need to be updated in the right order. I've done all this work in debian testing, and all those packages could be synced over.

I'm asking for help with coordinating these uploads.

I wonder if it really makes sense to keep podman in the Ubuntu repositories, at least if it's going to stay in universe? It's the sort of software that people who use it are going rely on being secure and up-to-date, and so far at least it has been quite a fast-moving target.

I'm not normally a big fan of static binaries, but in this instance an 'installer' package which just grabs the latest binaries from github and keeps them up-to-date might make more sense.

Alternatively, I wonder whether a snap could be generated? I'm not a fan of the format myself, but I manage to use podman nested with a systemd-nspawn container here, so it seems conceivable that it might also be made to work in a privileged snap (with the assumption that podman itself will protect the host system from the containers it runs.)

Which "latest binaries from github" ? Upstream only releases source code.

Hi,

This is not the scope of this bug, but will podman be upgraded and follow upstream releases regularly in Ubuntu 22.04, or it will stay at version 3.4.x during the whole lifetime of jammy ? Indeed this kind of package is still in fast pace mode, and even Red Hat is upgrading it its stable RHEL distos (RHEL 8/9 just moved to 4.0.2 in the last few weeks, and 4.1.x exists already upstream).

Cheers,
Romain

Is it possible to know if we will have a 4.x version available anytime soon??

Status changed to 'Confirmed' because the bug affects multiple users.

The usual approach in Ubuntu is to fix specific bugs in packages rather than perform wholesale version updates: https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions

You can see that a 4.x version is currently in Debian experimental: https://packages.qa.debian.org/libp/libpod.html

When the maintainers are happy with it, it'll be moved to Debian unstable, at which point it will be ingested to Ubuntu's development release. I can't give you a precise date.

Thanks