diff --git a/.buildah.metadata b/.buildah.metadata
index ca2a784..c1b361d 100644
--- a/.buildah.metadata
+++ b/.buildah.metadata
@@ -1 +1 @@
-da35ceecbee25d37313869956f602161fc282153 SOURCES/buildah-9513cb8.tar.gz
+c663721202c90de628f175a2c078eb5a9273bba0 SOURCES/v1.14.9.tar.gz
diff --git a/.gitignore b/.gitignore
index dc35543..888b1c6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/buildah-9513cb8.tar.gz
+SOURCES/v1.14.9.tar.gz
diff --git a/SOURCES/1996.patch b/SOURCES/1996.patch
deleted file mode 100644
index fd565dd..0000000
--- a/SOURCES/1996.patch
+++ /dev/null
@@ -1,153 +0,0 @@
-From f09346578021c12069b6deb9487a1462b8d28a83 Mon Sep 17 00:00:00 2001
-From: Nalin Dahyabhai <nalin@redhat.com>
-Date: Thu, 21 Nov 2019 15:32:41 -0500
-Subject: [PATCH 1/3] bind: don't complain about missing mountpoints
-
-When we go to unmount a tree of mounts, if one of the directories isn't
-there, instead of returning an error as before, log a debug message and
-keep going.
-
-Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
----
- bind/mount.go | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/bind/mount.go b/bind/mount.go
-index e1ae323b9..adde901fd 100644
---- a/bind/mount.go
-+++ b/bind/mount.go
-@@ -264,6 +264,10 @@ func UnmountMountpoints(mountpoint string, mountpointsToRemove []string) error {
- mount := getMountByID(id)
- // check if this mountpoint is mounted
- if err := unix.Lstat(mount.Mountpoint, &st); err != nil {
-+ if os.IsNotExist(err) {
-+ logrus.Debugf("mountpoint %q is not present(?), skipping", mount.Mountpoint)
-+ continue
-+ }
- return errors.Wrapf(err, "error checking if %q is mounted", mount.Mountpoint)
- }
- if mount.Major != int(unix.Major(st.Dev)) || mount.Minor != int(unix.Minor(st.Dev)) {
-
-From c5fb681a6082b78c422eb3531667dc6d607a9355 Mon Sep 17 00:00:00 2001
-From: Nalin Dahyabhai <nalin@redhat.com>
-Date: Fri, 22 Nov 2019 14:22:26 -0500
-Subject: [PATCH 2/3] chroot: Unmount with MNT_DETACH instead of
- UnmountMountpoints()
-
-Unmounting the rootfs with MNT_DETACH should unmount everything below
-it, so we don't need to use the more exhaustive method that our bind
-package uses for its bind mounts.
-
-Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
----
- chroot/run.go | 25 +++++++++++++++----------
- 1 file changed, 15 insertions(+), 10 deletions(-)
-
-diff --git a/chroot/run.go b/chroot/run.go
-index fbccbcdb0..76ac78d1f 100644
---- a/chroot/run.go
-+++ b/chroot/run.go
-@@ -15,6 +15,7 @@ import (
- "strings"
- "sync"
- "syscall"
-+ "time"
- "unsafe"
-
- "github.com/containers/buildah/bind"
-@@ -1002,12 +1003,19 @@ func isDevNull(dev os.FileInfo) bool {
- // callback that will clean up its work.
- func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func() error, err error) {
- var fs unix.Statfs_t
-- removes := []string{}
- undoBinds = func() error {
-- if err2 := bind.UnmountMountpoints(spec.Root.Path, removes); err2 != nil {
-- logrus.Warnf("pkg/chroot: error unmounting %q: %v", spec.Root.Path, err2)
-- if err == nil {
-- err = err2
-+ if err2 := unix.Unmount(spec.Root.Path, unix.MNT_DETACH); err2 != nil {
-+ retries := 0
-+ for (err2 == unix.EBUSY || err2 == unix.EAGAIN) && retries < 50 {
-+ time.Sleep(50 * time.Millisecond)
-+ err2 = unix.Unmount(spec.Root.Path, unix.MNT_DETACH)
-+ retries++
-+ }
-+ if err2 != nil {
-+ logrus.Warnf("pkg/chroot: error unmounting %q (retried %d times): %v", spec.Root.Path, retries, err2)
-+ if err == nil {
-+ err = err2
-+ }
- }
- }
- return err
-@@ -1096,6 +1104,7 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
- // Add /sys/fs/selinux to the set of masked paths, to ensure that we don't have processes
- // attempting to interact with labeling, when they aren't allowed to do so.
- spec.Linux.MaskedPaths = append(spec.Linux.MaskedPaths, "/sys/fs/selinux")
-+
- // Bind mount in everything we've been asked to mount.
- for _, m := range spec.Mounts {
- // Skip anything that we just mounted.
-@@ -1141,13 +1150,11 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
- if !os.IsNotExist(err) {
- return undoBinds, errors.Wrapf(err, "error examining %q for mounting in mount namespace", target)
- }
-- // The target isn't there yet, so create it, and make a
-- // note to remove it later.
-+ // The target isn't there yet, so create it.
- if srcinfo.IsDir() {
- if err = os.MkdirAll(target, 0111); err != nil {
- return undoBinds, errors.Wrapf(err, "error creating mountpoint %q in mount namespace", target)
- }
-- removes = append(removes, target)
- } else {
- if err = os.MkdirAll(filepath.Dir(target), 0111); err != nil {
- return undoBinds, errors.Wrapf(err, "error ensuring parent of mountpoint %q (%q) is present in mount namespace", target, filepath.Dir(target))
-@@ -1157,7 +1164,6 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
- return undoBinds, errors.Wrapf(err, "error creating mountpoint %q in mount namespace", target)
- }
- file.Close()
-- removes = append(removes, target)
- }
- }
- requestFlags := bindFlags
-@@ -1266,7 +1272,6 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
- if err := os.Mkdir(roEmptyDir, 0700); err != nil {
- return undoBinds, errors.Wrapf(err, "error creating empty directory %q", roEmptyDir)
- }
-- removes = append(removes, roEmptyDir)
- }
-
- // Set up any masked paths that we need to. If we're running inside of
-
-From ec1be6a51941e10b5316c911ef97c88940f7c095 Mon Sep 17 00:00:00 2001
-From: Nalin Dahyabhai <nalin@redhat.com>
-Date: Fri, 22 Nov 2019 14:52:25 -0500
-Subject: [PATCH 3/3] overlay.bats typo: fuse-overlays should be fuse-overlayfs
-
-Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
----
- tests/overlay.bats | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/tests/overlay.bats b/tests/overlay.bats
-index 04056f680..7cc2d0c62 100644
---- a/tests/overlay.bats
-+++ b/tests/overlay.bats
-@@ -3,14 +3,14 @@
- load helpers
-
- @test "overlay specific level" {
-- if test \! -e /usr/bin/fuse-overlays -a "$BUILDAH_ISOLATION" = "rootless"; then
-+ if test \! -e /usr/bin/fuse-overlayfs -a "$BUILDAH_ISOLATION" = "rootless"; then
- skip "BUILDAH_ISOLATION = $BUILDAH_ISOLATION" and no /usr/bin/fuse-overlayfs present
- fi
- image=alpine
- mkdir ${TESTDIR}/lower
- touch ${TESTDIR}/lower/foo
-
--cid=$(buildah --log-level=error from -v ${TESTDIR}/lower:/lower:O --quiet --signature-policy ${TESTSDIR}/policy.json $image)
-+ cid=$(buildah --log-level=error from -v ${TESTDIR}/lower:/lower:O --quiet --signature-policy ${TESTSDIR}/policy.json $image)
-
- # This should succeed
- run_buildah --log-level=error run $cid ls /lower/foo
diff --git a/SOURCES/2031.patch b/SOURCES/2031.patch
deleted file mode 100644
index b674e80..0000000
--- a/SOURCES/2031.patch
+++ /dev/null
@@ -1,147 +0,0 @@
-From fb7d2b6bd6a16ffdbe4a69428e3ba5b487719e78 Mon Sep 17 00:00:00 2001
-From: Daniel J Walsh <dwalsh@redhat.com>
-Date: Tue, 17 Dec 2019 15:24:29 -0500
-Subject: [PATCH] Add support for FIPS-Mode backends
-
-If host is running in fips mode, then RHEL8.2 and beyond container images
-will come with a directory /usr/share/crypto-policies/back-ends/FIPS.
-This directory needs to be bind mounted over /etc/crypto-policies/back-ends in
-order to make all tools in the container follow the FIPS Mode rules.
-
-Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
----
- pkg/secrets/secrets.go | 48 +++++++++++++++++++++++++++++++++---------
- run_linux.go | 2 +-
- 2 files changed, 39 insertions(+), 11 deletions(-)
-
-diff --git a/pkg/secrets/secrets.go b/pkg/secrets/secrets.go
-index 80ca05016..ee2e9a7c8 100644
---- a/pkg/secrets/secrets.go
-+++ b/pkg/secrets/secrets.go
-@@ -148,12 +148,21 @@ func getMountsMap(path string) (string, string, error) {
- }
-
- // SecretMounts copies, adds, and mounts the secrets to the container root filesystem
-+// Deprecated, Please use SecretMountWithUIDGID
- func SecretMounts(mountLabel, containerWorkingDir, mountFile string, rootless, disableFips bool) []rspec.Mount {
- return SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, containerWorkingDir, 0, 0, rootless, disableFips)
- }
-
--// SecretMountsWithUIDGID specifies the uid/gid of the owner
--func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPrefix string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
-+// SecretMountsWithUIDGID copies, adds, and mounts the secrets to the container root filesystem
-+// mountLabel: MAC/SELinux label for container content
-+// containerWorkingDir: Private data for storing secrets on the host mounted in container.
-+// mountFile: Additional mount points required for the container.
-+// mountPoint: Container image mountpoint
-+// uid: to assign to content created for secrets
-+// gid: to assign to content created for secrets
-+// rootless: indicates whether container is running in rootless mode
-+// disableFips: indicates whether system should ignore fips mode
-+func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPoint string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
- var (
- secretMounts []rspec.Mount
- mountFiles []string
-@@ -171,7 +180,7 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre
- }
- for _, file := range mountFiles {
- if _, err := os.Stat(file); err == nil {
-- mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, mountPrefix, uid, gid)
-+ mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, uid, gid)
- if err != nil {
- logrus.Warnf("error mounting secrets, skipping entry in %s: %v", file, err)
- }
-@@ -187,7 +196,7 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre
- // Add FIPS mode secret if /etc/system-fips exists on the host
- _, err := os.Stat("/etc/system-fips")
- if err == nil {
-- if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPrefix, mountLabel, uid, gid); err != nil {
-+ if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPoint, mountLabel, uid, gid); err != nil {
- logrus.Errorf("error adding FIPS mode secret to container: %v", err)
- }
- } else if os.IsNotExist(err) {
-@@ -206,7 +215,7 @@ func rchown(chowndir string, uid, gid int) error {
-
- // addSecretsFromMountsFile copies the contents of host directory to container directory
- // and returns a list of mounts
--func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPrefix string, uid, gid int) ([]rspec.Mount, error) {
-+func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir string, uid, gid int) ([]rspec.Mount, error) {
- var mounts []rspec.Mount
- defaultMountsPaths := getMounts(filePath)
- for _, path := range defaultMountsPaths {
-@@ -285,7 +294,7 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr
- }
-
- m := rspec.Mount{
-- Source: filepath.Join(mountPrefix, ctrDirOrFile),
-+ Source: ctrDirOrFileOnHost,
- Destination: ctrDirOrFile,
- Type: "bind",
- Options: []string{"bind", "rprivate"},
-@@ -300,15 +309,15 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr
- // root filesystem if /etc/system-fips exists on hosts.
- // This enables the container to be FIPS compliant and run openssl in
- // FIPS mode as the host is also in FIPS mode.
--func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix, mountLabel string, uid, gid int) error {
-+func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPoint, mountLabel string, uid, gid int) error {
- secretsDir := "/run/secrets"
- ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir)
- if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) {
- if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil {
-- return errors.Wrapf(err, "making container directory on host failed")
-+ return errors.Wrapf(err, "making container directory %q on host failed", ctrDirOnHost)
- }
- if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil {
-- return errors.Wrap(err, "error applying correct labels")
-+ return errors.Wrapf(err, "error applying correct labels on %q", ctrDirOnHost)
- }
- }
- fipsFile := filepath.Join(ctrDirOnHost, "system-fips")
-@@ -323,7 +332,7 @@ func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix,
-
- if !mountExists(*mounts, secretsDir) {
- m := rspec.Mount{
-- Source: filepath.Join(mountPrefix, secretsDir),
-+ Source: ctrDirOnHost,
- Destination: secretsDir,
- Type: "bind",
- Options: []string{"bind", "rprivate"},
-@@ -331,6 +340,25 @@ func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix,
- *mounts = append(*mounts, m)
- }
-
-+ srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
-+ destDir := "/etc/crypto-policies/back-ends"
-+ srcOnHost := filepath.Join(mountPoint, srcBackendDir)
-+ if _, err := os.Stat(srcOnHost); err != nil {
-+ if os.IsNotExist(err) {
-+ return nil
-+ }
-+ return errors.Wrapf(err, "failed to stat FIPS Backend directory %q", ctrDirOnHost)
-+ }
-+
-+ if !mountExists(*mounts, destDir) {
-+ m := rspec.Mount{
-+ Source: srcOnHost,
-+ Destination: destDir,
-+ Type: "bind",
-+ Options: []string{"bind", "rprivate"},
-+ }
-+ *mounts = append(*mounts, m)
-+ }
- return nil
- }
-
-diff --git a/run_linux.go b/run_linux.go
-index 4c2d73edd..c8e75eada 100644
---- a/run_linux.go
-+++ b/run_linux.go
-@@ -460,7 +460,7 @@ func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, bundlePath st
- }
-
- // Get the list of secrets mounts.
-- secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, cdir, int(rootUID), int(rootGID), unshare.IsRootless(), false)
-+ secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, mountPoint, int(rootUID), int(rootGID), unshare.IsRootless(), false)
-
- // Add temporary copies of the contents of volume locations at the
- // volume locations, unless we already have something there.
diff --git a/SOURCES/CVE-2020-1702-1801926.patch b/SOURCES/CVE-2020-1702-1801926.patch
deleted file mode 100644
index 00ea466..0000000
--- a/SOURCES/CVE-2020-1702-1801926.patch
+++ /dev/null
@@ -1,390 +0,0 @@
-From be1eb6f70fb40e45096b69aeb048d54c526a4a8f Mon Sep 17 00:00:00 2001
-From: Valentin Rothberg <rothberg@redhat.com>
-Date: Thu, 6 Feb 2020 09:49:15 +0100
-Subject: [PATCH] [1.11-rhel] update github.com/containers/image
-
-Note that this includes fixes for
-https://access.redhat.com/security/cve/CVE-2020-1702.
-
-Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
----
- go.mod | 2 +-
- go.sum | 2 +
- .../image/v5/docker/docker_client.go | 6 +-
- .../image/v5/docker/docker_image_dest.go | 3 +-
- .../image/v5/docker/docker_image_src.go | 10 ++--
- .../image/v5/docker/tarfile/dest.go | 3 +-
- .../containers/image/v5/docker/tarfile/src.go | 9 +--
- .../image/v5/image/docker_schema2.go | 4 +-
- .../containers/image/v5/image/oci.go | 4 +-
- .../image/v5/internal/iolimits/iolimits.go | 60 +++++++++++++++++++
- .../image/v5/openshift/openshift.go | 4 +-
- vendor/modules.txt | 3 +-
- 12 files changed, 89 insertions(+), 21 deletions(-)
- create mode 100644 vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go
-
-diff --git a/go.mod b/go.mod
-index 684b00ff5..b94792238 100644
---- a/go.mod
-+++ b/go.mod
-@@ -5,7 +5,7 @@ go 1.12
- require (
- github.com/blang/semver v3.5.0+incompatible // indirect
- github.com/containernetworking/cni v0.7.1
-- github.com/containers/image/v5 v5.0.0
-+ github.com/containers/image/v5 v5.0.1-0.20200205124631-82291c45f2b0
- github.com/containers/storage v1.14.0
- github.com/cyphar/filepath-securejoin v0.2.2
- github.com/docker/distribution v2.7.1+incompatible
-diff --git a/go.sum b/go.sum
-index 1cce3ff7e..ef8729952 100644
---- a/go.sum
-+++ b/go.sum
-@@ -54,6 +54,8 @@ github.com/containers/image/v4 v4.0.1 h1:idNGHChj0Pyv3vLrxul2oSVMZLeFqpoq3CjLeVg
- github.com/containers/image/v4 v4.0.1/go.mod h1:0ASJH1YgJiX/eqFZObqepgsvIA4XjCgpyfwn9pDGafA=
- github.com/containers/image/v5 v5.0.0 h1:arnXgbt1ucsC/ndtSpiQY87rA0UjhF+/xQnPzqdBDn4=
- github.com/containers/image/v5 v5.0.0/go.mod h1:MgiLzCfIeo8lrHi+4Lb8HP+rh513sm0Mlk6RrhjFOLY=
-+github.com/containers/image/v5 v5.0.1-0.20200205124631-82291c45f2b0 h1:iV4aHKRoPcHp5BISsuiPMyaCjGJfLKp/FUMAG1NeqvE=
-+github.com/containers/image/v5 v5.0.1-0.20200205124631-82291c45f2b0/go.mod h1:MgiLzCfIeo8lrHi+4Lb8HP+rh513sm0Mlk6RrhjFOLY=
- github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b h1:Q8ePgVfHDplZ7U33NwHZkrVELsZP5fYj9pM5WBZB2GE=
- github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
- github.com/containers/storage v1.13.4 h1:j0bBaJDKbUHtAW1MXPFnwXJtqcH+foWeuXK1YaBV5GA=
-diff --git a/vendor/github.com/containers/image/v5/docker/docker_client.go b/vendor/github.com/containers/image/v5/docker/docker_client.go
-index 0b012c703..bff077a40 100644
---- a/vendor/github.com/containers/image/v5/docker/docker_client.go
-+++ b/vendor/github.com/containers/image/v5/docker/docker_client.go
-@@ -6,7 +6,6 @@ import (
- "encoding/json"
- "fmt"
- "io"
-- "io/ioutil"
- "net/http"
- "net/url"
- "os"
-@@ -17,6 +16,7 @@ import (
- "time"
-
- "github.com/containers/image/v5/docker/reference"
-+ "github.com/containers/image/v5/internal/iolimits"
- "github.com/containers/image/v5/pkg/docker/config"
- "github.com/containers/image/v5/pkg/sysregistriesv2"
- "github.com/containers/image/v5/pkg/tlsclientconfig"
-@@ -597,7 +597,7 @@ func (c *dockerClient) getBearerToken(ctx context.Context, challenge challenge,
- default:
- return nil, errors.Errorf("unexpected http code: %d (%s), URL: %s", res.StatusCode, http.StatusText(res.StatusCode), authReq.URL)
- }
-- tokenBlob, err := ioutil.ReadAll(res.Body)
-+ tokenBlob, err := iolimits.ReadAtMost(res.Body, iolimits.MaxAuthTokenBodySize)
- if err != nil {
- return nil, err
- }
-@@ -690,7 +690,7 @@ func (c *dockerClient) getExtensionsSignatures(ctx context.Context, ref dockerRe
- return nil, errors.Wrapf(clientLib.HandleErrorResponse(res), "Error downloading signatures for %s in %s", manifestDigest, ref.ref.Name())
- }
-
-- body, err := ioutil.ReadAll(res.Body)
-+ body, err := iolimits.ReadAtMost(res.Body, iolimits.MaxSignatureListBodySize)
- if err != nil {
- return nil, err
- }
-diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
-index 417d97aec..ce8a1f357 100644
---- a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
-+++ b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
-@@ -15,6 +15,7 @@ import (
- "strings"
-
- "github.com/containers/image/v5/docker/reference"
-+ "github.com/containers/image/v5/internal/iolimits"
- "github.com/containers/image/v5/manifest"
- "github.com/containers/image/v5/pkg/blobinfocache/none"
- "github.com/containers/image/v5/types"
-@@ -620,7 +621,7 @@ sigExists:
- }
- defer res.Body.Close()
- if res.StatusCode != http.StatusCreated {
-- body, err := ioutil.ReadAll(res.Body)
-+ body, err := iolimits.ReadAtMost(res.Body, iolimits.MaxErrorBodySize)
- if err == nil {
- logrus.Debugf("Error body %s", string(body))
- }
-diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_src.go b/vendor/github.com/containers/image/v5/docker/docker_image_src.go
-index 35beb30e5..5436d9b7d 100644
---- a/vendor/github.com/containers/image/v5/docker/docker_image_src.go
-+++ b/vendor/github.com/containers/image/v5/docker/docker_image_src.go
-@@ -12,6 +12,7 @@ import (
- "strconv"
-
- "github.com/containers/image/v5/docker/reference"
-+ "github.com/containers/image/v5/internal/iolimits"
- "github.com/containers/image/v5/manifest"
- "github.com/containers/image/v5/pkg/sysregistriesv2"
- "github.com/containers/image/v5/types"
-@@ -156,7 +157,8 @@ func (s *dockerImageSource) fetchManifest(ctx context.Context, tagOrDigest strin
- if res.StatusCode != http.StatusOK {
- return nil, "", errors.Wrapf(client.HandleErrorResponse(res), "Error reading manifest %s in %s", tagOrDigest, s.ref.ref.Name())
- }
-- manblob, err := ioutil.ReadAll(res.Body)
-+
-+ manblob, err := iolimits.ReadAtMost(res.Body, iolimits.MaxManifestBodySize)
- if err != nil {
- return nil, "", err
- }
-@@ -342,7 +344,7 @@ func (s *dockerImageSource) getOneSignature(ctx context.Context, url *url.URL) (
- } else if res.StatusCode != http.StatusOK {
- return nil, false, errors.Errorf("Error reading signature from %s: status %d (%s)", url.String(), res.StatusCode, http.StatusText(res.StatusCode))
- }
-- sig, err := ioutil.ReadAll(res.Body)
-+ sig, err := iolimits.ReadAtMost(res.Body, iolimits.MaxSignatureBodySize)
- if err != nil {
- return nil, false, err
- }
-@@ -401,7 +403,7 @@ func deleteImage(ctx context.Context, sys *types.SystemContext, ref dockerRefere
- return err
- }
- defer get.Body.Close()
-- manifestBody, err := ioutil.ReadAll(get.Body)
-+ manifestBody, err := iolimits.ReadAtMost(get.Body, iolimits.MaxManifestBodySize)
- if err != nil {
- return err
- }
-@@ -424,7 +426,7 @@ func deleteImage(ctx context.Context, sys *types.SystemContext, ref dockerRefere
- }
- defer delete.Body.Close()
-
-- body, err := ioutil.ReadAll(delete.Body)
-+ body, err := iolimits.ReadAtMost(delete.Body, iolimits.MaxErrorBodySize)
- if err != nil {
- return err
- }
-diff --git a/vendor/github.com/containers/image/v5/docker/tarfile/dest.go b/vendor/github.com/containers/image/v5/docker/tarfile/dest.go
-index b02c60bb3..9748ca112 100644
---- a/vendor/github.com/containers/image/v5/docker/tarfile/dest.go
-+++ b/vendor/github.com/containers/image/v5/docker/tarfile/dest.go
-@@ -13,6 +13,7 @@ import (
- "time"
-
- "github.com/containers/image/v5/docker/reference"
-+ "github.com/containers/image/v5/internal/iolimits"
- "github.com/containers/image/v5/internal/tmpdir"
- "github.com/containers/image/v5/manifest"
- "github.com/containers/image/v5/types"
-@@ -135,7 +136,7 @@ func (d *Destination) PutBlob(ctx context.Context, stream io.Reader, inputInfo t
- }
-
- if isConfig {
-- buf, err := ioutil.ReadAll(stream)
-+ buf, err := iolimits.ReadAtMost(stream, iolimits.MaxConfigBodySize)
- if err != nil {
- return types.BlobInfo{}, errors.Wrap(err, "Error reading Config file stream")
- }
-diff --git a/vendor/github.com/containers/image/v5/docker/tarfile/src.go b/vendor/github.com/containers/image/v5/docker/tarfile/src.go
-index ad0a3d2cb..bbf604da6 100644
---- a/vendor/github.com/containers/image/v5/docker/tarfile/src.go
-+++ b/vendor/github.com/containers/image/v5/docker/tarfile/src.go
-@@ -11,6 +11,7 @@ import (
- "path"
- "sync"
-
-+ "github.com/containers/image/v5/internal/iolimits"
- "github.com/containers/image/v5/internal/tmpdir"
- "github.com/containers/image/v5/manifest"
- "github.com/containers/image/v5/pkg/compression"
-@@ -187,13 +188,13 @@ func findTarComponent(inputFile io.Reader, path string) (*tar.Reader, *tar.Heade
- }
-
- // readTarComponent returns full contents of componentPath.
--func (s *Source) readTarComponent(path string) ([]byte, error) {
-+func (s *Source) readTarComponent(path string, limit int) ([]byte, error) {
- file, err := s.openTarComponent(path)
- if err != nil {
- return nil, errors.Wrapf(err, "Error loading tar component %s", path)
- }
- defer file.Close()
-- bytes, err := ioutil.ReadAll(file)
-+ bytes, err := iolimits.ReadAtMost(file, limit)
- if err != nil {
- return nil, err
- }
-@@ -224,7 +225,7 @@ func (s *Source) ensureCachedDataIsPresentPrivate() error {
- }
-
- // Read and parse config.
-- configBytes, err := s.readTarComponent(tarManifest[0].Config)
-+ configBytes, err := s.readTarComponent(tarManifest[0].Config, iolimits.MaxConfigBodySize)
- if err != nil {
- return err
- }
-@@ -250,7 +251,7 @@ func (s *Source) ensureCachedDataIsPresentPrivate() error {
- // loadTarManifest loads and decodes the manifest.json.
- func (s *Source) loadTarManifest() ([]ManifestItem, error) {
- // FIXME? Do we need to deal with the legacy format?
-- bytes, err := s.readTarComponent(manifestFileName)
-+ bytes, err := s.readTarComponent(manifestFileName, iolimits.MaxTarFileManifestSize)
- if err != nil {
- return nil, err
- }
-diff --git a/vendor/github.com/containers/image/v5/image/docker_schema2.go b/vendor/github.com/containers/image/v5/image/docker_schema2.go
-index 254c13f78..29c5047d7 100644
---- a/vendor/github.com/containers/image/v5/image/docker_schema2.go
-+++ b/vendor/github.com/containers/image/v5/image/docker_schema2.go
-@@ -7,10 +7,10 @@ import (
- "encoding/hex"
- "encoding/json"
- "fmt"
-- "io/ioutil"
- "strings"
-
- "github.com/containers/image/v5/docker/reference"
-+ "github.com/containers/image/v5/internal/iolimits"
- "github.com/containers/image/v5/manifest"
- "github.com/containers/image/v5/pkg/blobinfocache/none"
- "github.com/containers/image/v5/types"
-@@ -102,7 +102,7 @@ func (m *manifestSchema2) ConfigBlob(ctx context.Context) ([]byte, error) {
- return nil, err
- }
- defer stream.Close()
-- blob, err := ioutil.ReadAll(stream)
-+ blob, err := iolimits.ReadAtMost(stream, iolimits.MaxConfigBodySize)
- if err != nil {
- return nil, err
- }
-diff --git a/vendor/github.com/containers/image/v5/image/oci.go b/vendor/github.com/containers/image/v5/image/oci.go
-index 18a38d463..406da262f 100644
---- a/vendor/github.com/containers/image/v5/image/oci.go
-+++ b/vendor/github.com/containers/image/v5/image/oci.go
-@@ -4,9 +4,9 @@ import (
- "context"
- "encoding/json"
- "fmt"
-- "io/ioutil"
-
- "github.com/containers/image/v5/docker/reference"
-+ "github.com/containers/image/v5/internal/iolimits"
- "github.com/containers/image/v5/manifest"
- "github.com/containers/image/v5/pkg/blobinfocache/none"
- "github.com/containers/image/v5/types"
-@@ -67,7 +67,7 @@ func (m *manifestOCI1) ConfigBlob(ctx context.Context) ([]byte, error) {
- return nil, err
- }
- defer stream.Close()
-- blob, err := ioutil.ReadAll(stream)
-+ blob, err := iolimits.ReadAtMost(stream, iolimits.MaxConfigBodySize)
- if err != nil {
- return nil, err
- }
-diff --git a/vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go b/vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go
-new file mode 100644
-index 000000000..3fed1995c
---- /dev/null
-+++ b/vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go
-@@ -0,0 +1,60 @@
-+package iolimits
-+
-+import (
-+ "io"
-+ "io/ioutil"
-+
-+ "github.com/pkg/errors"
-+)
-+
-+// All constants below are intended to be used as limits for `ReadAtMost`. The
-+// immediate use-case for limiting the size of in-memory copied data is to
-+// protect against OOM DOS attacks as described inCVE-2020-1702. Instead of
-+// copying data until running out of memory, we error out after hitting the
-+// specified limit.
-+const (
-+ // megaByte denotes one megabyte and is intended to be used as a limit in
-+ // `ReadAtMost`.
-+ megaByte = 1 << 20
-+ // MaxManifestBodySize is the maximum allowed size of a manifest. The limit
-+ // of 4 MB aligns with the one of a Docker registry:
-+ // https://github.com/docker/distribution/blob/a8371794149d1d95f1e846744b05c87f2f825e5a/registry/handlers/manifests.go#L30
-+ MaxManifestBodySize = 4 * megaByte
-+ // MaxAuthTokenBodySize is the maximum allowed size of an auth token.
-+ // The limit of 1 MB is considered to be greatly sufficient.
-+ MaxAuthTokenBodySize = megaByte
-+ // MaxSignatureListBodySize is the maximum allowed size of a signature list.
-+ // The limit of 4 MB is considered to be greatly sufficient.
-+ MaxSignatureListBodySize = 4 * megaByte
-+ // MaxSignatureBodySize is the maximum allowed size of a signature.
-+ // The limit of 4 MB is considered to be greatly sufficient.
-+ MaxSignatureBodySize = 4 * megaByte
-+ // MaxErrorBodySize is the maximum allowed size of an error-response body.
-+ // The limit of 1 MB is considered to be greatly sufficient.
-+ MaxErrorBodySize = megaByte
-+ // MaxConfigBodySize is the maximum allowed size of a config blob.
-+ // The limit of 4 MB is considered to be greatly sufficient.
-+ MaxConfigBodySize = 4 * megaByte
-+ // MaxOpenShiftStatusBody is the maximum allowed size of an OpenShift status body.
-+ // The limit of 4 MB is considered to be greatly sufficient.
-+ MaxOpenShiftStatusBody = 4 * megaByte
-+ // MaxTarFileManifestSize is the maximum allowed size of a (docker save)-like manifest (which may contain multiple images)
-+ // The limit of 1 MB is considered to be greatly sufficient.
-+ MaxTarFileManifestSize = megaByte
-+)
-+
-+// ReadAtMost reads from reader and errors out if the specified limit (in bytes) is exceeded.
-+func ReadAtMost(reader io.Reader, limit int) ([]byte, error) {
-+ limitedReader := io.LimitReader(reader, int64(limit+1))
-+
-+ res, err := ioutil.ReadAll(limitedReader)
-+ if err != nil {
-+ return nil, err
-+ }
-+
-+ if len(res) > limit {
-+ return nil, errors.Errorf("exceeded maximum allowed size of %d bytes", limit)
-+ }
-+
-+ return res, nil
-+}
-diff --git a/vendor/github.com/containers/image/v5/openshift/openshift.go b/vendor/github.com/containers/image/v5/openshift/openshift.go
-index 016de4803..c37e1b751 100644
---- a/vendor/github.com/containers/image/v5/openshift/openshift.go
-+++ b/vendor/github.com/containers/image/v5/openshift/openshift.go
-@@ -7,13 +7,13 @@ import (
- "encoding/json"
- "fmt"
- "io"
-- "io/ioutil"
- "net/http"
- "net/url"
- "strings"
-
- "github.com/containers/image/v5/docker"
- "github.com/containers/image/v5/docker/reference"
-+ "github.com/containers/image/v5/internal/iolimits"
- "github.com/containers/image/v5/manifest"
- "github.com/containers/image/v5/types"
- "github.com/containers/image/v5/version"
-@@ -102,7 +102,7 @@ func (c *openshiftClient) doRequest(ctx context.Context, method, path string, re
- return nil, err
- }
- defer res.Body.Close()
-- body, err := ioutil.ReadAll(res.Body)
-+ body, err := iolimits.ReadAtMost(res.Body, iolimits.MaxOpenShiftStatusBody)
- if err != nil {
- return nil, err
- }
-diff --git a/vendor/modules.txt b/vendor/modules.txt
-index 840dae067..3f72f3f34 100644
---- a/vendor/modules.txt
-+++ b/vendor/modules.txt
-@@ -48,7 +48,7 @@ github.com/containernetworking/cni/pkg/types
- github.com/containernetworking/cni/pkg/types/020
- github.com/containernetworking/cni/pkg/types/current
- github.com/containernetworking/cni/pkg/version
--# github.com/containers/image/v5 v5.0.0
-+# github.com/containers/image/v5 v5.0.1-0.20200205124631-82291c45f2b0
- github.com/containers/image/v5/copy
- github.com/containers/image/v5/directory
- github.com/containers/image/v5/directory/explicitfilepath
-@@ -59,6 +59,7 @@ github.com/containers/image/v5/docker/policyconfiguration
- github.com/containers/image/v5/docker/reference
- github.com/containers/image/v5/docker/tarfile
- github.com/containers/image/v5/image
-+github.com/containers/image/v5/internal/iolimits
- github.com/containers/image/v5/internal/pkg/keyctl
- github.com/containers/image/v5/internal/tmpdir
- github.com/containers/image/v5/manifest
diff --git a/SOURCES/buildah-1756986.patch b/SOURCES/buildah-1756986.patch
deleted file mode 100644
index e70ea76..0000000
--- a/SOURCES/buildah-1756986.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From 6d7ab38f33edb9ab87a290a0c68cfd27b55b061f Mon Sep 17 00:00:00 2001
-From: Nalin Dahyabhai <nalin@redhat.com>
-Date: Wed, 8 Jan 2020 11:02:05 -0500
-Subject: [PATCH 1/2] Check for .dockerignore specifically
-
-When generating the list of exclusions to process .dockerignore
-contents, don't include .dockerignore if we don't have a .dockerignore
-file in the context directory. That way, if the file doesn't exist, and
-the caller didn't pass in any patterns, we get no patterns instead of
-just one ".dockerignore" pattern, and we can hit the faster copy path.
-
-Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
-
-Closes: #2072
-Approved by: giuseppe
----
- add.go | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/add.go b/add.go
-index b5119e369..e82a5ef9a 100644
---- a/add.go
-+++ b/add.go
-@@ -215,7 +215,12 @@ func dockerIgnoreMatcher(lines []string, contextDir string) (*fileutils.PatternM
- if contextDir == "" {
- return nil, nil
- }
-- patterns := []string{".dockerignore"}
-+ // If there's no .dockerignore file, then we don't have to add a
-+ // pattern to tell copy logic to ignore it later.
-+ var patterns []string
-+ if _, err := os.Stat(filepath.Join(contextDir, ".dockerignore")); err == nil || !os.IsNotExist(err) {
-+ patterns = []string{".dockerignore"}
-+ }
- for _, ignoreSpec := range lines {
- ignoreSpec = strings.TrimSpace(ignoreSpec)
- // ignore comments passed back from .dockerignore
-@@ -224,7 +229,8 @@ func dockerIgnoreMatcher(lines []string, contextDir string) (*fileutils.PatternM
- }
- // if the spec starts with '!' it means the pattern
- // should be included. make a note so that we can move
-- // it to the front of the updated pattern
-+ // it to the front of the updated pattern, and insert
-+ // the context dir's path in between
- includeFlag := ""
- if strings.HasPrefix(ignoreSpec, "!") {
- includeFlag = "!"
-
-From f999964084ce75c833b0cffd17fb09b947dad506 Mon Sep 17 00:00:00 2001
-From: Nalin Dahyabhai <nalin@redhat.com>
-Date: Wed, 8 Jan 2020 11:04:57 -0500
-Subject: [PATCH 2/2] copyFileWithTar: close source files at the right time
-
-Close source files after we've finished reading from them, rather than
-leaving it for later.
-
-Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
-
-Closes: #2072
-Approved by: giuseppe
----
- util.go | 9 +++------
- 1 file changed, 3 insertions(+), 6 deletions(-)
-
-diff --git a/util.go b/util.go
-index b4670e41c..2f923357c 100644
---- a/util.go
-+++ b/util.go
-@@ -165,11 +165,6 @@ func (b *Builder) copyFileWithTar(tarIDMappingOptions *IDMappingOptions, chownOp
- if err != nil {
- return errors.Wrapf(err, "error opening %q to copy its contents", src)
- }
-- defer func() {
-- if err := f.Close(); err != nil {
-- logrus.Debugf("error closing %s: %v", fi.Name(), err)
-- }
-- }()
- }
- }
-
-@@ -200,6 +195,9 @@ func (b *Builder) copyFileWithTar(tarIDMappingOptions *IDMappingOptions, chownOp
- logrus.Debugf("error copying contents of %s: %v", fi.Name(), err)
- copyErr = err
- }
-+ if err = srcFile.Close(); err != nil {
-+ logrus.Debugf("error closing %s: %v", fi.Name(), err)
-+ }
- }
- if err = writer.Close(); err != nil {
- logrus.Debugf("error closing write pipe for %s: %v", hdr.Name, err)
-@@ -213,7 +211,6 @@ func (b *Builder) copyFileWithTar(tarIDMappingOptions *IDMappingOptions, chownOp
- if err == nil {
- err = copyErr
- }
-- f = nil
- if pipeWriter != nil {
- pipeWriter.Close()
- }
diff --git a/SOURCES/buildah-CVE-2020-10696.patch b/SOURCES/buildah-CVE-2020-10696.patch
deleted file mode 100644
index b0c58fd..0000000
--- a/SOURCES/buildah-CVE-2020-10696.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001
-From: TomSweeneyRedHat <tsweeney@redhat.com>
-Date: Tue, 24 Mar 2020 20:10:22 -0400
-Subject: [PATCH] Fix potential CVE in tarfile w/ symlink
-
-Stealing @nalind 's workaround to avoid refetching
-content after a file read failure. Under the right
-circumstances that could be a symlink to a file meant
-to overwrite a good file with bad data.
-
-Testing:
-```
-goodstuff
-
-[1] 14901
-
-127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
-127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
-no FROM statement found
-
-goodstuff
-```
-
-Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
----
- imagebuildah/util.go | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/imagebuildah/util.go b/imagebuildah/util.go
-index 29ea60970..5f14c9883 100644
---- a/imagebuildah/util.go
-+++ b/imagebuildah/util.go
-@@ -14,6 +14,7 @@ import (
-
- "github.com/containers/buildah"
- "github.com/containers/storage/pkg/chrootarchive"
-+ "github.com/containers/storage/pkg/ioutils"
- "github.com/opencontainers/runtime-spec/specs-go"
- "github.com/pkg/errors"
- "github.com/sirupsen/logrus"
-@@ -57,7 +58,7 @@ func downloadToDirectory(url, dir string) error {
- }
- dockerfile := filepath.Join(dir, "Dockerfile")
- // Assume this is a Dockerfile
-- if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil {
-+ if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil {
- return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile)
- }
- }
-@@ -75,7 +76,7 @@ func stdinToDirectory(dir string) error {
- if err := chrootarchive.Untar(reader, dir, nil); err != nil {
- dockerfile := filepath.Join(dir, "Dockerfile")
- // Assume this is a Dockerfile
-- if err := ioutil.WriteFile(dockerfile, b, 0600); err != nil {
-+ if err := ioutils.AtomicWriteFile(dockerfile, b, 0600); err != nil {
- return errors.Wrapf(err, "Failed to write bytes to %q", dockerfile)
- }
- }
diff --git a/SPECS/buildah.spec b/SPECS/buildah.spec
index 8ef6f36..c6ea3d8 100644
--- a/SPECS/buildah.spec
+++ b/SPECS/buildah.spec
@@ -20,28 +20,14 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
# https://github.com/containers/buildah
%global import_path %{provider}.%{provider_tld}/%{project}/%{repo}
%global git0 https://%{import_path}
-%global commit0 9513cb8c7bec0f7789c696aee4d252ebf85194cc
-%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
Name: %{repo}
-Version: 1.11.6
-Release: 8%{?dist}
+Version: 1.14.9
+Release: 1%{?dist}
Summary: A command line tool used for creating OCI Images
License: ASL 2.0
URL: https://%{name}.io
-Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
-Patch0: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/1996.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1784952
-Patch1: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/2031.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1702
-# https://github.com/containers/buildah/commit/be1eb6f70fb40e45096b69aeb048d54c526a4a8f.patch
-Patch2: CVE-2020-1702-1801926.patch
-# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1756986
-# backported: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/2181.patch
-Patch3: buildah-1756986.patch
-# tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10696
-# patch: https://github.com/containers/buildah/commit/c61925b8936e93a5e900f91b653a846f7ea3a9ed.patch
-Patch4: buildah-CVE-2020-10696.patch
+Source0: %{git0}/archive/v%{version}.tar.gz
BuildRequires: golang >= 1.12.12-4
BuildRequires: git
BuildRequires: glib2-devel
@@ -55,7 +41,7 @@ BuildRequires: libassuan-devel
BuildRequires: make
Requires: runc >= 1.0.0-26
Requires: containers-common
-Requires: container-selinux
+Recommends: container-selinux
Requires: slirp4netns >= 0.3-0
%description
@@ -80,7 +66,7 @@ Requires: golang
This package contains system tests for %{name}
%prep
-%autosetup -Sgit -n %{name}-%{commit0}
+%autosetup -Sgit
sed -i 's/GOMD2MAN =/GOMD2MAN ?=/' docs/Makefile
sed -i '/docs install/d' Makefile
@@ -127,611 +113,19 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} -C docs install
%{_datadir}/%{name}/test
%changelog
-* Tue Mar 31 2020 Jindrich Novy <jnovy@redhat.com> - 1.11.6-8
-- fix "CVE-2020-10696 buildah: crafted input tar file may lead to local file overwriting during image build process"
-- Resolves: #1817742
-
-* Mon Feb 24 2020 Jindrich Novy <jnovy@redhat.com> - 1.11.6-7
-- fix "COPY command takes long time with buildah"
-- Resolves: #1806120
-
-* Mon Feb 17 2020 Jindrich Novy <jnovy@redhat.com> - 1.11.6-6
-- fix CVE-2020-1702
-- Resolves: #1801926
-
-* Thu Feb 13 2020 Jindrich Novy <jnovy@redhat.com> - 1.11.6-5
-- adding the first phase of FIPS fix
-- Related: #1784952
-
-* Wed Dec 11 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.6-4
-- compile in FIPS mode
-- Related: RHELPLAN-25139
-
-* Mon Dec 09 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.6-3
-- be sure to use golang >= 1.12.12-4
-- Related: RHELPLAN-25139
-
-* Fri Dec 06 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.6-2
-- fix chroot: unmount with MNT_DETACH instead of UnmountMountpoints()
-- bug reference 1772179
-- Related: RHELPLAN-25139
-
-* Thu Dec 05 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.6-1
-- update to buildah 1.11.6
-- Related: RHELPLAN-25139
-
-* Thu Nov 21 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.5-1
-- update to buildah 1.11.5
-- Related: RHELPLAN-25139
-
-* Thu Nov 07 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.4-2
-- fix %%gobuild macro to not to ignore BUILDTAGS
-- Related: RHELPLAN-25139
-
-* Thu Nov 07 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.4-1
-- update to 1.11.4
-- Related: RHELPLAN-25139
-
-* Tue Sep 17 2019 Jindrich Novy <jnovy@redhat.com> - 1.9.0-5
-- Use autosetup macro again.
-
-* Thu Sep 12 2019 Jindrich Novy <jnovy@redhat.com> - 1.9.0-4
-- Fix CVE-2019-10214 (#1734653).
-
-* Sat Jun 15 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.9.0-3
-- Resolves: #1721247 - enable fips mode
-
-* Sat Jun 15 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.9.0-2
-- Resolves: #1720654 - tests subpackage depends on golang explicitly
-
-* Sat Jun 15 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.9.0-1
-- Resolves: #1720654 - rebase to v1.9.0
-
-* Fri Jun 14 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.8.3-1
-- Resolves: #1720654 - rebase to v1.8.3
-
-* Tue Apr 9 2019 Eduardo Santiago <santiago@redhat.com> - 1.8-0.git021d607
-- package system tests
-
-* Tue Dec 18 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 1.5-3.gite94b4f9
-- re-enable debuginfo
-
-* Mon Dec 17 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 1.5-2.gite94b4f9
-- go toolset not in scl anymore
-
-* Fri Nov 23 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 1.5-1.gite94b4f9
-- rebase
-
-* Mon Nov 19 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 1.4-3.git608fa84
-- fedora-like go compiler macro in buildrequires is enough
-
-* Wed Oct 10 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 1.4-2.git608fa84
-- rebase
-
-* Mon Aug 13 2018 Lokesh Mandvekar <lsm5@redhat.com> - 1.3-3.git4888163
-- Resolves: #1615611 - rebuild with gobuild tag 'no_openssl'
-
-* Wed Aug 08 2018 Lokesh Mandvekar <lsm5@redhat.com> - 1.3-2.git4888163
-- Resolves: #1614009 - built with updated scl-ized go-toolset dep
-- build with %%gobuild
-
-* Sun Aug 5 2018 Dan Walsh <dwalsh@redhat.com> - 1.3-1
-- Bump to v1.3
-- Vendor in lates containers/image
-- build-using-dockerfile: let -t include transports again
-- Block use of /proc/acpi and /proc/keys from inside containers
-- Fix handling of --registries-conf
-- Fix becoming a maintainer link
-- add optional CI test fo darwin
-- Don't pass a nil error to errors.Wrapf()
-- image filter test: use kubernetes/pause as a "since"
-- Add --cidfile option to from
-- vendor: update containers/storage
-- Contributors need to find the CONTRIBUTOR.md file easier
-- Add a --loglevel option to build-with-dockerfile
-- Create Development plan
-- cmd: Code improvement
-- allow buildah cross compile for a darwin target
-- Add unused function param lint check
-- docs: Follow man-pages(7) suggestions for SYNOPSIS
-- Start using github.com/seccomp/containers-golang
-- umount: add all option to umount all mounted containers
-- runConfigureNetwork(): remove an unused parameter
-- Update github.com/opencontainers/selinux
-- Fix buildah bud --layers
-- Force ownership of /etc/hosts and /etc/resolv.conf to 0:0
-- main: if unprivileged, reexec in a user namespace
-- Vendor in latest imagebuilder
-- Reduce the complexity of the buildah.Run function
-- mount: output it before replacing lastError
-- Vendor in latest selinux-go code
-- Implement basic recognition of the "--isolation" option
-- Run(): try to resolve non-absolute paths using $PATH
-- Run(): don't include any default environment variables
-- build without seccomp
-- vendor in latest runtime-tools
-- bind/mount_unsupported.go: remove import errors
-- Update github.com/opencontainers/runc
-- Add Capabilities lists to BuilderInfo
-- Tweaks for commit tests
-- commit: recognize committing to second storage locations
-- Fix ARGS parsing for run commands
-- Add info on registries.conf to from manpage
-- Switch from using docker to podman for testing in .papr
-- buildah: set the HTTP User-Agent
-- ONBUILD tutorial
-- Add information about the configuration files to the install docs
-- Makefile: add uninstall
-- Add tilde info for push to troubleshooting
-- mount: support multiple inputs
-- Use the right formatting when adding entries to /etc/hosts
-- Vendor in latest go-selinux bindings
-- Allow --userns-uid-map/--userns-gid-map to be global options
-- bind: factor out UnmountMountpoints
-- Run(): simplify runCopyStdio()
-- Run(): handle POLLNVAL results
-- Run(): tweak terminal mode handling
-- Run(): rename 'copyStdio' to 'copyPipes'
-- Run(): don't set a Pdeathsig for the runtime
-- Run(): add options for adding and removing capabilities
-- Run(): don't use a callback when a slice will do
-- setupSeccomp(): refactor
-- Change RunOptions.Stdin/Stdout/Stderr to just be Reader/Writers
-- Escape use of '_' in .md docs
-- Break out getProcIDMappings()
-- Break out SetupIntermediateMountNamespace()
-- Add Multi From Demo
-- Use the c/image conversion code instead of converting configs manually
-- Don't throw away the manifest MIME type and guess again
-- Consolidate loading manifest and config in initConfig
-- Pass a types.Image to Builder.initConfig
-- Require an image ID in importBuilderDataFromImage
-- Use c/image/manifest.GuessMIMEType instead of a custom heuristic
-- Do not ignore any parsing errors in initConfig
-- Explicitly handle "from scratch" images in Builder.initConfig
-- Fix parsing of OCI images
-- Simplify dead but dangerous-looking error handling
-- Don't ignore v2s1 history if docker_version is not set
-- Add --rm and --force-rm to buildah bud
-- Add --all,-a flag to buildah images
-- Separate stdio buffering from writing
-- Remove tty check from images --format
-- Add environment variable BUILDAH_RUNTIME
-- Add --layers and --no-cache to buildah bud
-- Touch up images man
-- version.md: fix DESCRIPTION
-- tests: add containers test
-- tests: add images test
-- images: fix usage
-- fix make clean error
-- Change 'registries' to 'container registries' in man
-- add commit test
-- Add(): learn to record hashes of what we add
-- Minor update to buildah config documentation for entrypoint
-- Bump to v1.2-dev
-- Add registries.conf link to a few man pages
-
-* Tue Jul 24 2018 Lokesh Mandvekar <lsm5@redhat.com> - 1.2-3
-- do not depend on btrfs-progs for rhel8
-
-* Thu Jul 19 2018 Dan Walsh <dwalsh@redhat.com> - 1.2-2
-- buildah does not require ostree
-
-* Sun Jul 15 2018 Dan Walsh <dwalsh@redhat.com> 1.2-1
-- Vendor in latest containers/image
-- build-using-dockerfile: let -t include transports again
-- Block use of /proc/acpi and /proc/keys from inside containers
-- Fix handling of --registries-conf
-- Fix becoming a maintainer link
-- add optional CI test fo darwin
-- Don't pass a nil error to errors.Wrapf()
-- image filter test: use kubernetes/pause as a "since"
-- Add --cidfile option to from
-- vendor: update containers/storage
-- Contributors need to find the CONTRIBUTOR.md file easier
-- Add a --loglevel option to build-with-dockerfile
-- Create Development plan
-- cmd: Code improvement
-- allow buildah cross compile for a darwin target
-- Add unused function param lint check
-- docs: Follow man-pages(7) suggestions for SYNOPSIS
-- Start using github.com/seccomp/containers-golang
-- umount: add all option to umount all mounted containers
-- runConfigureNetwork(): remove an unused parameter
-- Update github.com/opencontainers/selinux
-- Fix buildah bud --layers
-- Force ownership of /etc/hosts and /etc/resolv.conf to 0:0
-- main: if unprivileged, reexec in a user namespace
-- Vendor in latest imagebuilder
-- Reduce the complexity of the buildah.Run function
-- mount: output it before replacing lastError
-- Vendor in latest selinux-go code
-- Implement basic recognition of the "--isolation" option
-- Run(): try to resolve non-absolute paths using $PATH
-- Run(): don't include any default environment variables
-- build without seccomp
-- vendor in latest runtime-tools
-- bind/mount_unsupported.go: remove import errors
-- Update github.com/opencontainers/runc
-- Add Capabilities lists to BuilderInfo
-- Tweaks for commit tests
-- commit: recognize committing to second storage locations
-- Fix ARGS parsing for run commands
-- Add info on registries.conf to from manpage
-- Switch from using docker to podman for testing in .papr
-- buildah: set the HTTP User-Agent
-- ONBUILD tutorial
-- Add information about the configuration files to the install docs
-- Makefile: add uninstall
-- Add tilde info for push to troubleshooting
-- mount: support multiple inputs
-- Use the right formatting when adding entries to /etc/hosts
-- Vendor in latest go-selinux bindings
-- Allow --userns-uid-map/--userns-gid-map to be global options
-- bind: factor out UnmountMountpoints
-- Run(): simplify runCopyStdio()
-- Run(): handle POLLNVAL results
-- Run(): tweak terminal mode handling
-- Run(): rename 'copyStdio' to 'copyPipes'
-- Run(): don't set a Pdeathsig for the runtime
-- Run(): add options for adding and removing capabilities
-- Run(): don't use a callback when a slice will do
-- setupSeccomp(): refactor
-- Change RunOptions.Stdin/Stdout/Stderr to just be Reader/Writers
-- Escape use of '_' in .md docs
-- Break out getProcIDMappings()
-- Break out SetupIntermediateMountNamespace()
-- Add Multi From Demo
-- Use the c/image conversion code instead of converting configs manually
-- Don't throw away the manifest MIME type and guess again
-- Consolidate loading manifest and config in initConfig
-- Pass a types.Image to Builder.initConfig
-- Require an image ID in importBuilderDataFromImage
-- Use c/image/manifest.GuessMIMEType instead of a custom heuristic
-- Do not ignore any parsing errors in initConfig
-- Explicitly handle "from scratch" images in Builder.initConfig
-- Fix parsing of OCI images
-- Simplify dead but dangerous-looking error handling
-- Don't ignore v2s1 history if docker_version is not set
-- Add --rm and --force-rm to buildah bud
-- Add --all,-a flag to buildah images
-- Separate stdio buffering from writing
-- Remove tty check from images --format
-- Add environment variable BUILDAH_RUNTIME
-- Add --layers and --no-cache to buildah bud
-- Touch up images man
-- version.md: fix DESCRIPTION
-- tests: add containers test
-- tests: add images test
-- images: fix usage
-- fix make clean error
-- Change 'registries' to 'container registries' in man
-- add commit test
-- Add(): learn to record hashes of what we add
-- Minor update to buildah config documentation for entrypoint
-- Add registries.conf link to a few man pages
-
-* Sun Jun 10 2018 Dan Walsh <dwalsh@redhat.com> 1.1-1
-- Drop capabilities if running container processes as non root
-- Print Warning message if cmd will not be used based on entrypoint
-- Update 01-intro.md
-- Shouldn't add insecure registries to list of search registries
-- Report errors on bad transports specification when pushing images
-- Move parsing code out of common for namespaces and into pkg/parse.go
-- Add disable-content-trust noop flag to bud
-- Change freenode chan to buildah
-- runCopyStdio(): don't close stdin unless we saw POLLHUP
-- Add registry errors for pull
-- runCollectOutput(): just read until the pipes are closed on us
-- Run(): provide redirection for stdio
-- rmi, rm: add test
-- add mount test
-- Add parameter judgment for commands that do not require parameters
-- Add context dir to bud command in baseline test
-- run.bats: check that we can run with symlinks in the bundle path
-- Give better messages to users when image can not be found
-- use absolute path for bundlePath
-- Add environment variable to buildah --format
-- rm: add validation to args and all option
-- Accept json array input for config entrypoint
-- Run(): process RunOptions.Mounts, and its flags
-- Run(): only collect error output from stdio pipes if we created some
-- Add OnBuild support for Dockerfiles
-- Quick fix on demo readme
-- run: fix validate flags
-- buildah bud should require a context directory or URL
-- Touchup tutorial for run changes
-- Validate common bud and from flags
-- images: Error if the specified imagename does not exist
-- inspect: Increase err judgments to avoid panic
-- add test to inspect
-- buildah bud picks up ENV from base image
-- Extend the amount of time travis_wait should wait
-- Add a make target for Installing CNI plugins
-- Add tests for namespace control flags
-- copy.bats: check ownerships in the container
-- Fix SELinux test errors when SELinux is enabled
-- Add example CNI configurations
-- Run: set supplemental group IDs
-- Run: use a temporary mount namespace
-- Use CNI to configure container networks
-- add/secrets/commit: Use mappings when setting permissions on added content
-- Add CLI options for specifying namespace and cgroup setup
-- Always set mappings when using user namespaces
-- Run(): break out creation of stdio pipe descriptors
-- Read UID/GID mapping information from containers and images
-- Additional bud CI tests
-- Run integration tests under travis_wait in Travis
-- build-using-dockerfile: add --annotation
-- Implement --squash for build-using-dockerfile and commit
-- Vendor in latest container/storage for devicemapper support
-- add test to inspect
-- Vendor github.com/onsi/ginkgo and github.com/onsi/gomega
-- Test with Go 1.10, too
-- Add console syntax highlighting to troubleshooting page
-- bud.bats: print "$output" before checking its contents
-- Manage "Run" containers more closely
-- Break Builder.Run()'s "run runc" bits out
-- util.ResolveName(): handle completion for tagged/digested image names
-- Handle /etc/hosts and /etc/resolv.conf properly in container
-- Documentation fixes
-- Make it easier to parse our temporary directory as an image name
-- Makefile: list new pkg/ subdirectoris as dependencies for buildah
-- containerImageSource: return more-correct errors
-- API cleanup: PullPolicy and TerminalPolicy should be types
-- Make "run --terminal" and "run -t" aliases for "run --tty"
-- Vendor github.com/containernetworking/cni v0.6.0
-- Update github.com/containers/storage
-- Update github.com/projectatomic/libpod
-- Add support for buildah bud --label
-- buildah push/from can push and pull images with no reference
-- Vendor in latest containers/image
-- Update gometalinter to fix install.tools error
-- Update troubleshooting with new run workaround
-- Added a bud demo and tidied up
-- Attempt to download file from url, if fails assume Dockerfile
-- Add buildah bud CI tests for ENV variables
-- Re-enable rpm .spec version check and new commit test
-- Update buildah scratch demo to support el7
-- Added Docker compatibility demo
-- Update to F28 and new run format in baseline test
-- Touchup man page short options across man pages
-- Added demo dir and a demo. chged distrorlease
-- builder-inspect: fix format option
-- Add cpu-shares short flag (-c) and cpu-shares CI tests
-- Minor fixes to formatting in rpm spec changelog
-- Fix rpm .spec changelog formatting
-- CI tests and minor fix for cache related noop flags
-- buildah-from: add effective value to mount propagation
-
-* Mon May 7 2018 Dan Walsh <dwalsh@redhat.com> 1.0-1
-- Remove buildah run cmd and entrypoint execution
-- Add Files section with registries.conf to pertinent man pages
-- Force "localhost" as a default registry
-- Add --compress, --rm, --squash flags as a noop for bud
-- Add FIPS mode secret to buildah run and bud
-- Add config --comment/--domainname/--history-comment/--hostname
-- Add support for --iidfile to bud and commit
-- Add /bin/sh -c to entrypoint in config
-- buildah images and podman images are listing different sizes
-- Remove tarball as an option from buildah push --help
-- Update entrypoint behaviour to match docker
-- Display imageId after commit
-- config: add support for StopSignal
-- Allow referencing stages as index and names
-- Add multi-stage builds support
-- Vendor in latest imagebuilder, to get mixed case AS support
-- Allow umount to have multi-containers
-- Update buildah push doc
-- buildah bud walks symlinks
-- Imagename is required for commit atm, update manpage
-
-* Thu May 03 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.16-3.git532e267
-- Resolves: #1573681
-- built commit 532e267
-
-* Tue Apr 10 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.16.0-2.git6f7d05b
-- built commit 6f7d05b
-
-* Wed Apr 4 2018 Dan Walsh <dwalsh@redhat.com> 0.16-1
-- Add support for shell
-- Vendor in latest containers/image
-- docker-archive generates docker legacy compatible images
-- Do not create $DiffID subdirectories for layers with no configs
-- Ensure the layer IDs in legacy docker/tarfile metadata are unique
-- docker-archive: repeated layers are symlinked in the tar file
-- sysregistries: remove all trailing slashes
-- Improve docker/* error messages
-- Fix failure to make auth directory
-- Create a new slice in Schema1.UpdateLayerInfos
-- Drop unused storageImageDestination.{image,systemContext}
-- Load a *storage.Image only once in storageImageSource
-- Support gzip for docker-archive files
-- Remove .tar extension from blob and config file names
-- ostree, src: support copy of compressed layers
-- ostree: re-pull layer if it misses uncompressed_digest|uncompressed_size
-- image: fix docker schema v1 -> OCI conversion
-- Add /etc/containers/certs.d as default certs directory
-- Change image time to locale, add troubleshooting.md, add logo to other mds
-- Allow --cmd parameter to have commands as values
-- Document the mounts.conf file
-- Fix man pages to format correctly
-- buildah from now supports pulling images using the following transports:
-- docker-archive, oci-archive, and dir.
-- If the user overrides the storage driver, the options should be dropped
-- Show Config/Manifest as JSON string in inspect when format is not set
-- Adds feature to pull compressed docker-archive files
-
-* Tue Feb 27 2018 Dan Walsh <dwalsh@redhat.com> 0.15-1
-- Fix handling of buildah run command options
-
-* Mon Feb 26 2018 Dan Walsh <dwalsh@redhat.com> 0.14-1
-- If commonOpts do not exist, we should return rather then segfault
-- Display full error string instead of just status
-- Implement --volume and --shm-size for bud and from
-- Fix secrets patch for buildah bud
-- Fixes the naming issue of blobs and config for the dir transport by removing the .tar extension
-
-* Mon Feb 26 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.13-1.git99066e0
-- use correct version
-
-* Mon Feb 26 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.12-4.git99066e0
-- enable debuginfo
-
-* Mon Feb 26 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.12-3.git99066e0
-- BR: libseccomp-devel
-
-* Mon Feb 26 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.12-2.git99066e0
-- Resolves: #1548535
-- built commit 99066e0
-
-* Mon Feb 12 2018 Dan Walsh <dwalsh@redhat.com> 0.12-1
-- Added handing for simpler error message for Unknown Dockerfile instructions.
-- Change default certs directory to /etc/containers/certs.dir
-- Vendor in latest containers/image
-- Vendor in latest containers/storage
-- build-using-dockerfile: set the 'author' field for MAINTAINER
-- Return exit code 1 when buildah-rmi fails
-- Trim the image reference to just its name before calling getImageName
-- Touch up rmi -f usage statement
-- Add --format and --filter to buildah containers
-- Add --prune,-p option to rmi command
-- Add authfile param to commit
-- Fix --runtime-flag for buildah run and bud
-- format should override quiet for images
-- Allow all auth params to work with bud
-- Do not overwrite directory permissions on --chown
-- Unescape HTML characters output into the terminal
-- Fix: setting the container name to the image
-- Prompt for un/pwd if not supplied with --creds
-- Make bud be really quiet
-- Return a better error message when failed to resolve an image
-- Update auth tests and fix bud man page
-
-* Mon Feb 05 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.11-3.git49095a8
-- Resolves: #1542236 - add ostree and bump runc dep
-
-* Thu Feb 01 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.11-2.git49095a8
-- rebased to 49095a83f8622cf69532352d183337635562e261
-
-* Tue Jan 16 2018 Dan Walsh <dwalsh@redhat.com> 0.11-1
-- Add --all to remove containers
-- Add --all functionality to rmi
-- Show ctrid when doing rm -all
-- Ignore sequential duplicate layers when reading v2s1
-- Lots of minor bug fixes
-- Vendor in latest containers/image and containers/storage
-
-* Sat Dec 23 2017 Dan Walsh <dwalsh@redhat.com> 0.10-2
-- Fix checkin
-
-* Sat Dec 23 2017 Dan Walsh <dwalsh@redhat.com> 0.10-1
-- Display Config and Manifest as strings
-- Bump containers/image
-- Use configured registries to resolve image names
-- Update to work with newer image library
-- Add --chown option to add/copy commands
-
-* Tue Dec 12 2017 Lokesh Mandvekar <lsm5@redhat.com> - 0.9-2.git04ea079
-- build for all arches
-
-* Sat Dec 2 2017 Dan Walsh <dwalsh@redhat.com> 0.9-1
-- Allow push to use the image id
-- Make sure builtin volumes have the correct label
-
-* Wed Nov 22 2017 Dan Walsh <dwalsh@redhat.com> 0.8-1
-- Buildah bud was failing on SELinux machines, this fixes this
-- Block access to certain kernel file systems inside of the container
-
-* Thu Nov 16 2017 Dan Walsh <dwalsh@redhat.com> 0.7-1
-- Ignore errors when trying to read containers buildah.json for loading SELinux reservations
-- Use credentials from kpod login for buildah
-- Adds support for converting manifest types when using the dir transport
-- Rework how we do UID resolution in images
-- Bump github.com/vbatts/tar-split
-- Set option.terminal appropriately in run
-
-* Thu Nov 16 2017 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.5-5.gitf7dc659
-- revert building for s390x, it is intended for rhel 7.5
-
-* Wed Nov 15 2017 Dan Walsh <dwalsh@redhat.com> 0.5-4
-- Add requires for container-selinux
-
-* Mon Nov 13 2017 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.5-3.gitf7dc659
-- build for s390x, https://bugzilla.redhat.com/show_bug.cgi?id=1482234
-
-* Wed Nov 08 2017 Dan Walsh <dwalsh@redhat.com> 0.5-2
-- Bump github.com/vbatts/tar-split
-- Fixes CVE That could allow a container image to cause a DOS
-
-* Tue Nov 07 2017 Dan Walsh <dwalsh@redhat.com> 0.5-1
-- Add secrets patch to buildah
-- Add proper SELinux labeling to buildah run
-- Add tls-verify to bud command
-- Make filtering by date use the image's date
-- images: don't list unnamed images twice
-- Fix timeout issue
-- Add further tty verbiage to buildah run
-- Make inspect try an image on failure if type not specified
-- Add support for `buildah run --hostname`
-- Tons of bug fixes and code cleanup
-
-* Tue Nov 7 2017 Nalin Dahyabhai <nalin@redhat.com> - 0.4-2.git01db066
-- bump to latest version
-- set GIT_COMMIT at build-time
-
-* Fri Sep 22 2017 Dan Walsh <dwalsh@redhat.com> 0.4-1.git9cbccf88c
-- Add default transport to push if not provided
-- Avoid trying to print a nil ImageReference
-- Add authentication to commit and push
-- Add information on buildah from man page on transports
-- Remove --transport flag
-- Run: do not complain about missing volume locations
-- Add credentials to buildah from
-- Remove export command
-- Run(): create the right working directory
-- Improve "from" behavior with unnamed references
-- Avoid parsing image metadata for dates and layers
-- Read the image's creation date from public API
-- Bump containers/storage and containers/image
-- Don't panic if an image's ID can't be parsed
-- Turn on --enable-gc when running gometalinter
-- rmi: handle truncated image IDs
-
-* Fri Sep 22 2017 Lokesh Mandvekar <lsm5@redhat.com> - 0.4-1.git9cbccf8
-- bump to v0.4
-
-* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.3-4.gitb9b2a8a
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
-
-* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.3-3.gitb9b2a8a
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
-
-* Thu Jul 20 2017 Dan Walsh <dwalsh@redhat.com> 0.3-2.gitb9b2a8a7e
-- Bump for inclusion of OCI 1.0 Runtime and Image Spec
-
-* Tue Jul 18 2017 Dan Walsh <dwalsh@redhat.com> 0.2.0-1.gitac2aad6
-- buildah run: Add support for -- ending options parsing
-- buildah Add/Copy support for glob syntax
-- buildah commit: Add flag to remove containers on commit
-- buildah push: Improve man page and help information
-- buildah run: add a way to disable PTY allocation
-- Buildah docs: clarify --runtime-flag of run command
-- Update to match newer storage and image-spec APIs
-- Update containers/storage and containers/image versions
-- buildah export: add support
-- buildah images: update commands
-- buildah images: Add JSON output option
-- buildah rmi: update commands
-- buildah containers: Add JSON output option
-- buildah version: add command
-- buildah run: Handle run without an explicit command correctly
-- Ensure volume points get created, and with perms
-- buildah containers: Add a -a/--all option
-
-* Wed Jun 14 2017 Dan Walsh <dwalsh@redhat.com> 0.1.0-2.git597d2ab9
-- Release Candidate 1
-- All features have now been implemented.
-
-* Fri Apr 14 2017 Dan Walsh <dwalsh@redhat.com> 0.0.1-1.git7a0a5333
-- First package for Fedora
+* Tue May 19 2020 Jindrich Novy <jnovy@redhat.com> - 1.14.9-1
+- update to https://github.com/containers/buildah/releases/tag/v1.14.9
+- Related: RHELPLAN-39206
+
+* Fri May 01 2020 Jindrich Novy <jnovy@redhat.com> - 1.14.8-2
+- make container-selinux a soft dependency
+- Related: #1806044
+
+* Fri Apr 10 2020 Jindrich Novy <jnovy@redhat.com> - 1.14.8-1
+- update to https://github.com/containers/buildah/releases/tag/v1.14.8
+- Related: RHELPLAN-39206
+
+* Thu Apr 09 2020 Jindrich Novy <jnovy@redhat.com> - 1.14.7-1
+- initial rhel8-8.2.1 build
+- update to https://github.com/containers/buildah/releases/tag/v1.14.7
+- Related: RHELPLAN-39206