SUSE Security Update: Security update for skopeo
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0712-1
Rating:             moderate
References:         #1159530 #1165715 
Cross-References:   CVE-2019-10214
Affected Products:
                    SUSE Linux Enterprise Module for Server Applications 15-SP1
______________________________________________________________________________

   An update that solves one vulnerability and has one errata
   is now available.

Description:

   This update for skopeo fixes the following issues:

   Update to skopeo v0.1.41 (bsc#1165715):

   - Bump github.com/containers/image/v5 from 5.2.0 to 5.2.1
   - Bump gopkg.in/yaml.v2 from 2.2.7 to 2.2.8
   - Bump github.com/containers/common from 0.0.7 to 0.1.4
   - Remove the reference to openshift/api
   - vendor github.com/containers/image/v5@v5.2.0
   - Manually update buildah to v1.13.1
   - add specific authfile options to copy (and sync) command.
   - Bump github.com/containers/buildah from 1.11.6 to 1.12.0
   - Add context to --encryption-key / --decryption-key processing failures
   - Bump github.com/containers/storage from 1.15.2 to 1.15.3
   - Bump github.com/containers/buildah from 1.11.5 to 1.11.6
   - remove direct reference on c/image/storage
   - Makefile: set GOBIN
   - Bump gopkg.in/yaml.v2 from 2.2.2 to 2.2.7
   - Bump github.com/containers/storage from 1.15.1 to 1.15.2
   - Introduce the sync command
   - openshift cluster: remove .docker directory on teardown
   - Bump github.com/containers/storage from 1.14.0 to 1.15.1
   - document installation via apk on alpine
   - Fix typos in doc for image encryption
   - Image encryption/decryption support in skopeo
   - make vendor-in-container
   - Bump github.com/containers/buildah from 1.11.4 to 1.11.5
   - Travis: use go v1.13
   - Use a Windows Nano Server image instead of Server Core for multi-arch
     testing
   - Increase test timeout to 15 minutes
   - Run the test-system container without --net=host
   - Mount /run/systemd/journal/socket into test-system containers
   - Don't unnecessarily filter out vendor from (go list ./...)
     output
   - Use -mod=vendor in (go {list,test,vet})
   - Bump github.com/containers/buildah from 1.8.4 to 1.11.4
   - Bump github.com/urfave/cli from 1.20.0 to 1.22.1
   - skopeo: drop support for ostree
   - Don't critically fail on a 403 when listing tags
   - Revert "Temporarily work around auth.json location confusion"
   - Remove references to atomic
   - Remove references to storage.conf
   - Dockerfile: use golang-github-cpuguy83-go-md2man
   - bump version to v0.1.41-dev
   - systemtest: inspect container image different from current platform arch

   Changes in v0.1.40:

   - vendor containers/image v5.0.0
   - copy: add a --all/-a flag
   - System tests: various fixes
   - Temporarily work around auth.json location confusion
   - systemtest: copy: docker->storage->oci-archive
   - systemtest/010-inspect.bats: require only PATH
   - systemtest: add simple env test in inspect.bats
   - bash completion: add comments to keep scattered options in sync
   - bash completion: use read -r instead of disabling SC2207
   - bash completion: support --opt arg completion
   - bash-completion: use replacement instead of sed
   - bash completion: disable shellcheck SC2207
   - bash completion: double-quote to avoid re-splitting
   - bash completions: use bash replacement instead of sed
   - bash completion: remove unused variable
   - bash-completions: split decl and assignment to avoid masking retvals
   - bash completion: double-quote fixes
   - bash completion: hard-set PROG=skopeo
   - bash completion: remove unused variable
   - bash completion: use `||` instead of `-o`
   - bash completion: rm eval on assigned variable
   - copy: add --dest-compress-format and --dest-compress-level
   - flag: add optionalIntValue
   - Makefile: use go proxy
   - inspect --raw: skip the NewImage() step
   - update OCI image-spec to 775207bd45b6cb8153ce218cc59351799217451f
   - inspect.go: inspect env variables
   - ostree: use both image and & storage buildtags


   Update to skopeo v0.1.39 (bsc#1159530):

   - inspect: add a --config flag
   - Add --no-creds flag to skopeo inspect
   - Add --quiet option to skopeo copy
   - New progress bars
   - Parallel Pulls and Pushes for major speed improvements
   - containers/image moved to a new progress-bar library to fix various
     issues related to overlapping bars and redundant entries.
   - enforce blocking of registries
   - Allow storage-multiple-manifests
   - When copying images and the output is not a tty (e.g., when piping to a
     file) print single lines instead of using progress bars. This avoids
     long and hard to parse output
   - man pages: add --dest-oci-accept-uncompressed-layers
   - completions:
     - Introduce transports completions
     - Fix bash completions when an option requires an argument
     - Use only spaces in indent
     - Fix completions with a global option
     - add --dest-oci-accept-uncompressed-layers

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Server Applications 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-712=1



Package List:

   - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

      skopeo-0.1.41-4.11.1
      skopeo-debuginfo-0.1.41-4.11.1
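
   To confirm the update landed, compare each host's installed skopeo
   version-release with the fixed build in the package list above. The script
   below is an added example, not part of the SUSE announcement; the host names
   and the older version strings in the sample inventory are constructed, and
   the comparison assumes GNU "sort -V".

```shell
#!/bin/sh
# Added example: flag hosts whose skopeo build predates the fixed package
# listed in SUSE-SU-2020:0712-1 (skopeo-0.1.41-4.11.1).
FIXED="0.1.41-4.11.1"

# Return 0 when version-release $1 is at or above $FIXED.
# Assumption: GNU `sort -V` ordering, which agrees with RPM ordering for
# purely numeric dotted strings like these (no epoch, no '~' or '^').
is_patched() {
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED" ]
}

# Read "host version-release" lines on stdin and print the hosts that still
# need the patch. A "-" in the second column means skopeo is not installed.
# Per host, the second column is what this query returns:
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' skopeo
unpatched_hosts() {
    while read -r host vr; do
        [ -n "$host" ] || continue
        case "$vr" in
            ""|-) continue ;;          # package absent: nothing to patch
        esac
        is_patched "$vr" || printf '%s\n' "$host"
    done
}

# Constructed sample inventory (hypothetical hosts and old builds).
sample_inventory() {
    cat <<'EOF'
build-01 0.1.32-4.8.1
build-02 0.1.41-4.11.1
ci-03 0.1.41-4.9.1
ci-04 -
registry-05 0.1.41-4.12.2
EOF
}

sample_inventory | unpatched_hosts
```

   On a single SLE host, "zypper versioncmp" performs the same comparison with
   the system's own RPM ordering rules.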


References:

   https://www.suse.com/security/cve/CVE-2019-10214.html
   https://bugzilla.suse.com/1159530
   https://bugzilla.suse.com/1165715

_______________________________________________
sle-security-updates mailing list
sle-security-updates@lists.suse.com
http://lists.suse.com/mailman/listinfo/sle-security-updates

SUSE: 2020:0712-1 moderate: skopeo

March 18, 2020