SUSE: 2022:2743-1 bci/python Security Update | LinuxSecurity.com
SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:2743-1
Container Tags        : bci/python:3 , bci/python:3.9 , bci/python:3.9-20.4
Container Release     : 20.4
Severity              : critical
Type                  : security
References            : 1167864 1181961 1202812 1203911 1204137 1204383 1204690 CVE-2020-10696
                        CVE-2021-20206 CVE-2021-46848 CVE-2022-2990 CVE-2022-32221 
-----------------------------------------------------------------

The container bci/python was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3766-1
Released:    Wed Oct 26 11:38:01 2022
Summary:     Security update for buildah
Type:        security
Severity:    important
References:  1167864,1181961,1202812,CVE-2020-10696,CVE-2021-20206,CVE-2022-2990
This update for buildah fixes the following issues:

- CVE-2021-20206: Fixed an issue in libcni that could allow an attacker to execute arbitrary binaries on the host (bsc#1181961).
- CVE-2020-10696: Fixed an issue that could lead to files being overwritten during the image building process (bsc#1167864).
- CVE-2022-2990: Fixed possible information disclosure and modification / bsc#1202812

Buildah was updated to version 1.27.1:

* run: add container gid to additional groups

- Add fix for CVE-2022-2990 / bsc#1202812


Update to version 1.27.0:

* Don't try to call runLabelStdioPipes if spec.Linux is not set
* build: support filtering cache by duration using --cache-ttl
* build: support building from commit when using git repo as build context
* build: clean up git repos correctly when using subdirs
* integration tests: quote '?' in shell scripts
* test: manifest inspect should have OCIv1 annotation
* vendor: bump to c/[email protected]
* Failure to determine a file or directory should print an error
* refactor: remove unused CommitOptions from generateBuildOutput
* stage_executor: generate output for cases with no commit
* stage_executor, commit: output only if last stage in build
* Use errors.Is() instead of os.Is{Not,}Exist
* Minor test tweak for podman-remote compatibility
* Cirrus: Use the latest imgts container
* imagebuildah: complain about the right Dockerfile
* tests: don't try to wrap `nil` errors
* cmd/buildah.commitCmd: don't shadow 'err'
* cmd/buildah.pullCmd: complain about DecryptConfig/EncryptConfig
* Fix a copy/paste error message
* Fix a typo in an error message
* build,cache: support pulling/pushing cache layers to/from remote sources
* Update vendor of containers/(common, storage, image)
* Rename chroot/run.go to chroot/run_linux.go
* Don't bother telling codespell to skip files that don't exist
* Set user namespace defaults correctly for the library
* imagebuildah: optimize cache hits for COPY and ADD instructions
* Cirrus: Update VM images w/ updated bats
* docs, run: show SELinux label flag for cache and bind mounts
* imagebuildah, build: remove undefined concurrent writes
* bump github.com/opencontainers/runtime-tools
* Add FreeBSD support for 'buildah info'
* Vendor in latest containers/(storage, common, image)
* Add freebsd cross build targets
* Make the jail package build on 32bit platforms
* Cirrus: Ensure the build-push VM image is labeled
* GHA: Fix dynamic script filename
* Vendor in containers/(common, storage, image)
* Run codespell
* Remove import of github.com/pkg/errors
* Avoid using cgo in pkg/jail
* Rename footypes to fooTypes for naming consistency
* Move cleanupTempVolumes and cleanupRunMounts to run_common.go
* Make the various run mounts work for FreeBSD
* Move get{Bind,Tmpfs,Secret,SSH}Mount to run_common.go
* Move runSetupRunMounts to run_common.go
* Move cleanableDestinationListFromMounts to run_common.go
* Make setupMounts and runSetupBuiltinVolumes work on FreeBSD
* Move setupMounts and runSetupBuiltinVolumes to run_common.go
* Tidy up - runMakeStdioPipe can't be shared with linux
* Move runAcceptTerminal to run_common.go
* Move stdio copying utilities to run_common.go
* Move runUsingRuntime and runCollectOutput to run_common.go
* Move fileCloser, waitForSync and contains to run_common.go
* Move checkAndOverrideIsolationOptions to run_common.go
* Move DefaultNamespaceOptions to run_common.go
* Move getNetworkInterface to run_common.go
* Move configureEnvironment to run_common.go
* Don't crash in configureUIDGID if Process.Capabilities is nil
* Move configureUIDGID to run_common.go
* Move runLookupPath to run_common.go
* Move setupTerminal to run_common.go
* Move etc file generation utilities to run_common.go
* Add run support for FreeBSD
* Add a simple FreeBSD jail library
* Add FreeBSD support to pkg/chrootuser
* Sync call signature for RunUsingChroot with chroot/run.go
* test: verify feature to resolve basename with args
* vendor: bump openshift/imagebuilder to [email protected]
* GHA: Remove required reserved-name use
* buildah: set XDG_RUNTIME_DIR before setting default runroot
* imagebuildah: honor build output even if build container is not commited
* chroot: honor DefaultErrnoRet
* [CI:DOCS] improve pull-policy documentation
* tests: retrofit test since --file does not supports dir
* Switch to golang native error wrapping
* BuildDockerfiles: error out if path to containerfile is a directory
* define.downloadToDirectory: fail early if bad HTTP response
* GHA: Allow re-use of Cirrus-Cron fail-mail workflow
* add: fail on bad http response instead of writing to container
* [CI:DOCS] Update buildahimage comment
* lint: inspectable is never nil
* vendor: c/common to [email protected]
* build: support OCI hooks for ephemeral build containers
* [CI:BUILD] Install latest buildah instead of compiling
* Add subid support with BuildRequires and BUILDTAG [NO NEW TESTS NEEDED]
* Make sure cpp is installed in buildah images
* demo: use unshare for rootless invocations
* buildah.spec.rpkg: initial addition
* build: fix test for subid 4
* build, userns: add support for --userns=auto
* Fix building upstream buildah image
* Remove redundant buildahimages-are-sane validation
* Docs: Update multi-arch buildah images readme
* Cirrus: Migrate multiarch build off github actions
* retrofit-tests: we skip unused stages so use stages
* stage_executor: dont rely on stage while looking for additional-context
* buildkit, multistage: skip computing unwanted stages
* More test cleanup
* copier: work around freebsd bug for 'mkdir /'
* Replace $BUILDAH_BINARY with buildah() function
* Fix up buildah images
* Make util and copier build on FreeBSD
* Vendor in latest github.com/sirupsen/logrus
* Makefile: allow building without .git
* run_unix: don't return an error from getNetworkInterface
* run_unix: return a valid DefaultNamespaceOptions
* Update vendor of containers/storage
* chroot: use ActKillThread instead of ActKill
* use resolvconf package from c/common/libnetwork
* update c/common to latest main
* copier: add `NoOverwriteNonDirDir` option
* Sort buildoptions and move cli/build functions to internal
* Fix TODO: de-spaghettify run mounts
* Move options parsing out of build.go and into pkg/cli
* [CI:DOCS] Tutorial 04 - Include Debian/Ubuntu deps
* build, multiarch: support splitting build logs for --platform
* [CI:BUILD] WIP Cleanup Image Dockerfiles
* cli remove stutter
* docker-parity: ignore sanity check if baseImage history is null
* build, commit: allow disabling image history with --omit-history
* Fix use generic/ambiguous DEBUG name
* Cirrus: use Ubuntu 22.04 LTS
* Fix codespell errors
* Remove util.StringInSlice because it is defined in containers/common
* buildah: add support for renaming a device in rootless setups
* squash: never use build cache when computing last step of last stage
* Update vendor of containers/(common, storage, image)
* buildkit: supports additionalBuildContext in builds via --build-context
* buildah source pull/push: show progress bar
* run: allow resuing secret twice in different RUN steps
* test helpers: default to being rootless-aware
* Add --cpp-flag flag to buildah build
* build: accept branch and subdirectory when context is git repo
* Vendor in latest containers/common
* vendor: update c/storage and c/image
* Fix gentoo install docs
* copier: move NSS load to new process
* Add test for prevention of reusing encrypted layers
* Make `buildah build --label foo` create an empty 'foo' label again


Update to version 1.26.4:

* build, multiarch: support splitting build logs for --platform
* copier: add `NoOverwriteNonDirDir` option
* docker-parity: ignore sanity check if baseImage history is null
* build, commit: allow disabling image history with --omit-history
* buildkit: supports additionalBuildContext in builds via --build-context
* Add --cpp-flag flag to buildah build

Update to version 1.26.3:

* define.downloadToDirectory: fail early if bad HTTP response
* add: fail on bad http response instead of writing to container
* squash: never use build cache when computing last step of last stage
* run: allow resuing secret twice in different RUN steps
* integration tests: update expected error messages
* integration tests: quote '?' in shell scripts
* Use errors.Is() to check for storage errors
* lint: inspectable is never nil
* chroot: use ActKillThread instead of ActKill
* chroot: honor DefaultErrnoRet
* Set user namespace defaults correctly for the library
* contrib/rpm/buildah.spec: fix `rpm` parser warnings

Drop requires on apparmor pattern, should be moved elsewhere
for systems which want AppArmor instead of SELinux.

- Update BuildRequires to libassuan-devel >= 2.5.2, pkgconfig file
  is required to build.

Update to version 1.26.2:

* buildah: add support for renaming a device in rootless setups

Update to version 1.26.1:

* Make `buildah build --label foo` create an empty 'foo' label again
* imagebuildah,build: move deepcopy of args before we spawn goroutine
* Vendor in containers/storage v1.40.2
* buildah.BuilderOptions.DefaultEnv is ignored, so mark it as deprecated
* help output: get more consistent about option usage text
* Handle OS version and features flags
* buildah build: --annotation and --label should remove values
* buildah build: add a --env
* buildah: deep copy options.Args before performing concurrent build/stage
* test: inline platform and builtinargs behaviour
* vendor: bump imagebuilder to master/009dbc6
* build: automatically set correct TARGETPLATFORM where expected
* Vendor in containers/(common, storage, image)
* imagebuildah, executor: process arg variables while populating baseMap
* buildkit: add support for custom build output with --output
* Cirrus: Update CI VMs to F36
* fix staticcheck linter warning for deprecated function
* Fix docs build on FreeBSD
* copier.unwrapError(): update for Go 1.16
* copier.PutOptions: add StripSetuidBit/StripSetgidBit/StripStickyBit
* copier.Put(): write to read-only directories
* Ed's periodic test cleanup
* using consistent lowercase 'invalid' word in returned err msg
* use etchosts package from c/common
* run: set actual hostname in /etc/hostname to match docker parity
* Update vendor of containers/(common,storage,image)
* manifest-create: allow creating manifest list from local image
* Update vendor of storage,common,image
* Initialize network backend before first pull
* oci spec: change special mount points for namespaces
* tests/helpers.bash: assert handle corner cases correctly
* buildah: actually use containers.conf settings
* integration tests: learn to start a dummy registry
* Fix error check to work on Podman
* buildah build should accept at most one arg
* tests: reduce concurrency for flaky bud-multiple-platform-no-run
* vendor in latest containers/common,image,storage
* manifest-add: allow override arch,variant while adding image
* Remove a stray `\` from .containerenv
* Vendor in latest opencontainers/selinux v1.10.1
* build, commit: allow removing default identity labels
* Create shorter names for containers based on image IDs
* test: skip rootless on cgroupv2 in root env
* fix hang when oci runtime fails
* Set permissions for GitHub actions
* copier test: use correct UID/GID in test archives
* run: set parent-death signals and forward SIGHUP/SIGINT/SIGTERM


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3773-1
Released:    Wed Oct 26 12:19:29 2022
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1204383,CVE-2022-32221
This update for curl fixes the following issues:

  - CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3776-1
Released:    Wed Oct 26 14:06:43 2022
Summary:     Recommended update for permissions
Type:        recommended
Severity:    important
References:  1203911,1204137
This update for permissions fixes the following issues:

- Revert changes that replaced ping capabilities with ICMP_PROTO sockets. Older SUSE Linux Enterprise versions don't
  properly support ICMP_PROTO sockets feature yet (bsc#1204137)
- Fix regression introduced by backport of security fix (bsc#1203911)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3784-1
Released:    Wed Oct 26 18:03:28 2022
Summary:     Security update for libtasn1
Type:        security
Severity:    critical
References:  1204690,CVE-2021-46848
This update for libtasn1 fixes the following issues:

- CVE-2021-46848: Fixed off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690)


The following package changes have been done:

- curl-7.66.0-150200.4.42.1 updated
- libcurl4-7.66.0-150200.4.42.1 updated
- libgpg-error0-1.42-150300.9.3.1 updated
- libtasn1-6-4.13-150000.4.8.1 updated
- libtasn1-4.13-150000.4.8.1 updated
- permissions-20181225-150200.23.20.1 updated
- container:sles15-image-15.0.0-17.20.57 updated

SUSE: 2022:2743-1 bci/python Security Update

October 28, 2022
The container bci/python was updated

Summary

Advisory ID: SUSE-SU-2022:3766-1 Released: Wed Oct 26 11:38:01 2022 Summary: Security update for buildah Type: security Severity: important Advisory ID: SUSE-SU-2022:3773-1 Released: Wed Oct 26 12:19:29 2022 Summary: Security update for curl Type: security Severity: important Advisory ID: SUSE-RU-2022:3776-1 Released: Wed Oct 26 14:06:43 2022 Summary: Recommended update for permissions Type: recommended Severity: important Advisory ID: SUSE-SU-2022:3784-1 Released: Wed Oct 26 18:03:28 2022 Summary: Security update for libtasn1 Type: security Severity: critical

References

References : 1167864 1181961 1202812 1203911 1204137 1204383 1204690 CVE-2020-10696

CVE-2021-20206 CVE-2021-46848 CVE-2022-2990 CVE-2022-32221

1167864,1181961,1202812,CVE-2020-10696,CVE-2021-20206,CVE-2022-2990

This update for buildah fixes the following issues:

- CVE-2021-20206: Fixed an issue in libcni that could allow an attacker to execute arbitrary binaries on the host (bsc#1181961).

- CVE-2020-10696: Fixed an issue that could lead to files being overwritten during the image building process (bsc#1167864).

- CVE-2022-2990: Fixed possible information disclosure and modification / bsc#1202812

Buildah was updated to version 1.27.1:

* run: add container gid to additional groups

- Add fix for CVE-2022-2990 / bsc#1202812

Update to version 1.27.0:

* Don't try to call runLabelStdioPipes if spec.Linux is not set

* build: support filtering cache by duration using --cache-ttl

* build: support building from commit when using git repo as build context

* build: clean up git repos correctly when using subdirs

* integration tests: quote '?' in shell scripts

* test: manifest inspect should have OCIv1 annotation

* vendor: bump to c/[email protected]

* Failure to determine a file or directory should print an error

* refactor: remove unused CommitOptions from generateBuildOutput

* stage_executor: generate output for cases with no commit

* stage_executor, commit: output only if last stage in build

* Use errors.Is() instead of os.Is{Not,}Exist

* Minor test tweak for podman-remote compatibility

* Cirrus: Use the latest imgts container

* imagebuildah: complain about the right Dockerfile

* tests: don't try to wrap `nil` errors

* cmd/buildah.commitCmd: don't shadow 'err'

* cmd/buildah.pullCmd: complain about DecryptConfig/EncryptConfig

* Fix a copy/paste error message

* Fix a typo in an error message

* build,cache: support pulling/pushing cache layers to/from remote sources

* Update vendor of containers/(common, storage, image)

* Rename chroot/run.go to chroot/run_linux.go

* Don't bother telling codespell to skip files that don't exist

* Set user namespace defaults correctly for the library

* imagebuildah: optimize cache hits for COPY and ADD instructions

* Cirrus: Update VM images w/ updated bats

* docs, run: show SELinux label flag for cache and bind mounts

* imagebuildah, build: remove undefined concurrent writes

* bump github.com/opencontainers/runtime-tools

* Add FreeBSD support for 'buildah info'

* Vendor in latest containers/(storage, common, image)

* Add freebsd cross build targets

* Make the jail package build on 32bit platforms

* Cirrus: Ensure the build-push VM image is labeled

* GHA: Fix dynamic script filename

* Vendor in containers/(common, storage, image)

* Run codespell

* Remove import of github.com/pkg/errors

* Avoid using cgo in pkg/jail

* Rename footypes to fooTypes for naming consistency

* Move cleanupTempVolumes and cleanupRunMounts to run_common.go

* Make the various run mounts work for FreeBSD

* Move get{Bind,Tmpfs,Secret,SSH}Mount to run_common.go

* Move runSetupRunMounts to run_common.go

* Move cleanableDestinationListFromMounts to run_common.go

* Make setupMounts and runSetupBuiltinVolumes work on FreeBSD

* Move setupMounts and runSetupBuiltinVolumes to run_common.go

* Tidy up - runMakeStdioPipe can't be shared with linux

* Move runAcceptTerminal to run_common.go

* Move stdio copying utilities to run_common.go

* Move runUsingRuntime and runCollectOutput to run_common.go

* Move fileCloser, waitForSync and contains to run_common.go

* Move checkAndOverrideIsolationOptions to run_common.go

* Move DefaultNamespaceOptions to run_common.go

* Move getNetworkInterface to run_common.go

* Move configureEnvironment to run_common.go

* Don't crash in configureUIDGID if Process.Capabilities is nil

* Move configureUIDGID to run_common.go

* Move runLookupPath to run_common.go

* Move setupTerminal to run_common.go

* Move etc file generation utilities to run_common.go

* Add run support for FreeBSD

* Add a simple FreeBSD jail library

* Add FreeBSD support to pkg/chrootuser

* Sync call signature for RunUsingChroot with chroot/run.go

* test: verify feature to resolve basename with args

* vendor: bump openshift/imagebuilder to [email protected]

* GHA: Remove required reserved-name use

* buildah: set XDG_RUNTIME_DIR before setting default runroot

* imagebuildah: honor build output even if build container is not commited

* chroot: honor DefaultErrnoRet

* [CI:DOCS] improve pull-policy documentation

* tests: retrofit test since --file does not supports dir

* Switch to golang native error wrapping

* BuildDockerfiles: error out if path to containerfile is a directory

* define.downloadToDirectory: fail early if bad HTTP response

* GHA: Allow re-use of Cirrus-Cron fail-mail workflow

* add: fail on bad http response instead of writing to container

* [CI:DOCS] Update buildahimage comment

* lint: inspectable is never nil

* vendor: c/common to [email protected]

* build: support OCI hooks for ephemeral build containers

* [CI:BUILD] Install latest buildah instead of compiling

* Add subid support with BuildRequires and BUILDTAG [NO NEW TESTS NEEDED]

* Make sure cpp is installed in buildah images

* demo: use unshare for rootless invocations

* buildah.spec.rpkg: initial addition

* build: fix test for subid 4

* build, userns: add support for --userns=auto

* Fix building upstream buildah image

* Remove redundant buildahimages-are-sane validation

* Docs: Update multi-arch buildah images readme

* Cirrus: Migrate multiarch build off github actions

* retrofit-tests: we skip unused stages so use stages

* stage_executor: dont rely on stage while looking for additional-context

* buildkit, multistage: skip computing unwanted stages

* More test cleanup

* copier: work around freebsd bug for 'mkdir /'

* Replace $BUILDAH_BINARY with buildah() function

* Fix up buildah images

* Make util and copier build on FreeBSD

* Vendor in latest github.com/sirupsen/logrus

* Makefile: allow building without .git

* run_unix: don't return an error from getNetworkInterface

* run_unix: return a valid DefaultNamespaceOptions

* Update vendor of containers/storage

* chroot: use ActKillThread instead of ActKill

* use resolvconf package from c/common/libnetwork

* update c/common to latest main

* copier: add `NoOverwriteNonDirDir` option

* Sort buildoptions and move cli/build functions to internal

* Fix TODO: de-spaghettify run mounts

* Move options parsing out of build.go and into pkg/cli

* [CI:DOCS] Tutorial 04 - Include Debian/Ubuntu deps

* build, multiarch: support splitting build logs for --platform

* [CI:BUILD] WIP Cleanup Image Dockerfiles

* cli remove stutter

* docker-parity: ignore sanity check if baseImage history is null

* build, commit: allow disabling image history with --omit-history

* Fix use generic/ambiguous DEBUG name

* Cirrus: use Ubuntu 22.04 LTS

* Fix codespell errors

* Remove util.StringInSlice because it is defined in containers/common

* buildah: add support for renaming a device in rootless setups

* squash: never use build cache when computing last step of last stage

* Update vendor of containers/(common, storage, image)

* buildkit: supports additionalBuildContext in builds via --build-context

* buildah source pull/push: show progress bar

* run: allow resuing secret twice in different RUN steps

* test helpers: default to being rootless-aware

* Add --cpp-flag flag to buildah build

* build: accept branch and subdirectory when context is git repo

* Vendor in latest containers/common

* vendor: update c/storage and c/image

* Fix gentoo install docs

* copier: move NSS load to new process

* Add test for prevention of reusing encrypted layers

* Make `buildah build --label foo` create an empty 'foo' label again

Update to version 1.26.4:

* build, multiarch: support splitting build logs for --platform

* copier: add `NoOverwriteNonDirDir` option

* docker-parity: ignore sanity check if baseImage history is null

* build, commit: allow disabling image history with --omit-history

* buildkit: supports additionalBuildContext in builds via --build-context

* Add --cpp-flag flag to buildah build

Update to version 1.26.3:

* define.downloadToDirectory: fail early if bad HTTP response

* add: fail on bad http response instead of writing to container

* squash: never use build cache when computing last step of last stage

* run: allow resuing secret twice in different RUN steps

* integration tests: update expected error messages

* integration tests: quote '?' in shell scripts

* Use errors.Is() to check for storage errors

* lint: inspectable is never nil

* chroot: use ActKillThread instead of ActKill

* chroot: honor DefaultErrnoRet

* Set user namespace defaults correctly for the library

* contrib/rpm/buildah.spec: fix `rpm` parser warnings

Drop requires on apparmor pattern, should be moved elsewhere

for systems which want AppArmor instead of SELinux.

- Update BuildRequires to libassuan-devel >= 2.5.2, pkgconfig file

is required to build.

Update to version 1.26.2:

* buildah: add support for renaming a device in rootless setups

Update to version 1.26.1:

* Make `buildah build --label foo` create an empty 'foo' label again

* imagebuildah,build: move deepcopy of args before we spawn goroutine

* Vendor in containers/storage v1.40.2

* buildah.BuilderOptions.DefaultEnv is ignored, so mark it as deprecated

* help output: get more consistent about option usage text

* Handle OS version and features flags

* buildah build: --annotation and --label should remove values

* buildah build: add a --env

* buildah: deep copy options.Args before performing concurrent build/stage

* test: inline platform and builtinargs behaviour

* vendor: bump imagebuilder to master/009dbc6

* build: automatically set correct TARGETPLATFORM where expected

* Vendor in containers/(common, storage, image)

* imagebuildah, executor: process arg variables while populating baseMap

* buildkit: add support for custom build output with --output

* Cirrus: Update CI VMs to F36

* fix staticcheck linter warning for deprecated function

* Fix docs build on FreeBSD

* copier.unwrapError(): update for Go 1.16

* copier.PutOptions: add StripSetuidBit/StripSetgidBit/StripStickyBit

* copier.Put(): write to read-only directories

* Ed's periodic test cleanup

* using consistent lowercase 'invalid' word in returned err msg

* use etchosts package from c/common

* run: set actual hostname in /etc/hostname to match docker parity

* Update vendor of containers/(common,storage,image)

* manifest-create: allow creating manifest list from local image

* Update vendor of storage,common,image

* Initialize network backend before first pull

* oci spec: change special mount points for namespaces

* tests/helpers.bash: assert handle corner cases correctly

* buildah: actually use containers.conf settings

* integration tests: learn to start a dummy registry

* Fix error check to work on Podman

* buildah build should accept at most one arg

* tests: reduce concurrency for flaky bud-multiple-platform-no-run

* vendor in latest containers/common,image,storage

* manifest-add: allow override arch,variant while adding image

* Remove a stray `\` from .containerenv

* Vendor in latest opencontainers/selinux v1.10.1

* build, commit: allow removing default identity labels

* Create shorter names for containers based on image IDs

* test: skip rootless on cgroupv2 in root env

* fix hang when oci runtime fails

* Set permissions for GitHub actions

* copier test: use correct UID/GID in test archives

* run: set parent-death signals and forward SIGHUP/SIGINT/SIGTERM

1204383,CVE-2022-32221

This update for curl fixes the following issues:

- CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).

1203911,1204137

This update for permissions fixes the following issues:

- Revert changes that replaced ping capabilities with ICMP_PROTO sockets. Older SUSE Linux Enterprise versions don't

properly support ICMP_PROTO sockets feature yet (bsc#1204137)

- Fix regression introduced by backport of security fix (bsc#1203911)

1204690,CVE-2021-46848

This update for libtasn1 fixes the following issues:

- CVE-2021-46848: Fixed off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690)

The following package changes have been done:

- curl-7.66.0-150200.4.42.1 updated

- libcurl4-7.66.0-150200.4.42.1 updated

- libgpg-error0-1.42-150300.9.3.1 updated

- libtasn1-6-4.13-150000.4.8.1 updated

- libtasn1-4.13-150000.4.8.1 updated

- permissions-20181225-150200.23.20.1 updated

- container:sles15-image-15.0.0-17.20.57 updated

Severity
Container Advisory ID : SUSE-CU-2022:2743-1
Container Tags : bci/python:3 , bci/python:3.9 , bci/python:3.9-20.4
Container Release : 20.4
Severity : critical
Type : security

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.