SUSE: 2022:3766-1 important: buildah | LinuxSecurity.com

   SUSE Security Update: Security update for buildah
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:3766-1
Rating:             important
References:         #1167864 #1181961 #1202812 
Cross-References:   CVE-2020-10696 CVE-2021-20206 CVE-2022-2990
                   
CVSS scores:
                    CVE-2020-10696 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2020-10696 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2021-20206 (NVD) : 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-20206 (SUSE): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-2990 (NVD) : 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
                    CVE-2022-2990 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Affected Products:
                    SUSE Linux Enterprise Desktop 15-SP3
                    SUSE Linux Enterprise High Performance Computing 15-SP3
                    SUSE Linux Enterprise Micro 5.1
                    SUSE Linux Enterprise Micro 5.2
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
                    SUSE Linux Enterprise Module for Containers 15-SP3
                    SUSE Linux Enterprise Server 15-SP3
                    SUSE Linux Enterprise Server for SAP Applications 15-SP3
                    SUSE Linux Enterprise Storage 7.1
                    SUSE Manager Proxy 4.2
                    SUSE Manager Retail Branch Server 4.2
                    SUSE Manager Server 4.2
                    openSUSE Leap 15.3
                    openSUSE Leap Micro 5.2
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for buildah fixes the following issues:

   - CVE-2021-20206: Fixed an issue in libcni that could allow an attacker to
     execute arbitrary binaries on the host (bsc#1181961).
   - CVE-2020-10696: Fixed an issue that could lead to files being
     overwritten during the image building process (bsc#1167864).
   - CVE-2022-2990: Fixed possible information disclosure and modification /
     bsc#1202812

   Buildah was updated to version 1.27.1:

   * run: add container gid to additional groups

   - Add fix for CVE-2022-2990 / bsc#1202812


   Update to version 1.27.0:

   * Don't try to call runLabelStdioPipes if spec.Linux is not set
   * build: support filtering cache by duration using --cache-ttl
   * build: support building from commit when using git repo as build context
   * build: clean up git repos correctly when using subdirs
   * integration tests: quote "?" in shell scripts
   * test: manifest inspect should have OCIv1 annotation
   * vendor: bump to c/[email protected]
   * Failure to determine a file or directory should print an error
   * refactor: remove unused CommitOptions from generateBuildOutput
   * stage_executor: generate output for cases with no commit
   * stage_executor, commit: output only if last stage in build
   * Use errors.Is() instead of os.Is{Not,}Exist
   * Minor test tweak for podman-remote compatibility
   * Cirrus: Use the latest imgts container
   * imagebuildah: complain about the right Dockerfile
   * tests: don't try to wrap `nil` errors
   * cmd/buildah.commitCmd: don't shadow "err"
   * cmd/buildah.pullCmd: complain about DecryptConfig/EncryptConfig
   * Fix a copy/paste error message
   * Fix a typo in an error message
   * build,cache: support pulling/pushing cache layers to/from remote sources
   * Update vendor of containers/(common, storage, image)
   * Rename chroot/run.go to chroot/run_linux.go
   * Don't bother telling codespell to skip files that don't exist
   * Set user namespace defaults correctly for the library
   * imagebuildah: optimize cache hits for COPY and ADD instructions
   * Cirrus: Update VM images w/ updated bats
   * docs, run: show SELinux label flag for cache and bind mounts
   * imagebuildah, build: remove undefined concurrent writes
   * bump github.com/opencontainers/runtime-tools
   * Add FreeBSD support for 'buildah info'
   * Vendor in latest containers/(storage, common, image)
   * Add freebsd cross build targets
   * Make the jail package build on 32bit platforms
   * Cirrus: Ensure the build-push VM image is labeled
   * GHA: Fix dynamic script filename
   * Vendor in containers/(common, storage, image)
   * Run codespell
   * Remove import of github.com/pkg/errors
   * Avoid using cgo in pkg/jail
   * Rename footypes to fooTypes for naming consistency
   * Move cleanupTempVolumes and cleanupRunMounts to run_common.go
   * Make the various run mounts work for FreeBSD
   * Move get{Bind,Tmpfs,Secret,SSH}Mount to run_common.go
   * Move runSetupRunMounts to run_common.go
   * Move cleanableDestinationListFromMounts to run_common.go
   * Make setupMounts and runSetupBuiltinVolumes work on FreeBSD
   * Move setupMounts and runSetupBuiltinVolumes to run_common.go
   * Tidy up - runMakeStdioPipe can't be shared with linux
   * Move runAcceptTerminal to run_common.go
   * Move stdio copying utilities to run_common.go
   * Move runUsingRuntime and runCollectOutput to run_common.go
   * Move fileCloser, waitForSync and contains to run_common.go
   * Move checkAndOverrideIsolationOptions to run_common.go
   * Move DefaultNamespaceOptions to run_common.go
   * Move getNetworkInterface to run_common.go
   * Move configureEnvironment to run_common.go
   * Don't crash in configureUIDGID if Process.Capabilities is nil
   * Move configureUIDGID to run_common.go
   * Move runLookupPath to run_common.go
   * Move setupTerminal to run_common.go
   * Move etc file generation utilities to run_common.go
   * Add run support for FreeBSD
   * Add a simple FreeBSD jail library
   * Add FreeBSD support to pkg/chrootuser
   * Sync call signature for RunUsingChroot with chroot/run.go
   * test: verify feature to resolve basename with args
   * vendor: bump openshift/imagebuilder to [email protected]
   * GHA: Remove required reserved-name use
   * buildah: set XDG_RUNTIME_DIR before setting default runroot
   * imagebuildah: honor build output even if build container is not commited
   * chroot: honor DefaultErrnoRet
   * [CI:DOCS] improve pull-policy documentation
   * tests: retrofit test since --file does not supports dir
   * Switch to golang native error wrapping
   * BuildDockerfiles: error out if path to containerfile is a directory
   * define.downloadToDirectory: fail early if bad HTTP response
   * GHA: Allow re-use of Cirrus-Cron fail-mail workflow
   * add: fail on bad http response instead of writing to container
   * [CI:DOCS] Update buildahimage comment
   * lint: inspectable is never nil
   * vendor: c/common to [email protected]
   * build: support OCI hooks for ephemeral build containers
   * [CI:BUILD] Install latest buildah instead of compiling
   * Add subid support with BuildRequires and BUILDTAG [NO NEW TESTS NEEDED]
   * Make sure cpp is installed in buildah images
   * demo: use unshare for rootless invocations
   * buildah.spec.rpkg: initial addition
   * build: fix test for subid 4
   * build, userns: add support for --userns=auto
   * Fix building upstream buildah image
   * Remove redundant buildahimages-are-sane validation
   * Docs: Update multi-arch buildah images readme
   * Cirrus: Migrate multiarch build off github actions
   * retrofit-tests: we skip unused stages so use stages
   * stage_executor: dont rely on stage while looking for additional-context
   * buildkit, multistage: skip computing unwanted stages
   * More test cleanup
   * copier: work around freebsd bug for "mkdir /"
   * Replace $BUILDAH_BINARY with buildah() function
   * Fix up buildah images
   * Make util and copier build on FreeBSD
   * Vendor in latest github.com/sirupsen/logrus
   * Makefile: allow building without .git
   * run_unix: don't return an error from getNetworkInterface
   * run_unix: return a valid DefaultNamespaceOptions
   * Update vendor of containers/storage
   * chroot: use ActKillThread instead of ActKill
   * use resolvconf package from c/common/libnetwork
   * update c/common to latest main
   * copier: add `NoOverwriteNonDirDir` option
   * Sort buildoptions and move cli/build functions to internal
   * Fix TODO: de-spaghettify run mounts
   * Move options parsing out of build.go and into pkg/cli
   * [CI:DOCS] Tutorial 04 - Include Debian/Ubuntu deps
   * build, multiarch: support splitting build logs for --platform
   * [CI:BUILD] WIP Cleanup Image Dockerfiles
   * cli remove stutter
   * docker-parity: ignore sanity check if baseImage history is null
   * build, commit: allow disabling image history with --omit-history
   * Fix use generic/ambiguous DEBUG name
   * Cirrus: use Ubuntu 22.04 LTS
   * Fix codespell errors
   * Remove util.StringInSlice because it is defined in containers/common
   * buildah: add support for renaming a device in rootless setups
   * squash: never use build cache when computing last step of last stage
   * Update vendor of containers/(common, storage, image)
   * buildkit: supports additionalBuildContext in builds via --build-context
   * buildah source pull/push: show progress bar
   * run: allow resuing secret twice in different RUN steps
   * test helpers: default to being rootless-aware
   * Add --cpp-flag flag to buildah build
   * build: accept branch and subdirectory when context is git repo
   * Vendor in latest containers/common
   * vendor: update c/storage and c/image
   * Fix gentoo install docs
   * copier: move NSS load to new process
   * Add test for prevention of reusing encrypted layers
   * Make `buildah build --label foo` create an empty "foo" label again


   Update to version 1.26.4:

   * build, multiarch: support splitting build logs for --platform
   * copier: add `NoOverwriteNonDirDir` option
   * docker-parity: ignore sanity check if baseImage history is null
   * build, commit: allow disabling image history with --omit-history
   * buildkit: supports additionalBuildContext in builds via --build-context
   * Add --cpp-flag flag to buildah build

   Update to version 1.26.3:

   * define.downloadToDirectory: fail early if bad HTTP response
   * add: fail on bad http response instead of writing to container
   * squash: never use build cache when computing last step of last stage
   * run: allow resuing secret twice in different RUN steps
   * integration tests: update expected error messages
   * integration tests: quote "?" in shell scripts
   * Use errors.Is() to check for storage errors
   * lint: inspectable is never nil
   * chroot: use ActKillThread instead of ActKill
   * chroot: honor DefaultErrnoRet
   * Set user namespace defaults correctly for the library
   * contrib/rpm/buildah.spec: fix `rpm` parser warnings

   Drop requires on apparmor pattern, should be moved elsewhere for systems
   which want AppArmor instead of SELinux.

   - Update BuildRequires to libassuan-devel >= 2.5.2, pkgconfig file is
     required to build.

   Update to version 1.26.2:

   * buildah: add support for renaming a device in rootless setups

   Update to version 1.26.1:

   * Make `buildah build --label foo` create an empty "foo" label again
   * imagebuildah,build: move deepcopy of args before we spawn goroutine
   * Vendor in containers/storage v1.40.2
   * buildah.BuilderOptions.DefaultEnv is ignored, so mark it as deprecated
   * help output: get more consistent about option usage text
   * Handle OS version and features flags
   * buildah build: --annotation and --label should remove values
   * buildah build: add a --env
   * buildah: deep copy options.Args before performing concurrent build/stage
   * test: inline platform and builtinargs behaviour
   * vendor: bump imagebuilder to master/009dbc6
   * build: automatically set correct TARGETPLATFORM where expected
   * Vendor in containers/(common, storage, image)
   * imagebuildah, executor: process arg variables while populating baseMap
   * buildkit: add support for custom build output with --output
   * Cirrus: Update CI VMs to F36
   * fix staticcheck linter warning for deprecated function
   * Fix docs build on FreeBSD
   * copier.unwrapError(): update for Go 1.16
   * copier.PutOptions: add StripSetuidBit/StripSetgidBit/StripStickyBit
   * copier.Put(): write to read-only directories
   * Ed's periodic test cleanup
   * using consistent lowercase 'invalid' word in returned err msg
   * use etchosts package from c/common
   * run: set actual hostname in /etc/hostname to match docker parity
   * Update vendor of containers/(common,storage,image)
   * manifest-create: allow creating manifest list from local image
   * Update vendor of storage,common,image
   * Initialize network backend before first pull
   * oci spec: change special mount points for namespaces
   * tests/helpers.bash: assert handle corner cases correctly
   * buildah: actually use containers.conf settings
   * integration tests: learn to start a dummy registry
   * Fix error check to work on Podman
   * buildah build should accept at most one arg
   * tests: reduce concurrency for flaky bud-multiple-platform-no-run
   * vendor in latest containers/common,image,storage
   * manifest-add: allow override arch,variant while adding image
   * Remove a stray `\` from .containerenv
   * Vendor in latest opencontainers/selinux v1.10.1
   * build, commit: allow removing default identity labels
   * Create shorter names for containers based on image IDs
   * test: skip rootless on cgroupv2 in root env
   * fix hang when oci runtime fails
   * Set permissions for GitHub actions
   * copier test: use correct UID/GID in test archives
   * run: set parent-death signals and forward SIGHUP/SIGINT/SIGTERM


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap Micro 5.2:

      zypper in -t patch openSUSE-Leap-Micro-5.2-2022-3766=1

   - openSUSE Leap 15.3:

      zypper in -t patch openSUSE-SLE-15.3-2022-3766=1

   - SUSE Linux Enterprise Module for Containers 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Containers-15-SP3-2022-3766=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-3766=1

   - SUSE Linux Enterprise Micro 5.2:

      zypper in -t patch SUSE-SUSE-MicroOS-5.2-2022-3766=1

   - SUSE Linux Enterprise Micro 5.1:

      zypper in -t patch SUSE-SUSE-MicroOS-5.1-2022-3766=1



Package List:

   - openSUSE Leap Micro 5.2 (aarch64 x86_64):

      libgpg-error-debugsource-1.42-150300.9.3.1
      libgpg-error0-1.42-150300.9.3.1
      libgpg-error0-debuginfo-1.42-150300.9.3.1

   - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):

      buildah-1.27.1-150300.8.11.1
      libgpg-error-debugsource-1.42-150300.9.3.1
      libgpg-error-devel-1.42-150300.9.3.1
      libgpg-error-devel-debuginfo-1.42-150300.9.3.1
      libgpg-error0-1.42-150300.9.3.1
      libgpg-error0-debuginfo-1.42-150300.9.3.1

   - openSUSE Leap 15.3 (x86_64):

      libgpg-error-devel-32bit-1.42-150300.9.3.1
      libgpg-error-devel-32bit-debuginfo-1.42-150300.9.3.1
      libgpg-error0-32bit-1.42-150300.9.3.1
      libgpg-error0-32bit-debuginfo-1.42-150300.9.3.1

   - SUSE Linux Enterprise Module for Containers 15-SP3 (aarch64 ppc64le s390x x86_64):

      buildah-1.27.1-150300.8.11.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):

      libgpg-error-debugsource-1.42-150300.9.3.1
      libgpg-error-devel-1.42-150300.9.3.1
      libgpg-error-devel-debuginfo-1.42-150300.9.3.1
      libgpg-error0-1.42-150300.9.3.1
      libgpg-error0-debuginfo-1.42-150300.9.3.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64):

      libgpg-error0-32bit-1.42-150300.9.3.1
      libgpg-error0-32bit-debuginfo-1.42-150300.9.3.1

   - SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64):

      libgpg-error-debugsource-1.42-150300.9.3.1
      libgpg-error0-1.42-150300.9.3.1
      libgpg-error0-debuginfo-1.42-150300.9.3.1

   - SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64):

      libgpg-error-debugsource-1.42-150300.9.3.1
      libgpg-error0-1.42-150300.9.3.1
      libgpg-error0-debuginfo-1.42-150300.9.3.1


References:

   https://www.suse.com/security/cve/CVE-2020-10696.html
   https://www.suse.com/security/cve/CVE-2021-20206.html
   https://www.suse.com/security/cve/CVE-2022-2990.html
   https://bugzilla.suse.com/1167864
   https://bugzilla.suse.com/1181961
   https://bugzilla.suse.com/1202812

SUSE: 2022:3766-1 important: buildah

October 26, 2022
An update that fixes three vulnerabilities is now available

Summary

This update for buildah fixes the following issues: - CVE-2021-20206: Fixed an issue in libcni that could allow an attacker to execute arbitrary binaries on the host (bsc#1181961). - CVE-2020-10696: Fixed an issue that could lead to files being overwritten during the image building process (bsc#1167864). - CVE-2022-2990: Fixed possible information disclosure and modification / bsc#1202812 Buildah was updated to version 1.27.1: * run: add container gid to additional groups - Add fix for CVE-2022-2990 / bsc#1202812 Update to version 1.27.0: * Don't try to call runLabelStdioPipes if spec.Linux is not set * build: support filtering cache by duration using --cache-ttl * build: support building from commit when using git repo as build context * build: clean up git repos correctly when using subdirs * integration tests: quote "?" in shell scripts * test: manifest inspect should have OCIv1 annotation * vendor: bump to c/[email protected] * Failure to determine a file or directory should print an error * refactor: remove unused CommitOptions from generateBuildOutput * stage_executor: generate output for cases with no commit * stage_executor, commit: output only if last stage in build * Use errors.Is() instead of os.Is{Not,}Exist * Minor test tweak for podman-remote compatibility * Cirrus: Use the latest imgts container * imagebuildah: complain about the right Dockerfile * tests: don't try to wrap `nil` errors * cmd/buildah.commitCmd: don't shadow "err" * cmd/buildah.pullCmd: complain about DecryptConfig/EncryptConfig * Fix a copy/paste error message * Fix a typo in an error message * build,cache: support pulling/pushing cache layers to/from remote sources * Update vendor of containers/(common, storage, image) * Rename chroot/run.go to chroot/run_linux.go * Don't bother telling codespell to skip files that don't exist * Set user namespace defaults correctly for the library * imagebuildah: optimize cache hits for COPY and ADD instructions * Cirrus: Update VM images w/ updated bats * docs, run: show SELinux label flag for cache and bind mounts * imagebuildah, build: remove undefined concurrent writes * bump github.com/opencontainers/runtime-tools * Add FreeBSD support for 'buildah info' * Vendor in latest containers/(storage, common, image) * Add freebsd cross build targets * Make the jail package build on 32bit platforms * Cirrus: Ensure the build-push VM image is labeled * GHA: Fix dynamic script filename * Vendor in containers/(common, storage, image) * Run codespell * Remove import of github.com/pkg/errors * Avoid using cgo in pkg/jail * Rename footypes to fooTypes for naming consistency * Move cleanupTempVolumes and cleanupRunMounts to run_common.go * Make the various run mounts work for FreeBSD * Move get{Bind,Tmpfs,Secret,SSH}Mount to run_common.go * Move runSetupRunMounts to run_common.go * Move cleanableDestinationListFromMounts to run_common.go * Make setupMounts and runSetupBuiltinVolumes work on FreeBSD * Move setupMounts and runSetupBuiltinVolumes to run_common.go * Tidy up - runMakeStdioPipe can't be shared with linux * Move runAcceptTerminal to run_common.go * Move stdio copying utilities to run_common.go * Move runUsingRuntime and runCollectOutput to run_common.go * Move fileCloser, waitForSync and contains to run_common.go * Move checkAndOverrideIsolationOptions to run_common.go * Move DefaultNamespaceOptions to run_common.go * Move getNetworkInterface to run_common.go * Move configureEnvironment to run_common.go * Don't crash in configureUIDGID if Process.Capabilities is nil * Move configureUIDGID to run_common.go * Move runLookupPath to run_common.go * Move setupTerminal to run_common.go * Move etc file generation utilities to run_common.go * Add run support for FreeBSD * Add a simple FreeBSD jail library * Add FreeBSD support to pkg/chrootuser * Sync call signature for RunUsingChroot with chroot/run.go * test: verify feature to resolve basename with args * vendor: bump openshift/imagebuilder to [email protected] * GHA: Remove required reserved-name use * buildah: set XDG_RUNTIME_DIR before setting default runroot * imagebuildah: honor build output even if build container is not commited * chroot: honor DefaultErrnoRet * [CI:DOCS] improve pull-policy documentation * tests: retrofit test since --file does not supports dir * Switch to golang native error wrapping * BuildDockerfiles: error out if path to containerfile is a directory * define.downloadToDirectory: fail early if bad HTTP response * GHA: Allow re-use of Cirrus-Cron fail-mail workflow * add: fail on bad http response instead of writing to container * [CI:DOCS] Update buildahimage comment * lint: inspectable is never nil * vendor: c/common to [email protected] * build: support OCI hooks for ephemeral build containers * [CI:BUILD] Install latest buildah instead of compiling * Add subid support with BuildRequires and BUILDTAG [NO NEW TESTS NEEDED] * Make sure cpp is installed in buildah images * demo: use unshare for rootless invocations * buildah.spec.rpkg: initial addition * build: fix test for subid 4 * build, userns: add support for --userns=auto * Fix building upstream buildah image * Remove redundant buildahimages-are-sane validation * Docs: Update multi-arch buildah images readme * Cirrus: Migrate multiarch build off github actions * retrofit-tests: we skip unused stages so use stages * stage_executor: dont rely on stage while looking for additional-context * buildkit, multistage: skip computing unwanted stages * More test cleanup * copier: work around freebsd bug for "mkdir /" * Replace $BUILDAH_BINARY with buildah() function * Fix up buildah images * Make util and copier build on FreeBSD * Vendor in latest github.com/sirupsen/logrus * Makefile: allow building without .git * run_unix: don't return an error from getNetworkInterface * run_unix: return a valid DefaultNamespaceOptions * Update vendor of containers/storage * chroot: use ActKillThread instead of ActKill * use resolvconf package from c/common/libnetwork * update c/common to latest main * copier: add `NoOverwriteNonDirDir` option * Sort buildoptions and move cli/build functions to internal * Fix TODO: de-spaghettify run mounts * Move options parsing out of build.go and into pkg/cli * [CI:DOCS] Tutorial 04 - Include Debian/Ubuntu deps * build, multiarch: support splitting build logs for --platform * [CI:BUILD] WIP Cleanup Image Dockerfiles * cli remove stutter * docker-parity: ignore sanity check if baseImage history is null * build, commit: allow disabling image history with --omit-history * Fix use generic/ambiguous DEBUG name * Cirrus: use Ubuntu 22.04 LTS * Fix codespell errors * Remove util.StringInSlice because it is defined in containers/common * buildah: add support for renaming a device in rootless setups * squash: never use build cache when computing last step of last stage * Update vendor of containers/(common, storage, image) * buildkit: supports additionalBuildContext in builds via --build-context * buildah source pull/push: show progress bar * run: allow resuing secret twice in different RUN steps * test helpers: default to being rootless-aware * Add --cpp-flag flag to buildah build * build: accept branch and subdirectory when context is git repo * Vendor in latest containers/common * vendor: update c/storage and c/image * Fix gentoo install docs * copier: move NSS load to new process * Add test for prevention of reusing encrypted layers * Make `buildah build --label foo` create an empty "foo" label again Update to version 1.26.4: * build, multiarch: support splitting build logs for --platform * copier: add `NoOverwriteNonDirDir` option * docker-parity: ignore sanity check if baseImage history is null * build, commit: allow disabling image history with --omit-history * buildkit: supports additionalBuildContext in builds via --build-context * Add --cpp-flag flag to buildah build Update to version 1.26.3: * define.downloadToDirectory: fail early if bad HTTP response * add: fail on bad http response instead of writing to container * squash: never use build cache when computing last step of last stage * run: allow resuing secret twice in different RUN steps * integration tests: update expected error messages * integration tests: quote "?" in shell scripts * Use errors.Is() to check for storage errors * lint: inspectable is never nil * chroot: use ActKillThread instead of ActKill * chroot: honor DefaultErrnoRet * Set user namespace defaults correctly for the library * contrib/rpm/buildah.spec: fix `rpm` parser warnings Drop requires on apparmor pattern, should be moved elsewhere for systems which want AppArmor instead of SELinux. - Update BuildRequires to libassuan-devel >= 2.5.2, pkgconfig file is required to build. Update to version 1.26.2: * buildah: add support for renaming a device in rootless setups Update to version 1.26.1: * Make `buildah build --label foo` create an empty "foo" label again * imagebuildah,build: move deepcopy of args before we spawn goroutine * Vendor in containers/storage v1.40.2 * buildah.BuilderOptions.DefaultEnv is ignored, so mark it as deprecated * help output: get more consistent about option usage text * Handle OS version and features flags * buildah build: --annotation and --label should remove values * buildah build: add a --env * buildah: deep copy options.Args before performing concurrent build/stage * test: inline platform and builtinargs behaviour * vendor: bump imagebuilder to master/009dbc6 * build: automatically set correct TARGETPLATFORM where expected * Vendor in containers/(common, storage, image) * imagebuildah, executor: process arg variables while populating baseMap * buildkit: add support for custom build output with --output * Cirrus: Update CI VMs to F36 * fix staticcheck linter warning for deprecated function * Fix docs build on FreeBSD * copier.unwrapError(): update for Go 1.16 * copier.PutOptions: add StripSetuidBit/StripSetgidBit/StripStickyBit * copier.Put(): write to read-only directories * Ed's periodic test cleanup * using consistent lowercase 'invalid' word in returned err msg * use etchosts package from c/common * run: set actual hostname in /etc/hostname to match docker parity * Update vendor of containers/(common,storage,image) * manifest-create: allow creating manifest list from local image * Update vendor of storage,common,image * Initialize network backend before first pull * oci spec: change special mount points for namespaces * tests/helpers.bash: assert handle corner cases correctly * buildah: actually use containers.conf settings * integration tests: learn to start a dummy registry * Fix error check to work on Podman * buildah build should accept at most one arg * tests: reduce concurrency for flaky bud-multiple-platform-no-run * vendor in latest containers/common,image,storage * manifest-add: allow override arch,variant while adding image * Remove a stray `\` from .containerenv * Vendor in latest opencontainers/selinux v1.10.1 * build, commit: allow removing default identity labels * Create shorter names for containers based on image IDs * test: skip rootless on cgroupv2 in root env * fix hang when oci runtime fails * Set permissions for GitHub actions * copier test: use correct UID/GID in test archives * run: set parent-death signals and forward SIGHUP/SIGINT/SIGTERM Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap Micro 5.2: zypper in -t patch openSUSE-Leap-Micro-5.2-2022-3766=1 - openSUSE Leap 15.3: zypper in -t patch openSUSE-SLE-15.3-2022-3766=1 - SUSE Linux Enterprise Module for Containers 15-SP3: zypper in -t patch SUSE-SLE-Module-Containers-15-SP3-2022-3766=1 - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-3766=1 - SUSE Linux Enterprise Micro 5.2: zypper in -t patch SUSE-SUSE-MicroOS-5.2-2022-3766=1 - SUSE Linux Enterprise Micro 5.1: zypper in -t patch SUSE-SUSE-MicroOS-5.1-2022-3766=1 Package List: - openSUSE Leap Micro 5.2 (aarch64 x86_64): libgpg-error-debugsource-1.42-150300.9.3.1 libgpg-error0-1.42-150300.9.3.1 libgpg-error0-debuginfo-1.42-150300.9.3.1 - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64): buildah-1.27.1-150300.8.11.1 libgpg-error-debugsource-1.42-150300.9.3.1 libgpg-error-devel-1.42-150300.9.3.1 libgpg-error-devel-debuginfo-1.42-150300.9.3.1 libgpg-error0-1.42-150300.9.3.1 libgpg-error0-debuginfo-1.42-150300.9.3.1 - openSUSE Leap 15.3 (x86_64): libgpg-error-devel-32bit-1.42-150300.9.3.1 libgpg-error-devel-32bit-debuginfo-1.42-150300.9.3.1 libgpg-error0-32bit-1.42-150300.9.3.1 libgpg-error0-32bit-debuginfo-1.42-150300.9.3.1 - SUSE Linux Enterprise Module for Containers 15-SP3 (aarch64 ppc64le s390x x86_64): buildah-1.27.1-150300.8.11.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): libgpg-error-debugsource-1.42-150300.9.3.1 libgpg-error-devel-1.42-150300.9.3.1 libgpg-error-devel-debuginfo-1.42-150300.9.3.1 libgpg-error0-1.42-150300.9.3.1 libgpg-error0-debuginfo-1.42-150300.9.3.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64): libgpg-error0-32bit-1.42-150300.9.3.1 libgpg-error0-32bit-debuginfo-1.42-150300.9.3.1 - SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64): libgpg-error-debugsource-1.42-150300.9.3.1 libgpg-error0-1.42-150300.9.3.1 libgpg-error0-debuginfo-1.42-150300.9.3.1 - SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64): libgpg-error-debugsource-1.42-150300.9.3.1 libgpg-error0-1.42-150300.9.3.1 libgpg-error0-debuginfo-1.42-150300.9.3.1

References

#1167864 #1181961 #1202812

Cross- CVE-2020-10696 CVE-2021-20206 CVE-2022-2990

CVSS scores:

CVE-2020-10696 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2020-10696 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-20206 (NVD) : 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2021-20206 (SUSE): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2022-2990 (NVD) : 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVE-2022-2990 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Affected Products:

SUSE Linux Enterprise Desktop 15-SP3

SUSE Linux Enterprise High Performance Computing 15-SP3

SUSE Linux Enterprise Micro 5.1

SUSE Linux Enterprise Micro 5.2

SUSE Linux Enterprise Module for Basesystem 15-SP3

SUSE Linux Enterprise Module for Containers 15-SP3

SUSE Linux Enterprise Server 15-SP3

SUSE Linux Enterprise Server for SAP Applications 15-SP3

SUSE Linux Enterprise Storage 7.1

SUSE Manager Proxy 4.2

SUSE Manager Retail Branch Server 4.2

SUSE Manager Server 4.2

openSUSE Leap 15.3

openSUSE Leap Micro 5.2

https://www.suse.com/security/cve/CVE-2020-10696.html

https://www.suse.com/security/cve/CVE-2021-20206.html

https://www.suse.com/security/cve/CVE-2022-2990.html

https://bugzilla.suse.com/1167864

https://bugzilla.suse.com/1181961

https://bugzilla.suse.com/1202812

Severity
Announcement ID: SUSE-SU-2022:3766-1
Rating: important

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.