Security update for portus

Announcement ID:	SUSE-SU-2016:1146-1
Rating:	important
References:	bsc#963326 bsc#963327 bsc#963328 bsc#963563 bsc#963604 bsc#963608 bsc#963617 bsc#963625 bsc#963627 bsc#969943
Cross-References:	CVE-2015-7576 CVE-2015-7577 CVE-2015-7578 CVE-2015-7579 CVE-2015-7580 CVE-2015-7581 CVE-2016-0751 CVE-2016-0752 CVE-2016-0753 CVE-2016-2098
CVSS scores:	CVE-2015-7576 ( NVD ): 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2015-7577 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2015-7578 ( NVD ): 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2015-7579 ( NVD ): 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2015-7580 ( NVD ): 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2015-7581 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-0751 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-0752 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2016-0753 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2016-0753 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2016-2098 ( NVD ): 7.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Affected Products:	Containers Module 12 SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5

An update that solves 10 vulnerabilities can now be installed.

Description:

Portus was updated to version 2.0.3, which brings several fixes and enhancements:

• Fixed crono job when a repository could not be found.
• Fixed compatibility issues with Docker 1.10 and Distribution 2.3.
• Handle multiple scopes in token requests.
• Add optional fields to token response.
• Fixed notification events for Distribution v2.3.
• Paginate through the catalog properly.
• Do not remove all the repositories if fetching one fails.
• Fixed SMTP setup.
• Don't let crono overflow the 'log' column on the DB.
• Show the actual LDAP error on invalid login.
• Fixed the location of crono logs.
• Always use relative paths.
• Set RUBYLIB when using portusctl.
• Don't count hidden teams on the admin panel.
• Warn developers on unsupported docker-compose versions.
• Directly invalidate LDAP logins without name and password.
• Don't show the "I forgot my password" link on LDAP.

The following Rubygems bundled within Portus have been updated to fix security issues:

• CVE-2016-2098: rubygem-actionpack (bsc#969943).
• CVE-2015-7578: rails-html-sanitizer (bsc#963326).
• CVE-2015-7579: rails-html-sanitizer (bsc#963327).
• CVE-2015-7580: rails-html-sanitizer (bsc#963328).
• CVE-2015-7576: rubygem-actionpack, rubygem-activesupport (bsc#963563).
• CVE-2015-7577: rubygem-activerecord (bsc#963604).
• CVE-2016-0751: rugygem-actionpack (bsc#963627).
• CVE-2016-0752: rubygem-actionpack, rubygem-actionview (bsc#963608).
• CVE-2016-0753: rubygem-activemodel, rubygem-activesupport, rubygem-activerecord (bsc#963617).
• CVE-2015-7581: rubygem-actionpack (bsc#963625).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Containers Module 12
  zypper in -t patch SUSE-SLE-Module-Containers-12-2016-672=1

Package List:

• Containers Module 12 (x86_64)
  • portus-debugsource-2.0.3-2.4
  • portus-2.0.3-2.4
  • portus-debuginfo-2.0.3-2.4

References:

• https://www.suse.com/security/cve/CVE-2015-7576.html
• https://www.suse.com/security/cve/CVE-2015-7577.html
• https://www.suse.com/security/cve/CVE-2015-7578.html
• https://www.suse.com/security/cve/CVE-2015-7579.html
• https://www.suse.com/security/cve/CVE-2015-7580.html
• https://www.suse.com/security/cve/CVE-2015-7581.html
• https://www.suse.com/security/cve/CVE-2016-0751.html
• https://www.suse.com/security/cve/CVE-2016-0752.html
• https://www.suse.com/security/cve/CVE-2016-0753.html
• https://www.suse.com/security/cve/CVE-2016-2098.html
• https://bugzilla.suse.com/show_bug.cgi?id=963326
• https://bugzilla.suse.com/show_bug.cgi?id=963327
• https://bugzilla.suse.com/show_bug.cgi?id=963328
• https://bugzilla.suse.com/show_bug.cgi?id=963563
• https://bugzilla.suse.com/show_bug.cgi?id=963604
• https://bugzilla.suse.com/show_bug.cgi?id=963608
• https://bugzilla.suse.com/show_bug.cgi?id=963617
• https://bugzilla.suse.com/show_bug.cgi?id=963625
• https://bugzilla.suse.com/show_bug.cgi?id=963627
• https://bugzilla.suse.com/show_bug.cgi?id=969943