Security update for skopeo

Announcement ID: SUSE-SU-2020:0712-1
Rating: moderate
CVSS scores:
  • CVE-2019-10214 (SUSE): 9.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
  • CVE-2019-10214 (NVD): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:
  • Server Applications Module 15-SP1
  • SUSE Linux Enterprise High Performance Computing 15 SP1
  • SUSE Linux Enterprise Real Time 15 SP1
  • SUSE Linux Enterprise Server 15 SP1
  • SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP1
  • SUSE Manager Proxy 4.0
  • SUSE Manager Retail Branch Server 4.0
  • SUSE Manager Server 4.0

An update that solves one vulnerability and has one security fix can now be installed.

Description:

This update for skopeo fixes the following issues:

Update to skopeo v0.1.41 (bsc#1165715):

  • Bump github.com/containers/image/v5 from 5.2.0 to 5.2.1
  • Bump gopkg.in/yaml.v2 from 2.2.7 to 2.2.8
  • Bump github.com/containers/common from 0.0.7 to 0.1.4
  • Remove the reference to openshift/api
  • vendor github.com/containers/image/v5@v5.2.0
  • Manually update buildah to v1.13.1
  • add specific authfile options to copy (and sync) command.
  • Bump github.com/containers/buildah from 1.11.6 to 1.12.0
  • Add context to --encryption-key / --decryption-key processing failures
  • Bump github.com/containers/storage from 1.15.2 to 1.15.3
  • Bump github.com/containers/buildah from 1.11.5 to 1.11.6
  • remove direct reference on c/image/storage
  • Makefile: set GOBIN
  • Bump gopkg.in/yaml.v2 from 2.2.2 to 2.2.7
  • Bump github.com/containers/storage from 1.15.1 to 1.15.2
  • Introduce the sync command
  • openshift cluster: remove .docker directory on teardown
  • Bump github.com/containers/storage from 1.14.0 to 1.15.1
  • document installation via apk on alpine
  • Fix typos in doc for image encryption
  • Image encryption/decryption support in skopeo
  • make vendor-in-container
  • Bump github.com/containers/buildah from 1.11.4 to 1.11.5
  • Travis: use go v1.13
  • Use a Windows Nano Server image instead of Server Core for multi-arch testing
  • Increase test timeout to 15 minutes
  • Run the test-system container without --net=host
  • Mount /run/systemd/journal/socket into test-system containers
  • Don't unnecessarily filter out vendor from (go list ./...) output
  • Use -mod=vendor in (go {list,test,vet})
  • Bump github.com/containers/buildah from 1.8.4 to 1.11.4
  • Bump github.com/urfave/cli from 1.20.0 to 1.22.1
  • skopeo: drop support for ostree
  • Don't critically fail on a 403 when listing tags
  • Revert "Temporarily work around auth.json location confusion"
  • Remove references to atomic
  • Remove references to storage.conf
  • Dockerfile: use golang-github-cpuguy83-go-md2man
  • bump version to v0.1.41-dev
  • systemtest: inspect container image different from current platform arch

Changes in v0.1.40:

  • vendor containers/image v5.0.0
  • copy: add a --all/-a flag
  • System tests: various fixes
  • Temporarily work around auth.json location confusion
  • systemtest: copy: docker->storage->oci-archive
  • systemtest/010-inspect.bats: require only PATH
  • systemtest: add simple env test in inspect.bats
  • bash completion: add comments to keep scattered options in sync
  • bash completion: use read -r instead of disabling SC2207
  • bash completion: support --opt arg completion
  • bash-completion: use replacement instead of sed
  • bash completion: disable shellcheck SC2207
  • bash completion: double-quote to avoid re-splitting
  • bash completions: use bash replacement instead of sed
  • bash completion: remove unused variable
  • bash-completions: split decl and assignment to avoid masking retvals
  • bash completion: double-quote fixes
  • bash completion: hard-set PROG=skopeo
  • bash completion: remove unused variable
  • bash completion: use || instead of -o
  • bash completion: rm eval on assigned variable
  • copy: add --dest-compress-format and --dest-compress-level
  • flag: add optionalIntValue
  • Makefile: use go proxy
  • inspect --raw: skip the NewImage() step
  • update OCI image-spec to 775207bd45b6cb8153ce218cc59351799217451f
  • inspect.go: inspect env variables
  • ostree: use both image and storage buildtags

Update to skopeo v0.1.39 (bsc#1159530):

  • inspect: add a --config flag
  • Add --no-creds flag to skopeo inspect
  • Add --quiet option to skopeo copy
  • New progress bars
  • Parallel Pulls and Pushes for major speed improvements
  • containers/image moved to a new progress-bar library to fix various issues related to overlapping bars and redundant entries.
  • enforce blocking of registries
  • Allow storage-multiple-manifests
  • When copying images and the output is not a tty (e.g., when piping to a file), print single lines instead of using progress bars. This avoids long and hard-to-parse output.
  • man pages: add --dest-oci-accept-uncompressed-layers
  • completions:
    • Introduce transports completions
    • Fix bash completions when an option requires an argument
    • Use only spaces in indent
    • Fix completions with a global option
  • add --dest-oci-accept-uncompressed-layers

Patch Instructions:

To install this SUSE update, use the SUSE-recommended installation methods such as YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  • Server Applications Module 15-SP1
    zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-712=1

Package List:

  • Server Applications Module 15-SP1 (aarch64 ppc64le s390x x86_64)
    • skopeo-0.1.41-4.11.1
    • skopeo-debuginfo-0.1.41-4.11.1
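
A check a defender would run after rolling out this patch, added here as an example and not part of the SUSE advisory: it takes the package string that `rpm -q skopeo` prints on a host, strips the name and architecture, and compares the remaining version-release field by field against the fixed build from the package list above (skopeo-0.1.41-4.11.1). The `vr_ge`, `skopeo_is_fixed` and `list_unpatched` function names and the three-host inventory are my own constructions; on a real fleet the inventory would be replaced by collected `rpm -q` output.

```shell
#!/bin/sh
# Added example (not part of the SUSE advisory): report hosts whose installed
# skopeo is older than the fixed build from SUSE-SU-2020:0712-1.
# Pure POSIX sh, so it runs without rpm or zypper present.

FIXED_SKOPEO_VR="0.1.41-4.11.1"   # version-release from the advisory's package list

# vr_ge A B: return 0 when version-release A is >= B.
# Both strings are split on '.' and '-' and compared field by field as
# integers; a missing trailing field counts as 0 (so 1.2 equals 1.2.0).
vr_ge() {
    a=$(printf '%s' "$1" | sed 's/[.-]/ /g')
    b=$(printf '%s' "$2" | sed 's/[.-]/ /g')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%% *}; y=${b%% *}
        # drop the field just read; when no space is left, the string is exhausted
        case "$a" in *' '*) a=${a#* } ;; *) a='' ;; esac
        case "$b" in *' '*) b=${b#* } ;; *) b='' ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# skopeo_is_fixed NEVRA: strip the "skopeo-" prefix and an optional trailing
# architecture (the four the advisory ships plus noarch), then compare what
# remains with the fixed version-release.
skopeo_is_fixed() {
    vr=${1#skopeo-}
    case "$vr" in
        *.x86_64|*.aarch64|*.ppc64le|*.s390x|*.noarch) vr=${vr%.*} ;;
    esac
    vr_ge "$vr" "$FIXED_SKOPEO_VR"
}

# Constructed sample inventory: "<hostname> <rpm -q skopeo output>" per line.
SAMPLE_INVENTORY='node-a skopeo-0.1.41-4.11.1.x86_64
node-b skopeo-0.1.40-3.2.1.x86_64
node-c skopeo-0.1.41-4.9.1.aarch64'

# list_unpatched: print the hostname of every inventory entry still below the fix.
list_unpatched() {
    printf '%s\n' "$SAMPLE_INVENTORY" | while read -r host pkg; do
        skopeo_is_fixed "$pkg" || printf '%s\n' "$host"
    done
}

# Stand-alone run: node-b (older version) and node-c (older release) are reported.
list_unpatched
```

The release part matters as much as the version: node-c already runs 0.1.41 but a release below 4.11.1, so a check that only looks at the upstream version would wrongly mark it as patched.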
