Security update for skopeo SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0377-1 Final 1 1 2020-03-25T09:19:16Z current 2020-03-25T09:19:16Z 2020-03-25T09:19:16Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for skopeo This update for skopeo fixes the following issues: Update to skopeo v0.1.41 (bsc#1165715): - Bump github.com/containers/image/v5 from 5.2.0 to 5.2.1 - Bump gopkg.in/yaml.v2 from 2.2.7 to 2.2.8 - Bump github.com/containers/common from 0.0.7 to 0.1.4 - Remove the reference to openshift/api - vendor github.com/containers/image/v5@v5.2.0 - Manually update buildah to v1.13.1 - add specific authfile options to copy (and sync) command. - Bump github.com/containers/buildah from 1.11.6 to 1.12.0 - Add context to --encryption-key / --decryption-key processing failures - Bump github.com/containers/storage from 1.15.2 to 1.15.3 - Bump github.com/containers/buildah from 1.11.5 to 1.11.6 - remove direct reference on c/image/storage - Makefile: set GOBIN - Bump gopkg.in/yaml.v2 from 2.2.2 to 2.2.7 - Bump github.com/containers/storage from 1.15.1 to 1.15.2 - Introduce the sync command - openshift cluster: remove .docker directory on teardown - Bump github.com/containers/storage from 1.14.0 to 1.15.1 - document installation via apk on alpine - Fix typos in doc for image encryption - Image encryption/decryption support in skopeo - make vendor-in-container - Bump github.com/containers/buildah from 1.11.4 to 1.11.5 - Travis: use go v1.13 - Use a Windows Nano Server image instead of Server Core for multi-arch testing - Increase test timeout to 15 minutes - Run the test-system container without --net=host - Mount /run/systemd/journal/socket into test-system containers - Don't unnecessarily filter out vendor from (go list ./...) output - Use -mod=vendor in (go {list,test,vet}) - Bump github.com/containers/buildah from 1.8.4 to 1.11.4 - Bump github.com/urfave/cli from 1.20.0 to 1.22.1 - skopeo: drop support for ostree - Don't critically fail on a 403 when listing tags - Revert 'Temporarily work around auth.json location confusion' - Remove references to atomic - Remove references to storage.conf - Dockerfile: use golang-github-cpuguy83-go-md2man - bump version to v0.1.41-dev - systemtest: inspect container image different from current platform arch Changes in v0.1.40: - vendor containers/image v5.0.0 - copy: add a --all/-a flag - System tests: various fixes - Temporarily work around auth.json location confusion - systemtest: copy: docker->storage->oci-archive - systemtest/010-inspect.bats: require only PATH - systemtest: add simple env test in inspect.bats - bash completion: add comments to keep scattered options in sync - bash completion: use read -r instead of disabling SC2207 - bash completion: support --opt arg completion - bash-completion: use replacement instead of sed - bash completion: disable shellcheck SC2207 - bash completion: double-quote to avoid re-splitting - bash completions: use bash replacement instead of sed - bash completion: remove unused variable - bash-completions: split decl and assignment to avoid masking retvals - bash completion: double-quote fixes - bash completion: hard-set PROG=skopeo - bash completion: remove unused variable - bash completion: use `||` instead of `-o` - bash completion: rm eval on assigned variable - copy: add --dest-compress-format and --dest-compress-level - flag: add optionalIntValue - Makefile: use go proxy - inspect --raw: skip the NewImage() step - update OCI image-spec to 775207bd45b6cb8153ce218cc59351799217451f - inspect.go: inspect env variables - ostree: use both image and & storage buildtags Update to skopeo v0.1.39 (bsc#1159530): - inspect: add a --config flag - Add --no-creds flag to skopeo inspect - Add --quiet option to skopeo copy - New progress bars - Parallel Pulls and Pushes for major speed improvements - containers/image moved to a new progress-bar library to fix various issues related to overlapping bars and redundant entries. - enforce blocking of registries - Allow storage-multiple-manifests - When copying images and the output is not a tty (e.g., when piping to a file) print single lines instead of using progress bars. This avoids long and hard to parse output - man pages: add --dest-oci-accept-uncompressed-layers - completions: - Introduce transports completions - Fix bash completions when a option requires a argument - Use only spaces in indent - Fix completions with a global option - add --dest-oci-accept-uncompressed-layers This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-377 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4ILBJ4PWG72SOBVPDNPC2K2KBEYLGL36/ E-Mail link for openSUSE-SU-2020:0377-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1159530 SUSE Bug 1159530 https://bugzilla.suse.com/1165715 SUSE Bug 1165715 https://www.suse.com/security/cve/CVE-2019-10214/ SUSE CVE CVE-2019-10214 page openSUSE Leap 15.1 skopeo-0.1.41-lp151.2.6.1 skopeo-0.1.41-lp151.2.6.1 as a component of openSUSE Leap 15.1 The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launch a MiTM attack and steal login credentials or bearer tokens. CVE-2019-10214 openSUSE Leap 15.1:skopeo-0.1.41-lp151.2.6.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4ILBJ4PWG72SOBVPDNPC2K2KBEYLGL36/ https://www.suse.com/security/cve/CVE-2019-10214.html CVE-2019-10214 https://bugzilla.suse.com/1144065 SUSE Bug 1144065