
A skopeo security update has been released for openSUSE Leap 15.1 that solves one vulnerability.



openSUSE Security Update: Security update for skopeo
______________________________________________________________________________

Announcement ID: openSUSE-SU-2020:0377-1
Rating: moderate
References: #1159530 #1165715
Cross-References: CVE-2019-10214
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________

An update that solves one vulnerability and has one errata
is now available.

Description:

This update for skopeo fixes the following issues:

Update to skopeo v0.1.41 (bsc#1165715):

- Bump github.com/containers/image/v5 from 5.2.0 to 5.2.1
- Bump gopkg.in/yaml.v2 from 2.2.7 to 2.2.8
- Bump github.com/containers/common from 0.0.7 to 0.1.4
- Remove the reference to openshift/api
- vendor github.com/containers/image/v5@v5.2.0
- Manually update buildah to v1.13.1
- add specific authfile options to copy (and sync) command.
- Bump github.com/containers/buildah from 1.11.6 to 1.12.0
- Add context to --encryption-key / --decryption-key processing failures
- Bump github.com/containers/storage from 1.15.2 to 1.15.3
- Bump github.com/containers/buildah from 1.11.5 to 1.11.6
- remove direct reference on c/image/storage
- Makefile: set GOBIN
- Bump gopkg.in/yaml.v2 from 2.2.2 to 2.2.7
- Bump github.com/containers/storage from 1.15.1 to 1.15.2
- Introduce the sync command
- openshift cluster: remove .docker directory on teardown
- Bump github.com/containers/storage from 1.14.0 to 1.15.1
- document installation via apk on alpine
- Fix typos in doc for image encryption
- Image encryption/decryption support in skopeo
- make vendor-in-container
- Bump github.com/containers/buildah from 1.11.4 to 1.11.5
- Travis: use go v1.13
- Use a Windows Nano Server image instead of Server Core for multi-arch
testing
- Increase test timeout to 15 minutes
- Run the test-system container without --net=host
- Mount /run/systemd/journal/socket into test-system containers
- Don't unnecessarily filter out vendor from (go list ./...)
output
- Use -mod=vendor in (go {list,test,vet})
- Bump github.com/containers/buildah from 1.8.4 to 1.11.4
- Bump github.com/urfave/cli from 1.20.0 to 1.22.1
- skopeo: drop support for ostree
- Don't critically fail on a 403 when listing tags
- Revert "Temporarily work around auth.json location confusion"
- Remove references to atomic
- Remove references to storage.conf
- Dockerfile: use golang-github-cpuguy83-go-md2man
- bump version to v0.1.41-dev
- systemtest: inspect container image different from current platform arch

Changes in v0.1.40:

- vendor containers/image v5.0.0
- copy: add a --all/-a flag
- System tests: various fixes
- Temporarily work around auth.json location confusion
- systemtest: copy: docker->storage->oci-archive
- systemtest/010-inspect.bats: require only PATH
- systemtest: add simple env test in inspect.bats
- bash completion: add comments to keep scattered options in sync
- bash completion: use read -r instead of disabling SC2207
- bash completion: support --opt arg completion
- bash-completion: use replacement instead of sed
- bash completion: disable shellcheck SC2207
- bash completion: double-quote to avoid re-splitting
- bash completions: use bash replacement instead of sed
- bash completion: remove unused variable
- bash-completions: split decl and assignment to avoid masking retvals
- bash completion: double-quote fixes
- bash completion: hard-set PROG=skopeo
- bash completion: remove unused variable
- bash completion: use `||` instead of `-o`
- bash completion: rm eval on assigned variable
- copy: add --dest-compress-format and --dest-compress-level
- flag: add optionalIntValue
- Makefile: use go proxy
- inspect --raw: skip the NewImage() step
- update OCI image-spec to 775207bd45b6cb8153ce218cc59351799217451f
- inspect.go: inspect env variables
- ostree: use both image and & storage buildtags

Update to skopeo v0.1.39 (bsc#1159530):

- inspect: add a --config flag
- Add --no-creds flag to skopeo inspect
- Add --quiet option to skopeo copy
- New progress bars
- Parallel Pulls and Pushes for major speed improvements
- containers/image moved to a new progress-bar library to fix various
issues related to overlapping bars and redundant entries.
- enforce blocking of registries
- Allow storage-multiple-manifests
- When copying images and the output is not a tty (e.g., when piping to a
file) print single lines instead of using progress bars. This avoids
long and hard to parse output
- man pages: add --dest-oci-accept-uncompressed-layers
- completions:
  - Introduce transports completions
  - Fix bash completions when an option requires an argument
  - Use only spaces in indent
  - Fix completions with a global option
  - add --dest-oci-accept-uncompressed-layers

This update was imported from the SUSE:SLE-15:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2020-377=1


Package List:

- openSUSE Leap 15.1 (x86_64):

skopeo-0.1.41-lp151.2.6.1
skopeo-debuginfo-0.1.41-lp151.2.6.1
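
To confirm the update has landed across several machines, the following added example (not part of the SUSE announcement) flags hosts whose skopeo build is older than the fixed version-release from the Package List. The inventory lines and host names are constructed, and GNU `sort -V` stands in for RPM's own version ordering, which is an assumption that holds for these dotted numeric versions.

```shell
#!/usr/bin/env bash
# Added example: flag hosts whose skopeo package predates the fixed build.
FIXED="0.1.41-lp151.2.6.1"   # version-release taken from the Package List

# Return 0 if version-release $1 is >= $2.
# Assumption: GNU sort -V approximates RPM ordering for these versions.
ver_ge() {
    [ "$1" = "$2" ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

# Read "host version-release" lines on stdin and print the hosts that
# still need the patch. Each host's value would come from:
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' skopeo
# Hosts without skopeo are recorded as "not-installed" and skipped.
unpatched_hosts() {
    while read -r host vr; do
        [ -z "$host" ] && continue
        if [ "$vr" = "not-installed" ]; then continue; fi
        ver_ge "$vr" "$FIXED" || printf '%s\n' "$host"
    done
}

# Constructed sample inventory (hypothetical hosts and older builds).
SAMPLE='build01 0.1.39-lp151.2.3.1
build02 0.1.41-lp151.2.6.1
ci-runner 0.1.32-lp151.1.1
laptop7 not-installed
mirror 0.1.41-lp151.2.9.1'

printf '%s\n' "$SAMPLE" | unpatched_hosts
```

Hosts it prints should receive `zypper in -t patch openSUSE-2020-377=1` and then be checked again.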

References:

  https://www.suse.com/security/cve/CVE-2019-10214.html
  https://bugzilla.suse.com/1159530
  https://bugzilla.suse.com/1165715