SUSE 5183 Published by

A buildah security update has been released for openSUSE Leap 15.3.



openSUSE-SU-2022:0770-1: moderate: Security update for buildah


openSUSE Security Update: Security update for buildah
______________________________________________________________________________

Announcement ID: openSUSE-SU-2022:0770-1
Rating: moderate
References: #1187812 #1192999 SLE-23503
Cross-References: CVE-2019-10214 CVE-2020-10696 CVE-2021-20206

CVSS scores:
CVE-2019-10214 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2019-10214 (SUSE): 9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2020-10696 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2020-10696 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2021-20206 (NVD) : 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2021-20206 (SUSE): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Affected Products:
openSUSE Leap 15.3
______________________________________________________________________________

An update that fixes three vulnerabilities, contains one
feature is now available.

Description:

This update for buildah fixes the following issues:

buildah was updated to version 1.23.1:

Update to version 1.22.3:

* Update dependencies
* Post-branch commit
* Accept repositories on login/logout

Update to version 1.22.0:

* c/image, c/storage, c/common vendor before Podman 3.3 release
* Proposed patch for 3399 (shadowutils)
* Fix handling of --restore shadow-utils
* runtime-flag (debug) test: handle old & new runc
* Allow dst and destination for target in secret mounts
* Multi-arch: Always push updated version-tagged img
* imagebuildah.stageExecutor.prepare(): remove pseudonym check
* refine dangling filter
* Chown with environment variables not set should fail
* Just restore protections of shadow-utils
* Remove specific kernel version number requirement from install.md
* Multi-arch image workflow: Make steps generic
* chroot: fix environment value leakage to intermediate processes
* Update nix pin with `make nixpkgs`
* buildah source - create and manage source images
* Update cirrus-cron notification GH workflow
* Reuse code from containers/common/pkg/parse
* Cirrus: Freshen VM images
* Fix excludes exception begining with / or ./
* Fix syntax for --manifest example
* vendor containers/common@main
* Cirrus: Drop dependence on fedora-minimal
* Adjust conformance-test error-message regex
* Workaround appearance of differing debug messages
* Cirrus: Install docker from package cache
* Switch rusagelogfile to use options.Out
* Turn stdio back to blocking when command finishes
* Add support for default network creation
* Cirrus: Updates for master->main rename
* Change references from master to main
* Add `--env` and `--workingdir` flags to run command
* [CI:DOCS] buildah bud: spelling --ignore-file requires parameter
* [CI:DOCS] push/pull: clarify supported transports
* Remove unused function arguments
* Create mountOptions for mount command flags
* Extract version command implementation to function
* Add --json flags to `mount` and `version` commands
* copier.Put(): set xattrs after ownership
* buildah add/copy: spelling
* buildah copy and buildah add should support .containerignore
* Remove unused util.StartsWithValidTransport
* Fix documentation of the --format option of buildah push
* Don't use alltransports.ParseImageName with known transports
* man pages: clarify `rmi` removes dangling parents
* [CI:DOCS] Fix links to c/image master branch
* imagebuildah: use the specified logger for logging preprocessing warnings
* Fix copy into workdir for a single file
* Fix docs links due to branch rename
* Update nix pin with `make nixpkgs`
* fix(docs): typo
* Move to v1.22.0-dev
* Fix handling of auth.json file while in a user namespace
* Add rusage-logfile flag to optionally send rusage to a file
* imagebuildah: redo step logging
* Add volumes to make running buildah within a container easier
* Add and use a "copy" helper instead of podman load/save
* Bump github.com/containers/common from 0.38.4 to 0.39.0
* containerImageRef/containerImageSource: don't buffer uncompressed layers
* containerImageRef(): squashed images have no parent images
* Sync. workflow across skopeo, buildah, and podman
* Bump github.com/containers/storage from 1.31.1 to 1.31.2
* Bump github.com/opencontainers/runc from 1.0.0-rc94 to 1.0.0-rc95
* Bump to v1.21.1-dev [NO TESTS NEEDED]

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.3:

zypper in -t patch openSUSE-SLE-15.3-2022-770=1


Package List:

- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):

buildah-1.23.1-150300.8.3.1

References:

  https://www.suse.com/security/cve/CVE-2019-10214.html
  https://www.suse.com/security/cve/CVE-2020-10696.html
  https://www.suse.com/security/cve/CVE-2021-20206.html
  https://bugzilla.suse.com/1187812
  https://bugzilla.suse.com/1192999