SUSE-SU-2020:0712-1: moderate: Security update for skopeo

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Wed Mar 18 08:15:40 MDT 2020 

   SUSE Security Update: Security update for skopeo
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0712-1
Rating:             moderate
References:         #1159530 #1165715 
Cross-References:   CVE-2019-10214
Affected Products:
                    SUSE Linux Enterprise Module for Server Applications 15-SP1
______________________________________________________________________________

   An update that solves one vulnerability and has one errata
   is now available.

Description:

   This update for skopeo fixes the following issues:

   Update to skopeo v0.1.41 (bsc#1165715):

   - Bump github.com/containers/image/v5 from 5.2.0 to 5.2.1
   - Bump gopkg.in/yaml.v2 from 2.2.7 to 2.2.8
   - Bump github.com/containers/common from 0.0.7 to 0.1.4
   - Remove the reference to openshift/api
   - vendor github.com/containers/image/v5 at v5.2.0
   - Manually update buildah to v1.13.1
   - add specific authfile options to copy (and sync) command.
   - Bump github.com/containers/buildah from 1.11.6 to 1.12.0
   - Add context to --encryption-key / --decryption-key processing failures
   - Bump github.com/containers/storage from 1.15.2 to 1.15.3
   - Bump github.com/containers/buildah from 1.11.5 to 1.11.6
   - remove direct reference on c/image/storage
   - Makefile: set GOBIN
   - Bump gopkg.in/yaml.v2 from 2.2.2 to 2.2.7
   - Bump github.com/containers/storage from 1.15.1 to 1.15.2
   - Introduce the sync command
   - openshift cluster: remove .docker directory on teardown
   - Bump github.com/containers/storage from 1.14.0 to 1.15.1
   - document installation via apk on alpine
   - Fix typos in doc for image encryption
   - Image encryption/decryption support in skopeo
   - make vendor-in-container
   - Bump github.com/containers/buildah from 1.11.4 to 1.11.5
   - Travis: use go v1.13
   - Use a Windows Nano Server image instead of Server Core for multi-arch
     testing
   - Increase test timeout to 15 minutes
   - Run the test-system container without --net=host
   - Mount /run/systemd/journal/socket into test-system containers
   - Don't unnecessarily filter out vendor from (go list ./...)
     output
   - Use -mod=vendor in (go {list,test,vet})
   - Bump github.com/containers/buildah from 1.8.4 to 1.11.4
   - Bump github.com/urfave/cli from 1.20.0 to 1.22.1
   - skopeo: drop support for ostree
   - Don't critically fail on a 403 when listing tags
   - Revert "Temporarily work around auth.json location confusion"
   - Remove references to atomic
   - Remove references to storage.conf
   - Dockerfile: use golang-github-cpuguy83-go-md2man
   - bump version to v0.1.41-dev
   - systemtest: inspect container image different from current platform arch

   Changes in v0.1.40:

   - vendor containers/image v5.0.0
   - copy: add a --all/-a flag
   - System tests: various fixes
   - Temporarily work around auth.json location confusion
   - systemtest: copy: docker->storage->oci-archive
   - systemtest/010-inspect.bats: require only PATH
   - systemtest: add simple env test in inspect.bats
   - bash completion: add comments to keep scattered options in sync
   - bash completion: use read -r instead of disabling SC2207
   - bash completion: support --opt arg completion
   - bash-completion: use replacement instead of sed
   - bash completion: disable shellcheck SC2207
   - bash completion: double-quote to avoid re-splitting
   - bash completions: use bash replacement instead of sed
   - bash completion: remove unused variable
   - bash-completions: split decl and assignment to avoid masking retvals
   - bash completion: double-quote fixes
   - bash completion: hard-set PROG=skopeo
   - bash completion: remove unused variable
   - bash completion: use `||` instead of `-o`
   - bash completion: rm eval on assigned variable
   - copy: add --dest-compress-format and --dest-compress-level
   - flag: add optionalIntValue
   - Makefile: use go proxy
   - inspect --raw: skip the NewImage() step
   - update OCI image-spec to 775207bd45b6cb8153ce218cc59351799217451f
   - inspect.go: inspect env variables
   - ostree: use both image and & storage buildtags


   Update to skopeo v0.1.39 (bsc#1159530):

   - inspect: add a --config flag
   - Add --no-creds flag to skopeo inspect
   - Add --quiet option to skopeo copy
   - New progress bars
   - Parallel Pulls and Pushes for major speed improvements
   - containers/image moved to a new progress-bar library to fix various
     issues related to overlapping bars and redundant entries.
   - enforce blocking of registries
   - Allow storage-multiple-manifests
   - When copying images and the output is not a tty (e.g., when piping to a
     file) print single lines instead of using progress bars. This avoids
     long and hard to parse output
   - man pages: add --dest-oci-accept-uncompressed-layers
   - completions:
     - Introduce transports completions
     - Fix bash completions when a option requires a argument
     - Use only spaces in indent
      - Fix completions with a global option
     - add --dest-oci-accept-uncompressed-layers


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Server Applications 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-712=1



Package List:

   - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

      skopeo-0.1.41-4.11.1
      skopeo-debuginfo-0.1.41-4.11.1


References:

   https://www.suse.com/security/cve/CVE-2019-10214.html
   https://bugzilla.suse.com/1159530
   https://bugzilla.suse.com/1165715

More information about the sle-security-updates mailing list