SUSE-SU-2020:3423-1: moderate: Security update for buildah

sle-security-updates at lists.suse.com
Thu Nov 19 13:21:36 MST 2020


   SUSE Security Update: Security update for buildah
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3423-1
Rating:             moderate
References:         #1165184 #1167864 
Cross-References:   CVE-2019-10214 CVE-2020-10696
Affected Products:
                    SUSE Linux Enterprise Module for Containers 15-SP2
                    SUSE Linux Enterprise Module for Containers 15-SP1
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for buildah fixes the following issues:

   buildah was updated to v1.17.0 (bsc#1165184):

   * Handle cases where other tools mount/unmount containers
   * overlay.MountReadOnly: support RO overlay mounts
   * overlay: use fusermount for rootless umounts
   * overlay: fix umount
   * Switch default log level of Buildah to Warn. Users need to see these
     messages
   * Drop error messages about OCI/Docker format to Warning level
   * build(deps): bump github.com/containers/common from 0.26.0 to 0.26.2
   * tests/testreport: adjust for API break in storage v1.23.6
   * build(deps): bump github.com/containers/storage from 1.23.5 to 1.23.7
   * build(deps): bump github.com/fsouza/go-dockerclient from 1.6.5 to 1.6.6
   * copier: put: ignore Typeflag="g"
   * Use curl to get repo file (fix #2714)
   * build(deps): bump github.com/containers/common from 0.25.0 to 0.26.0
   * build(deps): bump github.com/spf13/cobra from 1.0.0 to 1.1.1
   * Remove docs that refer to bors, since we're not using it
   * Buildah bud should not use stdin by default
   * bump containerd, docker, and golang.org/x/sys
   * Makefile: cross: remove windows.386 target
   * copier.copierHandlerPut: don't check length when there are errors
   * Stop excessive wrapping
   * CI: require that conformance tests pass
   * bump(github.com/openshift/imagebuilder) to v1.1.8
   * Skip tlsVerify insecure BUILD_REGISTRY_SOURCES
   * Fix build path wrong containers/podman#7993
   * refactor pullpolicy to avoid deps
   * build(deps): bump github.com/containers/common from 0.24.0 to 0.25.0
   * CI: run gating tasks with a lot more memory
   * ADD and COPY: descend into excluded directories, sometimes
   * copier: add more context to a couple of error messages
   * copier: check an error earlier
   * copier: log stderr output as debug on success
   * Update nix pin with make nixpkgs
   * Set directory ownership when copied with ID mapping
   * build(deps): bump github.com/sirupsen/logrus from 1.6.0 to 1.7.0
   * build(deps): bump github.com/containers/common from 0.23.0 to 0.24.0
   * Cirrus: Remove bors artifacts
   * Sort build flag definitions alphabetically
   * ADD: only expand archives at the right time
   * Remove configuration for bors
   * Shell Completion for podman build flags
   * Bump c/common to v0.24.0
   * New CI check: xref --help vs man pages
   * CI: re-enable several linters
   * Move --userns-uid-map/--userns-gid-map description into buildah man page
   * add: preserve ownerships and permissions on ADDed archives
   * Makefile: tweak the cross-compile target
   * Bump containers/common to v0.23.0
   * chroot: create bind mount targets 0755 instead of 0700
   * Change call to Split() to safer SplitN()
   * chroot: fix handling of errno seccomp rules
   * build(deps): bump github.com/containers/image/v5 from 5.5.2 to 5.6.0
   * Add In Progress section to contributing
   * integration tests: make sure tests run in ${topdir}/tests
   * Run(): ignore containers.conf's environment configuration
   * Warn when setting healthcheck in OCI format
   * Cirrus: Skip git-validate on branches
   * tools: update git-validation to the latest commit
   * tools: update golangci-lint to v1.18.0
   * Add a few tests of push command
   * Add(): fix handling of relative paths with no ContextDir
   * build(deps): bump github.com/containers/common from 0.21.0 to 0.22.0
   * Lint: Use same linters as podman
   * Validate: reference HEAD
   * Fix buildah mount to display container names not ids
   * Update nix pin with make nixpkgs
   * Add missing --format option in buildah from man page
   * Fix up code based on codespell
   * build(deps): bump github.com/openshift/imagebuilder from 1.1.6 to 1.1.7
   * build(deps): bump github.com/containers/storage from 1.23.4 to 1.23.5
   * Improve buildah completions
   * Cirrus: Fix validate commit epoch
   * Fix bash completion of manifest flags
   * Uniform some man pages
   * Update Buildah Tutorial to address BZ1867426
   * Update bash completion of manifest add sub command
   * copier.Get(): hard link targets shouldn't be relative paths
   * build(deps): bump github.com/onsi/gomega from 1.10.1 to 1.10.2
   * Pass timestamp down to history lines
   * Timestamp gets updated every time you inspect an image
   * bud.bats: use absolute paths in newly-added tests
   * contrib/cirrus/lib.sh: don't use CN for the hostname
   * tests: Add some tests
   * Update manifest add man page
   * Extend flags of manifest add
   * build(deps): bump github.com/containers/storage from 1.23.3 to 1.23.4
   * build(deps): bump github.com/onsi/ginkgo from 1.14.0 to 1.14.1
   * CI: expand cross-compile checks

   Update to v1.16.2:

   * fix build on 32bit arches
   * containerImageRef.NewImageSource(): don't always force timestamps
   * Add fuse module warning to image readme
   * Heed our retry delay option values when retrying commit/pull/push
   * Switch to containers/common for seccomp
   * Use --timestamp rather than --omit-timestamp
   * docs: remove outdated notice
   * docs: remove outdated notice
   * build-using-dockerfile: add a hidden --log-rusage flag
   * build(deps): bump github.com/containers/image/v5 from 5.5.1 to 5.5.2
   * Discard ReportWriter if user sets options.Quiet
   * build(deps): bump github.com/containers/common from 0.19.0 to 0.20.3
   * Fix ownership of content copied using COPY --from
   * newTarDigester: zero out timestamps in tar headers
   * Update nix pin with `make nixpkgs`
   * bud.bats: correct .dockerignore integration tests
   * Use pipes for copying
   * run: include stdout in error message
   * run: use the correct error for errors.Wrapf
   * copier: un-export internal types
   * copier: add Mkdir()
   * in_podman: don't get tripped up by $CIRRUS_CHANGE_TITLE
   * docs/buildah-commit.md: tweak some wording, add a --rm example
   * imagebuildah: don’t blank out destination names when COPYing
   * Replace retry functions with common/pkg/retry
   * StageExecutor.historyMatches: compare timestamps using .Equal
   * Update vendor of containers/common
   * Fix errors found in coverity scan
   * Change namespace handling flags to better match podman commands
   * conformance testing: ignore buildah.BuilderIdentityAnnotation labels
   * Vendor in containers/storage v1.23.0
   * Add buildah.IsContainer interface
   * Avoid feeding run_buildah to pipe
   * fix(buildahimage): add xz dependency in buildah image
   * Bump github.com/containers/common from 0.15.2 to 0.18.0
   * Howto for rootless image building from OpenShift
   * Add --omit-timestamp flag to buildah bud
   * Update nix pin with `make nixpkgs`
   * Shutdown storage on failures
   * Handle COPY --from when an argument is used
   * Bump github.com/seccomp/containers-golang from 0.5.0 to 0.6.0
   * Cirrus: Use newly built VM images
   * Bump github.com/opencontainers/runc from 1.0.0-rc91 to 1.0.0-rc92
   * Enhance the .dockerignore man pages
   * conformance: add a test for COPY from subdirectory
   * fix bug manifest inspect
   * Add documentation for .dockerignore
   * Add BuilderIdentityAnnotation to identify buildah version
   * DOC: Add quay.io/containers/buildah image to README.md
   * Update buildahimages readme
   * fix spelling mistake in "info" command result display
   * Don't bind /etc/host and /etc/resolv.conf if network is not present
   * blobcache: avoid an unnecessary NewImage()
   * Build static binary with `buildGoModule`
   * copier: split StripSetidBits into
     StripSetuidBit/StripSetgidBit/StripStickyBit
   * tarFilterer: handle multiple archives
   * Fix a race we hit during conformance tests
   * Rework conformance testing
   * Update 02-registries-repositories.md
   * test-unit: invoke cmd/buildah tests with --flags
   * parse: fix a type mismatch in a test
   * Fix compilation of tests/testreport/testreport
   * build.sh: log the version of Go that we're using
   * test-unit: increase the test timeout to 40/45 minutes
   * Add the "copier" package
   * Fix & add notes regarding problematic language in codebase
   * Add dependency on github.com/stretchr/testify/require
   * CompositeDigester: add the ability to filter tar streams
   * BATS tests: make more robust
   * vendor golang.org/x/text at v0.3.3
   * Switch golang 1.12 to golang 1.13
   * imagebuildah: wait for stages that might not have even started yet
   * chroot, run: not fail on bind mounts from /sys
   * chroot: do not use setgroups if it is blocked
   * Set engine env from containers.conf
   * imagebuildah: return the right stage's image as the "final" image
   * Fix a help string
   * Deduplicate environment variables
   * switch containers/libpod to containers/podman
   * Bump github.com/containers/ocicrypt from 1.0.2 to 1.0.3
   * Bump github.com/opencontainers/selinux from 1.5.2 to 1.6.0
   * Mask out /sys/dev to prevent information leak
   * linux: skip errors from the runtime kill
   * Mask over the /sys/fs/selinux in mask branch
   * Add VFS additional image store to container
   * tests: add auth tests
   * Allow "readonly" as alias to "ro" in mount options
   * Ignore OS X specific consistency mount option
   * Bump github.com/onsi/ginkgo from 1.13.0 to 1.14.0
   * Bump github.com/containers/common from 0.14.0 to 0.15.2
   * Rootless Buildah should default to IsolationOCIRootless
   * imagebuildah: fix inheriting multi-stage builds
   * Make imagebuildah.BuildOptions.Architecture/OS optional
   * Make imagebuildah.BuildOptions.Jobs optional
   * Resolve a possible race in imagebuildah.Executor.startStage()
   * Switch scripts to use containers.conf
   * Bump openshift/imagebuilder to v1.1.6
   * Bump go.etcd.io/bbolt from 1.3.4 to 1.3.5
   * buildah, bud: support --jobs=N for parallel execution
   * executor: refactor build code inside new function
   * Add bud regression tests
   * Cirrus: Fix missing htpasswd in registry img
   * docs: clarify the 'triples' format
   * CHANGELOG.md: Fix markdown formatting
   * Add nix derivation for static builds
   * Bump to v1.16.0-dev

   Update to v1.15.1:

   * Mask over the /sys/fs/selinux in mask branch
   * chroot: do not use setgroups if it is blocked
   * chroot, run: not fail on bind mounts from /sys
   * Allow "readonly" as alias to "ro" in mount options
   * Add VFS additional image store to container
   * vendor golang.org/x/text at v0.3.3
   * Make imagebuildah.BuildOptions.Architecture/OS optional

   Update to v1.15.0:

   * Add CVE-2020-10696 to CHANGELOG.md and changelog.txt
   * fix lighttpd example
   * remove dependency on openshift struct
   * Warn on unset build arguments
   * vendor: update seccomp/containers-golang to v0.4.1
   * Updated docs
   * clean up comments
   * update exit code for tests
   * Implement commit for encryption
   * implementation of encrypt/decrypt push/pull/bud/from
   * fix resolve docker image name as transport
   * Add preliminary profiling support to the CLI
   * Evaluate symlinks in build context directory
   * fix error info about get signatures for containerImageSource
   * Add Security Policy
   * Cirrus: Fixes from review feedback
   * imagebuildah: stages shouldn't count as their base images
   * Update containers/common v0.10.0
   * Add registry to buildahimage Dockerfiles
   * Cirrus: Use pre-installed VM packages + F32
   * Cirrus: Re-enable all distro versions
   * Cirrus: Update to F31 + Use cache images
   * golangci-lint: Disable gosimple
   * Lower number of golangci-lint threads
   * Fix permissions on containers.conf
   * Don't force tests to use runc
   * Return exit code from failed containers
   * cgroup_manager should be under [engine]
   * Use c/common/pkg/auth in login/logout
   * Cirrus: Temporarily disable Ubuntu 19 testing
   * Add containers.conf to stablebyhand build
   * Update gitignore to exclude test Dockerfiles
   * Remove warning for systemd inside of container

   Update to v1.14.6:

   * Make image history work correctly with new args handling
   * Don't add args to the RUN environment from the Builder

   Update to v1.14.5:

   * Revert FIPS mode change

   Update to v1.14.4:

   * Update unshare man page to fix script example
   * Fix compilation errors on non linux platforms
   * Preserve volume uid and gid through subsequent commands
   * Fix potential CVE in tarfile w/ symlink
   * Fix .dockerignore with globs and ! commands

   Update to v1.14.2:

   * Search for local runtime per values in containers.conf
   * Set correct ownership on working directory
   * Improve remote manifest retrieval
   * Correct a couple of incorrect format specifiers
   * manifest push --format: force an image type, not a list type
   * run: adjust the order in which elements are added to $
   * getDateAndDigestAndSize(): handle creation time not being set
   * Make the commit id clear like Docker
   * Show error on copied file above context directory in build
   * pull/from/commit/push: retry on most failures
   * Repair buildah so it can use containers.conf on the server side
   * Fixing formatting & build instructions
   * Fix XDG_RUNTIME_DIR for authfile
   * Show validation command-line

   Update to v1.14.0:

   * getDateAndDigestAndSize(): use manifest.Digest
   * Touch up os/arch doc
   * chroot: handle slightly broken seccomp defaults
   * buildahimage: specify fuse-overlayfs mount options
   * parse: don't complain about not being able to rename something to itself
   * Fix build for 32bit platforms
   * Allow users to set OS and architecture on bud
   * Fix COPY in containerfile with envvar
   * Add --sign-by to bud/commit/push, --remove-signatures for pull/push
   * Add support for containers.conf
   * manifest push: add --format option

   Update to v1.13.1:

   * copyFileWithTar: close source files at the right time
   * copy: don't digest files that we ignore
   * Check for .dockerignore specifically
   * Don't set up excludes if there is only one pattern to match
   * set HOME env to /root on chroot-isolation by default
   * docs: fix references to containers-*.5
   * fix bug Add check .dockerignore COPY file
   * buildah bud --volume: run from tmpdir, not source dir
   * Fix imageNamePrefix to give consistent names in buildah-from
   * cpp: use -traditional and -undef flags
   * discard outputs coming from onbuild command on buildah-from --quiet
   * make --format columnizing consistent with buildah images
   * Fix option handling for volumes in build
   * Rework overlay pkg for use with libpod
   * Fix buildahimage builds for buildah
   * Add support for FIPS-Mode backends
   * Set the TMPDIR for pulling/pushing image to $TMPDIR

   Update to v1.12.0:

   * Allow ADD to use http src
   * imgtype: reset storage opts if driver overridden
   * Start using containers/common
   * overlay.bats typo: fuse-overlays should be fuse-overlayfs
   * chroot: Unmount with MNT_DETACH instead of UnmountMountpoints()
   * bind: don't complain about missing mountpoints
   * imgtype: check earlier for expected manifest type
   * Add history names support

   Update to v1.11.6:

   * Handle missing equal sign in --from and --chown flags for COPY/ADD
   * bud COPY does not download URL
   * Fix .dockerignore exclude regression
   * commit(docker): always set ContainerID and ContainerConfig
   * Touch up commit man page image parameter
   * Add builder identity annotations.

   Update to v1.11.5:

   * buildah: add "manifest" command
   * pkg/supplemented: add a package for grouping images together
   * pkg/manifests: add a manifest list build/manipulation API
   * Update for ErrUnauthorizedForCredentials API change in containers/image
   * Update for manifest-lists API changes in containers/image
   * version: also note the version of containers/image
   * Move to containers/image v5.0.0
   * Enable --device directory as src device
   * Add clarification to the Tutorial for new users
   * Silence "using cache" to ensure -q is fully quiet
   * Move runtime flag to bud from common
   * Commit: check for storage.ErrImageUnknown using errors.Cause()
   * Fix crash when invalid COPY --from flag is specified.

   Update to v1.11.4:

   * buildah: add a "manifest" command
   * pkg/manifests: add a manifest list build/manipulation API
   * Update for ErrUnauthorizedForCredentials API change in containers/image
   * Update for manifest-lists API changes in containers/image
   * Move to containers/image v5.0.0
   * Enable --device directory as src device
   * Add clarification to the Tutorial for new users
   * Silence "using cache" to ensure -q is fully quiet
   * Move runtime flag to bud from common
   * Commit: check for storage.ErrImageUnknown using errors.Cause()
   * Fix crash when invalid COPY --from flag is specified.

   Update to v1.11.3:

   * Add cgroups2
   * Add support for retrieving context from stdin "-"
   * Added tutorial on how to include Buildah as library
   * Fix --build-args handling
   * Print build 'STEP' line to stdout, not stderr
   * Use Containerfile by default

   Update to v1.11.2:

   * Add some cleanup code
   * Move devices code to unit specific directory.

   Update to v1.11.1:

   * Add --devices flag to bud and from
   * Add support for /run/.containerenv
   * Allow mounts.conf entries for equal source and destination paths
   * Fix label and annotation for 1-line Dockerfiles
   * Preserve file and directory mount permissions
   * Replace --debug=false with --log-level=error
   * Set TMPDIR to /var/tmp by default
   * Truncate output of too long image names
   * Ignore EmptyLayer if Squash is set

   Update to v1.11.0:

   * Add --digestfile and Re-add push statement as debug
   * Add --log-level command line option and deprecate --debug
   * Add security-related volume options to validator
   * Allow buildah bud to be called without arguments
   * Allow to override build date with SOURCE_DATE_EPOCH
   * Correctly detect ExitError values from Run()
   * Disable empty logrus timestamps to reduce logger noise
   * Fix directory pull image names
   * Fix handling of /dev/null masked devices
   * Fix possible runtime panic on bud
   * Update bud/from help to contain indicator for --dns=none
   * Update documentation about bud
   * Update shebangs to take env into consideration
   * Use content digests in ADD/COPY history entries
   * add support for cgroupsV2
   * add: add a DryRun flag to AddAndCopyOptions
   * add: handle hard links when copying with .dockerignore
   * add: teach copyFileWithTar() about symlinks and directories
   * imagebuilder: fix detection of referenced stage roots
   * pull/commit/push: pay attention to $BUILD_REGISTRY_SOURCES
   * run_linux: fix mounting /sys in a userns


   Update to v1.10.1:

   * Add automatic apparmor tag discovery
   * Add overlayfs to fuse-overlayfs tip
   * Bug fix for volume minus syntax
   * Bump container/storage v1.13.1 and containers/image v3.0.1
   * Bump containers/image to v3.0.2 to fix keyring issue
   * Fix bug whereby --get-login has no effect
   * Bump github.com/containernetworking/cni to v0.7.1
   - Add appamor-pattern requirement

   - Update build process to match the latest repository architecture
   - Update to v1.10.0
   * vendor github.com/containers/image at v3.0.0
   * Remove GO111MODULE in favor of -mod=vendor
   * Vendor in containers/storage v1.12.16
   * Add '-' minus syntax for removal of config values
   * tests: enable overlay tests for rootless
   * rootless, overlay: use fuse-overlayfs
   * vendor github.com/containers/image at v2.0.1
   * Added '-' syntax to remove volume config option
   * delete successfully pushed message
   * Add golint linter and apply fixes
   * vendor github.com/containers/storage at v1.12.15
   * Change wait to sleep in buildahimage readme
   * Handle ReadOnly images when deleting images
   * Add support for listing read/only images
   * from/import: record the base image's digest, if it has one
   * Fix CNI version retrieval to not require network connection
   * Add misspell linter and apply fixes
   * Add goimports linter and apply fixes
   * Add stylecheck linter and apply fixes
   * Add unconvert linter and apply fixes
   * image: make sure we don't try to use zstd compression
   * run.bats: skip the "z" flag when testing --mount
   * Update to runc v1.0.0-rc8
   * Update to match updated runtime-tools API
   * bump github.com/opencontainers/runtime-tools to v0.9.0
   * Build e2e tests using the proper build tags
   * Add unparam linter and apply fixes
   * Run: correct a typo in the --cap-add help text
   * unshare: add a --mount flag
   * fix push check image name is not empty
   * add: fix slow copy with no excludes
   * Add errcheck linter and fix missing error check
   * Improve tests/tools/Makefile parallelism and abstraction
   * Fix response body not closed resource leak
   * Switch to golangci-lint
   * Add gomod instructions and mailing list links
   * On Masked path, check if /dev/null already mounted before mounting
   * Update to containers/storage v1.12.13
   * Refactor code in package imagebuildah
   * Add rootless podman with NFS issue in documentation
   * Add --mount for buildah run
   * import method ValidateVolumeOpts from libpod
   * Fix typo
   * Makefile: set GO111MODULE=off
   * rootless: add the built-in slirp DNS server
   * Update docker/libnetwork to get rid of outdated sctp package
   * Update buildah-login.md
   * migrate to go modules
   * install.md: mention go modules
   * tests/tools: go module for test binaries
   * fix --volume splits comma delimited option
   * Add bud test for RUN with a priv'd command
   * vendor logrus v1.4.2
   * pkg/cli: panic when flags can't be hidden
   * pkg/unshare: check all errors
   * pull: check error during report write
   * run_linux.go: ignore unchecked errors
   * conformance test: catch copy error
   * chroot/run_test.go: export funcs to actually be executed
   * tests/imgtype: ignore error when shutting down the store
   * testreport: check json error
   * bind/util.go: remove unused func
   * rm chroot/util.go
   * imagebuildah: remove unused dedupeStringSlice
   * StageExecutor: EnsureContainerPath: catch error from SecureJoin()
   * imagebuildah/build.go: return instead of branching
   * rmi: avoid redundant branching
   * conformance tests: nilness: allocate map
   * imagebuildah/build.go: avoid redundant filepath.Join()
   * imagebuildah/build.go: avoid redundant os.Stat()
   * imagebuildah: omit comparison to bool
   * fix "ineffectual assignment" lint errors
   * docker: ignore "repeats json tag" lint error
   * pkg/unshare: use ... instead of iterating a slice
   * conformance: bud test: use raw strings for regexes
   * conformance suite: remove unused func/var
   * buildah test suite: remove unused vars/funcs
   * testreport: fix golangci-lint errors
   * util: remove redundant return statement
   * chroot: only log clean-up errors
   * images_test: ignore golangci-lint error
   * blobcache: log error when draining the pipe
   * imagebuildah: check errors in deferred calls
   * chroot: fix error handling in deferred funcs
   * cmd: check all errors
   * chroot/run_test.go: check errors
   * chroot/run.go: check errors in deferred calls
   * imagebuildah.Executor: remove unused onbuild field
   * docker/types.go: remove unused struct fields
   * util: use strings.ContainsRune instead of index check
   * Cirrus: Initial implementation
   * buildah-run: fix-out-of-range panic (2)
   * Update containers/image to v2.0.0
   * run: fix hang with run and --isolation=chroot
   * run: fix hang when using run
   * chroot: drop unused function call
   * remove --> before imageID on build
   * Always close stdin pipe
   * Write deny to setgroups when doing single user mapping
   * Avoid including linux/memfd.h
   * Add a test for the symlink pointing to a directory
   * Add missing continue
   * Fix the handling of symlinks to absolute paths
   * Only set default network sysctls if not rootless
   * Support --dns=none like podman
   * fix bug --cpu-shares parsing typo
   * Fix validate complaint
   * Update vendor on containers/storage to v1.12.10
   * Create directory paths for COPY thereby ensuring correct perms
   * imagebuildah: use a stable sort for comparing build args
   * imagebuildah: tighten up cache checking
   * bud.bats: add a test verifying the order of --build-args
   * add -t to podman run
   * imagebuildah: simplify screening by top layers
   * imagebuildah: handle ID mappings for COPY --from
   * imagebuildah: apply additionalTags ourselves
   * bud.bats: test additional tags with cached images
   * bud.bats: add a test for WORKDIR and COPY with absolute destinations
   * Cleanup Overlay Mounts content
   * Add support for file secret mounts
   * Add ability to skip secrets in mounts file
   * allow 32bit builds
   * fix tutorial instructions
   * imagebuilder: pass the right contextDir to Add()
   * add: use fileutils.PatternMatcher for .dockerignore
   * bud.bats: add another .dockerignore test
   * unshare: fallback to single usermapping
   * addHelperSymlink: clear the destination on os.IsExist errors
   * bud.bats: test replacing symbolic links
   * imagebuildah: fix handling of destinations that end with '/'
   * bud.bats: test COPY with a final "/" in the destination
   * linux: add check for sysctl before using it
   * unshare: set _CONTAINERS_ROOTLESS_GID
   * Rework buildahimages
   * build context: support https git repos
   * Add a test for ENV special chars behaviour
   * Check in new Dockerfiles
   * Apply custom SHELL during build time
   * config: expand variables only at the command line
   * SetEnv: we only need to expand v once
   * Add default /root if empty on chroot iso
   * Add support for Overlay volumes into the container.
   * Export buildah validate volume functions so it can share code with libpod
   * Bump baseline test to F30
   * Fix rootless handling of /dev/shm size
   * Avoid fmt.Printf() in the library
   * imagebuildah: tighten cache checking back up
   * Handle WORKDIR with dangling target
   * Default Authfile to proper path
   * Make buildah run --isolation follow BUILDAH_ISOLATION environment
   * Vendor in latest containers/storage and containers/image
   * getParent/getChildren: handle layerless images
   * imagebuildah: recognize cache images for layerless images
   * bud.bats: test scratch images with --layers caching
   * Get CHANGELOG.md updates
   * Add some symlinks to test our .dockerignore logic
   * imagebuildah: addHelper: handle symbolic links
   * commit/push: use an everything-allowed policy
   * Correct manpage formatting in files section
   * Remove must be root statement from buildah doc
   * Change image names to stable, testing and upstream
   * Don't create directory on container
   * Replace kubernetes/pause in tests with k8s.gcr.io/pause
   * imagebuildah: don't remove intermediate images if we need them
   * Rework buildahimagegit to buildahimageupstream
   * Fix Transient Mounts
   * Handle WORKDIRs that are symlinks
   * allow podman to build a client for windows
   * Touch up 1.9-dev to 1.9.0-dev
   * Resolve symlink when checking container path
   * commit: commit on every instruction, but not always with layers
   * CommitOptions: drop the unused OnBuild field
   * makeImageRef: pass in the whole CommitOptions structure
   * cmd: API cleanup: stores before images
   * run: check if SELinux is enabled
   * Fix buildahimages Dockerfiles to include support for additionalimages
     mounted from host.
   * Detect changes in rootdir
   * Fix typo in buildah-pull(1)
   * Vendor in latest containers/storage
   * Keep track of any build-args used during buildah bud --layers
   * commit: always set a parent ID
   * imagebuildah: rework unused-argument detection
   * fix bug dest path when COPY .dockerignore
   * Move Host IDMAppings code from util to unshare
   * Add BUILDAH_ISOLATION rootless back
   * Travis CI: fail fast, upon error in any step
   * imagebuildah: only commit images for intermediate stages if we have to
   * Use errors.Cause() when checking for IsNotExist errors
   * auto pass http_proxy to container
   * imagebuildah: don't leak image structs
   * Add Dockerfiles for buildahimages
   * Bump to Replace golang 1.10 with 1.12
   * add --dns* flags to buildah bud
   * Add hack/build_speed.sh test speeds on building container images
   * Create buildahimage Dockerfile for Quay
   * rename 'is' to 'expect_output'
   * squash.bats: test squashing in multi-layered builds
   * bud.bats: test COPY --from in a Dockerfile while using the cache
   * commit: make target image names optional
   * Fix bud-args to allow comma separation
   * oops, missed some tests in commit.bats
   * new helper: expect_line_count
   * New tests for #1467 (string slices in cmdline opts)
   * Workarounds for dealing with travis; review feedback
   * BATS tests - extensive but minor cleanup
   * imagebuildah: defer pulling images for COPY --from
   * imagebuildah: centralize COMMIT and image ID output
   * Travis: do not use traviswait
   * imagebuildah: only initialize imagebuilder configuration once per stage
   * Make cleaner error on Dockerfile build errors
   * unshare: move to pkg/
   * unshare: move some code from cmd/buildah/unshare
   * Fix handling of Slices versus Arrays
   * imagebuildah: reorganize stage and per-stage logic
   * imagebuildah: add empty layers for instructions
   * Add missing step in installing into Ubuntu
   * fix bug in .dockerignore support
   * imagebuildah: deduplicate prepended "FROM" instructions
   * Touch up intro
   * commit: set created-by to the shell if it isn't set
   * commit: check that we always set a "created-by"
   * docs/buildah.md: add "containers-" prefixes under "SEE ALSO"

   Update to v1.7.2

   * Updates vendored containers/storage to latest version
   * rootless: by default use the host network namespace

   - Full changelog: https://github.com/containers/buildah/releases/tag/v1.6


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Containers 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Containers-15-SP2-2020-3423=1

   - SUSE Linux Enterprise Module for Containers 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Containers-15-SP1-2020-3423=1



Package List:

   - SUSE Linux Enterprise Module for Containers 15-SP2 (aarch64 ppc64le s390x x86_64):

      buildah-1.17.0-3.6.1

   - SUSE Linux Enterprise Module for Containers 15-SP1 (aarch64 ppc64le s390x x86_64):

      buildah-1.17.0-3.6.1
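   The Package List above names the fixed build, buildah-1.17.0-3.6.1, and an
   administrator auditing a fleet usually wants to confirm that every host is
   at or above that build rather than trust that "zypper patch" ran. The
   script below is an added example written for this advisory, not SUSE or
   buildah project code. It reimplements the core rules of RPM's version
   comparison (rpmvercmp) in pure Python so it runs offline: version strings
   are split into numeric and alphabetic segments, numeric segments compare
   as integers (so 1.10 > 1.9), a numeric segment outranks an alphabetic one,
   a longer string wins when the common prefix is equal, and '~' marks a
   pre-release that sorts before everything (1.0~rc1 < 1.0). The '^'
   post-release marker is deliberately not handled. The rpm output embedded
   in it is constructed for the example; on a real host the same lines come
   from `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' buildah`.

```python
"""Check whether an installed buildah package already carries the fix
shipped in SUSE-SU-2020:3423-1 (buildah-1.17.0-3.6.1 in the Package List).

Added example for the advisory, not SUSE tooling. Implements the core of
RPM's rpmvercmp ordering in pure Python; the sample rpm output below is
constructed, not captured from a real host.
"""
import re

# Fixed version/release taken from the advisory's Package List.
FIXED_VERSION = "1.17.0"
FIXED_RELEASE = "3.6.1"

# Architectures the advisory lists, plus noarch; stripped from NVRA strings.
_ARCHES = ("aarch64", "ppc64le", "s390x", "x86_64", "noarch")
# rpm ignores separators such as '.', '-' and '_' and compares the segments.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    if a == b:
        return 0
    ta, tb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(ta, tb):
        if x == y:
            continue
        if x == "~":               # pre-release marker sorts before anything
            return -1
        if y == "~":
            return 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            xi, yi = int(x), int(y)   # int() drops leading zeros, as rpm does
            if xi != yi:
                return 1 if xi > yi else -1
            continue
        if xd != yd:               # a numeric segment beats an alphabetic one
            return 1 if xd else -1
        return 1 if x > y else -1  # both alphabetic: plain string order
    # Common prefix is equal: the string with segments left over is newer,
    # unless what is left over begins with a pre-release marker.
    rest_a, rest_b = ta[len(tb):], tb[len(ta):]
    if rest_a:
        return -1 if rest_a[0] == "~" else 1
    if rest_b:
        return 1 if rest_b[0] == "~" else -1
    return 0


def is_patched(version: str, release: str) -> bool:
    """True if version-release is at or above the advisory's fixed build."""
    c = rpmvercmp(version, FIXED_VERSION)
    if c != 0:
        return c > 0
    return rpmvercmp(release, FIXED_RELEASE) >= 0


def parse_nvra(line: str):
    """Split 'name-version-release[.arch]' into (name, version, release)."""
    line = line.strip()
    for arch in _ARCHES:
        if line.endswith("." + arch):
            line = line[: -len(arch) - 1]
            break
    parts = line.rsplit("-", 2)    # name itself may contain dashes
    if len(parts) != 3:
        raise ValueError(f"not a name-version-release string: {line!r}")
    return tuple(parts)


# Constructed sample of `rpm -q` output gathered from hypothetical hosts.
SAMPLE_RPM_OUTPUT = """\
buildah-1.17.0-3.6.1.x86_64
buildah-1.16.2-3.3.1.aarch64
buildah-1.17.0-3.9.1.s390x
buildah-1.17.0-3.6.1~rc1.ppc64le
buildah-1.18.0-1.1.x86_64
"""


def assess(rpm_output: str) -> dict:
    """Map each NVRA line to True (fixed build or newer) or False (needs the patch)."""
    result = {}
    for line in rpm_output.splitlines():
        if not line.strip():
            continue
        name, version, release = parse_nvra(line)
        if name != "buildah":
            continue
        result[line.strip()] = is_patched(version, release)
    return result


if __name__ == "__main__":
    for nvra, ok in assess(SAMPLE_RPM_OUTPUT).items():
        print(f"{nvra:40} {'patched' if ok else 'NEEDS SUSE-SU-2020:3423-1'}")
```

   The pre-release line in the sample (3.6.1~rc1) is there on purpose: a
   naive string or float comparison would accept it as "3.6.1 or newer",
   while rpm, and this check, correctly rank it below the fixed release.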


References:

   https://www.suse.com/security/cve/CVE-2019-10214.html
   https://www.suse.com/security/cve/CVE-2020-10696.html
   https://bugzilla.suse.com/1165184
   https://bugzilla.suse.com/1167864


