Security vulnerability in the skopeo software package

  • OS details: WN7
  • Severity: IMP
  • Operating systems: L
  • Categories: LSU

openSUSE Security Update: Security update for skopeo
______________________________________________________________________________

Announcement ID: openSUSE-SU-2020:0377-1
Rating: moderate
References: #1159530 #1165715
Cross-References: CVE-2019-10214
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________

An update that solves one vulnerability and has one errata
is now available.

Description:

This update for skopeo fixes the following issues:

Update to skopeo v0.1.41 (bsc#1165715):

– Bump github.com/containers/image/v5 from 5.2.0 to 5.2.1
– Bump gopkg.in/yaml.v2 from 2.2.7 to 2.2.8
– Bump github.com/containers/common from 0.0.7 to 0.1.4
– Remove the reference to openshift/api
– vendor github.com/containers/image/v5@v5.2.0
– Manually update buildah to v1.13.1
– add specific authfile options to copy (and sync) command.
– Bump github.com/containers/buildah from 1.11.6 to 1.12.0
– Add context to --encryption-key / --decryption-key processing failures
– Bump github.com/containers/storage from 1.15.2 to 1.15.3
– Bump github.com/containers/buildah from 1.11.5 to 1.11.6
– remove direct reference on c/image/storage
– Makefile: set GOBIN
– Bump gopkg.in/yaml.v2 from 2.2.2 to 2.2.7
– Bump github.com/containers/storage from 1.15.1 to 1.15.2
– Introduce the sync command
– openshift cluster: remove .docker directory on teardown
– Bump github.com/containers/storage from 1.14.0 to 1.15.1
– document installation via apk on alpine
– Fix typos in doc for image encryption
– Image encryption/decryption support in skopeo
– make vendor-in-container
– Bump github.com/containers/buildah from 1.11.4 to 1.11.5
– Travis: use go v1.13
– Use a Windows Nano Server image instead of Server Core for multi-arch
testing
– Increase test timeout to 15 minutes
– Run the test-system container without --net=host
– Mount /run/systemd/journal/socket into test-system containers
– Don’t unnecessarily filter out vendor from (go list ./...)
output
– Use -mod=vendor in (go {list,test,vet})
– Bump github.com/containers/buildah from 1.8.4 to 1.11.4
– Bump github.com/urfave/cli from 1.20.0 to 1.22.1
– skopeo: drop support for ostree
– Don’t critically fail on a 403 when listing tags
– Revert “Temporarily work around auth.json location confusion”
– Remove references to atomic
– Remove references to storage.conf
– Dockerfile: use golang-github-cpuguy83-go-md2man
– bump version to v0.1.41-dev
– systemtest: inspect container image different from current platform arch

Changes in v0.1.40:

– vendor containers/image v5.0.0
– copy: add a --all/-a flag
– System tests: various fixes
– Temporarily work around auth.json location confusion
– systemtest: copy: docker->storage->oci-archive
– systemtest/010-inspect.bats: require only PATH
– systemtest: add simple env test in inspect.bats
– bash completion: add comments to keep scattered options in sync
– bash completion: use read -r instead of disabling SC2207
– bash completion: support --opt arg completion
– bash-completion: use replacement instead of sed
– bash completion: disable shellcheck SC2207
– bash completion: double-quote to avoid re-splitting
– bash completions: use bash replacement instead of sed
– bash completion: remove unused variable
– bash-completions: split decl and assignment to avoid masking retvals
– bash completion: double-quote fixes
– bash completion: hard-set PROG=skopeo
– bash completion: remove unused variable
– bash completion: use `||` instead of `-o`
– bash completion: rm eval on assigned variable
– copy: add --dest-compress-format and --dest-compress-level
– flag: add optionalIntValue
– Makefile: use go proxy
– inspect --raw: skip the NewImage() step
– update OCI image-spec to 775207bd45b6cb8153ce218cc59351799217451f
– inspect.go: inspect env variables
– ostree: use both image and & storage buildtags

Update to skopeo v0.1.39 (bsc#1159530):

– inspect: add a --config flag
– Add --no-creds flag to skopeo inspect
– Add --quiet option to skopeo copy
– New progress bars
– Parallel Pulls and Pushes for major speed improvements
– containers/image moved to a new progress-bar library to fix various
issues related to overlapping bars and redundant entries.
– enforce blocking of registries
– Allow storage-multiple-manifests
– When copying images and the output is not a tty (e.g., when piping to a
file) print single lines instead of using progress bars. This avoids
long and hard to parse output
– man pages: add --dest-oci-accept-uncompressed-layers
– completions:
– Introduce transports completions
– Fix bash completions when a option requires a argument
– Use only spaces in indent
– Fix completions with a global option
– add --dest-oci-accept-uncompressed-layers

This update was imported from the SUSE:SLE-15:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– openSUSE Leap 15.1:

zypper in -t patch openSUSE-2020-377=1

Package List:

– openSUSE Leap 15.1 (x86_64):

skopeo-0.1.41-lp151.2.6.1
skopeo-debuginfo-0.1.41-lp151.2.6.1

References:

https://www.suse.com/security/cve/CVE-2019-10214.html
https://bugzilla.suse.com/1159530
https://bugzilla.suse.com/1165715



Author: Toni Vugdelija
CERT ID: NCERT-REF-2020-03-0001-ADV
Source: Adobe