opensuse-su-2020:0377-1
Vulnerability from csaf_opensuse
Published
2020-03-25 09:19
Modified
2020-03-25 09:19
Summary
Security update for skopeo

Notes

Title of the patch
Security update for skopeo
Description of the patch
This update for skopeo fixes the following issues: Update to skopeo v0.1.41 (bsc#1165715): - Bump github.com/containers/image/v5 from 5.2.0 to 5.2.1 - Bump gopkg.in/yaml.v2 from 2.2.7 to 2.2.8 - Bump github.com/containers/common from 0.0.7 to 0.1.4 - Remove the reference to openshift/api - vendor github.com/containers/image/v5@v5.2.0 - Manually update buildah to v1.13.1 - add specific authfile options to copy (and sync) command. - Bump github.com/containers/buildah from 1.11.6 to 1.12.0 - Add context to --encryption-key / --decryption-key processing failures - Bump github.com/containers/storage from 1.15.2 to 1.15.3 - Bump github.com/containers/buildah from 1.11.5 to 1.11.6 - remove direct reference on c/image/storage - Makefile: set GOBIN - Bump gopkg.in/yaml.v2 from 2.2.2 to 2.2.7 - Bump github.com/containers/storage from 1.15.1 to 1.15.2 - Introduce the sync command - openshift cluster: remove .docker directory on teardown - Bump github.com/containers/storage from 1.14.0 to 1.15.1 - document installation via apk on alpine - Fix typos in doc for image encryption - Image encryption/decryption support in skopeo - make vendor-in-container - Bump github.com/containers/buildah from 1.11.4 to 1.11.5 - Travis: use go v1.13 - Use a Windows Nano Server image instead of Server Core for multi-arch testing - Increase test timeout to 15 minutes - Run the test-system container without --net=host - Mount /run/systemd/journal/socket into test-system containers - Don't unnecessarily filter out vendor from (go list ./...) output - Use -mod=vendor in (go {list,test,vet}) - Bump github.com/containers/buildah from 1.8.4 to 1.11.4 - Bump github.com/urfave/cli from 1.20.0 to 1.22.1 - skopeo: drop support for ostree - Don't critically fail on a 403 when listing tags - Revert 'Temporarily work around auth.json location confusion' - Remove references to atomic - Remove references to storage.conf - Dockerfile: use golang-github-cpuguy83-go-md2man - bump version to v0.1.41-dev - systemtest: inspect container image different from current platform arch Changes in v0.1.40: - vendor containers/image v5.0.0 - copy: add a --all/-a flag - System tests: various fixes - Temporarily work around auth.json location confusion - systemtest: copy: docker->storage->oci-archive - systemtest/010-inspect.bats: require only PATH - systemtest: add simple env test in inspect.bats - bash completion: add comments to keep scattered options in sync - bash completion: use read -r instead of disabling SC2207 - bash completion: support --opt arg completion - bash-completion: use replacement instead of sed - bash completion: disable shellcheck SC2207 - bash completion: double-quote to avoid re-splitting - bash completions: use bash replacement instead of sed - bash completion: remove unused variable - bash-completions: split decl and assignment to avoid masking retvals - bash completion: double-quote fixes - bash completion: hard-set PROG=skopeo - bash completion: remove unused variable - bash completion: use `||` instead of `-o` - bash completion: rm eval on assigned variable - copy: add --dest-compress-format and --dest-compress-level - flag: add optionalIntValue - Makefile: use go proxy - inspect --raw: skip the NewImage() step - update OCI image-spec to 775207bd45b6cb8153ce218cc59351799217451f - inspect.go: inspect env variables - ostree: use both image and & storage buildtags Update to skopeo v0.1.39 (bsc#1159530): - inspect: add a --config flag - Add --no-creds flag to skopeo inspect - Add --quiet option to skopeo copy - New progress bars - Parallel Pulls and Pushes for major speed improvements - containers/image moved to a new progress-bar library to fix various issues related to overlapping bars and redundant entries. - enforce blocking of registries - Allow storage-multiple-manifests - When copying images and the output is not a tty (e.g., when piping to a file) print single lines instead of using progress bars. This avoids long and hard to parse output - man pages: add --dest-oci-accept-uncompressed-layers - completions: - Introduce transports completions - Fix bash completions when a option requires a argument - Use only spaces in indent - Fix completions with a global option - add --dest-oci-accept-uncompressed-layers This update was imported from the SUSE:SLE-15:Update update project.
Patchnames
openSUSE-2020-377
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).


To clipboard 

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for skopeo",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for skopeo fixes the following issues:\n\nUpdate to skopeo v0.1.41 (bsc#1165715):\n\n- Bump github.com/containers/image/v5 from 5.2.0 to 5.2.1\n- Bump gopkg.in/yaml.v2 from 2.2.7 to 2.2.8\n- Bump github.com/containers/common from 0.0.7 to 0.1.4\n- Remove the reference to openshift/api\n- vendor github.com/containers/image/v5@v5.2.0\n- Manually update buildah to v1.13.1\n- add specific authfile options to copy (and sync) command.\n- Bump github.com/containers/buildah from 1.11.6 to 1.12.0\n- Add context to --encryption-key / --decryption-key processing\n  failures\n- Bump github.com/containers/storage from 1.15.2 to 1.15.3\n- Bump github.com/containers/buildah from 1.11.5 to 1.11.6\n- remove direct reference on c/image/storage\n- Makefile: set GOBIN\n- Bump gopkg.in/yaml.v2 from 2.2.2 to 2.2.7\n- Bump github.com/containers/storage from 1.15.1 to 1.15.2\n- Introduce the sync command\n- openshift cluster: remove .docker directory on teardown\n- Bump github.com/containers/storage from 1.14.0 to 1.15.1\n- document installation via apk on alpine\n- Fix typos in doc for image encryption\n- Image encryption/decryption support in skopeo\n- make vendor-in-container\n- Bump github.com/containers/buildah from 1.11.4 to 1.11.5\n- Travis: use go v1.13\n- Use a Windows Nano Server image instead of Server Core for\n  multi-arch testing\n- Increase test timeout to 15 minutes\n- Run the test-system container without --net=host\n- Mount /run/systemd/journal/socket into test-system containers\n- Don\u0027t unnecessarily filter out vendor from (go list ./...)\n  output\n- Use -mod=vendor in (go {list,test,vet})\n- Bump github.com/containers/buildah from 1.8.4 to 1.11.4\n- Bump github.com/urfave/cli from 1.20.0 to 1.22.1\n- skopeo: drop support for ostree\n- Don\u0027t critically fail on a 403 when listing tags\n- Revert \u0027Temporarily work around auth.json location confusion\u0027\n- Remove references to atomic\n- Remove references to storage.conf\n- Dockerfile: use golang-github-cpuguy83-go-md2man\n- bump version to v0.1.41-dev\n- systemtest: inspect container image different from current\n  platform arch\n\nChanges in v0.1.40:\n\n- vendor containers/image v5.0.0\n- copy: add a --all/-a flag\n- System tests: various fixes\n- Temporarily work around auth.json location confusion\n- systemtest: copy: docker-\u003estorage-\u003eoci-archive\n- systemtest/010-inspect.bats: require only PATH\n- systemtest: add simple env test in inspect.bats\n- bash completion: add comments to keep scattered options in sync\n- bash completion: use read -r instead of disabling SC2207\n- bash completion: support --opt arg completion\n- bash-completion: use replacement instead of sed\n- bash completion: disable shellcheck SC2207\n- bash completion: double-quote to avoid re-splitting\n- bash completions: use bash replacement instead of sed\n- bash completion: remove unused variable\n- bash-completions: split decl and assignment to avoid masking\n  retvals\n- bash completion: double-quote fixes\n- bash completion: hard-set PROG=skopeo\n- bash completion: remove unused variable\n- bash completion: use `||` instead of `-o`\n- bash completion: rm eval on assigned variable\n- copy: add --dest-compress-format and --dest-compress-level\n- flag: add optionalIntValue\n- Makefile: use go proxy\n- inspect --raw: skip the NewImage() step\n- update OCI image-spec to\n  775207bd45b6cb8153ce218cc59351799217451f\n- inspect.go: inspect env variables\n- ostree: use both image and \u0026 storage buildtags\n\n\nUpdate to skopeo v0.1.39 (bsc#1159530):\n\n- inspect: add a --config flag\n- Add --no-creds flag to skopeo inspect\n- Add --quiet option to skopeo copy\n- New progress bars\n- Parallel Pulls and Pushes for major speed improvements\n- containers/image moved to a new progress-bar library to fix various\n  issues related to overlapping bars and redundant entries.\n- enforce blocking of registries\n- Allow storage-multiple-manifests\n- When copying images and the output is not a tty (e.g., when piping to a\n  file) print single lines instead of using progress bars. This avoids\n  long and hard to parse output\n- man pages: add --dest-oci-accept-uncompressed-layers\n- completions: \n  - Introduce transports completions\n  - Fix bash completions when a option requires a argument\n  - Use only spaces in indent\n   - Fix completions with a global option\n  - add --dest-oci-accept-uncompressed-layers\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2020-377",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_0377-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2020:0377-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4ILBJ4PWG72SOBVPDNPC2K2KBEYLGL36/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2020:0377-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4ILBJ4PWG72SOBVPDNPC2K2KBEYLGL36/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1159530",
        "url": "https://bugzilla.suse.com/1159530"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1165715",
        "url": "https://bugzilla.suse.com/1165715"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-10214 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-10214/"
      }
    ],
    "title": "Security update for skopeo",
    "tracking": {
      "current_release_date": "2020-03-25T09:19:16Z",
      "generator": {
        "date": "2020-03-25T09:19:16Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2020:0377-1",
      "initial_release_date": "2020-03-25T09:19:16Z",
      "revision_history": [
        {
          "date": "2020-03-25T09:19:16Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "skopeo-0.1.41-lp151.2.6.1.x86_64",
                "product": {
                  "name": "skopeo-0.1.41-lp151.2.6.1.x86_64",
                  "product_id": "skopeo-0.1.41-lp151.2.6.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.1",
                "product": {
                  "name": "openSUSE Leap 15.1",
                  "product_id": "openSUSE Leap 15.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "skopeo-0.1.41-lp151.2.6.1.x86_64 as component of openSUSE Leap 15.1",
          "product_id": "openSUSE Leap 15.1:skopeo-0.1.41-lp151.2.6.1.x86_64"
        },
        "product_reference": "skopeo-0.1.41-lp151.2.6.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.1"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-10214",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-10214"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launch a MiTM attack and steal login credentials or bearer tokens.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.1:skopeo-0.1.41-lp151.2.6.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-10214",
          "url": "https://www.suse.com/security/cve/CVE-2019-10214"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1144065 for CVE-2019-10214",
          "url": "https://bugzilla.suse.com/1144065"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.1:skopeo-0.1.41-lp151.2.6.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "openSUSE Leap 15.1:skopeo-0.1.41-lp151.2.6.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-03-25T09:19:16Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2019-10214"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.