suse-su-2020:0712-1
Vulnerability from csaf_suse
Published
2020-03-18 09:26
Modified
2020-03-18 09:26
Summary
Security update for skopeo
Notes
Title of the patch
Security update for skopeo
Description of the patch
This update for skopeo fixes the following issues:
Update to skopeo v0.1.41 (bsc#1165715):
- Bump github.com/containers/image/v5 from 5.2.0 to 5.2.1
- Bump gopkg.in/yaml.v2 from 2.2.7 to 2.2.8
- Bump github.com/containers/common from 0.0.7 to 0.1.4
- Remove the reference to openshift/api
- vendor github.com/containers/image/v5@v5.2.0
- Manually update buildah to v1.13.1
- add specific authfile options to copy (and sync) command.
- Bump github.com/containers/buildah from 1.11.6 to 1.12.0
- Add context to --encryption-key / --decryption-key processing
failures
- Bump github.com/containers/storage from 1.15.2 to 1.15.3
- Bump github.com/containers/buildah from 1.11.5 to 1.11.6
- remove direct reference on c/image/storage
- Makefile: set GOBIN
- Bump gopkg.in/yaml.v2 from 2.2.2 to 2.2.7
- Bump github.com/containers/storage from 1.15.1 to 1.15.2
- Introduce the sync command
- openshift cluster: remove .docker directory on teardown
- Bump github.com/containers/storage from 1.14.0 to 1.15.1
- document installation via apk on alpine
- Fix typos in doc for image encryption
- Image encryption/decryption support in skopeo
- make vendor-in-container
- Bump github.com/containers/buildah from 1.11.4 to 1.11.5
- Travis: use go v1.13
- Use a Windows Nano Server image instead of Server Core for
multi-arch testing
- Increase test timeout to 15 minutes
- Run the test-system container without --net=host
- Mount /run/systemd/journal/socket into test-system containers
- Don't unnecessarily filter out vendor from (go list ./...)
output
- Use -mod=vendor in (go {list,test,vet})
- Bump github.com/containers/buildah from 1.8.4 to 1.11.4
- Bump github.com/urfave/cli from 1.20.0 to 1.22.1
- skopeo: drop support for ostree
- Don't critically fail on a 403 when listing tags
- Revert 'Temporarily work around auth.json location confusion'
- Remove references to atomic
- Remove references to storage.conf
- Dockerfile: use golang-github-cpuguy83-go-md2man
- bump version to v0.1.41-dev
- systemtest: inspect container image different from current
platform arch
Changes in v0.1.40:
- vendor containers/image v5.0.0
- copy: add a --all/-a flag
- System tests: various fixes
- Temporarily work around auth.json location confusion
- systemtest: copy: docker->storage->oci-archive
- systemtest/010-inspect.bats: require only PATH
- systemtest: add simple env test in inspect.bats
- bash completion: add comments to keep scattered options in sync
- bash completion: use read -r instead of disabling SC2207
- bash completion: support --opt arg completion
- bash-completion: use replacement instead of sed
- bash completion: disable shellcheck SC2207
- bash completion: double-quote to avoid re-splitting
- bash completions: use bash replacement instead of sed
- bash completion: remove unused variable
- bash-completions: split decl and assignment to avoid masking
retvals
- bash completion: double-quote fixes
- bash completion: hard-set PROG=skopeo
- bash completion: remove unused variable
- bash completion: use `||` instead of `-o`
- bash completion: rm eval on assigned variable
- copy: add --dest-compress-format and --dest-compress-level
- flag: add optionalIntValue
- Makefile: use go proxy
- inspect --raw: skip the NewImage() step
- update OCI image-spec to
775207bd45b6cb8153ce218cc59351799217451f
- inspect.go: inspect env variables
- ostree: use both image and & storage buildtags
Update to skopeo v0.1.39 (bsc#1159530):
- inspect: add a --config flag
- Add --no-creds flag to skopeo inspect
- Add --quiet option to skopeo copy
- New progress bars
- Parallel Pulls and Pushes for major speed improvements
- containers/image moved to a new progress-bar library to fix various
issues related to overlapping bars and redundant entries.
- enforce blocking of registries
- Allow storage-multiple-manifests
- When copying images and the output is not a tty (e.g., when piping to a
file) print single lines instead of using progress bars. This avoids
long and hard to parse output
- man pages: add --dest-oci-accept-uncompressed-layers
- completions:
- Introduce transports completions
- Fix bash completions when a option requires a argument
- Use only spaces in indent
- Fix completions with a global option
- add --dest-oci-accept-uncompressed-layers
Patchnames
SUSE-2020-712,SUSE-SLE-Module-Server-Applications-15-SP1-2020-712
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for skopeo",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for skopeo fixes the following issues:\n\nUpdate to skopeo v0.1.41 (bsc#1165715):\n\n- Bump github.com/containers/image/v5 from 5.2.0 to 5.2.1\n- Bump gopkg.in/yaml.v2 from 2.2.7 to 2.2.8\n- Bump github.com/containers/common from 0.0.7 to 0.1.4\n- Remove the reference to openshift/api\n- vendor github.com/containers/image/v5@v5.2.0\n- Manually update buildah to v1.13.1\n- add specific authfile options to copy (and sync) command.\n- Bump github.com/containers/buildah from 1.11.6 to 1.12.0\n- Add context to --encryption-key / --decryption-key processing\n failures\n- Bump github.com/containers/storage from 1.15.2 to 1.15.3\n- Bump github.com/containers/buildah from 1.11.5 to 1.11.6\n- remove direct reference on c/image/storage\n- Makefile: set GOBIN\n- Bump gopkg.in/yaml.v2 from 2.2.2 to 2.2.7\n- Bump github.com/containers/storage from 1.15.1 to 1.15.2\n- Introduce the sync command\n- openshift cluster: remove .docker directory on teardown\n- Bump github.com/containers/storage from 1.14.0 to 1.15.1\n- document installation via apk on alpine\n- Fix typos in doc for image encryption\n- Image encryption/decryption support in skopeo\n- make vendor-in-container\n- Bump github.com/containers/buildah from 1.11.4 to 1.11.5\n- Travis: use go v1.13\n- Use a Windows Nano Server image instead of Server Core for\n multi-arch testing\n- Increase test timeout to 15 minutes\n- Run the test-system container without --net=host\n- Mount /run/systemd/journal/socket into test-system containers\n- Don\u0027t unnecessarily filter out vendor from (go list ./...)\n output\n- Use -mod=vendor in (go {list,test,vet})\n- Bump github.com/containers/buildah from 1.8.4 to 1.11.4\n- Bump github.com/urfave/cli from 1.20.0 to 1.22.1\n- skopeo: drop support for ostree\n- Don\u0027t critically fail on a 403 when listing tags\n- Revert \u0027Temporarily work around auth.json location confusion\u0027\n- Remove references to atomic\n- Remove references to storage.conf\n- Dockerfile: use golang-github-cpuguy83-go-md2man\n- bump version to v0.1.41-dev\n- systemtest: inspect container image different from current\n platform arch\n\nChanges in v0.1.40:\n\n- vendor containers/image v5.0.0\n- copy: add a --all/-a flag\n- System tests: various fixes\n- Temporarily work around auth.json location confusion\n- systemtest: copy: docker-\u003estorage-\u003eoci-archive\n- systemtest/010-inspect.bats: require only PATH\n- systemtest: add simple env test in inspect.bats\n- bash completion: add comments to keep scattered options in sync\n- bash completion: use read -r instead of disabling SC2207\n- bash completion: support --opt arg completion\n- bash-completion: use replacement instead of sed\n- bash completion: disable shellcheck SC2207\n- bash completion: double-quote to avoid re-splitting\n- bash completions: use bash replacement instead of sed\n- bash completion: remove unused variable\n- bash-completions: split decl and assignment to avoid masking\n retvals\n- bash completion: double-quote fixes\n- bash completion: hard-set PROG=skopeo\n- bash completion: remove unused variable\n- bash completion: use `||` instead of `-o`\n- bash completion: rm eval on assigned variable\n- copy: add --dest-compress-format and --dest-compress-level\n- flag: add optionalIntValue\n- Makefile: use go proxy\n- inspect --raw: skip the NewImage() step\n- update OCI image-spec to\n 775207bd45b6cb8153ce218cc59351799217451f\n- inspect.go: inspect env variables\n- ostree: use both image and \u0026 storage buildtags\n\n\nUpdate to skopeo v0.1.39 (bsc#1159530):\n\n- inspect: add a --config flag\n- Add --no-creds flag to skopeo inspect\n- Add --quiet option to skopeo copy\n- New progress bars\n- Parallel Pulls and Pushes for major speed improvements\n- containers/image moved to a new progress-bar library to fix various\n issues related to overlapping bars and redundant entries.\n- enforce blocking of registries\n- Allow storage-multiple-manifests\n- When copying images and the output is not a tty (e.g., when piping to a\n file) print single lines instead of using progress bars. This avoids\n long and hard to parse output\n- man pages: add --dest-oci-accept-uncompressed-layers\n- completions: \n - Introduce transports completions\n - Fix bash completions when a option requires a argument\n - Use only spaces in indent\n - Fix completions with a global option\n - add --dest-oci-accept-uncompressed-layers\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2020-712,SUSE-SLE-Module-Server-Applications-15-SP1-2020-712",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2020_0712-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2020:0712-1",
"url": "https://www.suse.com/support/update/announcement/2020/suse-su-20200712-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2020:0712-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2020-March/006624.html"
},
{
"category": "self",
"summary": "SUSE Bug 1159530",
"url": "https://bugzilla.suse.com/1159530"
},
{
"category": "self",
"summary": "SUSE Bug 1165715",
"url": "https://bugzilla.suse.com/1165715"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-10214 page",
"url": "https://www.suse.com/security/cve/CVE-2019-10214/"
}
],
"title": "Security update for skopeo",
"tracking": {
"current_release_date": "2020-03-18T09:26:58Z",
"generator": {
"date": "2020-03-18T09:26:58Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2020:0712-1",
"initial_release_date": "2020-03-18T09:26:58Z",
"revision_history": [
{
"date": "2020-03-18T09:26:58Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "skopeo-0.1.41-4.11.1.aarch64",
"product": {
"name": "skopeo-0.1.41-4.11.1.aarch64",
"product_id": "skopeo-0.1.41-4.11.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "skopeo-0.1.41-4.11.1.i586",
"product": {
"name": "skopeo-0.1.41-4.11.1.i586",
"product_id": "skopeo-0.1.41-4.11.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "skopeo-0.1.41-4.11.1.ppc64le",
"product": {
"name": "skopeo-0.1.41-4.11.1.ppc64le",
"product_id": "skopeo-0.1.41-4.11.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "skopeo-0.1.41-4.11.1.s390x",
"product": {
"name": "skopeo-0.1.41-4.11.1.s390x",
"product_id": "skopeo-0.1.41-4.11.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "skopeo-0.1.41-4.11.1.x86_64",
"product": {
"name": "skopeo-0.1.41-4.11.1.x86_64",
"product_id": "skopeo-0.1.41-4.11.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Server Applications 15 SP1",
"product": {
"name": "SUSE Linux Enterprise Module for Server Applications 15 SP1",
"product_id": "SUSE Linux Enterprise Module for Server Applications 15 SP1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-server-applications:15:sp1"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "skopeo-0.1.41-4.11.1.aarch64 as component of SUSE Linux Enterprise Module for Server Applications 15 SP1",
"product_id": "SUSE Linux Enterprise Module for Server Applications 15 SP1:skopeo-0.1.41-4.11.1.aarch64"
},
"product_reference": "skopeo-0.1.41-4.11.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Server Applications 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "skopeo-0.1.41-4.11.1.ppc64le as component of SUSE Linux Enterprise Module for Server Applications 15 SP1",
"product_id": "SUSE Linux Enterprise Module for Server Applications 15 SP1:skopeo-0.1.41-4.11.1.ppc64le"
},
"product_reference": "skopeo-0.1.41-4.11.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Server Applications 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "skopeo-0.1.41-4.11.1.s390x as component of SUSE Linux Enterprise Module for Server Applications 15 SP1",
"product_id": "SUSE Linux Enterprise Module for Server Applications 15 SP1:skopeo-0.1.41-4.11.1.s390x"
},
"product_reference": "skopeo-0.1.41-4.11.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Server Applications 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "skopeo-0.1.41-4.11.1.x86_64 as component of SUSE Linux Enterprise Module for Server Applications 15 SP1",
"product_id": "SUSE Linux Enterprise Module for Server Applications 15 SP1:skopeo-0.1.41-4.11.1.x86_64"
},
"product_reference": "skopeo-0.1.41-4.11.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Server Applications 15 SP1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-10214",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-10214"
}
],
"notes": [
{
"category": "general",
"text": "The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launch a MiTM attack and steal login credentials or bearer tokens.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Server Applications 15 SP1:skopeo-0.1.41-4.11.1.aarch64",
"SUSE Linux Enterprise Module for Server Applications 15 SP1:skopeo-0.1.41-4.11.1.ppc64le",
"SUSE Linux Enterprise Module for Server Applications 15 SP1:skopeo-0.1.41-4.11.1.s390x",
"SUSE Linux Enterprise Module for Server Applications 15 SP1:skopeo-0.1.41-4.11.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-10214",
"url": "https://www.suse.com/security/cve/CVE-2019-10214"
},
{
"category": "external",
"summary": "SUSE Bug 1144065 for CVE-2019-10214",
"url": "https://bugzilla.suse.com/1144065"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Server Applications 15 SP1:skopeo-0.1.41-4.11.1.aarch64",
"SUSE Linux Enterprise Module for Server Applications 15 SP1:skopeo-0.1.41-4.11.1.ppc64le",
"SUSE Linux Enterprise Module for Server Applications 15 SP1:skopeo-0.1.41-4.11.1.s390x",
"SUSE Linux Enterprise Module for Server Applications 15 SP1:skopeo-0.1.41-4.11.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"SUSE Linux Enterprise Module for Server Applications 15 SP1:skopeo-0.1.41-4.11.1.aarch64",
"SUSE Linux Enterprise Module for Server Applications 15 SP1:skopeo-0.1.41-4.11.1.ppc64le",
"SUSE Linux Enterprise Module for Server Applications 15 SP1:skopeo-0.1.41-4.11.1.s390x",
"SUSE Linux Enterprise Module for Server Applications 15 SP1:skopeo-0.1.41-4.11.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-03-18T09:26:58Z",
"details": "important"
}
],
"title": "CVE-2019-10214"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…