Security update for skopeo

Announcement ID:	SUSE-SU-2020:0712-1
Rating:	moderate
References:	bsc#1159530 bsc#1165715
Cross-References:	CVE-2019-10214
CVSS scores:	CVE-2019-10214 ( SUSE ): 9.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H CVE-2019-10214 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:	Server Applications Module 15-SP1 SUSE Linux Enterprise High Performance Computing 15 SP1 SUSE Linux Enterprise Real Time 15 SP1 SUSE Linux Enterprise Server 15 SP1 SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1 SUSE Linux Enterprise Server for SAP Applications 15 SP1 SUSE Manager Proxy 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Server 4.0

An update that solves one vulnerability and has one security fix can now be installed.

Description:

This update for skopeo fixes the following issues:

Update to skopeo v0.1.41 (bsc#1165715):

• Bump github.com/containers/image/v5 from 5.2.0 to 5.2.1
• Bump gopkg.in/yaml.v2 from 2.2.7 to 2.2.8
• Bump github.com/containers/common from 0.0.7 to 0.1.4
• Remove the reference to openshift/api
• vendor github.com/containers/image/v5@v5.2.0
• Manually update buildah to v1.13.1
• add specific authfile options to copy (and sync) command.
• Bump github.com/containers/buildah from 1.11.6 to 1.12.0
• Add context to --encryption-key / --decryption-key processing failures
• Bump github.com/containers/storage from 1.15.2 to 1.15.3
• Bump github.com/containers/buildah from 1.11.5 to 1.11.6
• remove direct reference on c/image/storage
• Makefile: set GOBIN
• Bump gopkg.in/yaml.v2 from 2.2.2 to 2.2.7
• Bump github.com/containers/storage from 1.15.1 to 1.15.2
• Introduce the sync command
• openshift cluster: remove .docker directory on teardown
• Bump github.com/containers/storage from 1.14.0 to 1.15.1
• document installation via apk on alpine
• Fix typos in doc for image encryption
• Image encryption/decryption support in skopeo
• make vendor-in-container
• Bump github.com/containers/buildah from 1.11.4 to 1.11.5
• Travis: use go v1.13
• Use a Windows Nano Server image instead of Server Core for multi-arch testing
• Increase test timeout to 15 minutes
• Run the test-system container without --net=host
• Mount /run/systemd/journal/socket into test-system containers
• Don't unnecessarily filter out vendor from (go list ./...) output
• Use -mod=vendor in (go {list,test,vet})
• Bump github.com/containers/buildah from 1.8.4 to 1.11.4
• Bump github.com/urfave/cli from 1.20.0 to 1.22.1
• skopeo: drop support for ostree
• Don't critically fail on a 403 when listing tags
• Revert "Temporarily work around auth.json location confusion"
• Remove references to atomic
• Remove references to storage.conf
• Dockerfile: use golang-github-cpuguy83-go-md2man
• bump version to v0.1.41-dev
• systemtest: inspect container image different from current platform arch

Changes in v0.1.40:

• vendor containers/image v5.0.0
• copy: add a --all/-a flag
• System tests: various fixes
• Temporarily work around auth.json location confusion
• systemtest: copy: docker->storage->oci-archive
• systemtest/010-inspect.bats: require only PATH
• systemtest: add simple env test in inspect.bats
• bash completion: add comments to keep scattered options in sync
• bash completion: use read -r instead of disabling SC2207
• bash completion: support --opt arg completion
• bash-completion: use replacement instead of sed
• bash completion: disable shellcheck SC2207
• bash completion: double-quote to avoid re-splitting
• bash completions: use bash replacement instead of sed
• bash completion: remove unused variable
• bash-completions: split decl and assignment to avoid masking retvals
• bash completion: double-quote fixes
• bash completion: hard-set PROG=skopeo
• bash completion: remove unused variable
• bash completion: use || instead of -o
• bash completion: rm eval on assigned variable
• copy: add --dest-compress-format and --dest-compress-level
• flag: add optionalIntValue
• Makefile: use go proxy
• inspect --raw: skip the NewImage() step
• update OCI image-spec to 775207bd45b6cb8153ce218cc59351799217451f
• inspect.go: inspect env variables
• ostree: use both image and & storage buildtags

Update to skopeo v0.1.39 (bsc#1159530):

• inspect: add a --config flag
• Add --no-creds flag to skopeo inspect
• Add --quiet option to skopeo copy
• New progress bars
• Parallel Pulls and Pushes for major speed improvements
• containers/image moved to a new progress-bar library to fix various issues related to overlapping bars and redundant entries.
• enforce blocking of registries
• Allow storage-multiple-manifests
• When copying images and the output is not a tty (e.g., when piping to a file) print single lines instead of using progress bars. This avoids long and hard to parse output
• man pages: add --dest-oci-accept-uncompressed-layers
• completions:
• Introduce transports completions
• Fix bash completions when a option requires a argument
• Use only spaces in indent
• Fix completions with a global option
• add --dest-oci-accept-uncompressed-layers

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Server Applications Module 15-SP1
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-712=1

Package List:

• Server Applications Module 15-SP1 (aarch64 ppc64le s390x x86_64)
  • skopeo-0.1.41-4.11.1
  • skopeo-debuginfo-0.1.41-4.11.1

References:

• https://www.suse.com/security/cve/CVE-2019-10214.html
• https://bugzilla.suse.com/show_bug.cgi?id=1159530
• https://bugzilla.suse.com/show_bug.cgi?id=1165715