Security update for skopeo

SUSE Security Update: Security update for skopeo
Announcement ID: SUSE-SU-2020:0712-1
Rating: moderate
References: #1159530 #1165715
Cross-References: CVE-2019-10214
Affected Products:
  • SUSE Linux Enterprise Module for Server Applications 15-SP1

An update that solves one vulnerability and has one erratum is now available.

Description:

This update for skopeo fixes the following issues:
Update to skopeo v0.1.41 (bsc#1165715):

  • Bump github.com/containers/image/v5 from 5.2.0 to 5.2.1
  • Bump gopkg.in/yaml.v2 from 2.2.7 to 2.2.8
  • Bump github.com/containers/common from 0.0.7 to 0.1.4
  • Remove the reference to openshift/api
  • vendor github.com/containers/image/v5@v5.2.0
  • Manually update buildah to v1.13.1
  • add specific authfile options to copy (and sync) command.
  • Bump github.com/containers/buildah from 1.11.6 to 1.12.0
  • Add context to --encryption-key / --decryption-key processing failures
  • Bump github.com/containers/storage from 1.15.2 to 1.15.3
  • Bump github.com/containers/buildah from 1.11.5 to 1.11.6
  • remove direct reference on c/image/storage
  • Makefile: set GOBIN
  • Bump gopkg.in/yaml.v2 from 2.2.2 to 2.2.7
  • Bump github.com/containers/storage from 1.15.1 to 1.15.2
  • Introduce the sync command
  • openshift cluster: remove .docker directory on teardown
  • Bump github.com/containers/storage from 1.14.0 to 1.15.1
  • document installation via apk on alpine
  • Fix typos in doc for image encryption
  • Image encryption/decryption support in skopeo
  • make vendor-in-container
  • Bump github.com/containers/buildah from 1.11.4 to 1.11.5
  • Travis: use go v1.13
  • Use a Windows Nano Server image instead of Server Core for multi-arch testing
  • Increase test timeout to 15 minutes
  • Run the test-system container without --net=host
  • Mount /run/systemd/journal/socket into test-system containers
  • Don't unnecessarily filter out vendor from (go list ./...) output
  • Use -mod=vendor in (go {list,test,vet})
  • Bump github.com/containers/buildah from 1.8.4 to 1.11.4
  • Bump github.com/urfave/cli from 1.20.0 to 1.22.1
  • skopeo: drop support for ostree
  • Don't critically fail on a 403 when listing tags
  • Revert "Temporarily work around auth.json location confusion"
  • Remove references to atomic
  • Remove references to storage.conf
  • Dockerfile: use golang-github-cpuguy83-go-md2man
  • bump version to v0.1.41-dev
  • systemtest: inspect container image different from current platform arch

Changes in v0.1.40:
  • vendor containers/image v5.0.0
  • copy: add a --all/-a flag
  • System tests: various fixes
  • Temporarily work around auth.json location confusion
  • systemtest: copy: docker->storage->oci-archive
  • systemtest/010-inspect.bats: require only PATH
  • systemtest: add simple env test in inspect.bats
  • bash completion: add comments to keep scattered options in sync
  • bash completion: use read -r instead of disabling SC2207
  • bash completion: support --opt arg completion
  • bash-completion: use replacement instead of sed
  • bash completion: disable shellcheck SC2207
  • bash completion: double-quote to avoid re-splitting
  • bash completions: use bash replacement instead of sed
  • bash completion: remove unused variable
  • bash-completions: split decl and assignment to avoid masking retvals
  • bash completion: double-quote fixes
  • bash completion: hard-set PROG=skopeo
  • bash completion: remove unused variable
  • bash completion: use `||` instead of `-o`
  • bash completion: rm eval on assigned variable
  • copy: add --dest-compress-format and --dest-compress-level
  • flag: add optionalIntValue
  • Makefile: use go proxy
  • inspect --raw: skip the NewImage() step
  • update OCI image-spec to 775207bd45b6cb8153ce218cc59351799217451f
  • inspect.go: inspect env variables
  • ostree: use both image and storage buildtags


Update to skopeo v0.1.39 (bsc#1159530):
  • inspect: add a --config flag
  • Add --no-creds flag to skopeo inspect
  • Add --quiet option to skopeo copy
  • New progress bars
  • Parallel Pulls and Pushes for major speed improvements
  • containers/image moved to a new progress-bar library to fix various issues related to overlapping bars and redundant entries.
  • enforce blocking of registries
  • Allow storage-multiple-manifests
  • When copying images and the output is not a tty (e.g., when piping to a file), print single lines instead of using progress bars. This avoids long and hard-to-parse output.
  • man pages: add --dest-oci-accept-uncompressed-layers
  • completions:
    • Introduce transports completions
    • Fix bash completions when an option requires an argument
    • Use only spaces in indent
    • Fix completions with a global option
    • add --dest-oci-accept-uncompressed-layers

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Module for Server Applications 15-SP1:
    zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-712=1

Package List:

  • SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64):
    • skopeo-0.1.41-4.11.1
    • skopeo-debuginfo-0.1.41-4.11.1
