SUSE SLES15 Security Update : skopeo (SUSE-SU-2020:0712-1)

medium Nessus Plugin ID 134697


Synopsis

The remote SUSE host is missing one or more security updates.

Description

This update for skopeo fixes the following issues:

Update to skopeo v0.1.41 (bsc#1165715):

Bump github.com/containers/image/v5 from 5.2.0 to 5.2.1

Bump gopkg.in/yaml.v2 from 2.2.7 to 2.2.8

Bump github.com/containers/common from 0.0.7 to 0.1.4

Remove the reference to openshift/api

vendor github.com/containers/image/[email protected]

Manually update buildah to v1.13.1

add specific authfile options to copy (and sync) command.

Bump github.com/containers/buildah from 1.11.6 to 1.12.0

Add context to --encryption-key / --decryption-key processing failures

Bump github.com/containers/storage from 1.15.2 to 1.15.3

Bump github.com/containers/buildah from 1.11.5 to 1.11.6

remove direct reference on c/image/storage

Makefile: set GOBIN

Bump gopkg.in/yaml.v2 from 2.2.2 to 2.2.7

Bump github.com/containers/storage from 1.15.1 to 1.15.2

Introduce the sync command

openshift cluster: remove .docker directory on teardown

Bump github.com/containers/storage from 1.14.0 to 1.15.1

document installation via apk on alpine

Fix typos in doc for image encryption

Image encryption/decryption support in skopeo

make vendor-in-container

Bump github.com/containers/buildah from 1.11.4 to 1.11.5

Travis: use go v1.13

Use a Windows Nano Server image instead of Server Core for multi-arch testing

Increase test timeout to 15 minutes

Run the test-system container without --net=host

Mount /run/systemd/journal/socket into test-system containers

Don't unnecessarily filter out vendor from (go list ./...) output

Use -mod=vendor in (go {list,test,vet})

Bump github.com/containers/buildah from 1.8.4 to 1.11.4

Bump github.com/urfave/cli from 1.20.0 to 1.22.1

skopeo: drop support for ostree

Don't critically fail on a 403 when listing tags

Revert 'Temporarily work around auth.json location confusion'

Remove references to atomic

Remove references to storage.conf

Dockerfile: use golang-github-cpuguy83-go-md2man

bump version to v0.1.41-dev

systemtest: inspect container image different from current platform arch

Changes in v0.1.40: vendor containers/image v5.0.0

copy: add a --all/-a flag

System tests: various fixes

Temporarily work around auth.json location confusion

systemtest: copy: docker->storage->oci-archive

systemtest/010-inspect.bats: require only PATH

systemtest: add simple env test in inspect.bats

bash completion: add comments to keep scattered options in sync

bash completion: use read -r instead of disabling SC2207

bash completion: support --opt arg completion

bash-completion: use replacement instead of sed

bash completion: disable shellcheck SC2207

bash completion: double-quote to avoid re-splitting

bash completions: use bash replacement instead of sed

bash completion: remove unused variable

bash-completions: split decl and assignment to avoid masking retvals

bash completion: double-quote fixes

bash completion: hard-set PROG=skopeo

bash completion: remove unused variable

bash completion: use `||` instead of `-o`

bash completion: rm eval on assigned variable

copy: add --dest-compress-format and --dest-compress-level

flag: add optionalIntValue

Makefile: use go proxy

inspect --raw: skip the NewImage() step

update OCI image-spec to 775207bd45b6cb8153ce218cc59351799217451f

inspect.go: inspect env variables

ostree: use both image and & storage buildtags

Update to skopeo v0.1.39 (bsc#1159530): inspect: add a --config flag

Add --no-creds flag to skopeo inspect

Add --quiet option to skopeo copy

New progress bars

Parallel Pulls and Pushes for major speed improvements

containers/image moved to a new progress-bar library to fix various issues related to overlapping bars and redundant entries.

enforce blocking of registries

Allow storage-multiple-manifests

When copying images and the output is not a tty (e.g., when piping to a file), print single lines instead of using progress bars. This avoids long and hard-to-parse output.

man pages: add --dest-oci-accept-uncompressed-layers

completions:

- Introduce transports completions

- Fix bash completions when an option requires an argument

- Use only spaces in indent

- Fix completions with a global option

- add --dest-oci-accept-uncompressed-layers

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

To install this SUSE Security Update, use the SUSE-recommended installation methods such as YaST online_update or 'zypper patch'.

Alternatively, you can run the command listed for your product:

SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-712=1

See Also

https://bugzilla.suse.com/show_bug.cgi?id=1159530

https://bugzilla.suse.com/show_bug.cgi?id=1165715

https://www.suse.com/security/cve/CVE-2019-10214/

http://www.nessus.org/u?3b5c5e74

Plugin Details

Severity: Medium

ID: 134697

File Name: suse_SU-2020-0712-1.nasl

Version: 1.3

Type: local

Agent: unix

Published: 3/19/2020

Updated: 3/21/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2019-10214

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:skopeo, p-cpe:/a:novell:suse_linux:skopeo-debuginfo, cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 3/18/2020

Vulnerability Publication Date: 11/25/2019

Reference Information

CVE: CVE-2019-10214