openSUSE Security Update : buildah (openSUSE-2020-2106)

high Nessus Plugin ID 143496

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for buildah fixes the following issues :

buildah was updated to v1.17.0 (bsc#1165184) :

- Handle cases where other tools mount/unmount containers

- overlay.MountReadOnly: support RO overlay mounts

- overlay: use fusermount for rootless umounts

- overlay: fix umount

- Switch default log level of Buildah to Warn. Users need to see these messages

- Drop error messages about OCI/Docker format to Warning level

- build(deps): bump github.com/containers/common from 0.26.0 to 0.26.2

- tests/testreport: adjust for API break in storage v1.23.6

- build(deps): bump github.com/containers/storage from 1.23.5 to 1.23.7

- build(deps): bump github.com/fsouza/go-dockerclient from 1.6.5 to 1.6.6

- copier: put: ignore Typeflag='g'

- Use curl to get repo file (fix #2714)

- build(deps): bump github.com/containers/common from 0.25.0 to 0.26.0

- build(deps): bump github.com/spf13/cobra from 1.0.0 to 1.1.1

- Remove docs that refer to bors, since we're not using it

- Buildah bud should not use stdin by default

- bump containerd, docker, and golang.org/x/sys

- Makefile: cross: remove windows.386 target

- copier.copierHandlerPut: don't check length when there are errors

- Stop excessive wrapping

- CI: require that conformance tests pass

- bump(github.com/openshift/imagebuilder) to v1.1.8

- Skip tlsVerify insecure BUILD_REGISTRY_SOURCES

- Fix build path wrong containers/podman#7993

- refactor pullpolicy to avoid deps

- build(deps): bump github.com/containers/common from 0.24.0 to 0.25.0

- CI: run gating tasks with a lot more memory

- ADD and COPY: descend into excluded directories, sometimes

- copier: add more context to a couple of error messages

- copier: check an error earlier

- copier: log stderr output as debug on success

- Update nix pin with make nixpkgs

- Set directory ownership when copied with ID mapping

- build(deps): bump github.com/sirupsen/logrus from 1.6.0 to 1.7.0

- build(deps): bump github.com/containers/common from 0.23.0 to 0.24.0

- Cirrus: Remove bors artifacts

- Sort build flag definitions alphabetically

- ADD: only expand archives at the right time

- Remove configuration for bors

- Shell Completion for podman build flags

- Bump c/common to v0.24.0

- New CI check: xref --help vs man pages

- CI: re-enable several linters

- Move --userns-uid-map/--userns-gid-map description into buildah man page

- add: preserve ownerships and permissions on ADDed archives

- Makefile: tweak the cross-compile target

- Bump containers/common to v0.23.0

- chroot: create bind mount targets 0755 instead of 0700

- Change call to Split() to safer SplitN()

- chroot: fix handling of errno seccomp rules

- build(deps): bump github.com/containers/image/v5 from 5.5.2 to 5.6.0

- Add In Progress section to contributing

- integration tests: make sure tests run in $(topdir)/tests

- Run(): ignore containers.conf's environment configuration

- Warn when setting healthcheck in OCI format

- Cirrus: Skip git-validate on branches

- tools: update git-validation to the latest commit

- tools: update golangci-lint to v1.18.0

- Add a few tests of push command

- Add(): fix handling of relative paths with no ContextDir

- build(deps): bump github.com/containers/common from 0.21.0 to 0.22.0

- Lint: Use same linters as podman

- Validate: reference HEAD

- Fix buildah mount to display container names not ids

- Update nix pin with make nixpkgs

- Add missing --format option in buildah from man page

- Fix up code based on codespell

- build(deps): bump github.com/openshift/imagebuilder from 1.1.6 to 1.1.7

- build(deps): bump github.com/containers/storage from 1.23.4 to 1.23.5

- Improve buildah completions

- Cirrus: Fix validate commit epoch

- Fix bash completion of manifest flags

- Uniform some man pages

- Update Buildah Tutorial to address BZ1867426

- Update bash completion of manifest add sub command

- copier.Get(): hard link targets shouldn't be relative paths

- build(deps): bump github.com/onsi/gomega from 1.10.1 to 1.10.2

- Pass timestamp down to history lines

- Timestamp gets updated everytime you inspect an image

- bud.bats: use absolute paths in newly-added tests

- contrib/cirrus/lib.sh: don't use CN for the hostname

- tests: Add some tests

- Update manifest add man page

- Extend flags of manifest add

- build(deps): bump github.com/containers/storage from 1.23.3 to 1.23.4

- build(deps): bump github.com/onsi/ginkgo from 1.14.0 to 1.14.1

- CI: expand cross-compile checks

Update to v1.16.2 :

- fix build on 32bit arches

- containerImageRef.NewImageSource(): don't always force timestamps

- Add fuse module warning to image readme

- Heed our retry delay option values when retrying commit/pull/push

- Switch to containers/common for seccomp

- Use --timestamp rather then --omit-timestamp

- docs: remove outdated notice

- docs: remove outdated notice

- build-using-dockerfile: add a hidden --log-rusage flag

- build(deps): bump github.com/containers/image/v5 from 5.5.1 to 5.5.2

- Discard ReportWriter if user sets options.Quiet

- build(deps): bump github.com/containers/common from 0.19.0 to 0.20.3

- Fix ownership of content copied using COPY --from

- newTarDigester: zero out timestamps in tar headers

- Update nix pin with `make nixpkgs`

- bud.bats: correct .dockerignore integration tests

- Use pipes for copying

- run: include stdout in error message

- run: use the correct error for errors.Wrapf

- copier: un-export internal types

- copier: add Mkdir()

- in_podman: don't get tripped up by $CIRRUS_CHANGE_TITLE

- docs/buildah-commit.md: tweak some wording, add a --rm example

- imagebuildah: don’t blank out destination names when COPYing

- Replace retry functions with common/pkg/retry

- StageExecutor.historyMatches: compare timestamps using .Equal

- Update vendor of containers/common

- Fix errors found in coverity scan

- Change namespace handling flags to better match podman commands

- conformance testing: ignore buildah.BuilderIdentityAnnotation labels

- Vendor in containers/storage v1.23.0

- Add buildah.IsContainer interface

- Avoid feeding run_buildah to pipe

- fix(buildahimage): add xz dependency in buildah image

- Bump github.com/containers/common from 0.15.2 to 0.18.0

- Howto for rootless image building from OpenShift

- Add --omit-timestamp flag to buildah bud

- Update nix pin with `make nixpkgs`

- Shutdown storage on failures

- Handle COPY --from when an argument is used

- Bump github.com/seccomp/containers-golang from 0.5.0 to 0.6.0

- Cirrus: Use newly built VM images

- Bump github.com/opencontainers/runc from 1.0.0-rc91 to 1.0.0-rc92

- Enhance the .dockerignore man pages

- conformance: add a test for COPY from subdirectory

- fix bug manifest inspct

- Add documentation for .dockerignore

- Add BuilderIdentityAnnotation to identify buildah version

- DOC: Add quay.io/containers/buildah image to README.md

- Update buildahimages readme

- fix spelling mistake in 'info' command result display

- Don't bind /etc/host and /etc/resolv.conf if network is not present

- blobcache: avoid an unnecessary NewImage()

- Build static binary with `buildGoModule`

- copier: split StripSetidBits into StripSetuidBit/StripSetgidBit/StripStickyBit

- tarFilterer: handle multiple archives

- Fix a race we hit during conformance tests

- Rework conformance testing

- Update 02-registries-repositories.md

- test-unit: invoke cmd/buildah tests with --flags

- parse: fix a type mismatch in a test

- Fix compilation of tests/testreport/testreport

- build.sh: log the version of Go that we're using

- test-unit: increase the test timeout to 40/45 minutes

- Add the 'copier' package

- Fix & add notes regarding problematic language in codebase

- Add dependency on github.com/stretchr/testify/require

- CompositeDigester: add the ability to filter tar streams

- BATS tests: make more robust

- vendor golang.org/x/[email protected]

- Switch golang 1.12 to golang 1.13

- imagebuildah: wait for stages that might not have even started yet

- chroot, run: not fail on bind mounts from /sys

- chroot: do not use setgroups if it is blocked

- Set engine env from containers.conf

- imagebuildah: return the right stage's image as the 'final' image

- Fix a help string

- Deduplicate environment variables

- switch containers/libpod to containers/podman

- Bump github.com/containers/ocicrypt from 1.0.2 to 1.0.3

- Bump github.com/opencontainers/selinux from 1.5.2 to 1.6.0

- Mask out /sys/dev to prevent information leak

- linux: skip errors from the runtime kill

- Mask over the /sys/fs/selinux in mask branch

- Add VFS additional image store to container

- tests: add auth tests

- Allow 'readonly' as alias to 'ro' in mount options

- Ignore OS X specific consistency mount option

- Bump github.com/onsi/ginkgo from 1.13.0 to 1.14.0

- Bump github.com/containers/common from 0.14.0 to 0.15.2

- Rootless Buildah should default to IsolationOCIRootless

- imagebuildah: fix inheriting multi-stage builds

- Make imagebuildah.BuildOptions.Architecture/OS optional

- Make imagebuildah.BuildOptions.Jobs optional

- Resolve a possible race in imagebuildah.Executor.startStage()

- Switch scripts to use containers.conf

- Bump openshift/imagebuilder to v1.1.6

- Bump go.etcd.io/bbolt from 1.3.4 to 1.3.5

- buildah, bud: support --jobs=N for parallel execution

- executor: refactor build code inside new function

- Add bud regression tests

- Cirrus: Fix missing htpasswd in registry img

- docs: clarify the 'triples' format

- CHANGELOG.md: Fix markdown formatting

- Add nix derivation for static builds

- Bump to v1.16.0-dev

- Update to v1.15.1

- Mask over the /sys/fs/selinux in mask branch

- chroot: do not use setgroups if it is blocked

- chroot, run: not fail on bind mounts from /sys

- Allow 'readonly' as alias to 'ro' in mount options

- Add VFS additional image store to container

- vendor golang.org/x/[email protected]

- Make imagebuildah.BuildOptions.Architecture/OS optional

Update to v1.15.0 :

- Add CVE-2020-10696 to CHANGELOG.md and changelog.txt

- fix lighttpd example

- remove dependency on openshift struct

- Warn on unset build arguments

- vendor: update seccomp/containers-golang to v0.4.1

- Updated docs

- clean up comments

- update exit code for tests

- Implement commit for encryption

- implementation of encrypt/decrypt push/pull/bud/from

- fix resolve docker image name as transport

- Add preliminary profiling support to the CLI

- Evaluate symlinks in build context directory

- fix error info about get signatures for containerImageSource

- Add Security Policy

- Cirrus: Fixes from review feedback

- imagebuildah: stages shouldn't count as their base images

- Update containers/common v0.10.0

- Add registry to buildahimage Dockerfiles

- Cirrus: Use pre-installed VM packages + F32

- Cirrus: Re-enable all distro versions

- Cirrus: Update to F31 + Use cache images

- golangci-lint: Disable gosimple

- Lower number of golangci-lint threads

- Fix permissions on containers.conf

- Don't force tests to use runc

- Return exit code from failed containers

- cgroup_manager should be under [engine]

- Use c/common/pkg/auth in login/logout

- Cirrus: Temporarily disable Ubuntu 19 testing

- Add containers.conf to stablebyhand build

- Update gitignore to exclude test Dockerfiles

- Remove warning for systemd inside of container

Update to v1.14.6 :

- Make image history work correctly with new args handling

- Don't add args to the RUN environment from the Builder

Update to v1.14.5 :

- Revert FIPS mode change

Update to v1.14.4 :

- Update unshare man page to fix script example

- Fix compilation errors on non linux platforms

- Preserve volume uid and gid through subsequent commands

- Fix potential CVE in tarfile w/ symlink

- Fix .dockerignore with globs and ! commands

Update to v1.14.2 :

- Search for local runtime per values in containers.conf

- Set correct ownership on working directory

- Improve remote manifest retrieval

- Correct a couple of incorrect format specifiers

- manifest push --format: force an image type, not a list type

- run: adjust the order in which elements are added to $

- getDateAndDigestAndSize(): handle creation time not being set

- Make the commit id clear like Docker

- Show error on copied file above context directory in build

- pull/from/commit/push: retry on most failures

- Repair buildah so it can use containers.conf on the server side

- Fixing formatting & build instructions

- Fix XDG_RUNTIME_DIR for authfile

- Show validation command-line

Update to v1.14.0 :

- getDateAndDigestAndSize(): use manifest.Digest

- Touch up os/arch doc

- chroot: handle slightly broken seccomp defaults

- buildahimage: specify fuse-overlayfs mount options

- parse: don't complain about not being able to rename something to itself

- Fix build for 32bit platforms

- Allow users to set OS and architecture on bud

- Fix COPY in containerfile with envvar

- Add --sign-by to bud/commit/push, --remove-signatures for pull/push

- Add support for containers.conf

- manifest push: add --format option

Update to v1.13.1 :

- copyFileWithTar: close source files at the right time

- copy: don't digest files that we ignore

- Check for .dockerignore specifically

- Don't setup excludes, if their is only one pattern to match

- set HOME env to /root on chroot-isolation by default

- docs: fix references to containers-*.5

- fix bug Add check .dockerignore COPY file

- buildah bud --volume: run from tmpdir, not source dir

- Fix imageNamePrefix to give consistent names in buildah-from

- cpp: use -traditional and -undef flags

- discard outputs coming from onbuild command on buildah-from --quiet

- make --format columnizing consistent with buildah images

- Fix option handling for volumes in build

- Rework overlay pkg for use with libpod

- Fix buildahimage builds for buildah

- Add support for FIPS-Mode backends

- Set the TMPDIR for pulling/pushing image to $TMPDIR

Update to v1.12.0 :

- Allow ADD to use http src

- imgtype: reset storage opts if driver overridden

- Start using containers/common

- overlay.bats typo: fuse-overlays should be fuse-overlayfs

- chroot: Unmount with MNT_DETACH instead of UnmountMountpoints()

- bind: don't complain about missing mountpoints

- imgtype: check earlier for expected manifest type

- Add history names support

Update to v1.11.6 :

- Handle missing equal sign in --from and --chown flags for COPY/ADD

- bud COPY does not download URL

- Fix .dockerignore exclude regression

- commit(docker): always set ContainerID and ContainerConfig

- Touch up commit man page image parameter

- Add builder identity annotations.

Update to v1.11.5 :

- buildah: add 'manifest' command

- pkg/supplemented: add a package for grouping images together

- pkg/manifests: add a manifest list build/manipulation API

- Update for ErrUnauthorizedForCredentials API change in containers/image

- Update for manifest-lists API changes in containers/image

- version: also note the version of containers/image

- Move to containers/image v5.0.0

- Enable --device directory as src device

- Add clarification to the Tutorial for new users

- Silence 'using cache' to ensure -q is fully quiet

- Move runtime flag to bud from common

- Commit: check for storage.ErrImageUnknown using errors.Cause()

- Fix crash when invalid COPY --from flag is specified.

Update to v1.11.4 :

- buildah: add a 'manifest' command

- pkg/manifests: add a manifest list build/manipulation API

- Update for ErrUnauthorizedForCredentials API change in containers/image

- Update for manifest-lists API changes in containers/image

- Move to containers/image v5.0.0

- Enable --device directory as src device

- Add clarification to the Tutorial for new users

- Silence 'using cache' to ensure -q is fully quiet

- Move runtime flag to bud from common

- Commit: check for storage.ErrImageUnknown using errors.Cause()

- Fix crash when invalid COPY --from flag is specified.

Update to v1.11.3 :

- Add cgroups2

- Add support for retrieving context from stdin '-'

- Added tutorial on how to include Buildah as library

- Fix --build-args handling

- Print build 'STEP' line to stdout, not stderr

- Use Containerfile by default

Update to v1.11.2 :

- Add some cleanup code

- Move devices code to unit specific directory.

Update to v1.11.1 :

- Add --devices flag to bud and from

- Add support for /run/.containerenv

- Allow mounts.conf entries for equal source and destination paths

- Fix label and annotation for 1-line Dockerfiles

- Preserve file and directory mount permissions

- Replace --debug=false with --log-level=error

- Set TMPDIR to /var/tmp by default

- Truncate output of too long image names

- Ignore EmptyLayer if Squash is set

Update to v1.11.0 :

- Add --digestfile and Re-add push statement as debug

- Add --log-level command line option and deprecate
--debug

- Add security-related volume options to validator

- Allow buildah bud to be called without arguments

- Allow to override build date with SOURCE_DATE_EPOCH

- Correctly detect ExitError values from Run()

- Disable empty logrus timestamps to reduce logger noise

- Fix directory pull image names

- Fix handling of /dev/null masked devices

- Fix possible runtime panic on bud

- Update bud/from help to contain indicator for --dns=none

- Update documentation about bud

- Update shebangs to take env into consideration

- Use content digests in ADD/COPY history entries

- add support for cgroupsV2

- add: add a DryRun flag to AddAndCopyOptions

- add: handle hard links when copying with .dockerignore

- add: teach copyFileWithTar() about symlinks and directories

- imagebuilder: fix detection of referenced stage roots

- pull/commit/push: pay attention to $BUILD_REGISTRY_SOURCES

- run_linux: fix mounting /sys in a userns

Update to v1.10.1 :

- Add automatic apparmor tag discovery

- Add overlayfs to fuse-overlayfs tip

- Bug fix for volume minus syntax

- Bump container/storage v1.13.1 and containers/image v3.0.1

- Bump containers/image to v3.0.2 to fix keyring issue

- Fix bug whereby --get-login has no effect

- Bump github.com/containernetworking/cni to v0.7.1

- Add appamor-pattern requirement

- Update build process to match the latest repository architecture

- Update to v1.10.0

- vendor github.com/containers/[email protected]

- Remove GO111MODULE in favor of -mod=vendor

- Vendor in containers/storage v1.12.16

- Add '-' minus syntax for removal of config values

- tests: enable overlay tests for rootless

- rootless, overlay: use fuse-overlayfs

- vendor github.com/containers/[email protected]

- Added '-' syntax to remove volume config option

- delete successfully pushed message

- Add golint linter and apply fixes

- vendor github.com/containers/[email protected]

- Change wait to sleep in buildahimage readme

- Handle ReadOnly images when deleting images

- Add support for listing read/only images

- from/import: record the base image's digest, if it has one

- Fix CNI version retrieval to not require network connection

- Add misspell linter and apply fixes

- Add goimports linter and apply fixes

- Add stylecheck linter and apply fixes

- Add unconvert linter and apply fixes

- image: make sure we don't try to use zstd compression

- run.bats: skip the 'z' flag when testing --mount

- Update to runc v1.0.0-rc8

- Update to match updated runtime-tools API

- bump github.com/opencontainers/runtime-tools to v0.9.0

- Build e2e tests using the proper build tags

- Add unparam linter and apply fixes

- Run: correct a typo in the --cap-add help text

- unshare: add a --mount flag

- fix push check image name is not empty

- add: fix slow copy with no excludes

- Add errcheck linter and fix missing error check

- Improve tests/tools/Makefile parallelism and abstraction

- Fix response body not closed resource leak

- Switch to golangci-lint

- Add gomod instructions and mailing list links

- On Masked path, check if /dev/null already mounted before mounting

- Update to containers/storage v1.12.13

- Refactor code in package imagebuildah

- Add rootless podman with NFS issue in documentation

- Add --mount for buildah run

- import method ValidateVolumeOpts from libpod

- Fix typo

- Makefile: set GO111MODULE=off

- rootless: add the built-in slirp DNS server

- Update docker/libnetwork to get rid of outdated sctp package

- Update buildah-login.md

- migrate to go modules

- install.md: mention go modules

- tests/tools: go module for test binaries

- fix --volume splits comma delimited option

- Add bud test for RUN with a priv'd command

- vendor logrus v1.4.2

- pkg/cli: panic when flags can't be hidden

- pkg/unshare: check all errors

- pull: check error during report write

- run_linux.go: ignore unchecked errors

- conformance test: catch copy error

- chroot/run_test.go: export funcs to actually be executed

- tests/imgtype: ignore error when shutting down the store

- testreport: check json error

- bind/util.go: remove unused func

- rm chroot/util.go

- imagebuildah: remove unused dedupeStringSlice

- StageExecutor: EnsureContainerPath: catch error from SecureJoin()

- imagebuildah/build.go: return instead of branching

- rmi: avoid redundant branching

- conformance tests: nilness: allocate map

- imagebuildah/build.go: avoid redundant filepath.Join()

- imagebuildah/build.go: avoid redundant os.Stat()

- imagebuildah: omit comparison to bool

- fix 'ineffectual assignment' lint errors

- docker: ignore 'repeats json tag' lint error

- pkg/unshare: use ... instead of iterating a slice

- conformance: bud test: use raw strings for regexes

- conformance suite: remove unused func/var

- buildah test suite: remove unused vars/funcs

- testreport: fix golangci-lint errors

- util: remove redundant return statement

- chroot: only log clean-up errors

- images_test: ignore golangci-lint error

- blobcache: log error when draining the pipe

- imagebuildah: check errors in deferred calls

- chroot: fix error handling in deferred funcs

- cmd: check all errors

- chroot/run_test.go: check errors

- chroot/run.go: check errors in deferred calls

- imagebuildah.Executor: remove unused onbuild field

- docker/types.go: remove unused struct fields

- util: use strings.ContainsRune instead of index check

- Cirrus: Initial implementation

- buildah-run: fix-out-of-range panic (2)

- Update containers/image to v2.0.0

- run: fix hang with run and --isolation=chroot

- run: fix hang when using run

- chroot: drop unused function call

- remove --> before imgageID on build

- Always close stdin pipe

- Write deny to setgroups when doing single user mapping

- Avoid including linux/memfd.h

- Add a test for the symlink pointing to a directory

- Add missing continue

- Fix the handling of symlinks to absolute paths

- Only set default network sysctls if not rootless

- Support --dns=none like podman

- fix bug --cpu-shares parsing typo

- Fix validate complaint

- Update vendor on containers/storage to v1.12.10

- Create directory paths for COPY thereby ensuring correct perms

- imagebuildah: use a stable sort for comparing build args

- imagebuildah: tighten up cache checking

- bud.bats: add a test verying the order of --build-args

- add -t to podman run

- imagebuildah: simplify screening by top layers

- imagebuildah: handle ID mappings for COPY --from

- imagebuildah: apply additionalTags ourselves

- bud.bats: test additional tags with cached images

- bud.bats: add a test for WORKDIR and COPY with absolute destinations

- Cleanup Overlay Mounts content

- Add support for file secret mounts

- Add ability to skip secrets in mounts file

- allow 32bit builds

- fix tutorial instructions

- imagebuilder: pass the right contextDir to Add()

- add: use fileutils.PatternMatcher for .dockerignore

- bud.bats: add another .dockerignore test

- unshare: fallback to single usermapping

- addHelperSymlink: clear the destination on os.IsExist errors

- bud.bats: test replacing symbolic links

- imagebuildah: fix handling of destinations that end with '/'

- bud.bats: test COPY with a final '/' in the destination

- linux: add check for sysctl before using it

- unshare: set _CONTAINERS_ROOTLESS_GID

- Rework buildahimamges

- build context: support https git repos

- Add a test for ENV special chars behaviour

- Check in new Dockerfiles

- Apply custom SHELL during build time

- config: expand variables only at the command line

- SetEnv: we only need to expand v once

- Add default /root if empty on chroot iso

- Add support for Overlay volumes into the container.

- Export buildah validate volume functions so it can share code with libpod

- Bump baseline test to F30

- Fix rootless handling of /dev/shm size

- Avoid fmt.Printf() in the library

- imagebuildah: tighten cache checking back up

- Handle WORKDIR with dangling target

- Default Authfile to proper path

- Make buildah run --isolation follow BUILDAH_ISOLATION environment

- Vendor in latest containers/storage and containers/image

- getParent/getChildren: handle layerless images

- imagebuildah: recognize cache images for layerless images

- bud.bats: test scratch images with --layers caching

- Get CHANGELOG.md updates

- Add some symlinks to test our .dockerignore logic

- imagebuildah: addHelper: handle symbolic links

- commit/push: use an everything-allowed policy

- Correct manpage formatting in files section

- Remove must be root statement from buildah doc

- Change image names to stable, testing and upstream

- Don't create directory on container

- Replace kubernetes/pause in tests with k8s.gcr.io/pause

- imagebuildah: don't remove intermediate images if we need them

- Rework buildahimagegit to buildahimageupstream

- Fix Transient Mounts

- Handle WORKDIRs that are symlinks

- allow podman to build a client for windows

- Touch up 1.9-dev to 1.9.0-dev

- Resolve symlink when checking container path

- commit: commit on every instruction, but not always with layers

- CommitOptions: drop the unused OnBuild field

- makeImageRef: pass in the whole CommitOptions structure

- cmd: API cleanup: stores before images

- run: check if SELinux is enabled

- Fix buildahimages Dockerfiles to include support for additionalimages mounted from host.

- Detect changes in rootdir

- Fix typo in buildah-pull(1)

- Vendor in latest containers/storage

- Keep track of any build-args used during buildah bud
--layers

- commit: always set a parent ID

- imagebuildah: rework unused-argument detection

- fix bug dest path when COPY .dockerignore

- Move Host IDMAppings code from util to unshare

- Add BUILDAH_ISOLATION rootless back

- Travis CI: fail fast, upon error in any step

- imagebuildah: only commit images for intermediate stages if we have to

- Use errors.Cause() when checking for IsNotExist errors

- auto pass http_proxy to container

- imagebuildah: don't leak image structs

- Add Dockerfiles for buildahimages

- Bump to Replace golang 1.10 with 1.12

- add --dns* flags to buildah bud

- Add hack/build_speed.sh test speeds on building container images

- Create buildahimage Dockerfile for Quay

- rename 'is' to 'expect_output'

- squash.bats: test squashing in multi-layered builds

- bud.bats: test COPY --from in a Dockerfile while using the cache

- commit: make target image names optional

- Fix bud-args to allow comma separation

- oops, missed some tests in commit.bats

- new helper: expect_line_count

- New tests for #1467 (string slices in cmdline opts)

- Workarounds for dealing with travis; review feedback

- BATS tests - extensive but minor cleanup

- imagebuildah: defer pulling images for COPY --from

- imagebuildah: centralize COMMIT and image ID output

- Travis: do not use traviswait

- imagebuildah: only initialize imagebuilder configuration once per stage

- Make cleaner error on Dockerfile build errors

- unshare: move to pkg/

- unshare: move some code from cmd/buildah/unshare

- Fix handling of Slices versus Arrays

- imagebuildah: reorganize stage and per-stage logic

- imagebuildah: add empty layers for instructions

- Add missing step in installing into Ubuntu

- fix bug in .dockerignore support

- imagebuildah: deduplicate prepended 'FROM' instructions

- Touch up intro

- commit: set created-by to the shell if it isn't set

- commit: check that we always set a 'created-by'

- docs/buildah.md: add 'containers-' prefixes under 'SEE ALSO'

Update to v1.7.2

- Updates vendored containers/storage to latest version

- rootless: by default use the host network namespace

- Full changelog:
https://github.com/containers/buildah/releases/tag/v1.6

This update was imported from the SUSE:SLE-15-SP1:Update update project.

Solution

Update the affected buildah package.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1165184

https://bugzilla.opensuse.org/show_bug.cgi?id=1167864

https://github.com/containers/buildah/releases/tag/v1.6

Plugin Details

Severity: High

ID: 143496

File Name: openSUSE-2020-2106.nasl

Version: 1.3

Type: local

Agent: unix

Published: 12/7/2020

Updated: 2/6/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2020-10696

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:buildah, cpe:/o:novell:opensuse:15.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/29/2020

Vulnerability Publication Date: 11/25/2019

Reference Information

CVE: CVE-2019-10214, CVE-2020-10696