Detections
Analytics
SUSE SLES15 Security Update : skopeo (SUSE-SU-2020:0712-1)
medium Nessus Plugin ID 134697
Language:
Synopsis
The remote SUSE host is missing one or more security updates.Description
This update for skopeo fixes the following issues :Update to skopeo v0.1.41 (bsc#1165715) :
Bump github.com/containers/image/v5 from 5.2.0 to 5.2.1
Bump gopkg.in/yaml.v2 from 2.2.7 to 2.2.8
Bump github.com/containers/common from 0.0.7 to 0.1.4
Remove the reference to openshift/api
vendor github.com/containers/image/[email protected]
Manually update buildah to v1.13.1
add specific authfile options to copy (and sync) command.
Bump github.com/containers/buildah from 1.11.6 to 1.12.0
Add context to --encryption-key / --decryption-key processing failures
Bump github.com/containers/storage from 1.15.2 to 1.15.3
Bump github.com/containers/buildah from 1.11.5 to 1.11.6
remove direct reference on c/image/storage
Makefile: set GOBIN
Bump gopkg.in/yaml.v2 from 2.2.2 to 2.2.7
Bump github.com/containers/storage from 1.15.1 to 1.15.2
Introduce the sync command
openshift cluster: remove .docker directory on teardown
Bump github.com/containers/storage from 1.14.0 to 1.15.1
document installation via apk on alpine
Fix typos in doc for image encryption
Image encryption/decryption support in skopeo
make vendor-in-container
Bump github.com/containers/buildah from 1.11.4 to 1.11.5
Travis: use go v1.13
Use a Windows Nano Server image instead of Server Core for multi-arch testing
Increase test timeout to 15 minutes
Run the test-system container without --net=host
Mount /run/systemd/journal/socket into test-system containers
Don't unnecessarily filter out vendor from (go list ./...) output
Use -mod=vendor in (go {list,test,vet})
Bump github.com/containers/buildah from 1.8.4 to 1.11.4
Bump github.com/urfave/cli from 1.20.0 to 1.22.1
skopeo: drop support for ostree
Don't critically fail on a 403 when listing tags
Revert 'Temporarily work around auth.json location confusion'
Remove references to atomic
Remove references to storage.conf
Dockerfile: use golang-github-cpuguy83-go-md2man
bump version to v0.1.41-dev
systemtest: inspect container image different from current platform arch
Changes in v0.1.40: vendor containers/image v5.0.0
copy: add a --all/-a flag
System tests: various fixes
Temporarily work around auth.json location confusion
systemtest: copy: docker->storage->oci-archive
systemtest/010-inspect.bats: require only PATH
systemtest: add simple env test in inspect.bats
bash completion: add comments to keep scattered options in sync
bash completion: use read -r instead of disabling SC2207
bash completion: support --opt arg completion
bash-completion: use replacement instead of sed
bash completion: disable shellcheck SC2207
bash completion: double-quote to avoid re-splitting
bash completions: use bash replacement instead of sed
bash completion: remove unused variable
bash-completions: split decl and assignment to avoid masking retvals
bash completion: double-quote fixes
bash completion: hard-set PROG=skopeo
bash completion: remove unused variable
bash completion: use `||` instead of `-o`
bash completion: rm eval on assigned variable
copy: add --dest-compress-format and --dest-compress-level
flag: add optionalIntValue
Makefile: use go proxy
inspect --raw: skip the NewImage() step
update OCI image-spec to 775207bd45b6cb8153ce218cc59351799217451f
inspect.go: inspect env variables
ostree: use both image and & storage buildtags
Update to skopeo v0.1.39 (bsc#1159530): inspect: add a --config flag
Add --no-creds flag to skopeo inspect
Add --quiet option to skopeo copy
New progress bars
Parallel Pulls and Pushes for major speed improvements
containers/image moved to a new progress-bar library to fix various issues related to overlapping bars and redundant entries.
enforce blocking of registries
Allow storage-multiple-manifests
When copying images and the output is not a tty (e.g., when piping to a file) print single lines instead of using progress bars. This avoids long and hard to parse output
man pages: add --dest-oci-accept-uncompressed-layers
completions :
- Introduce transports completions
- Fix bash completions when a option requires a argument
- Use only spaces in indent
- Fix completions with a global option
- add --dest-oci-accept-uncompressed-layers
Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
Solution
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'.Alternatively you can run the command listed for your product :
SUSE Linux Enterprise Module for Server Applications 15-SP1:zypper in
-t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-712=1
See Also
https://bugzilla.suse.com/show_bug.cgi?id=1159530
https://bugzilla.suse.com/show_bug.cgi?id=1165715
Plugin Details
Severity: Medium
ID: 134697
File Name: suse_SU-2020-0712-1.nasl
Version: 1.3
Type: local
Agent: unix
Family: SuSE Local Security Checks
Published: 3/19/2020
Updated: 3/21/2024
Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.6
CVSS v2
Risk Factor: Medium
Base Score: 4.3
Temporal Score: 3.2
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS Score Source: CVE-2019-10214
CVSS v3
Risk Factor: Medium
Base Score: 5.9
Temporal Score: 5.2
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:novell:suse_linux:skopeo, p-cpe:/a:novell:suse_linux:skopeo-debuginfo, cpe:/o:novell:suse_linux:15
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Ease: No known exploits are available
Patch Publication Date: 3/18/2020
Vulnerability Publication Date: 11/25/2019
Reference Information
CVE: CVE-2019-10214