Detections
Analytics

openSUSE Security Update : skopeo (openSUSE-2020-377)

medium Nessus Plugin ID 134933

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for skopeo fixes the following issues :

Update to skopeo v0.1.41 (bsc#1165715) :

 - Bump github.com/containers/image/v5 from 5.2.0 to 5.2.1

 - Bump gopkg.in/yaml.v2 from 2.2.7 to 2.2.8

 - Bump github.com/containers/common from 0.0.7 to 0.1.4

 - Remove the reference to openshift/api

 - vendor github.com/containers/image/[email protected]

 - Manually update buildah to v1.13.1

 - add specific authfile options to copy (and sync) command.

 - Bump github.com/containers/buildah from 1.11.6 to 1.12.0

 - Add context to --encryption-key / --decryption-key processing failures

 - Bump github.com/containers/storage from 1.15.2 to 1.15.3

 - Bump github.com/containers/buildah from 1.11.5 to 1.11.6

 - remove direct reference on c/image/storage

 - Makefile: set GOBIN

 - Bump gopkg.in/yaml.v2 from 2.2.2 to 2.2.7

 - Bump github.com/containers/storage from 1.15.1 to 1.15.2

 - Introduce the sync command

 - openshift cluster: remove .docker directory on teardown

 - Bump github.com/containers/storage from 1.14.0 to 1.15.1

 - document installation via apk on alpine

 - Fix typos in doc for image encryption

 - Image encryption/decryption support in skopeo

 - make vendor-in-container

 - Bump github.com/containers/buildah from 1.11.4 to 1.11.5

 - Travis: use go v1.13

 - Use a Windows Nano Server image instead of Server Core for multi-arch testing

 - Increase test timeout to 15 minutes

 - Run the test-system container without --net=host

 - Mount /run/systemd/journal/socket into test-system containers

 - Don't unnecessarily filter out vendor from (go list ./...) output

 - Use -mod=vendor in (go (list,test,vet))

 - Bump github.com/containers/buildah from 1.8.4 to 1.11.4

 - Bump github.com/urfave/cli from 1.20.0 to 1.22.1

 - skopeo: drop support for ostree

 - Don't critically fail on a 403 when listing tags

 - Revert 'Temporarily work around auth.json location confusion'

 - Remove references to atomic

 - Remove references to storage.conf

 - Dockerfile: use golang-github-cpuguy83-go-md2man

 - bump version to v0.1.41-dev

 - systemtest: inspect container image different from current platform arch

Changes in v0.1.40 :

 - vendor containers/image v5.0.0

 - copy: add a --all/-a flag

 - System tests: various fixes

 - Temporarily work around auth.json location confusion

 - systemtest: copy: docker->storage->oci-archive

 - systemtest/010-inspect.bats: require only PATH

 - systemtest: add simple env test in inspect.bats

 - bash completion: add comments to keep scattered options in sync

 - bash completion: use read -r instead of disabling SC2207

 - bash completion: support --opt arg completion

 - bash-completion: use replacement instead of sed

 - bash completion: disable shellcheck SC2207

 - bash completion: double-quote to avoid re-splitting

 - bash completions: use bash replacement instead of sed

 - bash completion: remove unused variable

 - bash-completions: split decl and assignment to avoid masking retvals

 - bash completion: double-quote fixes

 - bash completion: hard-set PROG=skopeo

 - bash completion: remove unused variable

 - bash completion: use `||` instead of `-o`

 - bash completion: rm eval on assigned variable

 - copy: add --dest-compress-format and
 --dest-compress-level

 - flag: add optionalIntValue

 - Makefile: use go proxy

 - inspect --raw: skip the NewImage() step

 - update OCI image-spec to 775207bd45b6cb8153ce218cc59351799217451f

 - inspect.go: inspect env variables

 - ostree: use both image and & storage buildtags

Update to skopeo v0.1.39 (bsc#1159530) :

 - inspect: add a --config flag

 - Add --no-creds flag to skopeo inspect

 - Add --quiet option to skopeo copy

 - New progress bars

 - Parallel Pulls and Pushes for major speed improvements

 - containers/image moved to a new progress-bar library to fix various issues related to overlapping bars and redundant entries.

 - enforce blocking of registries

 - Allow storage-multiple-manifests

 - When copying images and the output is not a tty (e.g., when piping to a file) print single lines instead of using progress bars. This avoids long and hard to parse output

 - man pages: add --dest-oci-accept-uncompressed-layers

 - completions :

 - Introduce transports completions

 - Fix bash completions when a option requires a argument

 - Use only spaces in indent

 - Fix completions with a global option

 - add --dest-oci-accept-uncompressed-layers

This update was imported from the SUSE:SLE-15:Update update project.

Solution

Update the affected skopeo packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1159530

https://bugzilla.opensuse.org/show_bug.cgi?id=1165715

Plugin Details

Severity: Medium

ID: 134933

File Name: openSUSE-2020-377.nasl

Version: 1.3

Type: local

Agent: unix

Published: 3/26/2020

Updated: 3/20/2024

Supported Sensors: Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2019-10214

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:skopeo, p-cpe:/a:novell:opensuse:skopeo-debuginfo, cpe:/o:novell:opensuse:15.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 3/25/2020

Vulnerability Publication Date: 11/25/2019

Reference Information

CVE: CVE-2019-10214