{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_security_advisory","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"Security update for skopeo","title":"Title of the patch"},{"category":"description","text":"This update for skopeo fixes the following issues:\n\nUpdate to skopeo v0.1.41 (bsc#1165715):\n\n- Bump github.com/containers/image/v5 from 5.2.0 to 5.2.1\n- Bump gopkg.in/yaml.v2 from 2.2.7 to 2.2.8\n- Bump github.com/containers/common from 0.0.7 to 0.1.4\n- Remove the reference to openshift/api\n- vendor github.com/containers/image/v5@v5.2.0\n- Manually update buildah to v1.13.1\n- add specific authfile options to copy (and sync) command.\n- Bump github.com/containers/buildah from 1.11.6 to 1.12.0\n- Add context to --encryption-key / --decryption-key processing\n  failures\n- Bump github.com/containers/storage from 1.15.2 to 1.15.3\n- Bump github.com/containers/buildah from 1.11.5 to 1.11.6\n- remove direct reference on c/image/storage\n- Makefile: set GOBIN\n- Bump gopkg.in/yaml.v2 from 2.2.2 to 2.2.7\n- Bump github.com/containers/storage from 1.15.1 to 1.15.2\n- Introduce the sync command\n- openshift cluster: remove .docker directory on teardown\n- Bump github.com/containers/storage from 1.14.0 to 1.15.1\n- document installation via apk on alpine\n- Fix typos in doc for image encryption\n- Image encryption/decryption support in skopeo\n- make vendor-in-container\n- Bump github.com/containers/buildah from 1.11.4 to 1.11.5\n- Travis: use go v1.13\n- Use a Windows Nano Server image instead of Server Core for\n  multi-arch testing\n- Increase test timeout to 15 minutes\n- Run the test-system container without --net=host\n- Mount /run/systemd/journal/socket into test-system containers\n- Don't unnecessarily filter out vendor from (go list ./...)\n  output\n- Use -mod=vendor in (go {list,test,vet})\n- Bump github.com/containers/buildah from 1.8.4 to 1.11.4\n- Bump github.com/urfave/cli from 1.20.0 to 1.22.1\n- skopeo: drop support for ostree\n- Don't critically fail on a 403 when listing tags\n- Revert 'Temporarily work around auth.json location confusion'\n- Remove references to atomic\n- Remove references to storage.conf\n- Dockerfile: use golang-github-cpuguy83-go-md2man\n- bump version to v0.1.41-dev\n- systemtest: inspect container image different from current\n  platform arch\n\nChanges in v0.1.40:\n\n- vendor containers/image v5.0.0\n- copy: add a --all/-a flag\n- System tests: various fixes\n- Temporarily work around auth.json location confusion\n- systemtest: copy: docker->storage->oci-archive\n- systemtest/010-inspect.bats: require only PATH\n- systemtest: add simple env test in inspect.bats\n- bash completion: add comments to keep scattered options in sync\n- bash completion: use read -r instead of disabling SC2207\n- bash completion: support --opt arg completion\n- bash-completion: use replacement instead of sed\n- bash completion: disable shellcheck SC2207\n- bash completion: double-quote to avoid re-splitting\n- bash completions: use bash replacement instead of sed\n- bash completion: remove unused variable\n- bash-completions: split decl and assignment to avoid masking\n  retvals\n- bash completion: double-quote fixes\n- bash completion: hard-set PROG=skopeo\n- bash completion: remove unused variable\n- bash completion: use `||` instead of `-o`\n- bash completion: rm eval on assigned variable\n- copy: add --dest-compress-format and --dest-compress-level\n- flag: add optionalIntValue\n- Makefile: use go proxy\n- inspect --raw: skip the NewImage() step\n- update OCI image-spec to\n  775207bd45b6cb8153ce218cc59351799217451f\n- inspect.go: inspect env variables\n- ostree: use both image and & storage buildtags\n\n\nUpdate to skopeo v0.1.39 (bsc#1159530):\n\n- inspect: add a --config flag\n- Add --no-creds flag to skopeo inspect\n- Add --quiet option to skopeo copy\n- New progress bars\n- Parallel Pulls and Pushes for major speed improvements\n- containers/image moved to a new progress-bar library to fix various\n  issues related to overlapping bars and redundant entries.\n- enforce blocking of registries\n- Allow storage-multiple-manifests\n- When copying images and the output is not a tty (e.g., when piping to a\n  file) print single lines instead of using progress bars. This avoids\n  long and hard to parse output\n- man pages: add --dest-oci-accept-uncompressed-layers\n- completions: \n  - Introduce transports completions\n  - Fix bash completions when a option requires a argument\n  - Use only spaces in indent\n   - Fix completions with a global option\n  - add --dest-oci-accept-uncompressed-layers\n\nThis update was imported from the SUSE:SLE-15:Update update project.","title":"Description of the patch"},{"category":"details","text":"openSUSE-2020-377","title":"Patchnames"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"SUSE ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"self","summary":"URL of this CSAF notice","url":"https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_0377-1.json"},{"category":"self","summary":"URL for openSUSE-SU-2020:0377-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4ILBJ4PWG72SOBVPDNPC2K2KBEYLGL36/"},{"category":"self","summary":"E-Mail link for openSUSE-SU-2020:0377-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4ILBJ4PWG72SOBVPDNPC2K2KBEYLGL36/"},{"category":"self","summary":"SUSE Bug 1159530","url":"https://bugzilla.suse.com/1159530"},{"category":"self","summary":"SUSE Bug 1165715","url":"https://bugzilla.suse.com/1165715"},{"category":"self","summary":"SUSE CVE CVE-2019-10214 page","url":"https://www.suse.com/security/cve/CVE-2019-10214/"}],"title":"Security update for skopeo","tracking":{"current_release_date":"2020-03-25T09:19:16Z","generator":{"date":"2020-03-25T09:19:16Z","engine":{"name":"cve-database.git:bin/generate-csaf.pl","version":"1"}},"id":"openSUSE-SU-2020:0377-1","initial_release_date":"2020-03-25T09:19:16Z","revision_history":[{"date":"2020-03-25T09:19:16Z","number":"1","summary":"Current version"}],"status":"final","version":"1"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_version","name":"skopeo-0.1.41-lp151.2.6.1.x86_64","product":{"name":"skopeo-0.1.41-lp151.2.6.1.x86_64","product_id":"skopeo-0.1.41-lp151.2.6.1.x86_64"}}],"category":"architecture","name":"x86_64"},{"branches":[{"category":"product_name","name":"openSUSE Leap 15.1","product":{"name":"openSUSE Leap 15.1","product_id":"openSUSE Leap 15.1","product_identification_helper":{"cpe":"cpe:/o:opensuse:leap:15.1"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"skopeo-0.1.41-lp151.2.6.1.x86_64 as component of openSUSE Leap 15.1","product_id":"openSUSE Leap 15.1:skopeo-0.1.41-lp151.2.6.1.x86_64"},"product_reference":"skopeo-0.1.41-lp151.2.6.1.x86_64","relates_to_product_reference":"openSUSE Leap 15.1"}]},"vulnerabilities":[{"cve":"CVE-2019-10214","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2019-10214"}],"notes":[{"category":"general","text":"The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launch a MiTM attack and steal login credentials or bearer tokens.","title":"CVE description"}],"product_status":{"recommended":["openSUSE Leap 15.1:skopeo-0.1.41-lp151.2.6.1.x86_64"]},"references":[{"category":"external","summary":"CVE-2019-10214","url":"https://www.suse.com/security/cve/CVE-2019-10214"},{"category":"external","summary":"SUSE Bug 1144065 for CVE-2019-10214","url":"https://bugzilla.suse.com/1144065"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["openSUSE Leap 15.1:skopeo-0.1.41-lp151.2.6.1.x86_64"]}],"scores":[{"cvss_v3":{"baseScore":9,"baseSeverity":"CRITICAL","vectorString":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H","version":"3.0"},"products":["openSUSE Leap 15.1:skopeo-0.1.41-lp151.2.6.1.x86_64"]}],"threats":[{"category":"impact","date":"2020-03-25T09:19:16Z","details":"moderate"}],"title":"CVE-2019-10214"}]}