[SUSE-SU-2022:3766-1] Security update for buildah
Severity: Important
Affected Packages: 19
CVEs: 3
This update for buildah fixes the following issues:
- CVE-2021-20206: Fixed an issue in libcni that could allow an attacker to execute arbitrary binaries on the host (bsc#1181961).
- CVE-2020-10696: Fixed an issue that could lead to files being overwritten during the image building process (bsc#1167864).
- CVE-2022-2990: Fixed possible information disclosure and modification (bsc#1202812).
Buildah was updated to version 1.27.1:
- run: add container gid to additional groups
- Add fix for CVE-2022-2990 / bsc#1202812
Update to version 1.27.0:
- Don't try to call runLabelStdioPipes if spec.Linux is not set
- build: support filtering cache by duration using --cache-ttl
- build: support building from commit when using git repo as build context
- build: clean up git repos correctly when using subdirs
- integration tests: quote '?' in shell scripts
- test: manifest inspect should have OCIv1 annotation
- vendor: bump to c/common@87fab4b7019a
- Failure to determine a file or directory should print an error
- refactor: remove unused CommitOptions from generateBuildOutput
- stage_executor: generate output for cases with no commit
- stage_executor, commit: output only if last stage in build
- Use errors.Is() instead of os.Is{Not,}Exist
- Minor test tweak for podman-remote compatibility
- Cirrus: Use the latest imgts container
- imagebuildah: complain about the right Dockerfile
- tests: don't try to wrap `nil` errors
- cmd/buildah.commitCmd: don't shadow 'err'
- cmd/buildah.pullCmd: complain about DecryptConfig/EncryptConfig
- Fix a copy/paste error message
- Fix a typo in an error message
- build,cache: support pulling/pushing cache layers to/from remote sources
- Update vendor of containers/(common, storage, image)
- Rename chroot/run.go to chroot/run_linux.go
- Don't bother telling codespell to skip files that don't exist
- Set user namespace defaults correctly for the library
- imagebuildah: optimize cache hits for COPY and ADD instructions
- Cirrus: Update VM images w/ updated bats
- docs, run: show SELinux label flag for cache and bind mounts
- imagebuildah, build: remove undefined concurrent writes
- bump github.com/opencontainers/runtime-tools
- Add FreeBSD support for 'buildah info'
- Vendor in latest containers/(storage, common, image)
- Add freebsd cross build targets
- Make the jail package build on 32bit platforms
- Cirrus: Ensure the build-push VM image is labeled
- GHA: Fix dynamic script filename
- Vendor in containers/(common, storage, image)
- Run codespell
- Remove import of github.com/pkg/errors
- Avoid using cgo in pkg/jail
- Rename footypes to fooTypes for naming consistency
- Move cleanupTempVolumes and cleanupRunMounts to run_common.go
- Make the various run mounts work for FreeBSD
- Move get{Bind,Tmpfs,Secret,SSH}Mount to run_common.go
- Move runSetupRunMounts to run_common.go
- Move cleanableDestinationListFromMounts to run_common.go
- Make setupMounts and runSetupBuiltinVolumes work on FreeBSD
- Move setupMounts and runSetupBuiltinVolumes to run_common.go
- Tidy up - runMakeStdioPipe can't be shared with linux
- Move runAcceptTerminal to run_common.go
- Move stdio copying utilities to run_common.go
- Move runUsingRuntime and runCollectOutput to run_common.go
- Move fileCloser, waitForSync and contains to run_common.go
- Move checkAndOverrideIsolationOptions to run_common.go
- Move DefaultNamespaceOptions to run_common.go
- Move getNetworkInterface to run_common.go
- Move configureEnvironment to run_common.go
- Don't crash in configureUIDGID if Process.Capabilities is nil
- Move configureUIDGID to run_common.go
- Move runLookupPath to run_common.go
- Move setupTerminal to run_common.go
- Move etc file generation utilities to run_common.go
- Add run support for FreeBSD
- Add a simple FreeBSD jail library
- Add FreeBSD support to pkg/chrootuser
- Sync call signature for RunUsingChroot with chroot/run.go
- test: verify feature to resolve basename with args
- vendor: bump openshift/imagebuilder to master@4151e43
- GHA: Remove required reserved-name use
- buildah: set XDG_RUNTIME_DIR before setting default runroot
- imagebuildah: honor build output even if build container is not committed
- chroot: honor DefaultErrnoRet
- [CI:DOCS] improve pull-policy documentation
- tests: retrofit test since --file does not support dir
- Switch to golang native error wrapping
- BuildDockerfiles: error out if path to containerfile is a directory
- define.downloadToDirectory: fail early if bad HTTP response
- GHA: Allow re-use of Cirrus-Cron fail-mail workflow
- add: fail on bad http response instead of writing to container
- [CI:DOCS] Update buildahimage comment
- lint: inspectable is never nil
- vendor: c/common to common@7e1563b
- build: support OCI hooks for ephemeral build containers
- [CI:BUILD] Install latest buildah instead of compiling
- Add subid support with BuildRequires and BUILDTAG [NO NEW TESTS NEEDED]
- Make sure cpp is installed in buildah images
- demo: use unshare for rootless invocations
- buildah.spec.rpkg: initial addition
- build: fix test for subid 4
- build, userns: add support for --userns=auto
- Fix building upstream buildah image
- Remove redundant buildahimages-are-sane validation
- Docs: Update multi-arch buildah images readme
- Cirrus: Migrate multiarch build off github actions
- retrofit-tests: we skip unused stages so use stages
- stage_executor: don't rely on stage while looking for additional-context
- buildkit, multistage: skip computing unwanted stages
- More test cleanup
- copier: work around freebsd bug for 'mkdir /'
- Replace $BUILDAH_BINARY with buildah() function
- Fix up buildah images
- Make util and copier build on FreeBSD
- Vendor in latest github.com/sirupsen/logrus
- Makefile: allow building without .git
- run_unix: don't return an error from getNetworkInterface
- run_unix: return a valid DefaultNamespaceOptions
- Update vendor of containers/storage
- chroot: use ActKillThread instead of ActKill
- use resolvconf package from c/common/libnetwork
- update c/common to latest main
- copier: add `NoOverwriteNonDirDir` option
- Sort buildoptions and move cli/build functions to internal
- Fix TODO: de-spaghettify run mounts
- Move options parsing out of build.go and into pkg/cli
- [CI:DOCS] Tutorial 04 - Include Debian/Ubuntu deps
- build, multiarch: support splitting build logs for --platform
- [CI:BUILD] WIP Cleanup Image Dockerfiles
- cli remove stutter
- docker-parity: ignore sanity check if baseImage history is null
- build, commit: allow disabling image history with --omit-history
- Fix use generic/ambiguous DEBUG name
- Cirrus: use Ubuntu 22.04 LTS
- Fix codespell errors
- Remove util.StringInSlice because it is defined in containers/common
- buildah: add support for renaming a device in rootless setups
- squash: never use build cache when computing last step of last stage
- Update vendor of containers/(common, storage, image)
- buildkit: supports additionalBuildContext in builds via --build-context
- buildah source pull/push: show progress bar
- run: allow reusing secret twice in different RUN steps
- test helpers: default to being rootless-aware
- Add --cpp-flag flag to buildah build
- build: accept branch and subdirectory when context is git repo
- Vendor in latest containers/common
- vendor: update c/storage and c/image
- Fix gentoo install docs
- copier: move NSS load to new process
- Add test for prevention of reusing encrypted layers
- Make `buildah build --label foo` create an empty 'foo' label again
Update to version 1.26.4:
- build, multiarch: support splitting build logs for --platform
- copier: add `NoOverwriteNonDirDir` option
- docker-parity: ignore sanity check if baseImage history is null
- build, commit: allow disabling image history with --omit-history
- buildkit: supports additionalBuildContext in builds via --build-context
- Add --cpp-flag flag to buildah build
Update to version 1.26.3:
- define.downloadToDirectory: fail early if bad HTTP response
- add: fail on bad http response instead of writing to container
- squash: never use build cache when computing last step of last stage
- run: allow reusing secret twice in different RUN steps
- integration tests: update expected error messages
- integration tests: quote '?' in shell scripts
- Use errors.Is() to check for storage errors
- lint: inspectable is never nil
- chroot: use ActKillThread instead of ActKill
- chroot: honor DefaultErrnoRet
- Set user namespace defaults correctly for the library
- contrib/rpm/buildah.spec: fix `rpm` parser warnings
- Drop requires on apparmor pattern, should be moved elsewhere for systems which want AppArmor instead of SELinux.
- Update BuildRequires to libassuan-devel >= 2.5.2, pkgconfig file is required to build.
Update to version 1.26.2:
- buildah: add support for renaming a device in rootless setups
Update to version 1.26.1:
- Make `buildah build --label foo` create an empty 'foo' label again
- imagebuildah,build: move deepcopy of args before we spawn goroutine
- Vendor in containers/storage v1.40.2
- buildah.BuilderOptions.DefaultEnv is ignored, so mark it as deprecated
- help output: get more consistent about option usage text
- Handle OS version and features flags
- buildah build: --annotation and --label should remove values
- buildah build: add a --env
- buildah: deep copy options.Args before performing concurrent build/stage
- test: inline platform and builtinargs behaviour
- vendor: bump imagebuilder to master/009dbc6
- build: automatically set correct TARGETPLATFORM where expected
- Vendor in containers/(common, storage, image)
- imagebuildah, executor: process arg variables while populating baseMap
- buildkit: add support for custom build output with --output
- Cirrus: Update CI VMs to F36
- fix staticcheck linter warning for deprecated function
- Fix docs build on FreeBSD
- copier.unwrapError(): update for Go 1.16
- copier.PutOptions: add StripSetuidBit/StripSetgidBit/StripStickyBit
- copier.Put(): write to read-only directories
- Ed's periodic test cleanup
- using consistent lowercase 'invalid' word in returned err msg
- use etchosts package from c/common
- run: set actual hostname in /etc/hostname to match docker parity
- Update vendor of containers/(common,storage,image)
- manifest-create: allow creating manifest list from local image
- Update vendor of storage,common,image
- Initialize network backend before first pull
- oci spec: change special mount points for namespaces
- tests/helpers.bash: assert handle corner cases correctly
- buildah: actually use containers.conf settings
- integration tests: learn to start a dummy registry
- Fix error check to work on Podman
- buildah build should accept at most one arg
- tests: reduce concurrency for flaky bud-multiple-platform-no-run
- vendor in latest containers/common,image,storage
- manifest-add: allow override arch,variant while adding image
- Remove a stray `\` from .containerenv
- Vendor in latest opencontainers/selinux v1.10.1
- build, commit: allow removing default identity labels
- Create shorter names for containers based on image IDs
- test: skip rootless on cgroupv2 in root env
- fix hang when oci runtime fails
- Set permissions for GitHub actions
- copier test: use correct UID/GID in test archives
- run: set parent-death signals and forward SIGHUP/SIGINT/SIGTERM
- ID: SUSE-SU-2022:3766-1
- Severity: important
- URL: https://www.suse.com/support/update/announcement/2022/suse-su-20223766-1/
- Published: 2022-10-26T09:38:08
- Modified: 2022-10-26T09:38:08
- Rights: Copyright 2024 SUSE LLC. All rights reserved.

Other Advisories:
- ALPINE:CVE-2020-10696
- ALPINE:CVE-2021-20206
- ALPINE:CVE-2022-2990
- ALSA-2020:1926
- ALSA-2020:1931
- ALSA-2020:1932
- ALSA-2022:7822
- ALSA-2022:8008
- ALSA-2022:8431
- ELSA-2020-1926
- ELSA-2020-1931
- ELSA-2020-1932
- ELSA-2022-7457
- ELSA-2022-7822
- ELSA-2022-8008
- ELSA-2022-8431
- FEDORA-2021-fb466fb623
- GO-2022-0230
- GO-2022-1008
- openSUSE-SU-2020:2106-1
- openSUSE-SU-2021:0310-1
- openSUSE-SU-2022:0770-1
- RHSA-2020:1926
- RHSA-2020:1931
- RHSA-2020:1932
- RHSA-2022:7457
- RHSA-2022:7822
- RHSA-2022:8008
- RHSA-2022:8431
- RLSA-2020:1926
- RLSA-2020:1931
- RLSA-2020:1932
- RLSA-2022:7457
- RLSA-2022:7822
- SUSE-SU-2020:3423-1
- SUSE-SU-2022:0770-1
- SUSE-SU-2022:3480-1
- SUSE-SU-2022:3655-1
- SUSE-SU-2022:4150-1
- SUSE-SU-2022:4151-1
- SUSE-SU-2022:4349-1
- SUSE-SU-2022:4350-1
- SUSE-SU-2022:4592-1
- SUSE-SU-2022:4593-1
- SUSE-SU-2023:0187-1
- SUSE-SU-2023:0326-1
- SUSE-SU-2023:4099-1
Source | Name | URL |
---|---|---|
Suse | SUSE ratings | https://www.suse.com/support/security/rating/ |
Suse | URL of this CSAF notice | https://ftp.suse.com/pub/projects/security/csaf/suse-su-2022_3766-1.json |
Suse | URL for SUSE-SU-2022:3766-1 | https://www.suse.com/support/update/announcement/2022/suse-su-20223766-1/ |
Suse | E-Mail link for SUSE-SU-2022:3766-1 | https://lists.suse.com/pipermail/sle-security-updates/2022-October/012703.html |
Bugzilla | SUSE Bug 1167864 | https://bugzilla.suse.com/1167864 |
Bugzilla | SUSE Bug 1181961 | https://bugzilla.suse.com/1181961 |
Bugzilla | SUSE Bug 1202812 | https://bugzilla.suse.com/1202812 |
CVE | SUSE CVE CVE-2020-10696 page | https://www.suse.com/security/cve/CVE-2020-10696/ |
CVE | SUSE CVE CVE-2021-20206 page | https://www.suse.com/security/cve/CVE-2021-20206/ |
CVE | SUSE CVE CVE-2022-2990 page | https://www.suse.com/security/cve/CVE-2022-2990/ |
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:rpm/suse/libgpg-error0?arch=x86_64&distro=slem-5 | suse | libgpg-error0 | < 1.42-150300.9.3.1 | slem-5 | x86_64 | |
Affected | pkg:rpm/suse/libgpg-error0?arch=x86_64&distro=opensuse-leap-micro-5.2 | suse | libgpg-error0 | < 1.42-150300.9.3.1 | opensuse-leap-micro-5.2 | x86_64 | |
Affected | pkg:rpm/suse/libgpg-error0?arch=x86_64&distro=opensuse-leap-15.3 | suse | libgpg-error0 | < 1.42-150300.9.3.1 | opensuse-leap-15.3 | x86_64 | |
Affected | pkg:rpm/suse/libgpg-error0?arch=s390x&distro=slem-5 | suse | libgpg-error0 | < 1.42-150300.9.3.1 | slem-5 | s390x | |
Affected | pkg:rpm/suse/libgpg-error0?arch=s390x&distro=opensuse-leap-15.3 | suse | libgpg-error0 | < 1.42-150300.9.3.1 | opensuse-leap-15.3 | s390x | |
Affected | pkg:rpm/suse/libgpg-error0?arch=ppc64le&distro=opensuse-leap-15.3 | suse | libgpg-error0 | < 1.42-150300.9.3.1 | opensuse-leap-15.3 | ppc64le | |
Affected | pkg:rpm/suse/libgpg-error0?arch=aarch64&distro=slem-5 | suse | libgpg-error0 | < 1.42-150300.9.3.1 | slem-5 | aarch64 | |
Affected | pkg:rpm/suse/libgpg-error0?arch=aarch64&distro=opensuse-leap-micro-5.2 | suse | libgpg-error0 | < 1.42-150300.9.3.1 | opensuse-leap-micro-5.2 | aarch64 | |
Affected | pkg:rpm/suse/libgpg-error0?arch=aarch64&distro=opensuse-leap-15.3 | suse | libgpg-error0 | < 1.42-150300.9.3.1 | opensuse-leap-15.3 | aarch64 | |
Affected | pkg:rpm/suse/libgpg-error0-32bit?arch=x86_64&distro=opensuse-leap-15.3 | suse | libgpg-error0-32bit | < 1.42-150300.9.3.1 | opensuse-leap-15.3 | x86_64 | |
Affected | pkg:rpm/suse/libgpg-error-devel?arch=x86_64&distro=opensuse-leap-15.3 | suse | libgpg-error-devel | < 1.42-150300.9.3.1 | opensuse-leap-15.3 | x86_64 | |
Affected | pkg:rpm/suse/libgpg-error-devel?arch=s390x&distro=opensuse-leap-15.3 | suse | libgpg-error-devel | < 1.42-150300.9.3.1 | opensuse-leap-15.3 | s390x | |
Affected | pkg:rpm/suse/libgpg-error-devel?arch=ppc64le&distro=opensuse-leap-15.3 | suse | libgpg-error-devel | < 1.42-150300.9.3.1 | opensuse-leap-15.3 | ppc64le | |
Affected | pkg:rpm/suse/libgpg-error-devel?arch=aarch64&distro=opensuse-leap-15.3 | suse | libgpg-error-devel | < 1.42-150300.9.3.1 | opensuse-leap-15.3 | aarch64 | |
Affected | pkg:rpm/suse/libgpg-error-devel-32bit?arch=x86_64&distro=opensuse-leap-15.3 | suse | libgpg-error-devel-32bit | < 1.42-150300.9.3.1 | opensuse-leap-15.3 | x86_64 | |
Affected | pkg:rpm/suse/buildah?arch=x86_64&distro=opensuse-leap-15.3 | suse | buildah | < 1.27.1-150300.8.11.1 | opensuse-leap-15.3 | x86_64 | |
Affected | pkg:rpm/suse/buildah?arch=s390x&distro=opensuse-leap-15.3 | suse | buildah | < 1.27.1-150300.8.11.1 | opensuse-leap-15.3 | s390x | |
Affected | pkg:rpm/suse/buildah?arch=ppc64le&distro=opensuse-leap-15.3 | suse | buildah | < 1.27.1-150300.8.11.1 | opensuse-leap-15.3 | ppc64le | |
Affected | pkg:rpm/suse/buildah?arch=aarch64&distro=opensuse-leap-15.3 | suse | buildah | < 1.27.1-150300.8.11.1 | opensuse-leap-15.3 | aarch64 |