File _patchinfo of Package patchinfo.13638
<patchinfo incident="13638">
<issue tracker="bnc" id="1115165">update skopeo to introduce sync command</issue>
<issue tracker="bnc" id="1159530">Update skopeo to v0.1.39 in SLE15/12</issue>
<issue tracker="bnc" id="1066210">VUL-0: CVE-2017-14992: docker: Lack of content verification allows a remote attacker to cause DoS via crafted tar archive</issue>
<issue tracker="cve" id="2017-14992"/>
<packager>sgrunert</packager>
<rating>moderate</rating>
<category>security</category>
<summary>Security update for skopeo</summary>
<description>This update for skopeo fixes the following issues:
Update to skopeo v0.1.39 (bsc#1159530):
- inspect: add a --config flag
- Add --no-creds flag to skopeo inspect
- Add --quiet option to skopeo copy
- New progress bars
- Parallel Pulls and Pushes for major speed improvements
- containers/image moved to a new progress-bar library to fix various
issues related to overlapping bars and redundant entries.
- enforce blocking of registries
- Allow storage-multiple-manifests
- When copying images and the output is not a tty (e.g., when piping to a
  file), print single lines instead of using progress bars. This avoids
  long, hard-to-parse output.
- man pages: add --dest-oci-accept-uncompressed-layers
- completions:
  - Introduce transports completions
  - Fix bash completions when an option requires an argument
  - Use only spaces in indent
  - Fix completions with a global option
  - add --dest-oci-accept-uncompressed-layers
- Disable ostree repository types for SLE, as this feature requires libostree
that is not yet available in the Server Application module where skopeo is
located.
Update to skopeo v0.1.32:
* Add command time out support
* Updates to vendored libraries
- Implemented the `skopeo sync` command. (bsc#1115165)
Update to skopeo v0.1.30:
* skopeo-copy: docker-archive: multitag support
* Updates to vendored libraries
Update to skopeo v0.1.28:
* vendor: bump containers/image and containers/image
* Cleanup skopeo man page and README.md
* Use credentials from authfile for skopeo commands
* Update to a newer containers/storage master
* Add global --override-arch and --override-os options
Update to skopeo v0.1.26. This includes a fix for CVE-2017-14992.
Disable containers/storage integration by default (through containers_image_storage_stub), as it is very dodgy and not widely used.
Update to skopeo v0.1.24. Upstream changelog:
* Improvements to macOS builds: A make binary-local should work without extra options.
* make install on macOS now installs to /usr/local
* The destination in docker-archive: now can be a pipe.
* When building with containers_image_openpgp, signatures with PGP v3 signature packets are accepted.
* Unreadable /etc/docker/certs.d now only logs a warning instead of aborting the operation.
* oci-layout: naming semantics changes:
  * A full range of org.opencontainers.image.ref.name values is now accepted
  * A name must be specified for oci-layout: destinations (it does not default to latest any more).
  * For oci-layout: sources, a name is now optional if the image index contains exactly one image (instead of using the image with the latest name).
* Policy configuration identities of oci-layout: images now consist only of the directory name, to avoid the ambiguity created by the unspecified annotation values above.
* ~/.docker/config.json credential helpers (configured in credHelpers) are now supported.
* Annotations are now preserved when copying and compressing OCI images.
* New transport oci-archive:, works exactly like oci-layout:, but works on tarballs instead of extracted directories.
* When copying images, skopeo always asks for the same image schema, and optionally converts the image itself to make it acceptable to the destination, instead of asking for a schema dependent on the destinations’ capabilities (relying on the source to convert the image).
* Improved installation instructions.
* ostree: image names can now contain colons (e.g. port specifications)
* skopeo now does not declare support for manifest lists, so that the source registry provides a single image. This allows skopeo copy to copy various images recently published to Docker Hub. (More complete support for manifest lists will come in the future.)
* The containers-storage: backend has been updated, incl. support for the override_kernel_checks option.
* Improved the output of progress bars in skopeo copy.
* Fixed fetching blobs with external URLs in images served by docker/distribution registries.
* OCI images now support reading blobs with external URLs, and storing information about such blobs without copying the contents.
* Writing ostree: images creates a docker.digest annotation.
* docker/distribution registry credentials are now read from $XDG_RUNTIME_DIR/containers/auth.json before trying ~/.docker/config.json and ~/.dockercfg.
* skopeo inspect no longer crashes on images where the config blob does not contain a container configuration.
</description>
</patchinfo>