File _patchinfo of Package patchinfo.39200
<patchinfo incident="39200">
<issue tracker="bnc" id="1243388">[trackerbug] umoci 0.5.0 update</issue>
<issue tracker="cve" id="2021-41190"/>
<packager>cyphar</packager>
<rating>moderate</rating>
<category>security</category>
<summary>Security update for umoci</summary>
<description>This update for umoci fixes the following issues:
Update to umoci v0.5.0. Upstream changelog is available from
<https://github.com/opencontainers/umoci/releases/tag/v0.5.0> bsc#1243388
A security flaw was found in the OCI image-spec, where it is possible to
cause a blob with one media-type to be interpreted as a different media-type.
As umoci is not a registry nor does it handle signatures, this vulnerability
had no real impact on umoci but for safety we implemented the now-recommended
media-type embedding and verification. CVE-2021-41190
Other changes in this release:
* Several large reworks and API-related changes to umoci's overlayfs
support. This is only available to Go API users.
* The runtime-spec config.json generated by umoci is updated to be more
modern and work properly with modern runc versions.
* The default gzip compression blocksize has been adjusted to match Docker.
* zstd-compressed images are now fully supported. Users can explicitly
request the compression algorithm for newly-generated layers with the
--compress option.
</description>
</patchinfo>