Security update for skopeo SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:1987-1 Final 1 1 2024-06-11T11:48:30Z current 2024-06-11T11:48:30Z 2024-06-11T11:48:30Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for skopeo This update for skopeo fixes the following issues: - Update to version 1.14.4: - CVE-2024-3727: Fixed a vulnerability that allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, resource exhaustion, local path traversal and other attacks. (bsc#1224123) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-1987,SUSE-SLE-Micro-5.5-2024-1987,SUSE-SLE-Module-Basesystem-15-SP5-2024-1987,SUSE-SLE-Module-Basesystem-15-SP6-2024-1987,SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-1987,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-1987,SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-1987,SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-1987,SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-1987,SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-1987,SUSE-SLE-Product-SLES_SAP-15-SP3-2024-1987,SUSE-SLE-Product-SLES_SAP-15-SP4-2024-1987,SUSE-SLE-Product-SUSE-Manager-Proxy-4.3-2024-1987,SUSE-SLE-Product-SUSE-Manager-Server-4.3-2024-1987,SUSE-Storage-7.1-2024-1987,openSUSE-SLE-15.5-2024-1987,openSUSE-SLE-15.6-2024-1987 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20241987-1/ Link for SUSE-SU-2024:1987-1 https://lists.suse.com/pipermail/sle-updates/2024-June/035548.html E-Mail link for SUSE-SU-2024:1987-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1224123 SUSE Bug 1224123 https://www.suse.com/security/cve/CVE-2024-28180/ SUSE CVE CVE-2024-28180 page https://www.suse.com/security/cve/CVE-2024-3727/ SUSE CVE CVE-2024-3727 page SUSE Enterprise Storage 7.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS SUSE Linux Enterprise Micro 5.5 SUSE Linux Enterprise Module for Basesystem 15 SP5 SUSE Linux Enterprise Module for Basesystem 15 SP6 SUSE Linux Enterprise Server 15 SP3-LTSS SUSE Linux Enterprise Server 15 SP4-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Manager Proxy 4.3 SUSE Manager Server 4.3 openSUSE Leap 15.5 openSUSE Leap 15.6 skopeo-1.14.4-150300.11.11.1 skopeo-bash-completion-1.14.4-150300.11.11.1 skopeo-fish-completion-1.14.4-150300.11.11.1 skopeo-zsh-completion-1.14.4-150300.11.11.1 skopeo-1.14.4-150300.11.11.1 as a component of SUSE Enterprise Storage 7.1 skopeo-1.14.4-150300.11.11.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS skopeo-1.14.4-150300.11.11.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS skopeo-1.14.4-150300.11.11.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS skopeo-1.14.4-150300.11.11.1 as a component of SUSE Linux Enterprise Micro 5.5 skopeo-1.14.4-150300.11.11.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP5 skopeo-1.14.4-150300.11.11.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 skopeo-bash-completion-1.14.4-150300.11.11.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 skopeo-zsh-completion-1.14.4-150300.11.11.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 skopeo-1.14.4-150300.11.11.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS skopeo-1.14.4-150300.11.11.1 as a component of SUSE Linux Enterprise Server 15 SP4-LTSS skopeo-1.14.4-150300.11.11.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 skopeo-1.14.4-150300.11.11.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP4 skopeo-1.14.4-150300.11.11.1 as a component of SUSE Manager Proxy 4.3 skopeo-1.14.4-150300.11.11.1 as a component of SUSE Manager Server 4.3 skopeo-1.14.4-150300.11.11.1 as a component of openSUSE Leap 15.5 skopeo-1.14.4-150300.11.11.1 as a component of openSUSE Leap 15.6 skopeo-bash-completion-1.14.4-150300.11.11.1 as a component of openSUSE Leap 15.6 skopeo-fish-completion-1.14.4-150300.11.11.1 as a component of openSUSE Leap 15.6 skopeo-zsh-completion-1.14.4-150300.11.11.1 as a component of openSUSE Leap 15.6 Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3. CVE-2024-28180 SUSE Enterprise Storage 7.1:skopeo-1.14.4-150300.11.11.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:skopeo-1.14.4-150300.11.11.1 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:skopeo-1.14.4-150300.11.11.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:skopeo-1.14.4-150300.11.11.1 SUSE Linux Enterprise Micro 5.5:skopeo-1.14.4-150300.11.11.1 SUSE Linux Enterprise Module for Basesystem 15 SP5:skopeo-1.14.4-150300.11.11.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:skopeo-1.14.4-150300.11.11.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:skopeo-bash-completion-1.14.4-150300.11.11.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:skopeo-zsh-completion-1.14.4-150300.11.11.1 SUSE Linux Enterprise Server 15 SP3-LTSS:skopeo-1.14.4-150300.11.11.1 SUSE Linux Enterprise Server 15 SP4-LTSS:skopeo-1.14.4-150300.11.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:skopeo-1.14.4-150300.11.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:skopeo-1.14.4-150300.11.11.1 SUSE Manager Proxy 4.3:skopeo-1.14.4-150300.11.11.1 SUSE Manager Server 4.3:skopeo-1.14.4-150300.11.11.1 openSUSE Leap 15.5:skopeo-1.14.4-150300.11.11.1 openSUSE Leap 15.6:skopeo-1.14.4-150300.11.11.1 openSUSE Leap 15.6:skopeo-bash-completion-1.14.4-150300.11.11.1 openSUSE Leap 15.6:skopeo-fish-completion-1.14.4-150300.11.11.1 openSUSE Leap 15.6:skopeo-zsh-completion-1.14.4-150300.11.11.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241987-1/ https://www.suse.com/security/cve/CVE-2024-28180.html CVE-2024-28180 https://bugzilla.suse.com/1234984 SUSE Bug 1234984 A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks. CVE-2024-3727 SUSE Enterprise Storage 7.1:skopeo-1.14.4-150300.11.11.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:skopeo-1.14.4-150300.11.11.1 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:skopeo-1.14.4-150300.11.11.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:skopeo-1.14.4-150300.11.11.1 SUSE Linux Enterprise Micro 5.5:skopeo-1.14.4-150300.11.11.1 SUSE Linux Enterprise Module for Basesystem 15 SP5:skopeo-1.14.4-150300.11.11.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:skopeo-1.14.4-150300.11.11.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:skopeo-bash-completion-1.14.4-150300.11.11.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:skopeo-zsh-completion-1.14.4-150300.11.11.1 SUSE Linux Enterprise Server 15 SP3-LTSS:skopeo-1.14.4-150300.11.11.1 SUSE Linux Enterprise Server 15 SP4-LTSS:skopeo-1.14.4-150300.11.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:skopeo-1.14.4-150300.11.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:skopeo-1.14.4-150300.11.11.1 SUSE Manager Proxy 4.3:skopeo-1.14.4-150300.11.11.1 SUSE Manager Server 4.3:skopeo-1.14.4-150300.11.11.1 openSUSE Leap 15.5:skopeo-1.14.4-150300.11.11.1 openSUSE Leap 15.6:skopeo-1.14.4-150300.11.11.1 openSUSE Leap 15.6:skopeo-bash-completion-1.14.4-150300.11.11.1 openSUSE Leap 15.6:skopeo-fish-completion-1.14.4-150300.11.11.1 openSUSE Leap 15.6:skopeo-zsh-completion-1.14.4-150300.11.11.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241987-1/ https://www.suse.com/security/cve/CVE-2024-3727.html CVE-2024-3727 https://bugzilla.suse.com/1224112 SUSE Bug 1224112