Security update for skopeo SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:2754-1 Final 1 1 2024-08-05T19:03:58Z current 2024-08-05T19:03:58Z 2024-08-05T19:03:58Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for skopeo This update for skopeo fixes the following issues: Update to version 1.14.4: - CVE-2024-3727: Fixed a vulnerability that allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, resource exhaustion, local path traversal and other attacks. (bsc#1224123) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container suse/sle15:15.2-2024-2754,SUSE-2024-2754,SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-2754,SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-2754,SUSE-SLE-Product-SLES_SAP-15-SP2-2024-2754 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20242754-1/ Link for SUSE-SU-2024:2754-1 https://lists.suse.com/pipermail/sle-updates/2024-August/036292.html E-Mail link for SUSE-SU-2024:2754-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1224123 SUSE Bug 1224123 https://www.suse.com/security/cve/CVE-2024-28180/ SUSE CVE CVE-2024-28180 page Container suse/sle15:15.2 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS SUSE Linux Enterprise Server 15 SP2-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP2 libgpg-error0-1.29-150000.3.3.1 gpgme-1.10.0-150000.4.12.2 libgpg-error-devel-1.29-150000.3.3.1 libgpg-error-devel-32bit-1.29-150000.3.3.1 libgpg-error-devel-64bit-1.29-150000.3.3.1 libgpg-error0-32bit-1.29-150000.3.3.1 libgpg-error0-64bit-1.29-150000.3.3.1 libgpgme-devel-1.10.0-150000.4.12.2 libgpgme11-1.10.0-150000.4.12.2 libgpgme11-32bit-1.10.0-150000.4.12.2 libgpgme11-64bit-1.10.0-150000.4.12.2 libgpgmepp-devel-1.10.0-150000.4.12.2 libgpgmepp6-1.10.0-150000.4.12.2 libgpgmepp6-32bit-1.10.0-150000.4.12.2 libgpgmepp6-64bit-1.10.0-150000.4.12.2 libqgpgme-devel-1.10.0-150000.4.12.2 libqgpgme7-1.10.0-150000.4.12.2 libqgpgme7-32bit-1.10.0-150000.4.12.2 libqgpgme7-64bit-1.10.0-150000.4.12.2 python2-gpg-1.10.0-150000.4.12.2 python3-gpg-1.10.0-150000.4.12.2 skopeo-1.14.4-150000.4.26.1 skopeo-bash-completion-1.14.4-150000.4.26.1 skopeo-fish-completion-1.14.4-150000.4.26.1 skopeo-zsh-completion-1.14.4-150000.4.26.1 libgpg-error0-1.29-150000.3.3.1 as a component of Container suse/sle15:15.2 libgpg-error-devel-1.29-150000.3.3.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS libgpg-error0-1.29-150000.3.3.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS libgpg-error0-32bit-1.29-150000.3.3.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS skopeo-1.14.4-150000.4.26.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS libgpg-error-devel-1.29-150000.3.3.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS libgpg-error0-1.29-150000.3.3.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS libgpg-error0-32bit-1.29-150000.3.3.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS skopeo-1.14.4-150000.4.26.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS libgpg-error-devel-1.29-150000.3.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 libgpg-error0-1.29-150000.3.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 libgpg-error0-32bit-1.29-150000.3.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 skopeo-1.14.4-150000.4.26.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3. CVE-2024-28180 Container suse/sle15:15.2:libgpg-error0-1.29-150000.3.3.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:libgpg-error-devel-1.29-150000.3.3.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:libgpg-error0-1.29-150000.3.3.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:libgpg-error0-32bit-1.29-150000.3.3.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:skopeo-1.14.4-150000.4.26.1 SUSE Linux Enterprise Server 15 SP2-LTSS:libgpg-error-devel-1.29-150000.3.3.1 SUSE Linux Enterprise Server 15 SP2-LTSS:libgpg-error0-1.29-150000.3.3.1 SUSE Linux Enterprise Server 15 SP2-LTSS:libgpg-error0-32bit-1.29-150000.3.3.1 SUSE Linux Enterprise Server 15 SP2-LTSS:skopeo-1.14.4-150000.4.26.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:libgpg-error-devel-1.29-150000.3.3.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:libgpg-error0-1.29-150000.3.3.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:libgpg-error0-32bit-1.29-150000.3.3.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:skopeo-1.14.4-150000.4.26.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242754-1/ https://www.suse.com/security/cve/CVE-2024-28180.html CVE-2024-28180 https://bugzilla.suse.com/1234984 SUSE Bug 1234984