Security update for skopeo SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20019-1 Final 1 1 2025-02-03T08:48:38Z current 2025-02-03T08:48:38Z 2025-02-03T08:48:38Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for skopeo This update for skopeo fixes the following issues: - Update to version 1.14.4: * CVE-2024-3727: digest type does not guarantee valid type (bsc#1224123) * Packit: update packit targets * Bump gopkg.in/go-jose to v2.6.3 * Bump ocicrypt and go-jose CVE-2024-28180 * Freeze the fedora-minimal image reference at Fedora 38 * Bump c/common to v0.57.4 * Bump google.golang.org/protobuf to v1.33.0 * Bump Skopeo to v1.14.3-dev - Update to version 1.14.2: * Bump c/image to v5.29.2, c/common to v0.57.3 (fixes bsc#1219563) - Update to version 1.14.1: * fix(deps): update module github.com/containers/common to v0.57.2 * fix(deps): update module github.com/containers/image/v5 to v5.29.1 * chore(deps): update dependency containers/automation_images to v20240102 * Fix libsubid detection * fix(deps): update module golang.org/x/term to v0.16.0 * fix(deps): update golang.org/x/exp digest to 02704c9 * chore(deps): update dependency containers/automation_images to v20231208 * [skip-ci] Update actions/stale action to v9 * fix(deps): update module github.com/containers/common to v0.57.1 * fix(deps): update golang.org/x/exp digest to 6522937 * fix(deps): update module golang.org/x/term to v0.15.0 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.0-21 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520019-1/ Link for SUSE-SU-2025:20019-1 https://lists.suse.com/pipermail/sle-security-updates/2025-June/021351.html E-Mail link for SUSE-SU-2025:20019-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1219563 SUSE Bug 1219563 https://bugzilla.suse.com/1224123 SUSE Bug 1224123 https://www.suse.com/security/cve/CVE-2024-28180/ SUSE CVE CVE-2024-28180 page https://www.suse.com/security/cve/CVE-2024-3727/ SUSE CVE CVE-2024-3727 page SUSE Linux Micro 6.0 skopeo-1.14.4-1.1 skopeo-1.14.4-1.1 as a component of SUSE Linux Micro 6.0 Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3. CVE-2024-28180 SUSE Linux Micro 6.0:skopeo-1.14.4-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520019-1/ https://www.suse.com/security/cve/CVE-2024-28180.html CVE-2024-28180 https://bugzilla.suse.com/1234984 SUSE Bug 1234984 A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks. CVE-2024-3727 SUSE Linux Micro 6.0:skopeo-1.14.4-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520019-1/ https://www.suse.com/security/cve/CVE-2024-3727.html CVE-2024-3727 https://bugzilla.suse.com/1224112 SUSE Bug 1224112