Security update for umoci SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:1116-1 Final 1 1 2021-04-09T08:57:18Z current 2021-04-09T08:57:18Z 2021-04-09T08:57:18Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for umoci This update for umoci fixes the following issues: - Update to umoci v0.4.6. - CVE-2021-29136: malicious layer allows overwriting of host files (bsc#1184147) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2021-1116,SUSE-SLE-Module-Containers-15-SP2-2021-1116,SUSE-SLE-Module-Containers-15-SP3-2021-1116,SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1116,SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1116,SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1116,SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1116,SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1116,SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1116,SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1116,SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1116,SUSE-Storage-6-2021-1116 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20211116-1/ Link for SUSE-SU-2021:1116-1 https://lists.suse.com/pipermail/sle-security-updates/2021-April/008608.html E-Mail link for SUSE-SU-2021:1116-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1184147 SUSE Bug 1184147 https://www.suse.com/security/cve/CVE-2021-29136/ SUSE CVE CVE-2021-29136 page SUSE Enterprise Storage 6 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS SUSE Linux Enterprise Module for Containers 15 SP2 SUSE Linux Enterprise Server 15 SP1-BCL SUSE Linux Enterprise Server 15 SP1-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP1 SUSE Manager Proxy 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Server 4.0 umoci-0.4.6-3.9.1 umoci-0.4.6-3.9.1 as a component of SUSE Enterprise Storage 6 umoci-0.4.6-3.9.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS umoci-0.4.6-3.9.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS umoci-0.4.6-3.9.1 as a component of SUSE Linux Enterprise Module for Containers 15 SP2 umoci-0.4.6-3.9.1 as a component of SUSE Linux Enterprise Server 15 SP1-BCL umoci-0.4.6-3.9.1 as a component of SUSE Linux Enterprise Server 15 SP1-LTSS umoci-0.4.6-3.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 umoci-0.4.6-3.9.1 as a component of SUSE Manager Proxy 4.0 umoci-0.4.6-3.9.1 as a component of SUSE Manager Retail Branch Server 4.0 umoci-0.4.6-3.9.1 as a component of SUSE Manager Server 4.0 Open Container Initiative umoci before 0.4.7 allows attackers to overwrite arbitrary host paths via a crafted image that causes symlink traversal when "umoci unpack" or "umoci raw unpack" is used. CVE-2021-29136 SUSE Enterprise Storage 6:umoci-0.4.6-3.9.1 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:umoci-0.4.6-3.9.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:umoci-0.4.6-3.9.1 SUSE Linux Enterprise Module for Containers 15 SP2:umoci-0.4.6-3.9.1 SUSE Linux Enterprise Server 15 SP1-BCL:umoci-0.4.6-3.9.1 SUSE Linux Enterprise Server 15 SP1-LTSS:umoci-0.4.6-3.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:umoci-0.4.6-3.9.1 SUSE Manager Proxy 4.0:umoci-0.4.6-3.9.1 SUSE Manager Retail Branch Server 4.0:umoci-0.4.6-3.9.1 SUSE Manager Server 4.0:umoci-0.4.6-3.9.1 important 2.1 AV:L/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211116-1/ https://www.suse.com/security/cve/CVE-2021-29136.html CVE-2021-29136 https://bugzilla.suse.com/1184147 SUSE Bug 1184147