Lucene search

K
suseSuseSUSE-SU-2016:1146-1
HistoryApr 25, 2016 - 8:07 p.m.

Security update for portus (important)

2016-04-2520:07:56
lists.opensuse.org
21

0.974 High

EPSS

Percentile

99.9%

Portus was updated to version 2.0.3, which brings several fixes and
enhancements:

  • Fixed crono job when a repository could not be found.
  • Fixed compatibility issues with Docker 1.10 and Distribution 2.3.
  • Handle multiple scopes in token requests.
  • Add optional fields to token response.
  • Fixed notification events for Distribution v2.3.
  • Paginate through the catalog properly.
  • Do not remove all the repositories if fetching one fails.
  • Fixed SMTP setup.
  • Don’t let crono overflow the ‘log’ column on the DB.
  • Show the actual LDAP error on invalid login.
  • Fixed the location of crono logs.
  • Always use relative paths.
  • Set RUBYLIB when using portusctl.
  • Don’t count hidden teams on the admin panel.
  • Warn developers on unsupported docker-compose versions.
  • Directly invalidate LDAP logins without name and password.
  • Don’t show the "I forgot my password" link on LDAP.

The following Rubygems bundled within Portus have been updated to fix
security issues:

  • CVE-2016-2098: rubygem-actionpack (bsc#969943).
  • CVE-2015-7578: rails-html-sanitizer (bsc#963326).
  • CVE-2015-7579: rails-html-sanitizer (bsc#963327).
  • CVE-2015-7580: rails-html-sanitizer (bsc#963328).
  • CVE-2015-7576: rubygem-actionpack, rubygem-activesupport (bsc#963563).
  • CVE-2015-7577: rubygem-activerecord (bsc#963604).
  • CVE-2016-0751: rugygem-actionpack (bsc#963627).
  • CVE-2016-0752: rubygem-actionpack, rubygem-actionview (bsc#963608).
  • CVE-2016-0753: rubygem-activemodel, rubygem-activesupport,
    rubygem-activerecord (bsc#963617).
  • CVE-2015-7581: rubygem-actionpack (bsc#963625).