SUSE-SU-2016:1146-1

Source
https://www.suse.com/support/update/announcement/2016/suse-su-20161146-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2016:1146-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2016:1146-1
Related
Published
2016-04-25T14:28:51Z
Modified
2016-04-25T14:28:51Z
Summary
Security update for portus
Details

Portus was updated to version 2.0.3, which brings several fixes and enhancements:

  • Fixed crono job when a repository could not be found.
  • Fixed compatibility issues with Docker 1.10 and Distribution 2.3.
  • Handle multiple scopes in token requests.
  • Add optional fields to token response.
  • Fixed notification events for Distribution v2.3.
  • Paginate through the catalog properly.
  • Do not remove all the repositories if fetching one fails.
  • Fixed SMTP setup.
  • Don't let crono overflow the 'log' column on the DB.
  • Show the actual LDAP error on invalid login.
  • Fixed the location of crono logs.
  • Always use relative paths.
  • Set RUBYLIB when using portusctl.
  • Don't count hidden teams on the admin panel.
  • Warn developers on unsupported docker-compose versions.
  • Directly invalidate LDAP logins without name and password.
  • Don't show the 'I forgot my password' link on LDAP.

The following Rubygems bundled within Portus have been updated to fix security issues:

  • CVE-2016-2098: rubygem-actionpack (bsc#969943).
  • CVE-2015-7578: rails-html-sanitizer (bsc#963326).
  • CVE-2015-7579: rails-html-sanitizer (bsc#963327).
  • CVE-2015-7580: rails-html-sanitizer (bsc#963328).
  • CVE-2015-7576: rubygem-actionpack, rubygem-activesupport (bsc#963563).
  • CVE-2015-7577: rubygem-activerecord (bsc#963604).
  • CVE-2016-0751: rugygem-actionpack (bsc#963627).
  • CVE-2016-0752: rubygem-actionpack, rubygem-actionview (bsc#963608).
  • CVE-2016-0753: rubygem-activemodel, rubygem-activesupport, rubygem-activerecord (bsc#963617).
  • CVE-2015-7581: rubygem-actionpack (bsc#963625).
References

Affected packages

SUSE:Linux Enterprise Module for Containers 12 / portus

Package

Name
portus
Purl
purl:rpm/suse/portus&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2012

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.3-2.4

Ecosystem specific

{
    "binaries": [
        {
            "portus": "2.0.3-2.4"
        }
    ]
}