containers / skopeo

Work with remote image registries - retrieving information, images, signing content
Apache License 2.0

[release-1.14] Bump c/image v5.29.3, c/common v0.57.5, CVE-2024-3727 #2331

Closed TomSweeneyRedHat closed 1 month ago

TomSweeneyRedHat commented 1 month ago

Bump c/image to v5.29.3 and c/common to v0.57.3, and then Skopeo to v1.14.4

Addresses: CVE-2024-3727

https://issues.redhat.com/browse/RHEL-35914

and RHEL 8.10/9.4 cards once they are spun up.

TomSweeneyRedHat commented 1 month ago

I just realized I never made a v1.14.3 release, will do so now.

packit-as-a-service[bot] commented 1 month ago

Ephemeral COPR build failed. @containers/packit-build please check.

mtrmac commented 1 month ago

@TomSweeneyRedHat This is now a strict subset of #2337, so I think this PR can be closed in favor of the other one — but the two refer to different Jira bugs, I’m not sure if anything needs updating Jira-side.

TomSweeneyRedHat commented 1 month ago

I messed this one up entirely. The Jira card this was meant to tend to is https://issues.redhat.com/browse/RHEL-35443. That was fixed by a renovate PR in upstream with https://github.com/containers/skopeo/pull/2334. We still need a change in the release-1.14 branch; we will continue on with that with #2337, which is in a happier state.