Описание
Security update for distribution
This update for distribution fixes the following issues:
Update to verison 2.8.2:
- Revert registry/client: set
Accept: identityheader when getting layers - Parse
httpforbidden as denied - Fix CVE-2023-2253 runaway allocation on /v2/_catalog (bsc#1207705)
- Fix panic in inmemory driver
- update to go1.19.9
- Add code to handle pagination of parts. Fixes max layer size of 10GB bug
- Dockerfile: fix filenames of artifacts
Список пакетов
Container suse/registry:latest
distribution-registry-2.8.2-150400.9.21.1
SUSE Linux Enterprise Module for Containers 15 SP4
distribution-registry-2.8.2-150400.9.21.1
openSUSE Leap 15.4
distribution-registry-2.8.2-150400.9.21.1
Ссылки
- Link for SUSE-SU-2023:2298-1
- E-Mail link for SUSE-SU-2023:2298-1
- SUSE Security Ratings
- SUSE Bug 1207705
- SUSE Bug 1210428
- SUSE CVE CVE-2023-2253 page
Описание
A flaw was found in the `/v2/_catalog` endpoint in distribution/distribution, which accepts a parameter to control the maximum number of records returned (query string: `n`). This vulnerability allows a malicious user to submit an unreasonably large value for `n,` causing the allocation of a massive string array, possibly causing a denial of service through excessive use of memory.
Затронутые продукты
Container suse/registry:latest:distribution-registry-2.8.2-150400.9.21.1
SUSE Linux Enterprise Module for Containers 15 SP4:distribution-registry-2.8.2-150400.9.21.1
openSUSE Leap 15.4:distribution-registry-2.8.2-150400.9.21.1
Ссылки
- CVE-2023-2253
- SUSE Bug 1207705