Описание
Security update for distribution
This update for distribution fixes the following issues
Security issues:
- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo- header (bsc#1260283).
- CVE-2026-33540: information disclosure via improper validation of authentication realm URL (bsc#1261793).
- CVE-2026-34986: github.com/go-jose/go-jose/v4: crafted JWE input with a missing encrypted key can lead to a denial of service (bsc#1262951).
- CVE-2026-35172: information disclosure via stale references after content deletion (bsc#1262096).
Non security issues:
- add distribution-registry.tmpfiles (jsc#PED-14747).
- distribution builds against go1.24 EOL (bsc#1259718).
Changes for distribution:
- update to 3.1.0
- Adds support for tag pagination
- Fixes default credentials in Azure storage provider
- Drops support for go1.23 and go1.24 and updates to go1.25
- See the full changelog below for the full list of changes.
- docs: Update to refer to new image tag v3
- Fix default_credentials in azure storage provider
- chore: make function comment match function name
- build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules group across 1 directory
- fix: implement JWK thumbprint for Ed25519 public keys
- fix: Annotate code block from validation.indexes configuration docs
- feat: extract redis config to separate struct
- Fix: resolve issue #4478 by using a temporary file for non- append writes
- build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2
- docs: Add note about
OTEL_TRACES_EXPORTER - fix: set OTEL traces to disabled by default
- Fix markdown syntax for OTEL traces link in docs
- Switch UUIDs to UUIDv7
- refactor: replace map iteration with maps.Copy/Clone
- s3-aws: fix build for 386
- docs: Add OpenTelemetry links to quickstart docs
- Fix S3 driver loglevel param
- Fixed data race in TestSchedule test
- Fixes #4683 - uses X/Y instead of Gx/Gy for thumbprint of ecdsa keys
- build(deps): bump actions/checkout from 4 to 5
- Fix broken link to Docker Hub fair use policy
- fix(registry/handlers/app): redis CAs
- build(deps): bump actions/labeler from 5 to 6
- build(deps): bump actions/setup-go from 5 to 6
- build(deps): bump actions/upload-pages-artifact from 3 to 4
- build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3
- build(deps): bump github/codeql-action from 3.26.5 to 4.30.7
- build(deps): bump github/codeql-action from 4.30.7 to 4.30.8
- chore: labeler: add area/client mapping for internal/client/**
- client: add Accept headers to Exists() HEAD
- feat(registry): Make graceful shutdown test robust
- fix(registry): Correct log formatting for upstream challenge
- build(deps): bump github/codeql-action from 4.30.8 to 4.30.9
- build(deps): bump github/codeql-action from 4.30.9 to 4.31.3
- refactor: remove redundant variable declarations in for loops
- "should" -> "must" regarding redis eviction policy
- build(deps): bump actions/checkout from 5 to 6
- Incorrect warning hint
- Add return error when list object
- build(deps): bump actions/checkout from 5.0.1 to 6.0.0
- build(deps): bump peter-evans/dockerhub-description from 4 to 5
- fix: Logging regression for manifest HEAD requests
- Add boolean parsing util
- Expose
useFIPSEndpointfor S3 - Add Cloudfleet Container Registry to adopters
- fix(ci): Fix broken Azure e2e storage tests
- BUG: Fix notification filtering to work with actions when mediatypes is empty
- build(deps): bump actions/checkout from 6.0.0 to 6.0.1
- build(deps): bump actions/upload-artifact from 4.6.2 to 6.0.0
- build(deps): bump github/codeql-action from 4.31.3 to 4.31.10
- build(deps): bump github/codeql-action from 4.31.10 to 4.32.2
- build(deps): bump actions/checkout from 6.0.1 to 6.0.2
- update golangci-lint to v2.9 and fix linting issues
- update to go1.25.7, alpine 3.23, xx v1.9.0
- vendor: github.com/sirupsen/logrus v1.9.4
- vendor: update golang.org/x/* dependencies
- vendor: github.com/docker/docker-credential-helpers v0.9.5
- vendor: github.com/opencontainers/image-spec v1.1.1
- vendor: github.com/klauspost/compress v1.18.4
- fix: prefer otel variables over hard coded service name
- vendor: github.com/spf13/cobra v1.10.2
- vendor: github.com/bshuster-repo/logrus-logstash-hook v1.1.0
- fix: sync parent dir to ensure data is reliably stored
- modernize code
- vendor: github.com/docker/go-events 605354379745
- vendor: github.com/go-jose/go-jose/v4 v4.1.3
- build(deps): bump github/codeql-action from 4.32.2 to 4.32.5
- build(deps): bump docker/login-action from 3 to 4
- build(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0
- build(deps): bump docker/setup-buildx-action from 3 to 4
- build(deps): bump docker/bake-action from 6 to 7
- build(deps): bump docker/metadata-action from 5 to 6
- fix: nil-check scheduler in
proxyingRegistry.Close() - fix: set MD5 on GCS writer before first
Writecall inputContent - docs: pull through cache will pull from remote multiple times
- Update s3.md regionendpoint option
- chore(deps): Bump Go to latest 1.25 in CI workflows and go.mod
- fix: correct Ed25519 JWK thumbprint
ktyfrom"OTP"to"OKP" - Update vacuum.go
- Opt: refector tag list pagination support (stage 1)
- Correctly match environment variables to YAML-inlined structs in configuration
- Enable Redis TLS without client certificates
- build(deps): bump actions/deploy-pages from 4 to 5
- build(deps): bump github/codeql-action from 4.32.5 to 4.34.1
- fix(registry/proxy): use detached context when flushing write buffer
- ci: pin actions and apply zizmor auto-fixes
- build(deps): bump actions/setup-go from 6.3.0 to 6.4.0
- build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 in the go_modules group across 1 directory
- chore(app): warn when partial TLS config is used in Redis
- feat(registry): enhance authentication checks in htpasswd implementation
- Opt: refactor tag list pagination support
- build(deps): bump codecov/codecov-action from 5.5.4 to 6.0.0
- build(deps): bump actions/configure-pages from 5.0.0 to 6.0.0
- fix(vendor): fix broke vendor validation
- chore(ci): Prep for v3.1 release
- Update to version 3.1.0:
- fix(vendor): fix broke vendpor validation
- fix redis repo-scoped blob descriptor revocation
- proxy: bind bearer realms to upstream trust boundary
- restore directory ownership after last change
- Move config files in systemd tmpfiles dir for immutable mode
Список пакетов
openSUSE Leap 16.0
Ссылки
- SUSE Security Ratings
- SUSE Bug 1259718
- SUSE Bug 1260283
- SUSE Bug 1261793
- SUSE Bug 1262096
- SUSE Bug 1262951
- SUSE CVE CVE-2026-33186 page
- SUSE CVE CVE-2026-33540 page
- SUSE CVE CVE-2026-34986 page
- SUSE CVE CVE-2026-35172 page
Описание
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.
Затронутые продукты
Ссылки
- CVE-2026-33186
- SUSE Bug 1260085
Описание
Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. This vulnerability is fixed in 3.1.0.
Затронутые продукты
Ссылки
- CVE-2026-33540
- SUSE Bug 1261793
Описание
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.
Затронутые продукты
Ссылки
- CVE-2026-34986
- SUSE Bug 1262805
Описание
Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, distribution can restore read access in repo a after an explicit delete when storage.cache.blobdescriptor: redis and storage.delete.enabled: true are both enabled. The delete path clears the shared digest descriptor but leaves stale repo-scoped membership behind, so a later Stat or Get from repo b repopulates the shared descriptor and makes the deleted blob readable from repo a again. This vulnerability is fixed in 3.1.0.
Затронутые продукты
Ссылки
- CVE-2026-35172
- SUSE Bug 1262096