|
|
Subscribe / Log in / New account

openSUSE alert openSUSE-SU-2020:1433-1 (docker-distribution)



From:
              opensuse-security@opensuse.org


To:
              opensuse-updates@opensuse.org


Subject:
              openSUSE-SU-2020:1433-1: moderate: Security update for docker-distribution


Date:
              Fri, 18 Sep 2020 18:38:44 +0200


Message-ID:
              <20200918163844.A12A4FCE2@maintenance.suse.de>


   openSUSE Security Update: Security update for docker-distribution
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2020:1433-1
Rating:             moderate
References:         #1033172 #1049850 
Cross-References:   CVE-2017-11468
Affected Products:
                    openSUSE Backports SLE-15-SP2
______________________________________________________________________________

   An update that solves one vulnerability and has one errata
   is now available.

Description:

   This update for docker-distribution fixes the following issues:

   - Enable build on %arm (which include armv6), not only on armv7

   - Enable ppc64le

   - Use correct URL to project
   - Remove fillup, we don't ship a sysconfig file
   - Correct systemd requires
   - Enable build on ARM

   - Upgraded to 2.7.1
     - Support for OCI images added
     - Fix upgrade issues from 2.6.x
     - Update Go version to 1.11
     - Switch to multi-stage Dockerfile
     - Validations enabled by default with new disabled config option
     - Optimize health check performance
     - Create separate permission for deleting objects in a repo
     - Fix storage driver error propagation for manifest GETs
     - Fix forwarded header resolution
     - Add prometheus metrics
     - Disable schema1 manifest by default
     - Graceful shutdown
     - TLS: remove ciphers that do not support perfect forward secrecy
     - Fix registry stripping newlines from manifests
     - Add bugsnag logrus hook
     - Support ARM builds

     This release is a special security release to address an issue allowing
   an attacker to force arbitrarily-sized memory allocations in a registry
   instance through the manifest endpoint. The problem has been mitigated by
   limiting the size of reads for image manifest content. Details for
   mitigation are in 29fa466 Fixes boo#1049850 (CVE-2017-11468) Fixes
   boo#1033172


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP2:

      zypper in -t patch openSUSE-2020-1433=1



Package List:

   - openSUSE Backports SLE-15-SP2 (aarch64 ppc64le s390x x86_64):

      docker-distribution-registry-2.7.1-bp152.4.3.1


References:

   https://www.suse.com/security/cve/CVE-2017-11468.html
   https://bugzilla.suse.com/1033172
   https://bugzilla.suse.com/1049850
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds