Debian alert DLA-3473-1 (docker-registry)
From: Bastien Roucaries <rouca@debian.org>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3473-1] docker-registry security update
Date: Thu, 29 Jun 2023 13:43:52 +0000
Message-ID: <8e9585c465fa83abb5528786aa4e095a.rouca@debian.org>
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3473-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Bastien Roucariès
June 29, 2023                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : docker-registry
Version        : 2.6.2~ds1-2+deb10u1
CVE ID         : CVE-2023-2253
Debian Bug     : 1035956

A flaw was found in the '/v2/_catalog' endpoint in 'distribution/distribution', which accepts a parameter to control the maximum number of records returned (query string: 'n'). This vulnerability allows a malicious user to submit an unreasonably large value for 'n', causing the allocation of a massive string array, possibly causing a denial of service through excessive use of memory.

For Debian 10 buster, this problem has been fixed in version 2.6.2~ds1-2+deb10u1.

We recommend that you upgrade your docker-registry packages.

For the detailed security status of docker-registry please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/docker-registry

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS
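The allocation pattern the advisory describes, beside a bounded alternative, as an added Go example that is not the docker-registry package's or upstream distribution's own code; the limit constants, function names and query handling are constructed for illustration and the hardened variant shows the general clamp, not the exact upstream patch.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
)

// Limits constructed for this example; they are not the values upstream chose.
const (
	defaultEntries = 100
	maxEntries     = 1000
)

// vulnerableLimit mirrors the flaw the advisory describes: the client-supplied
// 'n' is trusted as-is and directly sizes the catalog response's string slice.
func vulnerableLimit(query url.Values) int {
	n := defaultEntries
	if parsed, err := strconv.Atoi(query.Get("n")); err == nil {
		n = parsed
	}
	return n
}

// hardenedLimit clamps 'n' into [1, maxEntries] and uses the default for
// missing, unparseable, zero or negative values, so the buffer stays bounded.
func hardenedLimit(query url.Values) int {
	n, err := strconv.Atoi(query.Get("n"))
	if err != nil || n <= 0 {
		return defaultEntries
	}
	if n > maxEntries {
		return maxEntries
	}
	return n
}

// catalogCapacity returns the entry count a handler using limit would reserve
// for GET /v2/_catalog?<rawQuery>; it deliberately does not allocate anything.
func catalogCapacity(rawQuery string, limit func(url.Values) int) int {
	q, _ := url.ParseQuery(rawQuery)
	return limit(q)
}

func main() {
	for _, raw := range []string{"n=5", "n=1000000000", "n=-1", "n=abc", ""} {
		fmt.Printf("%-14q vulnerable=%-11d hardened=%d\n", raw,
			catalogCapacity(raw, vulnerableLimit), catalogCapacity(raw, hardenedLimit))
	}
}
```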