Security update for distribution SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:2298-1 Final 1 1 2023-05-25T10:41:36Z current 2023-05-25T10:41:36Z 2023-05-25T10:41:36Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for distribution This update for distribution fixes the following issues: Update to verison 2.8.2: - Revert registry/client: set `Accept: identity` header when getting layers - Parse `http` forbidden as denied - Fix CVE-2023-2253 runaway allocation on /v2/_catalog (bsc#1207705) - Fix panic in inmemory driver - update to go1.19.9 - Add code to handle pagination of parts. Fixes max layer size of 10GB bug - Dockerfile: fix filenames of artifacts The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container suse/registry:2.8-2023-2298,Container suse/registry:latest-2023-2298,SUSE-2023-2298,SUSE-SLE-Module-Containers-15-SP4-2023-2298,openSUSE-SLE-15.4-2023-2298 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20232298-1/ Link for SUSE-SU-2023:2298-1 https://lists.suse.com/pipermail/sle-updates/2023-May/029553.html E-Mail link for SUSE-SU-2023:2298-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1207705 SUSE Bug 1207705 https://bugzilla.suse.com/1210428 SUSE Bug 1210428 https://www.suse.com/security/cve/CVE-2023-2253/ SUSE CVE CVE-2023-2253 page Container suse/registry:2.8 Container suse/registry:latest SUSE Linux Enterprise Module for Containers 15 SP4 openSUSE Leap 15.4 distribution-registry-2.8.2-150400.9.21.1 distribution-registry-2.8.2-150400.9.21.1 as a component of Container suse/registry:2.8 distribution-registry-2.8.2-150400.9.21.1 as a component of Container suse/registry:latest distribution-registry-2.8.2-150400.9.21.1 as a component of SUSE Linux Enterprise Module for Containers 15 SP4 distribution-registry-2.8.2-150400.9.21.1 as a component of openSUSE Leap 15.4 A flaw was found in the `/v2/_catalog` endpoint in distribution/distribution, which accepts a parameter to control the maximum number of records returned (query string: `n`). This vulnerability allows a malicious user to submit an unreasonably large value for `n,` causing the allocation of a massive string array, possibly causing a denial of service through excessive use of memory. CVE-2023-2253 Container suse/registry:2.8:distribution-registry-2.8.2-150400.9.21.1 Container suse/registry:latest:distribution-registry-2.8.2-150400.9.21.1 SUSE Linux Enterprise Module for Containers 15 SP4:distribution-registry-2.8.2-150400.9.21.1 openSUSE Leap 15.4:distribution-registry-2.8.2-150400.9.21.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232298-1/ https://www.suse.com/security/cve/CVE-2023-2253.html CVE-2023-2253 https://bugzilla.suse.com/1207705 SUSE Bug 1207705