Security update for docker-distribution SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:1433-1 Final 1 1 2020-09-14T22:22:08Z current 2020-09-14T22:22:08Z 2020-09-14T22:22:08Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for docker-distribution This update for docker-distribution fixes the following issues: - Enable build on %arm (which include armv6), not only on armv7 - Enable ppc64le - Use correct URL to project - Remove fillup, we don't ship a sysconfig file - Correct systemd requires - Enable build on ARM - Upgraded to 2.7.1 - Support for OCI images added - Fix upgrade issues from 2.6.x - Update Go version to 1.11 - Switch to multi-stage Dockerfile - Validations enabled by default with new disabled config option - Optimize health check performance - Create separate permission for deleting objects in a repo - Fix storage driver error propagation for manifest GETs - Fix forwarded header resolution - Add prometheus metrics - Disable schema1 manifest by default - Graceful shutdown - TLS: remove ciphers that do not support perfect forward secrecy - Fix registry stripping newlines from manifests - Add bugsnag logrus hook - Support ARM builds This release is a special security release to address an issue allowing an attacker to force arbitrarily-sized memory allocations in a registry instance through the manifest endpoint. The problem has been mitigated by limiting the size of reads for image manifest content. Details for mitigation are in 29fa466 Fixes boo#1049850 (CVE-2017-11468) Fixes boo#1033172 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-1433 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MY76ZZYS6OXIXX3XVR5TNDLWGWIO22UJ/ E-Mail link for openSUSE-SU-2020:1433-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1033172 SUSE Bug 1033172 https://bugzilla.suse.com/1049850 SUSE Bug 1049850 https://www.suse.com/security/cve/CVE-2017-11468/ SUSE CVE CVE-2017-11468 page SUSE Package Hub 15 SP2 docker-distribution-registry-2.7.1-bp152.4.3.1 docker-distribution-registry-2.7.1-bp152.4.3.1 as a component of SUSE Package Hub 15 SP2 Docker Registry before 2.6.2 in Docker Distribution does not properly restrict the amount of content accepted from a user, which allows remote attackers to cause a denial of service (memory consumption) via the manifest endpoint. CVE-2017-11468 SUSE Package Hub 15 SP2:docker-distribution-registry-2.7.1-bp152.4.3.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MY76ZZYS6OXIXX3XVR5TNDLWGWIO22UJ/ https://www.suse.com/security/cve/CVE-2017-11468.html CVE-2017-11468 https://bugzilla.suse.com/1049850 SUSE Bug 1049850