
[SECURITY] [DLA 3473-1] docker-registry security update



- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3473-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien Roucariès
June 29, 2023                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : docker-registry
Version        : 2.6.2~ds1-2+deb10u1
CVE ID         : CVE-2023-2253
Debian Bug     : 1035956

A flaw was found in the '/v2/_catalog' endpoint in
'distribution/distribution', which accepts a parameter to control
the maximum number of records returned (query string: 'n').
This vulnerability allows a malicious user to submit an unreasonably
large value for 'n', causing the allocation of a massive string array
and possibly a denial of service through excessive use of memory.

For Debian 10 buster, this problem has been fixed in version
2.6.2~ds1-2+deb10u1.

We recommend that you upgrade your docker-registry packages.

For the detailed security status of docker-registry please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/docker-registry

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
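
Bounded handling of the 'n' parameter that avoids the allocation described above, as an added example in Go (not code from this advisory or from distribution/distribution). The names maxCatalogEntries, parseCatalogLimit and listCatalog are hypothetical, and the ceiling of 1000 and the default for a missing 'n' are assumed values.

```go
package main

import (
	"fmt"
	"strconv"
)

// maxCatalogEntries is an assumed server-side ceiling (not from the advisory).
const maxCatalogEntries = 1000

// parseCatalogLimit validates the raw 'n' query value, e.g. the result of
// r.URL.Query().Get("n"), and returns a count that is safe to allocate.
func parseCatalogLimit(raw string) (int, error) {
	if raw == "" {
		return maxCatalogEntries, nil // no 'n' given: use the ceiling as default
	}
	n, err := strconv.Atoi(raw) // also fails on values that overflow int
	if err != nil || n < 0 {
		return 0, fmt.Errorf("invalid 'n' parameter %q", raw)
	}
	if n > maxCatalogEntries {
		n = maxCatalogEntries // clamp instead of trusting the client
	}
	return n, nil
}

// listCatalog returns one page of repository names. The flawed pattern the
// advisory describes is sizing this buffer from the client's 'n' directly;
// here the capacity can never exceed maxCatalogEntries.
func listCatalog(rawN string, repos []string) ([]string, error) {
	limit, err := parseCatalogLimit(rawN)
	if err != nil {
		return nil, err
	}
	if limit > len(repos) {
		limit = len(repos) // never reserve more than there is to return
	}
	page := make([]string, 0, limit)
	page = append(page, repos[:limit]...)
	return page, nil
}

func main() {
	repos := []string{"alpine", "busybox", "debian"} // constructed sample data
	for _, raw := range []string{"2", "2000000000", "-1", "99999999999999999999"} {
		page, err := listCatalog(raw, repos)
		fmt.Printf("n=%q -> %d entries, cap %d, err=%v\n", raw, len(page), cap(page), err)
	}
}
```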