Debian 9812 Published by

A docker-registry security update has been released for Debian GNU/Linux 10 LTS to address a denial of service issue.



[SECURITY] [DLA 3473-1] docker-registry security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3473-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
June 29, 2023 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : docker-registry
Version : 2.6.2~ds1-2+deb10u1
CVE ID : CVE-2023-2253
Debian Bug : 1035956

A flaw was found in the '/v2/_catalog' endpoint in
'distribution/distribution', which accepts a parameter to control
the maximum number of records returned (query string: 'n').
This vulnerability allows a malicious user to
submit an unreasonably large value for 'n',
causing the allocation of a massive string array,
possibly causing a denial of service through excessive use of memory.

For Debian 10 buster, this problem has been fixed in version
2.6.2~ds1-2+deb10u1.

We recommend that you upgrade your docker-registry packages.

For the detailed security status of docker-registry please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/docker-registry

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS