Debian 9812 Published by

A docker-registry security update has been released for Debian GNU/Linux 10 LTS to address a denial of service issue.

[SECURITY] [DLA 3473-1] docker-registry security update

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3473-1 Bastien Roucariès
June 29, 2023
- -------------------------------------------------------------------------

Package : docker-registry
Version : 2.6.2~ds1-2+deb10u1
CVE ID : CVE-2023-2253
Debian Bug : 1035956

A flaw was found in the '/v2/_catalog' endpoint in
'distribution/distribution', which accepts a parameter to control
the maximum number of records returned (query string: 'n').
This vulnerability allows a malicious user to
submit an unreasonably large value for 'n',
causing the allocation of a massive string array,
possibly causing a denial of service through excessive use of memory.

For Debian 10 buster, this problem has been fixed in version

We recommend that you upgrade your docker-registry packages.

For the detailed security status of docker-registry please refer to
its security tracker page at:

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: