Bug 32017

Summary: docker-registry new security issue CVE-2023-2253
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, bruno, davidwhodgins, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: docker-registry-2.8.1-4.mga9.src.rpm CVE:
Status comment:

Description David Walser 2023-06-15 23:34:28 CEST 
Debian has issued an advisory on May 27:
https://www.debian.org/security/2023/dsa-5414

The issue is fixed upstream in 2.8.2.

Mageia 8 is also affected.
David Walser 2023-06-15 23:34:38 CEST

Status comment: (none) => Fixed upstream in 2.8.2
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-06-16 20:27:16 CEST 
Bruno has done the last two docker-registry version updates, so assigning this to you.
Bruno Cornec 2023-06-17 02:32:37 CEST

Status: NEW => ASSIGNED

Comment 2 Bruno Cornec 2023-06-17 18:20:13 CEST 
docker-registry-2.8.2-1.mga8.x86_64.rpm pushed to updates_testing of mga8 and docker-registry-2.8.2-1.mga9.x86_64.rpm pushed to updates_testing of cauldron

Assignee: bruno => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 2.8.2 => (none)

David Walser 2023-06-17 18:54:48 CEST

CC: (none) => bruno

Comment 3 Len Lawrence 2023-06-17 19:14:09 CEST 
mga8, x64

CVE-2023-2253 points to a PoC at https://www.openwall.com/lists/oss-security/2023/05/09/1 which involves setting up a registry of docker images (AFAICS) and modifying a configuration file to show the vulnerability while accessing the registry.  This requires a seasoned docker user and is so specific that simply running any old docker image will miss the mark.  Knock-on effects from the patch seem unlikely when there is no registry set up so a clean update is about all we can do.

Installed docker-registry and then updated it from testing.  No problems.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2023-06-19 16:38:40 CEST 
No responses to comment 3 so this can go out.

Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2023-06-20 16:32:32 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-06-27 22:22:55 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2023-06-28 07:23:07 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0207.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED