Debian has issued an advisory on May 27:
https://www.debian.org/security/2023/dsa-5414
The issue is fixed upstream in 2.8.2.
Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 2.8.2
Whiteboard: (none) => MGA8TOO
Bruno has done the last two docker-registry version updates, so assigning this to you.
Status: NEW => ASSIGNED
docker-registry-2.8.2-1.mga8.x86_64.rpm pushed to updates_testing of mga8 and docker-registry-2.8.2-1.mga9.x86_64.rpm pushed to updates_testing of cauldron
Assignee: bruno => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 2.8.2 => (none)
CC: (none) => bruno
mga8, x64
CVE-2023-2253 points to a PoC at https://www.openwall.com/lists/oss-security/2023/05/09/1 which involves setting up a registry of docker images (AFAICS) and modifying a configuration file to show the vulnerability while accessing the registry. This requires a seasoned docker user and is so specific that simply running any old docker image will miss the mark. Knock-on effects from the patch seem unlikely when there is no registry set up, so a clean update is about all we can do.
Installed docker-registry and then updated it from testing. No problems.
CC: (none) => tarazed25
No responses to comment 3 so this can go out.
Whiteboard: (none) => MGA8-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0207.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED