| Summary: | <app-containers/docker-registry-2.8.1: multiple vulnerabilities | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Tomáš Mózes <hydrapolic> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | IN_PROGRESS --- | ||
| Severity: | minor | CC: | ajak, zmedico |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | B3 [glsa?] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | |||
| Bug Blocks: | 872437 | ||
|
Description
Tomáš Mózes
2022-09-22 18:25:58 UTC
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2320916136f52a9f3089f60b21ac3fd87a32ab7 commit c2320916136f52a9f3089f60b21ac3fd87a32ab7 Author: Zac Medico <zmedico@gentoo.org> AuthorDate: 2022-09-22 20:49:17 +0000 Commit: Zac Medico <zmedico@gentoo.org> CommitDate: 2022-09-22 20:49:23 +0000 app-containers/docker-registry: add 2.8.1 Bug: https://bugs.gentoo.org/872410 Signed-off-by: Zac Medico <zmedico@gentoo.org> app-containers/docker-registry/Manifest | 1 + .../docker-registry/docker-registry-2.8.1.ebuild | 55 ++++++++++++++++++++++ 2 files changed, 56 insertions(+) Thanks for reporting and bumping!
CVE-2020-26160:
jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.
|
