Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 872410 (CVE-2020-26160)

Summary: <app-containers/docker-registry-2.8.1: multiple vulnerabilities
Product: Gentoo Security Reporter: Tomáš Mózes <hydrapolic>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: ajak, zmedico
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 872437    

Description Tomáš Mózes 2022-09-22 18:25:58 UTC
Fixed in 2.8.0 (
    Added flag for user configurable cipher suites #3384
    Address CVE-2020-26160 by replacing vulnerable third-party depedency#3466
    Replace math rand with crypto rand #3531
    Address CVE-2021-41190 by validating document type before unmarshal GHSA-77vh-xpmg-72qh
Comment 1 Larry the Git Cow gentoo-dev 2022-09-22 20:49:45 UTC
The bug has been referenced in the following commit(s):

commit c2320916136f52a9f3089f60b21ac3fd87a32ab7
Author:     Zac Medico <>
AuthorDate: 2022-09-22 20:49:17 +0000
Commit:     Zac Medico <>
CommitDate: 2022-09-22 20:49:23 +0000

    app-containers/docker-registry: add 2.8.1
    Signed-off-by: Zac Medico <>

 app-containers/docker-registry/Manifest            |  1 +
 .../docker-registry/docker-registry-2.8.1.ebuild   | 55 ++++++++++++++++++++++
 2 files changed, 56 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-23 02:57:27 UTC
Thanks for reporting and bumping!


jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.