Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 872410 (CVE-2020-26160) - <app-containers/docker-registry-2.8.1: multiple vulnerabilities
Summary: <app-containers/docker-registry-2.8.1: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2020-26160
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Zac Medico
URL:
Whiteboard: B3 [stable]
Keywords:
Depends on:
Blocks: 872437
  Show dependency tree
 
Reported: 2022-09-22 18:25 UTC by Tomáš Mózes
Modified: 2022-09-23 02:57 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tomáš Mózes 2022-09-22 18:25:58 UTC
Fixed in 2.8.0 (https://github.com/distribution/distribution/releases/tag/v2.8.0):
Security
    Added flag for user configurable cipher suites #3384
    Address CVE-2020-26160 by replacing vulnerable third-party depedency#3466
    Replace math rand with crypto rand #3531
    Address CVE-2021-41190 by validating document type before unmarshal GHSA-77vh-xpmg-72qh
Comment 1 Larry the Git Cow gentoo-dev 2022-09-22 20:49:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2320916136f52a9f3089f60b21ac3fd87a32ab7

commit c2320916136f52a9f3089f60b21ac3fd87a32ab7
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-09-22 20:49:17 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-09-22 20:49:23 +0000

    app-containers/docker-registry: add 2.8.1
    
    Bug: https://bugs.gentoo.org/872410
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/docker-registry/Manifest            |  1 +
 .../docker-registry/docker-registry-2.8.1.ebuild   | 55 ++++++++++++++++++++++
 2 files changed, 56 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-23 02:57:27 UTC
Thanks for reporting and bumping!

CVE-2020-26160:

jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.