1 |
type: security |
2 |
subject: Updated docker-containerd packages fix security vulnerability |
3 |
CVE: |
4 |
- CVE-2021-41190 |
5 |
src: |
6 |
8: |
7 |
core: |
8 |
- docker-containerd-1.5.8-1.mga8 |
9 |
description: | |
10 |
The OCI Distribution Spec project defines an API protocol to facilitate |
11 |
and standardize the distribution of content. In the OCI Distribution |
12 |
Specification version 1.0.0 and prior, the Content-Type header alone was |
13 |
used to determine the type of document during push and pull operations. |
14 |
Documents that contain both "manifests" and "layers" fields could be |
15 |
interpreted as either a manifest or an index in the absence of an |
16 |
accompanying Content-Type header. If a Content-Type header changed between |
17 |
two pulls of the same digest, a client may interpret the resulting content |
18 |
differently. The OCI Distribution Specification has been updated to require |
19 |
that a mediaType value present in a manifest or index match the |
20 |
Content-Type header used during the push and pull operations. Clients |
21 |
pulling from a registry may distrust the Content-Type header and reject an |
22 |
ambiguous document that contains both "manifests" and "layers" fields or |
23 |
"manifests" and "config" fields if they are unable to update to version |
24 |
1.0.1 of the spec. |
25 |
references: |
26 |
- https://bugs.mageia.org/show_bug.cgi?id=29669 |
27 |
- https://github.com/moby/moby/security/advisories/GHSA-xmmx-7jpf-fx42 |
28 |
ID: MGASA-2021-0531 |