- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3473-1                [email protected]
https://www.debian.org/lts/security/                   Bastien Roucariès
June 29, 2023                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : docker-registry
Version        : 2.6.2~ds1-2+deb10u1
CVE ID         : CVE-2023-2253
Debian Bug     : 1035956

A flaw was found in the '/v2/_catalog' endpoint in 
'distribution/distribution', which accepts a parameter to control
the maximum number of records returned (query string: 'n').
This vulnerability allows a malicious user to
submit an unreasonably large value for 'n',
causing the allocation of a massive string array,
possibly causing a denial of service through excessive use of memory.

For Debian 10 buster, this problem has been fixed in version
2.6.2~ds1-2+deb10u1.

We recommend that you upgrade your docker-registry packages.

For the detailed security status of docker-registry please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/docker-registry

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS