2.9.1

(2021-05-17)

Enhancements

• Added 5-star rating form to web UI (ENGDTR-2541, ENGDTR-2540).

  Learn more

  MSR Operations Guide: Customer feedback

• MSR now applies a 56-character limit on “namespace/repository” length at creation, and thus eliminates a situation wherein attempts to push tags to repos with too-long names return a 500 Internal Server Error (ENGDTR-2525).

• MSR now alerts administrators if the storage backend contents do not match the metadata, or if a new install of MSR uses a storage backend that contains data from a different MSR installation (ENGDTR-2501).

• Updated golang to 1.16.3 and kube-linter to 0.2.1 (ENGDTR-2561).

• Added activity log type DELETE for TagLimit pruning (ENGDTR-2497).

• The MSR UI now includes a horizontal scrollbar (in addition to the existing vertical scrollbar), thus allowing users to better adjust the window dimensions.

• The enableManifestLists setting is no longer needed and has been removed due to breaking Docker Content Trust (FIELD-2642, FIELD-2644).

• Updated the MSR web UI Last updated at trigger for the promotion and mirror policies to include the option to specify before a particular time (after already exists) (FIELD-2180).

• The mirantis/dtr --help documentation no longer recommends using the --rm option when invoking commands. Leaving it out preserves containers after they have finished running, thus allowing users to retrieve logs at a later time (FIELD-2204).

Addressed issues

• Fixed broken links to MSR documentation in the MSR web UI (FIELD-3822).

• Fixed “nasa bootstrap” integration test (and emergency repair procedure) (ENGDTR-2433).

• Fixed an issue wherein pushing images with previously-pushed layer data that has been deleted from storage caused unknown blob errors. Pushing such images now replaces missing layer data. Sweeping image layers with image layer data missing from storage no longer causes garbage collection to error out (FIELD-1836).

Security information

• MSR is not vulnerable to the following CVEs as a result of the update of mirantiseng/rethinkdb to Alpine 3.13.5:

  • CVE-2021-30139

  • CVE-2021-28831

  • CVE-2021-3450

  • CVE-2021-3449

  • CVE-2021-22876

  • CVE-2021-22890

  (ENGDTR-2580)

• Though the version of busybox within the container is not vulnerable, dtr-rethink vulnerability scans may present false positives for CVE-2018-1000500 and CVE-2021-28831 in the busybox component (ENGDTR-2571).

• Though the jvm-hotspot-openjdk component is not present in the dtr-jobrunner container, dtr-jobrunner vulnerability scans may detect CVE-2021-2161 and CVE-2021-2163 in the component (ENGDTR-2571).

• Vulnerability scans no longer report CVE-2016-4074 as a result of the 2021.03 scanner update.

• A self scan of MSR 2.9.1 reveals five vulnerabilities, however these CVEs are not a threat to MSR:

  • CVE-2018-1000500

  • CVE-2021-28831

  • CVE-2021-28363

  • CVE-2021-2161

  • CVE-2021-2163

  (ENGDTR-2543)

• urllib3 version 1.26.4 and later fixes CVE-2021-28363, however the dtr-jobrunner container uses Alpine which has yet to release urllib3 1.26.4 in a stable repository.

  The dtr-jobrunner container does not make any outgoing HTTP requests to containers external to MSR and therefore is not susceptible to CVE-2021-28363 (ENGDTR-2581).

• A self-scan can report a false positive for CVE-2021-29482 (ENGDTR-2608).