2.9.17
(2024-MAR-27)
Addressed issues
- [ENGDTR-4158] Fixed an issue wherein the initialEvaluation flag of a created or updated tag pruning policy was set to true, which caused its evaluation to run in the API server. Instead, the evaluation of the policy is now executed in the JobRunner as a single tag_prune job.
- [ENGDTR-4159] Fixed an issue wherein the tag pruning policy feature, responsible for the automated testing of tags and providing the count of affected tags, was preventing the creation of policies. To ensure the reliable creation of tag pruning policies, this feature has been removed. Consequently, users will not see the number of affected tags when creating new policies. For testing purposes before evaluation, Mirantis recommends that you use the /pruningPolicies/test API endpoint.
Security information
Updated the following middleware component versions to resolve vulnerabilities in MSR:
[ENGDTR-4167] Golang 1.21.8
[ENGDTR-4166] Synopsys Scanner 2023.12
Resolved CVEs, as detailed:
| CVE | Status | Problem details from upstream |
|---|---|---|
| | Resolved | Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates. |
| | Resolved | When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With the fix, the ParseMultipartForm function now correctly limits the maximum size of form lines. |
| CVE-2023-45288 | Resolved | CVE has been reserved by an organization or individual and is not currently available in the NVD. |
| | Resolved | When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded. |
| | Not Vulnerable | An out-of-bounds read flaw was found in the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack through version 3.10.0, as also used in OpenBLAS before version 0.3.18. Specially crafted inputs passed to these functions could cause an application using lapack to crash or possibly disclose portions of its memory. |
| | Not Vulnerable | Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter). |
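As an added illustration of the redirect rule described in the http.Client row (example code written for these notes, not MSR code and not the Go standard library's own implementation): a stand-alone Go decision function that lets Authorization and Cookie follow a redirect only to the same host or a dot-delimited subdomain of it, and additionally refuses hosts carrying an IPv6 zone identifier, which is an assumed hardening since such a host can also end in ".foo.com".

```go
package main

import (
	"net/url"
	"strings"
)

// Headers that must not leak when a redirect changes origin (the page
// names Authorization and Cookie).
var sensitiveHeaders = map[string]bool{"authorization": true, "cookie": true}

// hostOf: lower-cased hostname without port ("Foo.com:8443" -> "foo.com").
func hostOf(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	return strings.ToLower(u.Hostname()), nil
}

// isDomainOrSubdomain reports whether sub equals parent or sits under it.
// The "."+parent suffix test keeps "evilfoo.com" from matching "foo.com".
// Hosts with an IPv6 zone ("%") never qualify: assumed hardening, because
// "[::1%25.foo.com]" would otherwise also end in ".foo.com".
func isDomainOrSubdomain(sub, parent string) bool {
	if sub == parent {
		return true
	}
	if strings.Contains(sub, "%") || strings.Contains(parent, "%") {
		return false
	}
	return strings.HasSuffix(sub, "."+parent)
}

// ShouldForwardOnRedirect: ordinary headers always travel; sensitive ones
// only when the redirect stays on the initial host or one of its subdomains.
func ShouldForwardOnRedirect(header, initialURL, redirectURL string) (bool, error) {
	if !sensitiveHeaders[strings.ToLower(header)] {
		return true, nil
	}
	ih, err := hostOf(initialURL)
	if err != nil {
		return false, err
	}
	rh, err := hostOf(redirectURL)
	if err != nil {
		return false, err
	}
	return isDomainOrSubdomain(rh, ih), nil
}

func main() {}
```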