2.9.25
Release date: 2025-APR-22
Enhancements
The list of the enhancements in MSR 2.9.25 includes:
[FIELD-7548] Improved error handling and API behavior for artifact references
MSR improved error handling by adding:
ARTIFACT_SCANNER_REPORT_UNAVAILABLE error, to indicate that a report export failed due to missing layer details for the specified artifact. This replaces the previously used generic NO_SUCH_TAG error.
NO_DIGEST_PERMITTED error, to indicate that digest-based references are not supported for report exports.
Addressed issues
The list of the addressed issues in MSR 2.9.25 includes:
[ENGDTR-4359] Fixed an issue wherein the PostgreSQL NOTICE logs were incorrectly labelled as errors during vulnerability database synchronisation.
[FIELD-7515] Fixed an issue wherein the Show/Hide button for layer vulnerabilities displayed as enabled for non-admin users in scanning results. The button is now disabled and features a tooltip that explains the restriction.
Major component versions
The following table provides the versioning information for the major middleware components that comprise the MSR 2.9 patch release.
Security information
Updated the following middleware component versions to resolve vulnerabilities in MSR:
[ENGDTR-4405] Golang 1.23.8
Resolved CVEs, as detailed:
| CVE | Status | Problem details from upstream |
|---|---|---|
| | Resolved | musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write vulnerability when an attacker can trigger iconv conversion of untrusted EUC-KR text to UTF-8. |
| | Resolved | Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion. |
| | Resolved | Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. |