
=====================================================================

                                      CERT-Renater

                          Information Note No. 2021/VULN618
_____________________________________________________________________

DATE                : 24/11/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running the OCI Distribution Specification,
                         versions up to and including 1.0.0, and the
                         OCI Image Specification, versions up to and
                         including 1.0.1.

=====================================================================
https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m
https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh
_____________________________________________________________________

Clarify Content-Type handling

moderate
vbatts published GHSA-mc8v-mgrf-8f4m Nov 17, 2021

Package
No package listed

Affected versions
<= 1.0.0

Patched versions
None


Description

Impact

In the OCI Distribution Specification version 1.0.0 and prior, the
Content-Type header alone was used to determine the type of document
during push and pull operations. Documents that contain both “manifests”
and “layers” fields could be interpreted as either a manifest or an
index in the absence of an accompanying Content-Type header. If a
Content-Type header changed between two pulls of the same digest, a
client may interpret the resulting content differently.


Patches

The OCI Distribution Specification will be updated to require that a
mediaType value present in a manifest or index match the Content-Type
header used during the push and pull operations.


Workarounds

Clients pulling from a registry may distrust the Content-Type header and
reject an ambiguous document that contains both “manifests” and “layers”
fields or “manifests” and “config” fields.


References

GHSA-77vh-xpmg-72qh


For more information

If you have any questions or comments about this advisory:

    Open an issue in https://github.com/opencontainers/distribution-spec/
    Email us at security@opencontainers.org


CVE ID
CVE-2021-41190


Credits

     @jonjohnsonjr

_____________________________________________________________________


Clarify `mediaType` handling

moderate
vbatts published GHSA-77vh-xpmg-72qh Nov 17, 2021

Package
No package listed

Affected versions
<= 1.0.1

Patched versions
None


Description

Impact

In the OCI Image Specification version 1.0.1 and prior, manifest and
index documents are not self-describing and documents with a single
digest could be interpreted as either a manifest or an index.


Patches

The Image Specification will be updated to recommend that both manifest
and index documents contain a mediaType field to identify the type of
document.


Workarounds

Software attempting to deserialize an ambiguous document may reject the
document if it contains both “manifests” and “layers” fields or
“manifests” and “config” fields.
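As an added example (not part of either advisory, and not the OCI project's own code), the workaround described in both "Workarounds" sections above, written in Go: a pull-side check that types a document by the fields it contains, rejects one carrying both "manifests" and "layers" or "manifests" and "config", and requires any embedded mediaType and the registry's Content-Type header to agree with that structure. The function name ClassifyDocument and the media-type constants are names chosen here; the sample JSON in main is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

const MediaTypeImageManifest = "application/vnd.oci.image.manifest.v1+json"
const MediaTypeImageIndex = "application/vnd.oci.image.index.v1+json"

// ClassifyDocument types a pulled document by its structure rather than by the
// Content-Type header alone, rejecting documents with both index and manifest
// fields and any mediaType or Content-Type that disagrees with the structure.
func ClassifyDocument(contentType string, body []byte) (string, error) {
	var doc struct {
		MediaType string          `json:"mediaType"`
		Manifests json.RawMessage `json:"manifests"`
		Layers    json.RawMessage `json:"layers"`
		Config    json.RawMessage `json:"config"`
	}
	if err := json.Unmarshal(body, &doc); err != nil {
		return "", fmt.Errorf("invalid JSON: %w", err)
	}
	// Field presence decides the type; a document claiming both is ambiguous.
	isIndex, isManifest := doc.Manifests != nil, doc.Layers != nil || doc.Config != nil
	if isIndex && isManifest {
		return "", fmt.Errorf("ambiguous document: index and manifest fields both present")
	}
	kind := MediaTypeImageManifest
	if isIndex {
		kind = MediaTypeImageIndex
	} else if !isManifest {
		return "", fmt.Errorf("document is neither a manifest nor an index")
	}
	// The embedded mediaType (if any) and the registry's Content-Type must both agree
	// with the structure. Content-Type is compared verbatim; parameters are not parsed.
	if doc.MediaType != "" && doc.MediaType != kind {
		return "", fmt.Errorf("mediaType %q contradicts document structure %q", doc.MediaType, kind)
	}
	if contentType != "" && contentType != kind {
		return "", fmt.Errorf("Content-Type %q contradicts document type %q", contentType, kind)
	}
	return kind, nil
}

func main() {
	// Constructed sample: a document carrying both "manifests" and "layers".
	_, err := ClassifyDocument(MediaTypeImageIndex, []byte(`{"manifests":[],"layers":[]}`))
	fmt.Println(err)
}
```

A client applying this check treats a digest whose Content-Type changes between pulls as an error instead of silently reinterpreting the same bytes.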


References

GHSA-mc8v-mgrf-8f4m


For more information

If you have any questions or comments about this advisory:

    Open an issue in https://github.com/opencontainers/image-spec
    Email us at security@opencontainers.org

CVE ID
CVE-2021-41190

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


