Security update for distribution
| Announcement ID: | SUSE-SU-2026:21560-1 |
|---|---|
| Release Date: | 2026-05-06T00:34:11Z |
| Rating: | important |
| References: | |
| Cross-References: | |
| CVSS scores: |
|
| Affected Products: |
|
An update that solves four vulnerabilities, contains one feature and has one fix can now be installed.
Description:
This update for distribution fixes the following issues
Security issues:
- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo- header (bsc#1260283).
- CVE-2026-33540: information disclosure via improper validation of authentication realm URL (bsc#1261793).
- CVE-2026-34986: github.com/go-jose/go-jose/v4: crafted JWE input with a missing encrypted key can lead to a denial of service (bsc#1262951).
- CVE-2026-35172: information disclosure via stale references after content deletion (bsc#1262096).
Non security issues:
- add distribution-registry.tmpfiles (jsc#PED-14747).
- distribution builds against go1.24 EOL (bsc#1259718).
Changes for distribution:
-
update to 3.1.0
-
Adds support for tag pagination
- Fixes default credentials in Azure storage provider
- Drops support for go1.23 and go1.24 and updates to go1.25
- See the full changelog below for the full list of changes.
- docs: Update to refer to new image tag v3
- Fix default_credentials in azure storage provider
- chore: make function comment match function name
- build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules group across 1 directory
- fix: implement JWK thumbprint for Ed25519 public keys
- fix: Annotate code block from validation.indexes configuration docs
- feat: extract redis config to separate struct
- Fix: resolve issue #4478 by using a temporary file for non- append writes
- build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2
- docs: Add note about
OTEL_TRACES_EXPORTER - fix: set OTEL traces to disabled by default
- Fix markdown syntax for OTEL traces link in docs
- Switch UUIDs to UUIDv7
- refactor: replace map iteration with maps.Copy/Clone
- s3-aws: fix build for 386
- docs: Add OpenTelemetry links to quickstart docs
- Fix S3 driver loglevel param
- Fixed data race in TestSchedule test
- Fixes #4683 - uses X/Y instead of Gx/Gy for thumbprint of ecdsa keys
- build(deps): bump actions/checkout from 4 to 5
- Fix broken link to Docker Hub fair use policy
- fix(registry/handlers/app): redis CAs
- build(deps): bump actions/labeler from 5 to 6
- build(deps): bump actions/setup-go from 5 to 6
- build(deps): bump actions/upload-pages-artifact from 3 to 4
- build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3
- build(deps): bump github/codeql-action from 3.26.5 to 4.30.7
- build(deps): bump github/codeql-action from 4.30.7 to 4.30.8
- chore: labeler: add area/client mapping for internal/client/**
- client: add Accept headers to Exists() HEAD
- feat(registry): Make graceful shutdown test robust
- fix(registry): Correct log formatting for upstream challenge
- build(deps): bump github/codeql-action from 4.30.8 to 4.30.9
- build(deps): bump github/codeql-action from 4.30.9 to 4.31.3
- refactor: remove redundant variable declarations in for loops
- "should" -> "must" regarding redis eviction policy
- build(deps): bump actions/checkout from 5 to 6
- Incorrect warning hint
- Add return error when list object
- build(deps): bump actions/checkout from 5.0.1 to 6.0.0
- build(deps): bump peter-evans/dockerhub-description from 4 to 5
- fix: Logging regression for manifest HEAD requests
- Add boolean parsing util
- Expose
useFIPSEndpointfor S3 - Add Cloudfleet Container Registry to adopters
- fix(ci): Fix broken Azure e2e storage tests
- BUG: Fix notification filtering to work with actions when mediatypes is empty
- build(deps): bump actions/checkout from 6.0.0 to 6.0.1
- build(deps): bump actions/upload-artifact from 4.6.2 to 6.0.0
- build(deps): bump github/codeql-action from 4.31.3 to 4.31.10
- build(deps): bump github/codeql-action from 4.31.10 to 4.32.2
- build(deps): bump actions/checkout from 6.0.1 to 6.0.2
- update golangci-lint to v2.9 and fix linting issues
- update to go1.25.7, alpine 3.23, xx v1.9.0
- vendor: github.com/sirupsen/logrus v1.9.4
- vendor: update golang.org/x/* dependencies
- vendor: github.com/docker/docker-credential-helpers v0.9.5
- vendor: github.com/opencontainers/image-spec v1.1.1
- vendor: github.com/klauspost/compress v1.18.4
- fix: prefer otel variables over hard coded service name
- vendor: github.com/spf13/cobra v1.10.2
- vendor: github.com/bshuster-repo/logrus-logstash-hook v1.1.0
- fix: sync parent dir to ensure data is reliably stored
- modernize code
- vendor: github.com/docker/go-events 605354379745
- vendor: github.com/go-jose/go-jose/v4 v4.1.3
- build(deps): bump github/codeql-action from 4.32.2 to 4.32.5
- build(deps): bump docker/login-action from 3 to 4
- build(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0
- build(deps): bump docker/setup-buildx-action from 3 to 4
- build(deps): bump docker/bake-action from 6 to 7
- build(deps): bump docker/metadata-action from 5 to 6
- fix: nil-check scheduler in
proxyingRegistry.Close() - fix: set MD5 on GCS writer before first
Writecall inputContent - docs: pull through cache will pull from remote multiple times
- Update s3.md regionendpoint option
- chore(deps): Bump Go to latest 1.25 in CI workflows and go.mod
- fix: correct Ed25519 JWK thumbprint
ktyfrom"OTP"to"OKP" - Update vacuum.go
- Opt: refector tag list pagination support (stage 1)
- Correctly match environment variables to YAML-inlined structs in configuration
- Enable Redis TLS without client certificates
- build(deps): bump actions/deploy-pages from 4 to 5
- build(deps): bump github/codeql-action from 4.32.5 to 4.34.1
- fix(registry/proxy): use detached context when flushing write buffer
- ci: pin actions and apply zizmor auto-fixes
- build(deps): bump actions/setup-go from 6.3.0 to 6.4.0
- build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 in the go_modules group across 1 directory
- chore(app): warn when partial TLS config is used in Redis
- feat(registry): enhance authentication checks in htpasswd implementation
- Opt: refactor tag list pagination support
- build(deps): bump codecov/codecov-action from 5.5.4 to 6.0.0
- build(deps): bump actions/configure-pages from 5.0.0 to 6.0.0
- fix(vendor): fix broke vendor validation
- chore(ci): Prep for v3.1 release
- Update to version 3.1.0:
- fix(vendor): fix broke vendpor validation
- fix redis repo-scoped blob descriptor revocation
- proxy: bind bearer realms to upstream trust boundary
- restore directory ownership after last change
- Move config files in systemd tmpfiles dir for immutable mode
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
-
SUSE Linux Enterprise Server for SAP applications 16.0
zypper in -t patch SUSE-SLES-16.0-703=1 -
SUSE Linux Enterprise Server 16.0
zypper in -t patch SUSE-SLES-16.0-703=1
Package List:
-
SUSE Linux Enterprise Server for SAP applications 16.0 (ppc64le x86_64)
- distribution-registry-3.1.0-160000.1.1
-
SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64)
- distribution-registry-3.1.0-160000.1.1
References:
- https://www.suse.com/security/cve/CVE-2026-33186.html
- https://www.suse.com/security/cve/CVE-2026-33540.html
- https://www.suse.com/security/cve/CVE-2026-34986.html
- https://www.suse.com/security/cve/CVE-2026-35172.html
- https://bugzilla.suse.com/show_bug.cgi?id=1259718
- https://bugzilla.suse.com/show_bug.cgi?id=1260283
- https://bugzilla.suse.com/show_bug.cgi?id=1261793
- https://bugzilla.suse.com/show_bug.cgi?id=1262096
- https://bugzilla.suse.com/show_bug.cgi?id=1262951
- https://jira.suse.com/browse/PED-14747