This release is a special security release to address an issue allowing an attacker to force arbitrarily-sized memory allocations in a registry instance through the manifest endpoint. The problem has been mitigated by limiting the size of reads for image manifest content.

Details for mitigation are in 58d239d7.

CVE-2017-11468 has been assigned for this issue.

Changelog

0bae7512 Merge pull request #2344 from stevvooe/prepare-2.5.2 48cb60af release: prepare for 2.5.2 release 2b0952dc Merge pull request #2342 from stevvooe/limit-payload-size-25 58d239d7 registry/{storage,handlers}: limit content sizes 9bc9d212 Merge pull request #2122 from mstanleyjones/configuration_changes_backport fcbea606 Improve formatting of configuration.md 6b114e6d Merge pull request #2081 from Windfarer/release/2.5 6c985f7f Update main.go 2c3b616f Merge pull request #2054 from mstanleyjones/2.5_metadata_fixes 5adfbe34 Remove newlines from end of error strings cfe70793 Satisfy the latest go lint rules abd2d765 Metadata and formatting fixes needed for Jekyll build 6b3ccf96 Convert Markdown frontmatter to YAML a8402a22 Merge pull request #1985 from johndmulhausen/master 0a22649f Update to fix lint errors

This release is a special security release to address an issue allowing an attacker to force arbitrarily-sized memory allocations in a registry instance through the manifest endpoint. The problem has been mitigated by limiting the size of reads for image manifest content.

Details for mitigation are in 29fa466d

CVE-2017-11468 has been assigned for this issue.

Changelog

48294d92 Merge pull request #2343 from stevvooe/prepare-2.6.2 04ce6865 release: prepare for 2.6.2 release c829241c Merge pull request #2341 from stevvooe/limit-payload-size-26 29fa466d registry/{storage,handlers}: limit content sizes 42ea75ca Merge pull request #2284 from mstanleyjones/release/2.6 ed2b6867 Put architecture.md back into distribution repo

Changelog

Registry

• Fix Forwarded header handling, revert use of X-Forwarded-Port
• Use driver Stat for registry health check

Changelog

Registry

• Fix Forwarded header handling, revert use of X-Forwarded-Port
• Use driver Stat for registry health check

Changelog

Registry

• Fix Forwarded header handling, revert use of X-Forwarded-Port

2.6.0 (2017-01-18)

Storage

• S3: fixed bug in delete due to read-after-write inconsistency
• S3: allow EC2 IAM roles to be used when authorizing region endpoints
• S3: add Object ACL Support
• S3: fix delete method's notion of subpaths
• S3: use multipart upload API in Move method for performance
• S3: add v2 signature signing for legacy S3 clones
• Swift: add simple heuristic to detect incomplete DLOs during read ops
• Swift: support different user and tenant domains
• Swift: bulk deletes in chunks
• Aliyun OSS: fix delete method's notion of subpaths
• Aliyun OSS: optimize data copy after upload finishes
• Azure: close leaking response body
• Fix storage drivers dropping non-EOF errors when listing repositories
• Compare path properly when listing repositories in catalog
• Add a foreign layer URL host whitelist
• Improve catalog enumerate runtime

Registry

• Export storage.CreateOptions in top-level package
• Enable notifications to endpoints that use self-signed certificates
• Properly validate multi-URL foreign layers
• Add control over validation of URLs in pushed manifests
• Proxy mode: fix socket leak when pull is cancelled
• Tag service: properly handle error responses on HEAD request
• Support for custom authentication URL in proxying registry
• Add configuration option to disable access logging
• Add notification filtering by target media type
• Manifest: References() returns all children
• Honor X-Forwarded-Port and Forwarded headers
• Reference: Preserve tag and digest in With* functions
• Add policy configuration for enforcing repository classes

Client

• Changes the client Tags All() method to follow links
• Allow registry clients to connect via HTTP2
• Better handling of OAuth errors in client

Spec

• Manifest: clarify relationship between urls and foreign layers
• Authorization: add support for repository classes

Manifest

• Override media type returned from Stat() for existing manifests
• Add plugin mediatype to distribution manifest

Docs

• Document TOOMANYREQUESTS error code
• Document required Let's Encrypt port
• Improve documentation around implementation of OAuth2
• Improve documentation for configuration

Auth

• Add support for registry type in scope
• Add support for using v2 ping challenges for v1
• Add leeway to JWT nbf and exp checking
• htpasswd: dynamically parse htpasswd file
• Fix missing auth headers with PATCH HTTP request when pushing to default port

Dockerfile

• Update to go1.7
• Reorder Dockerfile steps for better layer caching

Notes

Documentation has moved to the documentation repository at github.com/docker/docker.github.io/tree/master/registry

The registry is go 1.7 compliant, and passes newer, more restrictive lint and vet ing.

Changelog

Spec

• Authorization: add support for repository classes

Registry

• Add policy configuration for enforcing repository classes

Changelog

Storage

• S3: fixed bug in delete due to read-after-write inconsistency
• S3: allow EC2 IAM roles to be used when authorizing region endpoints
• S3: add Object ACL Support
• S3: fix delete method's notion of subpaths
• S3: use multipart upload API in Move method for performance
• S3: add v2 signature signing for legacy S3 clones
• Swift: add simple heuristic to detect incomplete DLOs during read ops
• Swift: support different user and tenant domains
• Swift: bulk deletes in chunks
• Aliyun OSS: fix delete method's notion of subpaths
• Aliyun OSS: optimize data copy after upload finishes
• Azure: close leaking response body
• Fix storage drivers dropping non-EOF errors when listing repositories
• Compare path properly when listing repositories in catalog
• Add a foreign layer URL host whitelist
• Improve catalog enumerate runtime

Registry

• Override media type returned from Stat() for existing manifests
• Export storage.CreateOptions in top-level package
• Enable notifications to endpoints that use self-signed certificates
• Properly validate multi-URL foreign layers
• Add control over validation of URLs in pushed manifests
• Proxy mode: fix socket leak when pull is cancelled
• Tag service: properly handle error responses on HEAD request
• Support for custom authentication URL in proxying registry
• Add configuration option to disable access logging
• Add notification filtering by target media type
• Manifest: References() returns all children
• Honor X-Forwarded-Port and Forwarded headers
• Reference: Preserve tag and digest in With* functions

Client

• Changes the client Tags All() method to follow links
• Allow registry clients to connect via HTTP2
• Better handling of OAuth errors in client

Spec

• Manifest: clarify relationship between urls and foreign layers

Manifest

• Add plugin mediatype to distribution manifest

Docs

• Document TOOMANYREQUESTS error code
• Document required Let's Encrypt port
• Improve documentation around implementation of OAuth2

Auth

• Add support for registry type in scope
• Add support for using v2 ping challenges for v1
• Add leeway to JWT nbf and exp checking
• htpasswd: dynamically parse htpasswd file
• Fix missing auth headers with PATCH HTTP request when pushing to default port

Dockerfile

• Update to go1.7
• Reorder Dockerfile steps for better layer caching

Notes

Documentation has moved to the documentation repository at github.com/docker/docker.github.io/tree/master/registry

The registry is go 1.7 compliant, and passes newer, more restrictive lint and vet ing.

Catalog endpoint improvements.