Skip to content
v2.8.2
default avatar
milosthegajdos@gmail.com
7c354a4b · Merge pull request #3915 from distribution/2.8.2-release-notes · 
registry 2.8.2

Welcome to the v2.8.2 release of registry!

Welcome to the 2.8.2 release of registry!

The 2.8.2 registry release fixes several security vulnerabilities.
The Go runtime has been bumped to 1.19.

See the changelog below for full list of changes.

### CI

* Dockerfile: fix filenames of artifacts ([#3911](https://github.com/distribution/distribution/pull/3911))

### Bugfixes

* Fix panic in inmemory driver ([#3815](https://github.com/distribution/distribution/pull/3815))
* Add code to handle pagination of parts. Fixes max layer size of 10GB bug ([#3893](https://github.com/distribution/distribution/pull/3893))

### Runtime

* Update to go1.19.9 ([#3908](https://github.com/distribution/distribution/pull/3908))
* Dockerfile: update xx to v1.2.1 ([#3907](https://github.com/distribution/distribution/pull/3907))

### Security

* Fix [CVE-2022-28391](https://www.cve.org/CVERecord?id=CVE-2022-28391) by bumping alpine from 3.14 to 3.16 ([#3650](https://github.com/distribution/distribution/pull/3650))
* Fix [CVE-2023-2253](https://www.cve.org/CVERecord?id=CVE-2023-2253) runaway allocation on /v2/_catalog [`521ea3d9`](https://github.com/distribution/distribution/commit/521ea3d973cb0c7089ebbcdd4ccadc34be941f54)

### Dependency Changes

This release has no dependency changes

Previous release can be found at [v2.8.1](https://github.com/distribution/distribution/releases/tag/v2.8.1)

Please try out the release binaries and report any issues at
https://github.com/distribution/distribution/issues.

### Contributors

* Milos Gajdos
* Sebastiaan van Stijn
* CrazyMax
* Milos Gajdos
* Wang Yan
* David van der Spek
* Derek McGowan
* Hayley Swimelar
* Jose D. Gomez R
* Nicolas De Loof
* Paweł Gronowski
* Shengjing Zhu
* Silvin Lubecki

### Changes
<details><summary>33 commits</summary>
<p>

* [release/2.8 backport] registry/errors: Parse http forbidden as denied ([#3914](https://github.com/distribution/distribution/pull/3914))
  * [`483ad69d`](https://github.com/distribution/distribution/commit/483ad69da3e3fb9ac885962d50834ff8619733a2) registry/errors: Parse http forbidden as denied
* [release/2.8 backport] revert "registry/client: set Accept: identity header when getting layers ([#3783](https://github.com/distribution/distribution/pull/3783))
  * [`2b0f84df`](https://github.com/distribution/distribution/commit/2b0f84df21e062bd0cc3676557c6bee4cbb9e9bc) Revert "registry/client: set Accept: identity header when getting layers"
* Add 2.8.2 beta.2 release notes ([#3912](https://github.com/distribution/distribution/pull/3912))
  * [`5f3ca1b2`](https://github.com/distribution/distribution/commit/5f3ca1b2fb6109705d729816e7260a6966d2b42d) Add release notes for 2.8.2-beta.2 release
* [release/2.8 backport] Dockerfile: fix filenames of artifacts ([#3911](https://github.com/distribution/distribution/pull/3911))
  * [`e884644f`](https://github.com/distribution/distribution/commit/e884644fff38a5bf601a2272f434ee2b01dd2b17) Dockerfile: fix filenames of artifacts
* Add 2.8.2-beta.1 release notes ([#3909](https://github.com/distribution/distribution/pull/3909))
  * [`ac6c72b2`](https://github.com/distribution/distribution/commit/ac6c72b25fd258449f166acd3bc5961479c8072f) Add 2.8.2-beta.1 release notes
  * [`dcb637d6`](https://github.com/distribution/distribution/commit/dcb637d6ea8e31e219dfab6ee5c27f09b7441667) Merge pull request from GHSA-hqxw-f8mx-cpmw
  * [`521ea3d9`](https://github.com/distribution/distribution/commit/521ea3d973cb0c7089ebbcdd4ccadc34be941f54) Fix runaway allocation on /v2/_catalog
* [release/2.8] Add code to handle pagination of parts. Fixes max layer size of 10GB bug ([#3893](https://github.com/distribution/distribution/pull/3893))
  * [`22a80503`](https://github.com/distribution/distribution/commit/22a805033aa861ad171f4a0b560d241a7c57ac86) fix(ci): use go install instead of go get
* Add code to handle pagination of parts. Fixes max layer size of 10GB bug ([#2815](https://github.com/distribution/distribution/pull/2815))
* [release/2.8 backport] update to go1.19.9 ([#3908](https://github.com/distribution/distribution/pull/3908))
  * [`ae58bde9`](https://github.com/distribution/distribution/commit/ae58bde9853c94e482333a4a2734c7ade5b3e344) Fix gofmt warnings
  * [`3f2a4e24`](https://github.com/distribution/distribution/commit/3f2a4e24a73c69087735b741ee197482d8fda41b) update to go1.19.9
  * [`9c04409f`](https://github.com/distribution/distribution/commit/9c04409fdba2219c216b2d14a3f1dd65d4dcdd74) [release/2.8] ignore deprecation of io/ioutil
* [release/2.8 backport] Dockerfile: update xx to v1.2.1 ([#3907](https://github.com/distribution/distribution/pull/3907))
  * [`3d8f3cc4`](https://github.com/distribution/distribution/commit/3d8f3cc4a5d903a983f33b8b8b2f5713930902fd) Dockerfile: update xx to v1.2.1
* [release/2.8] bump up golang version (alternative) ([#3903](https://github.com/distribution/distribution/pull/3903))
  * [`70db3a46`](https://github.com/distribution/distribution/commit/70db3a46d9badbde6a1533e799e292d2ff10b430) bump up golang version
  * [`db1389e0`](https://github.com/distribution/distribution/commit/db1389e0432ccd16c37c580c95ff2dd1853b8345) dockerfiles: formatting
  * [`018472de`](https://github.com/distribution/distribution/commit/018472de2d95025485d3e5429ea92dd18ce2665d) dockerfiles: set ALPINE_VERSION
  * [`19b3feb5`](https://github.com/distribution/distribution/commit/19b3feb5dfeac86148971785ca36190091a4803e) Update to xx 1.1.1
  * [`14bd72bc`](https://github.com/distribution/distribution/commit/14bd72bcf8b8a2759e765d3a766b53c9141b677b) Dockerfile: switch to xx
  * [`2392893b`](https://github.com/distribution/distribution/commit/2392893bcfe7de3010c66626db46f59ab520c9a0) bump up golang v1.17
  * [`092a2197`](https://github.com/distribution/distribution/commit/092a2197ff64d4a4b33fbe9d1080f37e9319d346) [release/2.8] fix package name in Dockerfile
* [release/2.8] Fix panic in inmemory driver ([#3815](https://github.com/distribution/distribution/pull/3815))
  * [`ad5991de`](https://github.com/distribution/distribution/commit/ad5991de09d424fe71ea795463533aa46bc7e74e) Fix panic in inmemory driver
* [release/2.8 backport] Fix CVE-2022-28391 by bumping alpine from 3.14 to 3.16 ([#3650](https://github.com/distribution/distribution/pull/3650))
  * [`38018aeb`](https://github.com/distribution/distribution/commit/38018aeb5d50b08baec9b7c1ee9b2130349aa47a) Fix CVE-2022-28391 by bumping alpine from 3.15 to 3.16
</p>
</details>

### Dependency Changes

This release has no dependency changes

Previous release can be found at [v2.8.1](https://github.com/distribution/distribution/releases/tag/v2.8.1)