Clarify Content-Type handling in OCI spec
Description
The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both “manifests” and “layers” fields or “manifests” and “config” fields if they are unable to update to version 1.0.1 of the spec.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/opencontainers/distribution-specGo | < 1.0.1 | 1.0.1 |
Affected products
78- ghsa-coords77 versionspkg:golang/github.com/opencontainers/distribution-specpkg:rpm/opensuse/conmon&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/containerd&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/containerd&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/docker&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/docker&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/docker-kubic&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/docker-stable&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/docker-stable&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/libcontainers-common&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/libseccomp&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/podman&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/podman&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/podman&distro=openSUSE%20Leap%20Micro%205.2pkg:rpm/opensuse/podman&distro=openSUSE%20Leap%20Micro%205.3pkg:rpm/opensuse/podman&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/singularity&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/singularity&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/umoci&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/umoci&distro=openSUSE%20Tumbleweedpkg:rpm/suse/conmon&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/conmon&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP3pkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Micro%205.0pkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2012pkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP3pkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Micro%205.0pkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2012pkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP3pkg:rpm/suse/docker-stable&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOSpkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSSpkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP6pkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP7pkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSSpkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5pkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/libcontainers-common&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/libcontainers-common&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3pkg:rpm/suse/libseccomp&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/libseccomp&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3pkg:rpm/suse/podman&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/podman&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOSpkg:rpm/suse/podman&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/podman&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/podman&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/podman&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/podman&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP3pkg:rpm/suse/podman&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP4pkg:rpm/suse/podman&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/podman&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/singularity&distro=SUSE%20Package%20Hub%2015%20SP3pkg:rpm/suse/umoci&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/umoci&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/umoci&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/umoci&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/umoci&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOSpkg:rpm/suse/umoci&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSSpkg:rpm/suse/umoci&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6pkg:rpm/suse/umoci&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP7pkg:rpm/suse/umoci&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/umoci&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/umoci&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSSpkg:rpm/suse/umoci&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/umoci&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/umoci&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5pkg:rpm/suse/umoci&distro=SUSE%20Manager%20Proxy%204.3pkg:rpm/suse/umoci&distro=SUSE%20Manager%20Server%204.3
< 1.0.1+ 76 more
- (no CPE)range: < 1.0.1
- (no CPE)range: < 2.0.30-150300.8.3.1
- (no CPE)range: < 1.4.12-60.1
- (no CPE)range: < 1.4.12-1.1
- (no CPE)range: < 20.10.12_ce-159.1
- (no CPE)range: < 20.10.11_ce-1.1
- (no CPE)range: < 20.10.12_ce-159.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-15.1
- (no CPE)range: < 20210626-150300.8.3.1
- (no CPE)range: < 2.5.3-150300.10.5.1
- (no CPE)range: < 3.4.4-150300.9.3.2
- (no CPE)range: < 4.3.1-150400.4.11.1
- (no CPE)range: < 4.3.1-150300.9.15.1
- (no CPE)range: < 4.3.1-150400.4.11.1
- (no CPE)range: < 3.4.4-1.1
- (no CPE)range: < 3.8.5-bp153.2.10.1
- (no CPE)range: < 3.8.5-1.1
- (no CPE)range: < 0.5.0-150000.3.15.1
- (no CPE)range: < 0.5.0-1.1
- (no CPE)range: < 2.0.30-150300.8.3.1
- (no CPE)range: < 2.0.30-150300.8.3.1
- (no CPE)range: < 1.4.12-60.1
- (no CPE)range: < 1.4.12-60.1
- (no CPE)range: < 1.4.12-16.49.1
- (no CPE)range: < 1.4.12-60.1
- (no CPE)range: < 20.10.12_ce-159.1
- (no CPE)range: < 20.10.12_ce-159.1
- (no CPE)range: < 20.10.12_ce-98.75.1
- (no CPE)range: < 20.10.12_ce-159.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-1.20.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-1.20.1
- (no CPE)range: < 20210626-150300.8.3.1
- (no CPE)range: < 20210626-150300.8.3.1
- (no CPE)range: < 2.5.3-150300.10.5.1
- (no CPE)range: < 2.5.3-150300.10.5.1
- (no CPE)range: < 4.3.1-150300.9.15.1
- (no CPE)range: < 4.3.1-150300.9.15.1
- (no CPE)range: < 4.3.1-150300.9.15.1
- (no CPE)range: < 4.3.1-150300.9.15.1
- (no CPE)range: < 4.3.1-150300.9.15.1
- (no CPE)range: < 4.3.1-150400.4.11.1
- (no CPE)range: < 3.4.4-150300.9.3.2
- (no CPE)range: < 4.3.1-150400.4.11.1
- (no CPE)range: < 4.3.1-150300.9.15.1
- (no CPE)range: < 4.3.1-150300.9.15.1
- (no CPE)range: < 3.8.5-bp153.2.10.1
- (no CPE)range: < 0.5.0-150000.3.15.1
- (no CPE)range: < 0.5.0-150000.3.15.1
- (no CPE)range: < 0.5.0-150000.3.15.1
- (no CPE)range: < 0.5.0-150000.3.15.1
- (no CPE)range: < 0.5.0-150000.3.15.1
- (no CPE)range: < 0.5.0-150000.3.15.1
- (no CPE)range: < 0.5.0-150000.3.15.1
- (no CPE)range: < 0.5.0-150000.3.15.1
- (no CPE)range: < 0.5.0-150000.3.15.1
- (no CPE)range: < 0.5.0-150000.3.15.1
- (no CPE)range: < 0.5.0-150000.3.15.1
- (no CPE)range: < 0.5.0-150000.3.15.1
- (no CPE)range: < 0.5.0-150000.3.15.1
- (no CPE)range: < 0.5.0-150000.3.15.1
- (no CPE)range: < 0.5.0-150000.3.15.1
- (no CPE)range: < 0.5.0-150000.3.15.1
- Range: < 1.0.1
Patches
Vulnerability mechanics
References
21- github.com/advisories/GHSA-mc8v-mgrf-8f4mghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3TUZNDAH2B26VPBK342UC3BHZNLBUXGX/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4334HT7AZPLWNYHW4ARU6JBUF3VZJPZN/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A2RRFNTMFYKOTRKD37F5ANMCIO3GGJML/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DX63GRWFEI5RVMYV6XLMCG4OHPWZML27/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RZTO6N55WHKHIZI4IMLY2QFBPMVTAERM/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SQBCYJUIM5GVCMFUPRWKRZNXMMI5EFA4/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4OJ764CKKCWCVONHD4YXTGR7HZ7LRUV/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YIGVQWOA5XXCQXEOOKZX4CDAGLBDRPRX/mitrevendor-advisoryx_refsource_FEDORA
- nvd.nist.gov/vuln/detail/CVE-2021-41190ghsaADVISORY
- www.openwall.com/lists/oss-security/2021/11/19/10ghsamailing-listx_refsource_MLISTWEB
- github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923ghsax_refsource_MISCWEB
- github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4mghsax_refsource_CONFIRMWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3TUZNDAH2B26VPBK342UC3BHZNLBUXGXghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4334HT7AZPLWNYHW4ARU6JBUF3VZJPZNghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A2RRFNTMFYKOTRKD37F5ANMCIO3GGJMLghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DX63GRWFEI5RVMYV6XLMCG4OHPWZML27ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RZTO6N55WHKHIZI4IMLY2QFBPMVTAERMghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SQBCYJUIM5GVCMFUPRWKRZNXMMI5EFA4ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4OJ764CKKCWCVONHD4YXTGR7HZ7LRUVghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YIGVQWOA5XXCQXEOOKZX4CDAGLBDRPRXghsaWEB
News mentions
0No linked articles in our index yet.