SUSE-SU-2026:21881-1 Security update for helm

This update for helm fixes the following issues - CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGSMAXFRAMESIZE bsc1265758. - CVE-2026-41888: github.com/distribution/distribution/v3: tag deletion bypasses the storage.delete.enabled configuration...

Security update for helm

This update for helm fixes the following issues Security issues: CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGSMAXFRAMESIZE bsc1265758. CVE-2026-41888: github.com/distribution/distribution/v3: tag deletion bypasses the storage.delete.enabled...

CVE-2026-41888

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.1, tag deletion via the DELETE /v2//manifests/ endpoint bypasses the storage.delete.enabled: false configuration, allowing any API client to remove tags from repositories even when the operator has...

CVE-2026-41888

CVE-2026-41888 affects the Distribution toolkit (prior to v3.1.1). The issue is that DELETE /v2//manifests/ can bypass storage.delete.enabled: false, letting API clients remove tags from repositories even when deletion is disabled. Impact: unauthorized tag deletions. Remediation: upgrade to v3.1....

CVE-2026-41888 Distribution: Tag deletion bypasses `storage.delete.enabled` configuration

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.1, tag deletion via the DELETE /v2//manifests/ endpoint bypasses the storage.delete.enabled: false configuration, allowing any API client to remove tags from repositories even when the operator has...

CVE-2026-45224

Crabbox before 0.9.0 contains a path traversal vulnerability in the Islo provider's workspace path resolution that allows attackers to supply absolute or relative paths that resolve outside the intended /workspace directory. Attackers can craft a malicious .crabbox.yaml or crabbox.yaml file with...

Distribution's tag deletion bypasses `storage.delete.enabled` configuration

Summary Tag deletion via the DELETE /v2//manifests/ endpoint bypasses the storage.delete.enabled: false configuration, allowing any API client to remove tags from repositories even when the operator has explicitly disabled deletion. Details When storage.delete.enabled is configured to false,...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization through the DeleteManifest process. An attacker can remove tags from repositories by sending a DELETE request to the relevant API endpoint, even when deletion has been explicitly disabled in the configuration. Th...

GHSA-6PJF-3R9X-M592 Distribution's tag deletion bypasses `storage.delete.enabled` configuration

Summary Tag deletion via the DELETE /v2//manifests/ endpoint bypasses the storage.delete.enabled: false configuration, allowing any API client to remove tags from repositories even when the operator has explicitly disabled deletion. Details When storage.delete.enabled is configured to false,...

PT-2026-37158

Name of the Vulnerable Software and Affected Versions Distribution versions prior to 3.1.1 Description An authorization bypass exists where tag deletion via the "/v2//manifests/" endpoint ignores the storage.delete.enabled: false configuration. This allows any API client to remove tags from...

SUSE CVE-2026-35172

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, distribution can restore read access in repo a after an explicit delete when storage.cache.blobdescriptor: redis and storage.delete.enabled: true are both enabled. The delete path clears the shared dige...

CVE-2026-35172

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, distribution can restore read access in repo a after an explicit delete when storage.cache.blobdescriptor: redis and storage.delete.enabled: true are both enabled. The delete path clears the shared dige...

DEBIAN-CVE-2026-35172

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, distribution can restore read access in repo a after an explicit delete when storage.cache.blobdescriptor: redis and storage.delete.enabled: true are both enabled. The delete path clears the shared dige...

CVE-2026-35172

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, distribution can restore read access in repo a after an explicit delete when storage.cache.blobdescriptor: redis and storage.delete.enabled: true are both enabled. The delete path clears the shared dige...

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass due to the possibility to restore read access in repo a after an explicit delete when both storage.cache.blobdescriptor: redis and storage.delete.enabled: true are enabled. An attacker can regain unauthorized read...

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass due to the possibility to restore read access in repo a after an explicit delete when both storage.cache.blobdescriptor: redis and storage.delete.enabled: true are enabled. An attacker can regain unauthorized read...

CVE-2026-35172 Distribution has stale blob access resurrection via repo-scoped redis descriptor cache invalidation

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, distribution can restore read access in repo a after an explicit delete when storage.cache.blobdescriptor: redis and storage.delete.enabled: true are both enabled. The delete path clears the shared dige...

CVE-2026-35172

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, distribution can restore read access in repo a after an explicit delete when storage.cache.blobdescriptor: redis and storage.delete.enabled: true are both enabled. The delete path clears the shared dige...

GHSA-F2G3-HH2R-CWGC Distribution: stale blob access resurrection via repo-scoped redis descriptor cache invalidation

summary: distribution can restore read access in repo a after an explicit delete when storage.cache.blobdescriptor: redis and storage.delete.enabled: true are both enabled. the delete path clears the shared digest descriptor but leaves stale repo-scoped membership behind, so a later Stat or Get...

PT-2026-30710

Name of the Vulnerable Software and Affected Versions distribution versions 3.0.x and earlier, versions 2.8.x and earlier when redis blob descriptor cache and delete are both enabled Description distribution, a toolkit for managing container content, is susceptible to a confidentiality issue. Whe...