GMS-2021-101: Clarify `mediaType` handling
(updated )
Impact
In the OCI Image Specification version 1.0.1 and prior, manifest and index documents are not self-describing and documents with a single digest could be interpreted as either a manifest or an index.
Patches
The Image Specification will be updated to recommend that both manifest and index documents contain a mediaType field to identify the type of document.
References
- github.com/advisories/GHSA-77vh-xpmg-72qh
- github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m
- github.com/opencontainers/image-spec/commit/693428a734f5bab1a84bd2f990d92ef1111cd60c
- github.com/opencontainers/image-spec/releases/tag/v1.0.2
- github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh
Code Behaviors & Features
Detect and mitigate GMS-2021-101 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →