Skip to content

v2.6.2

Latest

Choose a tag to compare

@github-actions github-actions released this 10 Jul 16:30
105715e

This is a security patch release addressing advisories in the content and remote layers, plus additional hardening and bug fixes since v2.6.1.

Security Fixes

  • Resolve the hardlink (TypeLink) target before passing it to os.Link, preventing a crafted OCI artifact from hardlinking a file outside the extraction directory via the process CWD (#1232, GHSA-fxhp-mv3v-67qp / CVE-2026-50163)
  • Bound tag and referrer list pagination to prevent a malicious or misbehaving registry from advertising an endless page chain and forcing unbounded client requests (client-side DoS) (#1215)

Bug Fixes

  • Bound content.ReadAll allocation by actual content read rather than the descriptor size, correcting the over-broad 32 MiB cap introduced for GHSA-f36w-mj3v-6jqv so legitimate in-memory Push/FetchAll/FetchBytes are not rejected (#1223)

Other Changes

  • Bump golang.org/x/sync from 0.20.0 to 0.21.0 (#1208)