From 392aeaf66bd4a9ad35df6aba56054b63cf0bb75f Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Sat, 14 Mar 2026 09:21:59 -0700 Subject: [PATCH 1/2] Bump zot registry to v2.1.15 Upgrade from v2.1.13 to v2.1.15 for two security fixes: - CVE-2025-30204 (golang-jwt excessive memory allocation) - Open redirect via callback_ui Co-Authored-By: Claude Opus 4.6 (1M context) --- docs/changelog.d/bump-zot-v2.1.15.infra.md | 1 + docs/reference/services/zot.md | 2 +- service-versions.yaml | 4 ++-- 3 files changed, 4 insertions(+), 3 deletions(-) create mode 100644 docs/changelog.d/bump-zot-v2.1.15.infra.md diff --git a/docs/changelog.d/bump-zot-v2.1.15.infra.md b/docs/changelog.d/bump-zot-v2.1.15.infra.md new file mode 100644 index 0000000..f20e2d5 --- /dev/null +++ b/docs/changelog.d/bump-zot-v2.1.15.infra.md @@ -0,0 +1 @@ +Upgrade zot container registry from v2.1.13 to v2.1.15 (CVE-2025-30204, open redirect fix) diff --git a/docs/reference/services/zot.md b/docs/reference/services/zot.md index c113695..c309557 100644 --- a/docs/reference/services/zot.md +++ b/docs/reference/services/zot.md @@ -1,6 +1,6 @@ --- title: Zot -modified: 2026-02-21 +modified: 2026-03-14 tags: - service - registry diff --git a/service-versions.yaml b/service-versions.yaml index f060499..7d03295 100644 --- a/service-versions.yaml +++ b/service-versions.yaml @@ -269,8 +269,8 @@ services: - name: zot type: ansible - last-reviewed: null - current-version: null + last-reviewed: 2026-03-14 + current-version: "v2.1.15" upstream-source: https://github.com/project-zot/zot/releases notes: Built from source on indri From 3725d0873f79efc344cff8877f696ae0dfe2da7a Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Sat, 14 Mar 2026 09:54:10 -0700 Subject: [PATCH 2/2] Fix trivy CVE DB downloads in zot LaunchAgent The LaunchAgent's default PATH (/usr/bin:/bin:/usr/sbin:/sbin) doesn't include /usr/local/bin where docker-credential-desktop lives. Trivy's OCI client reads ~/.docker/config.json which specifies credsStore:desktop, then fails to find the credential helper. Add /usr/local/bin to PATH. Co-Authored-By: Claude Opus 4.6 (1M context) --- ansible/roles/zot/templates/zot.plist.j2 | 5 +++++ docs/changelog.d/bump-zot-v2.1.15.infra.md | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ansible/roles/zot/templates/zot.plist.j2 b/ansible/roles/zot/templates/zot.plist.j2 index 25b7da1..b777fb8 100644 --- a/ansible/roles/zot/templates/zot.plist.j2 +++ b/ansible/roles/zot/templates/zot.plist.j2 @@ -16,6 +16,11 @@ KeepAlive + EnvironmentVariables + + PATH + /usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin + StandardOutPath {{ zot_log_dir }}/mcquack.zot.out.log StandardErrorPath diff --git a/docs/changelog.d/bump-zot-v2.1.15.infra.md b/docs/changelog.d/bump-zot-v2.1.15.infra.md index f20e2d5..67e5ccd 100644 --- a/docs/changelog.d/bump-zot-v2.1.15.infra.md +++ b/docs/changelog.d/bump-zot-v2.1.15.infra.md @@ -1 +1 @@ -Upgrade zot container registry from v2.1.13 to v2.1.15 (CVE-2025-30204, open redirect fix) +Upgrade zot container registry from v2.1.13 to v2.1.15 (CVE-2025-30204, open redirect fix). Fix trivy CVE DB downloads by adding /usr/local/bin to LaunchAgent PATH.