Bump zot registry to v2.1.15 #293

Merged
eblume merged 2 commits from bump/zot-v2.1.15 into main 2026-03-14 10:00:40 -07:00

Summary

  • Upgrade zot OCI registry from v2.1.13 to v2.1.15 on indri
  • Addresses CVE-2025-30204 (golang-jwt memory) and open redirect via callback_ui
  • No config template changes needed (externalUrl is auto-allowlisted)
  • Requires Go 1.25.7 (bump from 1.25.6 via mise)

Data Safety

  • Data directory ~/erichblume/zot is NOT touched during build or deploy
  • No schema migrations in v2.1.14 or v2.1.15
  • Storage format remains OCI spec 1.1.0

Deployment Steps

  • SSH to indri: bump Go to 1.25.7 via `mise use go@1.25.7`
  • Fetch and checkout v2.1.15 in ~/code/3rd/zot
  • Build: `mise x -- make binary`
  • Restart LaunchAgent
  • Verify: `curl -s http://localhost:5050/v2/` returns 200
  • Verify: `curl -s https://registry.ops.eblu.me/v2/_catalog` lists repos
  • Verify: `mise run services-check`
Upgrade from v2.1.13 to v2.1.15 for two security fixes:
- CVE-2025-30204 (golang-jwt excessive memory allocation)
- Open redirect via callback_ui

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The LaunchAgent's default PATH (/usr/bin:/bin:/usr/sbin:/sbin) doesn't
include /usr/local/bin where docker-credential-desktop lives. Trivy's
OCI client reads ~/.docker/config.json which specifies credsStore:desktop,
then fails to find the credential helper. Add /usr/local/bin to PATH.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
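
The failure described in the second commit message can be checked before a service is restarted. The following is an added example, not code from this pull request or from zot, Trivy or Docker: it reads a Docker client config and reports which `docker-credential-*` helpers do not resolve on a given PATH. It goes slightly beyond the commit's case by also covering per-registry `credHelpers`; the function names and the sample config are assumptions made for illustration.

```python
import json
import os
import shutil
import stat
import tempfile

# Default LaunchAgent PATH as quoted in the commit message above.
LAUNCHD_DEFAULT_PATH = "/usr/bin:/bin:/usr/sbin:/sbin"


def required_helpers(docker_config: dict) -> set:
    """Return the docker-credential-* binaries a Docker client config refers to."""
    names = set()
    if docker_config.get("credsStore"):
        names.add("docker-credential-" + docker_config["credsStore"])
    # credHelpers maps a registry host to a helper suffix.
    for suffix in (docker_config.get("credHelpers") or {}).values():
        names.add("docker-credential-" + suffix)
    return names


def missing_helpers(docker_config: dict, path: str) -> list:
    """List required helpers that cannot be resolved on the given PATH string."""
    return sorted(h for h in required_helpers(docker_config)
                  if shutil.which(h, path=path) is None)


def demo() -> tuple:
    """Constructed sample: a temp dir with a stub helper stands in for /usr/local/bin."""
    config = json.loads('{"credsStore": "desktop"}')  # constructed config.json content
    with tempfile.TemporaryDirectory() as fake_bin:
        helper = os.path.join(fake_bin, "docker-credential-desktop")
        with open(helper, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(helper, stat.S_IRWXU)
        before = missing_helpers(config, LAUNCHD_DEFAULT_PATH)
        after = missing_helpers(config, fake_bin + os.pathsep + LAUNCHD_DEFAULT_PATH)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("missing on default LaunchAgent PATH:", before)
    print("missing after extending PATH:", after)
```

Run against the real `~/.docker/config.json` with the PATH value from the service definition, a non-empty result means the registry client will fail to find its credential helper under that service.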
eblume merged commit 53d620365a into main 2026-03-14 10:00:40 -07:00
eblume referenced this pull request from a commit 2026-03-14 10:00:42 -07:00
Reference
eblume/blumeops!293