x/vulndb: potential Go vuln in github.com/opencontainers/image-spec: GHSA-77vh-xpmg-72qh

[GoVulnBot]

In GitHub Security Advisory GHSA-77vh-xpmg-72qh, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/opencontainers/image-spec	1.0.2	< 1.0.2

See doc/triage.md for instructions on how to triage this report.

package: github.com/opencontainers/image-spec
versions:
  - introduced: v0.0.0
    fixed: v1.0.2
description: |
    ### Impact
    In the OCI Image Specification version 1.0.1 and prior, manifest and index documents are not self-describing and documents with a single digest could be interpreted as either a manifest or an index.

    ### Patches
    The Image Specification will be updated to recommend that both manifest and index documents contain a `mediaType` field to identify the type of document.
    Release [v1.0.2](https://github.com/opencontainers/image-spec/releases/tag/v1.0.2) includes these updates.

    ### Workarounds
    Software attempting to deserialize an ambiguous document may reject the document if it contains both “manifests” and “layers” fields or “manifests” and “config” fields.

    ### References
    https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m

    ### For more information
    If you have any questions or comments about this advisory:
    * Open an issue in https://github.com/opencontainers/image-spec
    * Email us at [[email protected]](mailto:[email protected])
    * https://github.com/opencontainers/image-spec/commits/v1.0.2
published: 2021-11-18T16:02:41Z
last_modified: 2021-11-24T19:43:36Z
ghsas:
  - GHSA-77vh-xpmg-72qh

[neild]

Vulnerability in specification, not code. See #379 for associated package vulnerability.