Harbor
v2.15.1Storage & DataHarbor v2.15.1 is a patch release focused on CVE fixes, security hardening, and several behavioral bug fixes including proxy cache, session management, and GC credential leak.
securityRedeploy now to stop Redis credentials leaking from GC job metadata
Before this fix, the GC job stored the Redis URL (including credentials) in its extra attributes, which are accessible via the Harbor API and potentially logged. If you run GC jobs and have Redis auth configured, treat any previously captured GC job metadata as potentially containing plaintext credentials. Rotate Redis passwords and upgrade to v2.15.1 promptly.
securityCVE patches in base image — upgrade before your next scan cycle
The Photon base image was updated specifically to address CVEs, then stabilized on photon:5.0. If you're running v2.15.0 in a security-conscious environment, your vulnerability scanner will likely flag the older image. Upgrade to v2.15.1 to clear those findings before they become audit issues.
enhancementSession behavior change: idle timeouts will now work as configured
Background polling in the UI was silently keeping sessions alive indefinitely by resetting the TTL on every poll cycle. After this fix, sessions will actually expire when users are idle. If your org relies on session timeouts for compliance, this fix makes them effective. Warn users they may now be logged out after inactivity — this is correct behavior, not a regression.
主な変更 (5)
- Photon base image updated to fix CVEs; base image reverted to goharbor/photon:5.0
- GC job now redacts Redis URL credentials from extra attributes — previously these could be exposed in logs or API responses
- Background UI polling no longer renews session TTL, preventing phantom session extensions
- DockerHub adapter now correctly calls /v2/auth/token for bearer token acquisition
- go-jose and OpenTelemetry SDK dependencies bumped; Go runtime updated to 1.23.9