Applies to SUSE Private Registry 1.0

Release notes

SUSE Private Registry is an on-premises container registry. It is designed for SUSE customers who need a container registry that works well with other SUSE services and products.

This document provides a high-level overview of the features, capabilities and limitations of SUSE Private Registry, and highlights important product updates.

1 Release 1.2.0

Security updates:

Component updates:

  • Updates k8s.io/client-go to 0.34.1.

  • Updates aws-sdk-go to 1.55.8.

  • Updates go-ldap to 3.4.11.

  • Updates Go to 1.25.9.

New features and performance:

  • Adds support for the Cosign v3 Bundle signature format.

  • Introduces an option to disable audit log recording to the database during initialization.

  • Enables pprof support and the ability to export the Harbor version via the Prometheus exporter binary.

  • Replaces the existing pull-through cache with a new proxy cache implementation.

  • Improves general performance through code refactoring (for example, by using strings.Builder and strings.CutPrefix).

Key fixes:

  • Implements a security fix to reject bearer tokens issued before project creation.

  • Fixes issues related to OpenID Connect (OIDC) integration for users with a single group.

  • Corrects errors in user and group search functionality.

  • Resolves various user interface (UI) issues, including an unwanted scrollbar in tag retention and issues with the "Copy Pull Button" when tags are undefined.

  • Adds support for both docker-compose v1 and docker-compose v2.

  • Calls the /v2/auth/token application programming interface (API) to get a bearer token for the Docker Hub adapter.

Container image updates:

  • private-registry/harbor-core:1.1.2 ➡ private-registry/1.2/harbor-core:1.2.0

  • private-registry/harbor-exporter:1.1.2 ➡ private-registry/1.2/harbor-exporter:1.2.0

  • private-registry/harbor-jobservice:1.1.2 ➡ private-registry/1.2/harbor-jobservice:1.2.0

  • private-registry/harbor-portal:1.1.2 ➡ private-registry/1.2/harbor-portal:1.2.0

  • private-registry/harbor-registry:1.1.2 ➡ private-registry/1.2/harbor-registry:1.2.0

  • private-registry/harbor-registryctl:1.1.2 ➡ private-registry/1.2/harbor-registryctl:1.2.0

  • private-registry/harbor-trivy-adapter:1.1.2 ➡ private-registry/1.2/harbor-trivy-adapter:1.2.0

Helm chart updates:

  • The chart for version 1.2.x will be located at oci://registry.suse.com/private-registry/1.2/private-registry-helm

  • Makes health probe timeoutSeconds and failureThreshold configurable via values.

  • Fixes extra environment variables for the exporter.

  • Installs PodDisruptionBudget resources when the replica count is greater than one.

Upgrade notes:

  • No breaking changes in this release.

2 Release 1.1.2

Security Updates:

  • CVE-2026-4404: Use of hard-coded credentials allows attackers to use the default password to gain access to the Web UI if the password was not set during installation or upgrade.

If HARBOR_ADMIN_PASSWORD is not set during installation or upgrade, it is now generated randomly and stored in a Kubernetes secret. This change mitigates the risk of using a default password and enhances the security of the installation.

Upgrade Notes:

No breaking changes in this release.

3 Release 1.1.1

Security Updates:

Container Image Updates:

  • private-registry/harbor-core:1.1.0 ➡ private-registry/harbor-core:1.1.1

  • private-registry/harbor-exporter:1.1.0 ➡ private-registry/harbor-exporter:1.1.1

  • private-registry/harbor-jobservice:1.1.0 ➡ private-registry/harbor-jobservice:1.1.1

  • private-registry/harbor-portal:1.1.0 ➡ private-registry/harbor-portal:1.1.1

  • private-registry/harbor-registry:1.1.0 ➡ private-registry/harbor-registry:1.1.1

  • private-registry/harbor-registryctl:1.1.0 ➡ private-registry/harbor-registryctl:1.1.1

  • private-registry/harbor-trivy-adapter:1.1.0 ➡ private-registry/harbor-trivy-adapter:1.1.1

Upgrade Notes:

No breaking changes in this release.

4 Release 1.1.0

Security Updates:

Container Image Updates:

  • Updates the base image from bci/bci-micro:15.6 to bci/bci-micro:15.7

  • Updated images:

    • private-registry/harbor-valkey:8.0.6 ➡ suse/valkey:8.0.6

    • private-registry/harbor-db:2.13.2 (postgres 17) ➡ suse/postgres:17.6

    • private-registry/harbor-nginx:1.21 ➡ suse/nginx:1.21

Upgrade Notes:

Images are now tagged with the SUSE Private Registry version instead of the corresponding Harbor version. The change in image versioning scheme is handled by Helm when upgrading the installation using the chart:

  • private-registry/harbor-core:1.1.0

  • private-registry/harbor-exporter:1.1.0

  • private-registry/harbor-jobservice:1.1.0

  • private-registry/harbor-portal:1.1.0

  • private-registry/harbor-registry:1.1.0

  • private-registry/harbor-registryctl:1.1.0

No breaking changes in this release.

5 Release 1.0.1

Security updates:

  • CVE-2025-55198: Helm may panic due to incorrect YAML content.

  • CVE-2025-55199: Helm charts with specific JSON schema values can cause memory exhaustion.

  • CVE-2025-54410: In Moby versions before 25.0.13, when the firewall reloads, Docker fails to re-create the iptables rules that isolate bridge networks. This allows any container to access all ports on any other container across different bridge networks on the same host and breaks network segmentation in multi-tenant environments (only --internal networks remain protected).

  • CVE-2025-29923: go-redis allows potential out-of-order responses when CLIENT SETINFO times out during connection establishment.

  • CVE-2025-54388: Moby versions 28.2.0–28.3.2 fail to re-create iptables rules after a firewall reload. This exposes containers with localhost-published ports (e.g., 127.0.0.1:8080) to remote access via the Docker bridge, while unpublished ports remain protected; fixed in version 28.3.3.

  • GHSA-2464-8j7c-4cjm: go-viper's mapstructure may leak sensitive information in logs when processing malformed data.

  • CVE-2025-8959: HashiCorp go-getter is vulnerable to arbitrary read through a symlink attack.

  • CVE-2025-58058: github.com/ulikunitz/xz leaks memory when decoding corrupted multiple LZMA archives.

  • CVE-2025-53547: Helm chart dependency updating with malicious Chart.yaml content and symlink can lead to code execution.

Bugs fixed:

  • Trivy: the correct version is shown when calling trivy version.

Container image updates:

  • Valkey updated from 8.0.2 to 8.0.6.

Upgrade notes:

  • No breaking changes in this release.

6 Release 1.0

Key features:

  • SUSE Private Registry is based on Harbor 2.13.2

    • Integration with Model Spec for first-class handling of AI models

    • Enhanced audit logging

  • Predictable release cycle aligned with SUSE Rancher Prime. SUSE Private Registry will be updated every 4 months

  • Each release is supported by SUSE for 18 months from the date of release

    • 6 months of security and bug fix maintenance, followed by

    • 12 months of security-only maintenance

  • Can be used to mirror SUSE Application Collection

  • Supports SUSE Security as an external scanner

SUSE Private Registry includes all the features of Harbor:

  • On-premises private container image and OCI artifact registry

  • Web interface for administration

  • Role-based Access Control

  • Fine-grained project configuration for image and artifact storage

  • Mirroring and pull-through caching of upstream registries' artifacts

  • Image retention and garbage collection controls

  • Scanning images for security vulnerabilities with the Trivy scanner

  • Generate SBOMs for stored images

  • Content trust with Cosign (Notary is not included)