skopeo-1.11.2-0.1.el9

エラータID: AXSA:2023-5634:02

Release date: 
Tuesday, May 30, 2023 - 02:37
Subject: 
skopeo-1.11.2-0.1.el9
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
Moderate
Description: 

The skopeo command lets you inspect images from container image registries, get
images and image layers, and use signatures to create and verify files.

Security Fix(es):

* golang: net/http: excessive memory growth in a Go server accepting HTTP/2
requests (CVE-2022-41717)
* golang: crypto/tls: session tickets lack random ticket_age_add
(CVE-2022-30629)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE-2022-30629
Non-random values for ticket_age_add in session tickets in crypto/tls before Go
1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to
correlate successive connections by comparing ticket ages during session
resumption.
CVE-2022-41717
An attacker can cause excessive memory growth in a Go server accepting HTTP/2
requests. HTTP/2 server connections contain a cache of HTTP header keys sent by
the client. While the total number of entries in this cache is capped, an
attacker sending very large keys can cause the server to allocate approximately
64 MiB per open connection.

Solution: 

Update packages.

CVEs: 
CVE-2022-30629
Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.
CVE-2022-41717
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
Additional Info: 

N/A

Download: 

SRPMS
  1. skopeo-1.11.2-0.1.el9.src.rpm
    MD5: d89ee6ae5f48c874e2af3c4ab198998d
    SHA-256: be41e79bc86766386c82b767449d0edba099886f0f1bcf4d5fccc6cd4c8669f8
    Size: 7.62 MB

Asianux Server 9 for x86_64
  1. skopeo-1.11.2-0.1.el9.x86_64.rpm
    MD5: 95c11d62a7afa0e46bca400347025ef4
    SHA-256: 110eeb7601d7fb15a542adb51b4789862332a19a4cdbd0d04f4b83f3f61a9097
    Size: 7.88 MB
  2. skopeo-tests-1.11.2-0.1.el9.x86_64.rpm
    MD5: 5dcc72b66ec1354617be8677fd5eed5b
    SHA-256: e3f68b756da2afae3993bee426ba2fb1120421333092ca0bea54137436b7badb
    Size: 766.76 kB