podman-4.9.4-4.el9_4
Errata ID: AXSA:2024-8285:05
The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods are a concept in Kubernetes.
Security Fixes:
* podman: jose-go: improper handling of highly compressed data (CVE-2024-28180)
* podman: golang: net/http: memory exhaustion in Request.ParseMultipartForm (CVE-2023-45290)
* podman: jose: resource exhaustion (CVE-2024-28176)
CVE-2023-45290
When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With the fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.
CVE-2024-28176
jose is a JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. Under certain conditions it is possible to have the user's environment consume an unreasonable amount of CPU time or memory during JWE decryption operations. This issue has been patched in versions 2.0.7 and 4.15.5.
CVE-2024-28180
Package jose aims to provide an implementation of the JavaScript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.
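The size cap described for CVE-2024-28180, as an added Go example (not part of this advisory and not go-jose's own code): a decompression routine that stops reading once the output passes the larger of 250 kB or 10x the compressed size. The names boundedInflate, maxInflated, deflate and ErrTooLarge are hypothetical; it assumes raw DEFLATE input and takes 250 kB to mean 250,000 bytes.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

var ErrTooLarge = errors.New("decompressed data exceeds limit")

// maxInflated returns the cap the advisory describes: 250 kB (assumed here to
// mean 250,000 bytes) or 10x the compressed size, whichever is larger.
func maxInflated(compressedLen int) int64 {
	if v := 10 * int64(compressedLen); v > 250_000 {
		return v
	}
	return 250_000
}

// boundedInflate inflates raw DEFLATE data but reads at most limit+1 bytes,
// so an oversized stream is rejected without being buffered in full.
func boundedInflate(compressed []byte) ([]byte, error) {
	limit := maxInflated(len(compressed))
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	var out bytes.Buffer
	if n, err := io.Copy(&out, io.LimitReader(r, limit+1)); err != nil {
		return nil, err
	} else if n > limit {
		return nil, ErrTooLarge
	}
	return out.Bytes(), nil
}

// deflate compresses constructed sample input for the demonstration.
func deflate(plain []byte) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(plain)
	w.Close()
	return buf.Bytes()
}

func main() {
	_, err := boundedInflate(deflate(bytes.Repeat([]byte{0}, 8<<20))) // constructed: 8 MiB of zeros
	fmt.Println("8 MiB of zeros:", err)
}
```

The extra byte in limit+1 is what distinguishes output that exactly fills the cap from output that exceeds it.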
Update packages.
N/A
SRPMS
- podman-4.9.4-4.el9_4.src.rpm
MD5: 335c7b479e8fe343e99fda83c4f609ae
SHA-256: 7dbdd6cb163423ba143d264e85039ef9c4b4f054ee8e9e2c17947bbf34819bab
Size: 22.75 MB
Asianux Server 9 for x86_64
- podman-4.9.4-4.el9_4.x86_64.rpm
MD5: 42c379c1fdd189cc87efa90c4aec7b1d
SHA-256: 39ad74e6c5a85b0a889c70dfec13d0fd715d068ef8707f335c3353987876f97e
Size: 15.54 MB
- podman-docker-4.9.4-4.el9_4.noarch.rpm
MD5: 7cf2a71b5f16d3079ca15d2cc90b5633
SHA-256: adc8c46811300e99a4e9805cea8a23051e5bad93ea378bff32227025c59e708a
Size: 106.25 kB
- podman-plugins-4.9.4-4.el9_4.x86_64.rpm
MD5: c3ef93409eca313cc4f341589690437b
SHA-256: cec8318064d73d1a523531d2aad3af263440f4be6b379b459c015aac8323fbe9
Size: 1.28 MB
- podman-remote-4.9.4-4.el9_4.x86_64.rpm
MD5: 544e5068cb00bd456d0f54e3648fee9c
SHA-256: ac82b18d30dea79c4b95bee616ad1bbf0ddba0ca349d2b637b305d01419bf7c9
Size: 10.23 MB
- podman-tests-4.9.4-4.el9_4.x86_64.rpm
MD5: 15ffeb76a64fa2574c8ec4e1a921b3b6
SHA-256: 82316d747f8f0f0d7fb30384581124bb512d9873a80a60abda7e3f3cedb7ec11
Size: 209.85 kB