skopeo-1.16.1-1.el9
エラータID: AXSA:2024-9102:06
The skopeo command lets you inspect images from container image registries, get images and image layers, and use signatures to create and verify files.
Security Fix(es):
* containers/image: digest type does not guarantee valid type (CVE-2024-3727)
* golang: net: malformed DNS message can cause infinite loop (CVE-2024-24788)
* go-retryable[http:](http:) url might write sensitive information to log file (CVE-2024-6104)
* net/[http:](http:) Denial of service due to improper 100-continue handling in net/http (CVE-2024-24791)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the MIRACLE LINUX 9.5 Release Notes linked from the References section.
CVE-2024-24788
A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.
CVE-2024-24791
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.
CVE-2024-3727
A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.
CVE-2024-6104
go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.
Update packages.
A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.
A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.
go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.
N/A
SRPMS
- skopeo-1.16.1-1.el9.src.rpm
MD5: 028a6fa30144eca70a9a7b560aa033b8
SHA-256: b7afbe5f8471d8d45f54f81c891b2090a6c4e079c4ab71fe80feae2bee499f09
Size: 9.91 MB
Asianux Server 9 for x86_64
- skopeo-1.16.1-1.el9.x86_64.rpm
MD5: e23b6e40be1541ad59346f46d4e3f9ee
SHA-256: 9c4fa712ba8e551b279811e7660256818a5b863f3aebe2c98b47a1da3a7c400e
Size: 8.78 MB - skopeo-tests-1.16.1-1.el9.x86_64.rpm
MD5: f035fa9490f85932ab73a2129d12099a
SHA-256: c880de1d880fab86c24cfe2061deab868251609b95de67be2a34d233d1dc6b0b
Size: 764.32 kB
日本語