runc-1.1.9-2.el9_3
Errata ID: AXSA:2023-7057:04
Release date:
2023/12/21 Thursday - 06:42
Title:
runc-1.1.9-2.el9_3
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
Moderate
Description:
The following issues have been addressed.
[Security Fix]
- Go has an issue in which verifying RSA keys contained in a certificate chain consumes a large amount of CPU resources. A remote attacker can therefore cause a denial of service (CPU resource exhaustion) via a certificate crafted to contain an extremely large RSA key. (CVE-2023-29409)
- Go has a vulnerability that allows a remote attacker to cause a denial of service (crash) via an incomplete post-handshake message. (CVE-2023-39321)
- Go's QUIC protocol handling has an issue in which no upper bound is placed on the amount of data buffered from messages received after the connection is established. A remote attacker can therefore cause a denial of service (memory exhaustion). (CVE-2023-39322)
Solution:
Please update the package.
CVE:
CVE-2023-29409
Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.
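As an added example (not part of this advisory, nor code from runc or the Go project), the following Go client enforces the 8192-bit RSA bound described above on its own side, through a tls.Config VerifyPeerCertificate callback. This is useful as a check on toolchains that predate the fix, and as a way to make the bound explicit in code review. The function names, the 2048-bit self-signed certificate, and the lowered bound used to show the rejection path are all constructed for illustration; generating a key larger than 8192 bits would take minutes, so the demonstration lowers the limit instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// maxRSAKeyBits is the bound quoted in the advisory text for CVE-2023-29409.
const maxRSAKeyBits = 8192

// checkRSAKeySizes parses every raw certificate the peer presented and rejects
// the chain if any RSA public key exceeds maxBits. Non-RSA keys are ignored
// here and left to the standard chain verification.
func checkRSAKeySizes(rawCerts [][]byte, maxBits int) error {
	for i, raw := range rawCerts {
		cert, err := x509.ParseCertificate(raw)
		if err != nil {
			return fmt.Errorf("certificate %d: %w", i, err)
		}
		pub, ok := cert.PublicKey.(*rsa.PublicKey)
		if !ok {
			continue
		}
		if bits := pub.N.BitLen(); bits > maxBits {
			return fmt.Errorf("certificate %d: %d-bit RSA key exceeds the %d-bit bound", i, bits, maxBits)
		}
	}
	return nil
}

// hardenedClientConfig installs the check as a VerifyPeerCertificate callback.
// Go runs the callback after normal certificate verification, so the chain is
// accepted only if both the built-in checks and this size bound pass.
func hardenedClientConfig(serverName string) *tls.Config {
	return &tls.Config{
		ServerName: serverName,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			return checkRSAKeySizes(rawCerts, maxRSAKeyBits)
		},
	}
}

// selfSignedDER wraps a key in a throwaway self-signed certificate (constructed
// test data) so the check can be exercised offline without a live peer.
func selfSignedDER(priv interface{}, pub interface{}) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

func main() {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	rsaDER, err := selfSignedDER(rsaKey, &rsaKey.PublicKey)
	if err != nil {
		panic(err)
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	ecDER, err := selfSignedDER(ecKey, &ecKey.PublicKey)
	if err != nil {
		panic(err)
	}

	// A 2048-bit key is well under the 8192-bit bound.
	fmt.Println("2048-bit RSA, bound 8192:", checkRSAKeySizes([][]byte{rsaDER}, maxRSAKeyBits))
	// Lowering the bound exercises the rejection path without generating a huge key.
	fmt.Println("2048-bit RSA, bound 1024:", checkRSAKeySizes([][]byte{rsaDER}, 1024))
	// ECDSA keys are not subject to the RSA bound.
	fmt.Println("P-256 ECDSA, bound 1024:", checkRSAKeySizes([][]byte{ecDER}, 1024))

	cfg := hardenedClientConfig("example.test")
	fmt.Println("callback installed:", cfg.VerifyPeerCertificate != nil)
}
```

The callback sees the raw DER of every certificate the peer sent, including intermediates, which is the set the advisory is concerned with: a single oversized key anywhere in the chain is enough to burn CPU during signature verification, so the check walks the whole chain rather than only the leaf.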
CVE-2023-39321
Processing an incomplete post-handshake message for a QUIC connection can cause a panic.
CVE-2023-39322
QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With fix, connections now consistently reject messages larger than 65KiB in size.
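As an added example covering both CVE-2023-39321 and CVE-2023-39322 above (it is not code from this advisory, runc or the Go project), the following Go type shows the two properties the fixes describe in one place: a post-handshake buffer with a hard cap, so that a peer can never make it grow without bound, and a message reader that treats an incomplete message as "wait for more data" rather than indexing past the end. The 1-byte type plus 3-byte big-endian length framing is the standard TLS handshake message header; the buffer type, its method names, the 65 * 1024 value chosen for the "65KiB" bound, and the sample fragments are all constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// maxHandshakeMessageBytes models the "65KiB" bound quoted in the advisory for
// CVE-2023-39322. The exact constant Go uses is not stated in the advisory, so
// 65 * 1024 is an assumed value.
const maxHandshakeMessageBytes = 65 * 1024

// ErrHandshakeTooLarge is returned when buffered or declared data would exceed the bound.
var ErrHandshakeTooLarge = errors.New("post-handshake message exceeds size bound")

// handshakeMsg is one complete TLS handshake message: a 1-byte type followed
// by a 3-byte big-endian length and the body.
type handshakeMsg struct {
	Type byte
	Body []byte
}

// handshakeBuffer accumulates post-handshake bytes under a hard cap, so a peer
// that never completes a message cannot make the buffer grow without bound.
type handshakeBuffer struct {
	limit int
	buf   []byte
}

func newHandshakeBuffer(limit int) *handshakeBuffer {
	return &handshakeBuffer{limit: limit}
}

// Feed appends a fragment, rejecting it before any allocation if the total
// buffered data would exceed the limit.
func (h *handshakeBuffer) Feed(fragment []byte) error {
	if len(h.buf)+len(fragment) > h.limit {
		return ErrHandshakeTooLarge
	}
	h.buf = append(h.buf, fragment...)
	return nil
}

// Next returns the next complete message, or (nil, nil) while the buffered
// data is still incomplete. An incomplete header or body is left waiting and
// never sliced past its end; a declared length that could never fit under the
// limit is rejected immediately instead of being waited for.
func (h *handshakeBuffer) Next() (*handshakeMsg, error) {
	const headerLen = 4
	if len(h.buf) < headerLen {
		return nil, nil
	}
	n := int(h.buf[1])<<16 | int(h.buf[2])<<8 | int(h.buf[3])
	if headerLen+n > h.limit {
		return nil, ErrHandshakeTooLarge
	}
	if len(h.buf) < headerLen+n {
		return nil, nil
	}
	m := &handshakeMsg{Type: h.buf[0], Body: append([]byte(nil), h.buf[headerLen:headerLen+n]...)}
	h.buf = h.buf[headerLen+n:]
	return m, nil
}

func main() {
	b := newHandshakeBuffer(maxHandshakeMessageBytes)

	// Constructed input: a type-4 message with a 3-byte body, split across two fragments.
	_ = b.Feed([]byte{4, 0, 0, 3, 'a'})
	m, err := b.Next()
	fmt.Printf("after first fragment: msg=%v err=%v\n", m, err)
	_ = b.Feed([]byte{'b', 'c'})
	m, err = b.Next()
	fmt.Printf("after second fragment: type=%d body=%q err=%v\n", m.Type, m.Body, err)

	// Constructed input: a header declaring a body far above the bound.
	_ = b.Feed([]byte{4, 0xff, 0xff, 0xff})
	_, err = b.Next()
	fmt.Println("oversized declared length:", err)
}
```

Checking the declared length against the limit in Next, not only the bytes already received in Feed, matters: without it the reader would keep accepting fragments up to the cap for a message that can never complete, which is exactly the slow memory growth the advisory describes.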
Additional information:
N/A
Download:
SRPMS
- runc-1.1.9-2.el9_3.src.rpm
MD5: 6c193e468b1d128ed05b5d4d2a2283f3
SHA-256: c29612c04d93dc6e9546b6b0f84555d3b0b6bf9476364ffeac1a173ed1016dd2
Size: 2.36 MB
Asianux Server 9 for x86_64
- runc-1.1.9-2.el9_3.x86_64.rpm
MD5: e95bb91665ba352a6a8703c38c80276e
SHA-256: c117fec73d2664254a502f4f595f2ccf8c3867a332e91f5195dbf1ebc96edd69
Size: 3.07 MB