podman-4.9.4-0.1.el9
エラータID: AXSA:2024-7787:03
リリース日:
2024/05/29 Wednesday - 19:59
題名:
podman-4.9.4-0.1.el9
影響のあるチャネル:
MIRACLE LINUX 9 for x86_64
Severity:
Moderate
Description:
以下項目について対処しました。
[Security Fix]
- Go の net/http エンコーディングリーダーのチャンク拡張
機能の処理には、最大 1 GiByte の本文のよりも大きいデータ
の読み取りを許容してしまう問題があるため、リモートの
攻撃者により、細工された大量のデータの送信を介して、
サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2023-39326)
- Go の crypto/tls ライブラリには、RSA を利用した TLS キー
交換処理の処理時間が一定にならない math/big ライブラリが
使用されている問題があるため、リモートの攻撃者により、
タイミングサイドチャネル攻撃を可能とする脆弱性が存在
します。(CVE-2023-45287)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2023-39326
A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.
A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.
CVE-2023-45287
Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels.
Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels.
追加情報:
N/A
ダウンロード:
SRPMS
- podman-4.9.4-0.1.el9.src.rpm
MD5: 329076186138b530869ca63a2059751c
SHA-256: 80af074596a620ddef0a732f2718dd1994499372d663785d08a831cdeefd4ff2
Size: 22.70 MB
Asianux Server 9 for x86_64
- podman-4.9.4-0.1.el9.x86_64.rpm
MD5: 7e6ed51b9e9adc10f7de370d5e105c52
SHA-256: 7434deb457d7bf7b7260b345746eaa86eb3975a681b564ef2c9ad50fe05d8a21
Size: 15.55 MB - podman-docker-4.9.4-0.1.el9.noarch.rpm
MD5: f7b4f9c9d3479dc24f82c9dbd8ebbcda
SHA-256: 1f5e811441163a6cee6526cfd5d5f39059d13d5c9bd34fe43d933bf00f7491d8
Size: 106.09 kB - podman-plugins-4.9.4-0.1.el9.x86_64.rpm
MD5: 53993363d6d2399bf2924910e76dcea5
SHA-256: f936fd7992a179c96d7e5a07f1f4e1466cc36e6c253d3363acf42ce5148b238c
Size: 1.28 MB - podman-remote-4.9.4-0.1.el9.x86_64.rpm
MD5: 793a5daa1e156ec605f1ac3821cf1eb9
SHA-256: eb42de5c5a15fe71aed4561bed36dc93f6ca6b8a40e6cbb8d70c4771f1ab9614
Size: 10.23 MB - podman-tests-4.9.4-0.1.el9.x86_64.rpm
MD5: 808828d3d8ced17858feba5b4708bd6a
SHA-256: e5de0db51e79bca986cb3c55bd2bf860253e6157ed4c9fe19b9b2327dc8fbc07
Size: 209.37 kB
English