podman-4.9.4-4.el9_4
Errata ID: AXSA:2024-8285:05
Release date:
2024/06/17 Monday - 15:40
Title:
podman-4.9.4-4.el9_4
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
Moderate
Description:
The following issues have been addressed.
[Security Fix]
- The ParseMultipartForm() function in Go's net/http package does not apply the memory size limit enforced for parsing the whole form to the parsing of each individual form line, which allows remote attackers to cause a denial of service (memory exhaustion) via crafted input containing very long lines. (CVE-2023-45290)
- The JSON Web Encryption decryption interfaces in jose allow remote attackers to cause a denial of service (CPU and memory exhaustion) via crafted JSON Web Encryption data. (CVE-2024-28176)
- The Decrypt() and DecryptMulti() functions in jose allow remote attackers to cause a denial of service (CPU and memory exhaustion) by sending JWE-format data that contains crafted compressed data. (CVE-2024-28180)
Solution:
Update the packages.
CVE:
CVE-2023-45290
When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.
CVE-2024-28176
jose is a JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. Under certain conditions it is possible to have the user's environment consume an unreasonable amount of CPU time or memory during JWE Decryption operations. This issue has been patched in versions 2.0.7 and 4.15.5.
CVE-2024-28180
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.
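The size bound described for CVE-2024-28180 (reject plaintext larger than 250kB or 10x the compressed size, whichever is larger), shown as an added Go example that is not part of this advisory or of the jose library: BoundedInflate applies that rule to raw DEFLATE data, the "DEF" zip algorithm JWE uses, so a decompression bomb is cut off at the limit instead of being fully expanded. The 250,000-byte reading of "250kB", the function names and the sample inputs are assumptions.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// Assumed floor mirroring the fix described for CVE-2024-28180: decompressed plaintext may
// not exceed the larger of 250 kB (taken here as 250,000 bytes) or 10x the compressed size.
const plaintextFloor int64 = 250_000

var ErrDecompressionBomb = errors.New("decompressed JWE plaintext exceeds allowed size")

// BoundedInflate inflates raw DEFLATE data (the "DEF" zip algorithm JWE uses) but reads at
// most limit+1 bytes, so a decompression bomb never occupies more memory than that.
func BoundedInflate(compressed []byte) ([]byte, error) {
	limit := int64(len(compressed)) * 10
	if limit < plaintextFloor {
		limit = plaintextFloor
	}
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	out, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > limit {
		return nil, ErrDecompressionBomb
	}
	return out, nil
}

// Deflate compresses data with raw DEFLATE; used here only to build constructed inputs.
func Deflate(data []byte) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(data)
	w.Close()
	return buf.Bytes()
}

func main() {
	// Constructed inputs: a short message, then a 2 MiB run of zeros (a classic bomb shape).
	small, err := BoundedInflate(Deflate([]byte("hello jwe")))
	_, bombErr := BoundedInflate(Deflate(bytes.Repeat([]byte{0}, 2<<20)))
	fmt.Println(string(small), err, errors.Is(bombErr, ErrDecompressionBomb)) // hello jwe <nil> true
}
```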
Additional information:
N/A
Downloads:
SRPMS
- podman-4.9.4-4.el9_4.src.rpm
MD5: 335c7b479e8fe343e99fda83c4f609ae
SHA-256: 7dbdd6cb163423ba143d264e85039ef9c4b4f054ee8e9e2c17947bbf34819bab
Size: 22.75 MB
Asianux Server 9 for x86_64
- podman-4.9.4-4.el9_4.x86_64.rpm
MD5: 42c379c1fdd189cc87efa90c4aec7b1d
SHA-256: 39ad74e6c5a85b0a889c70dfec13d0fd715d068ef8707f335c3353987876f97e
Size: 15.54 MB
- podman-docker-4.9.4-4.el9_4.noarch.rpm
MD5: 7cf2a71b5f16d3079ca15d2cc90b5633
SHA-256: adc8c46811300e99a4e9805cea8a23051e5bad93ea378bff32227025c59e708a
Size: 106.25 kB
- podman-plugins-4.9.4-4.el9_4.x86_64.rpm
MD5: c3ef93409eca313cc4f341589690437b
SHA-256: cec8318064d73d1a523531d2aad3af263440f4be6b379b459c015aac8323fbe9
Size: 1.28 MB
- podman-remote-4.9.4-4.el9_4.x86_64.rpm
MD5: 544e5068cb00bd456d0f54e3648fee9c
SHA-256: ac82b18d30dea79c4b95bee616ad1bbf0ddba0ca349d2b637b305d01419bf7c9
Size: 10.23 MB
- podman-tests-4.9.4-4.el9_4.x86_64.rpm
MD5: 15ffeb76a64fa2574c8ec4e1a921b3b6
SHA-256: 82316d747f8f0f0d7fb30384581124bb512d9873a80a60abda7e3f3cedb7ec11
Size: 209.85 kB