buildah-1.33.7-2.el9_4
Errata ID: AXSA:2024-8286:05
Release date:
2024/06/17 Monday - 15:43
Title:
buildah-1.33.7-2.el9_4
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
Moderate
Description:
The following issues have been addressed.
[Security Fix]
- In the ParseMultipartForm() function of Go's net/http package, the limit on the total size of a parsed form is not applied to the memory consumed while reading a single form line. A remote attacker can therefore cause a denial of service (memory exhaustion) via crafted input containing very long lines. (CVE-2023-45290)
- The JSON Web Encryption decryption interfaces of jose allow a remote attacker to cause a denial of service (CPU and memory exhaustion) via crafted JSON Web Encryption data. (CVE-2024-28176)
- The Decrypt() and DecryptMulti() functions of jose allow a remote attacker to cause a denial of service (CPU and memory exhaustion) by sending JWE data containing crafted compressed content. (CVE-2024-28180)
Solution:
Update the package.
CVE:
CVE-2023-45290
When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.
CVE-2024-28176
jose is a JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. Under certain conditions it is possible to have the user's environment consume an unreasonable amount of CPU time or memory during JWE decryption operations. This issue has been patched in versions 2.0.7 and 4.15.5.
CVE-2024-28180
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.
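The size bound described for CVE-2024-28180 above, as an added example in Go (it is not go-jose's own code and not part of this advisory): a bounded DEFLATE inflate, the "zip":"DEF" step of JWE decryption, that refuses output larger than 250kB or 10x the compressed size, whichever is larger, without first buffering the whole expansion. The constant 250*1024 bytes, the function names and the sample inputs (a small claim set and a 16 MiB zero-filled decompression bomb) are constructed assumptions for illustration.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// Bound taken from the CVE-2024-28180 fix description: reject decompressed
// output larger than 250kB or 10x the compressed size, whichever is larger.
// Assumption: "250kB" is taken here as 250*1024 bytes.
const (
	minDecompressLimit   = 250 * 1024
	decompressRatioLimit = 10
)

var ErrDecompressBomb = errors.New("jwe: decompressed payload exceeds size bound")

// maxDecompressedSize returns the largest decompressed size permitted for a
// compressed payload of compressedLen bytes.
func maxDecompressedSize(compressedLen int) int {
	limit := compressedLen * decompressRatioLimit
	if limit < minDecompressLimit {
		limit = minDecompressLimit
	}
	return limit
}

// boundedInflate inflates raw DEFLATE data without ever buffering more than
// limit+1 bytes: the extra byte is how an over-size stream is detected, so a
// bomb is rejected after at most limit+1 bytes of output, not after full expansion.
func boundedInflate(compressed []byte) ([]byte, error) {
	limit := maxDecompressedSize(len(compressed))
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	out, err := io.ReadAll(io.LimitReader(r, int64(limit)+1))
	if err != nil {
		return nil, err
	}
	if len(out) > limit {
		return nil, ErrDecompressBomb
	}
	return out, nil
}

// deflate is the sender-side compressor used to build the sample payloads.
func deflate(data []byte) []byte {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		panic(err)
	}
	if _, err := w.Write(data); err != nil {
		panic(err)
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	// Constructed inputs: a realistic small JWT claim set, and a
	// decompression bomb built from 16 MiB of zero bytes.
	claims := []byte(`{"sub":"alice","aud":"example","exp":1700000000}`)
	bomb := bytes.Repeat([]byte{0}, 16<<20)

	for name, payload := range map[string][]byte{"claims": deflate(claims), "bomb": deflate(bomb)} {
		fmt.Printf("%-6s compressed=%d bytes limit=%d -> ", name, len(payload), maxDecompressedSize(len(payload)))
		out, err := boundedInflate(payload)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("accepted, %d bytes\n", len(out))
	}
}
```

The ratio term matters as much as the floor: a legitimate large compressed payload is still allowed to expand to 10x its own size, while a few kilobytes of zeros, which DEFLATE expands by roughly 1000:1, is cut off at the 250kB floor after reading only that much output.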
Additional information:
N/A
Download:
SRPMS
- buildah-1.33.7-2.el9_4.src.rpm
MD5: 373e18b7b1a3065734051a6249514a75
SHA-256: 3a052d6d6458ed9a1d1a32795b2bbd3b9711da7a7b7f65004981c2b308490b66
Size: 17.46 MB
Asianux Server 9 for x86_64
- buildah-1.33.7-2.el9_4.x86_64.rpm
MD5: c2c30ac4fe3649cc2c6e49ff0477682c
SHA-256: 105e0526ed5cb70ab9e3957dcf23af2b71c29d3b0cf8dc5606c1333d3077b89f
Size: 9.42 MB
- buildah-tests-1.33.7-2.el9_4.x86_64.rpm
MD5: f48c99941b9eae769518d9739817f2e9
SHA-256: 3b1084b392d3815d2125640c7363d1695228a8713ea1130609870368d1cbb910
Size: 30.29 MB