podman-4.9.4-10.el9_4
Errata ID: AXSA:2024-8754:08
Release date:
2024/09/04 Wednesday - 16:15
Title:
podman-4.9.4-10.el9_4
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- The Certificate.Verify() function in Go's crypto/x509 package mishandles verification of a certificate chain that contains a certificate with an unknown public key algorithm, allowing a remote attacker to cause a denial of service by having a crafted certificate verified. (CVE-2024-24783)
- The schema.Decoder.Decode() function in gorilla/schema allocates unintended amounts of memory when its sparse slice feature processes data for a struct with a field of type []struct{...}, allowing a remote attacker to cause a denial of service (memory exhaustion). (CVE-2024-37298)
- go-retryablehttp lacks URL sanitization, allowing a local attacker to obtain sensitive information from URLs written to its log file. (CVE-2024-6104)
Solution:
Update the packages.
CVE:
CVE-2024-24783
Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.
CVE-2024-37298
gorilla/schema converts structs to and from form values. Prior to version 1.4.1, running `schema.Decoder.Decode()` on a struct that has a field of type `[]struct{...}` opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality. Any use of `schema.Decoder.Decode()` on a struct with arrays of other structs could be vulnerable to this memory exhaustion vulnerability. Version 1.4.1 contains a patch for the issue.
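The allocation pattern behind CVE-2024-37298 is easier to see in code than in prose: a form key names a slice index, and a decoder that grows the slice to whatever index the client asks for lets one request dictate the allocation size. The following Go program is an added example written for this advisory; it is not gorilla/schema's code. It implements a deliberately minimal decoder for keys of the constructed shape `items.<N>.name`, first in the unbounded form the advisory describes, then in a bounded form that refuses indices above a cap (`maxSliceIndex`, an assumed value; upstream 1.4.1 bounds the slice size in its own way, which this page does not detail).

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Item stands in for the element type of the []struct{...} field named in
// the advisory (assumption for this example).
type Item struct {
	Name string
}

// ErrIndexTooLarge is returned by the bounded decoder for hostile indices.
var ErrIndexTooLarge = errors.New("slice index exceeds configured limit")

// maxSliceIndex is the cap used by the bounded decoder (assumed value).
const maxSliceIndex = 1024

// parseKey extracts N from a key of the shape "items.<N>.name". Only this
// one shape is handled; it is enough to show the allocation behaviour.
func parseKey(key string) (int, error) {
	parts := strings.Split(key, ".")
	if len(parts) != 3 || parts[0] != "items" || parts[2] != "name" {
		return 0, fmt.Errorf("unsupported key %q", key)
	}
	idx, err := strconv.Atoi(parts[1])
	if err != nil || idx < 0 {
		return 0, fmt.Errorf("bad index in key %q", key)
	}
	return idx, nil
}

// growTo returns items extended so that idx is a valid position. This is the
// allocation an attacker controls through the index in the form key.
func growTo(items []Item, idx int) []Item {
	if idx < len(items) {
		return items
	}
	grown := make([]Item, idx+1)
	copy(grown, items)
	return grown
}

// decodeSparseUnbounded mirrors the pre-1.4.1 behaviour: the slice is grown
// to whatever index the client names, so "items.1000000000.name" alone would
// force an allocation of a billion elements.
func decodeSparseUnbounded(form map[string]string) ([]Item, error) {
	var items []Item
	for key, val := range form {
		idx, err := parseKey(key)
		if err != nil {
			return nil, err
		}
		items = growTo(items, idx)
		items[idx].Name = val
	}
	return items, nil
}

// decodeSparseBounded checks the index against the cap before any allocation
// happens, so client-chosen indices cannot drive memory use.
func decodeSparseBounded(form map[string]string) ([]Item, error) {
	var items []Item
	for key, val := range form {
		idx, err := parseKey(key)
		if err != nil {
			return nil, err
		}
		if idx > maxSliceIndex {
			return nil, fmt.Errorf("%w: %d > %d", ErrIndexTooLarge, idx, maxSliceIndex)
		}
		items = growTo(items, idx)
		items[idx].Name = val
	}
	return items, nil
}

func main() {
	// Constructed payload: two ordinary entries plus one hostile index. The
	// hostile index is kept modest here so the demo itself stays cheap.
	hostile := map[string]string{
		"items.0.name":      "a",
		"items.1.name":      "b",
		"items.100000.name": "c",
	}
	items, err := decodeSparseUnbounded(hostile)
	fmt.Printf("unbounded: allocated %d elements, err=%v\n", len(items), err)
	_, err = decodeSparseBounded(hostile)
	fmt.Printf("bounded: err=%v\n", err)
}
```

The point to take from the two decoders is where the check sits: the bounded version rejects the index before `growTo` runs, because a limit applied after allocation would not help. Applications that decode untrusted form data into slices of structs should also check what upper bound their decoder version applies rather than relying on the default.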
CVE-2024-6104
go-retryablehttp prior to 0.7.7 did not sanitize URLs when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.
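The leak in CVE-2024-6104 comes from logging a request URL verbatim: a URL of the form `https://user:password@host/path` carries the basic auth password in its userinfo, and `url.URL.String()` renders it. The following Go program is an added example for this advisory, not go-retryablehttp's own code. It shows the unsafe log line beside two safer renderings: the standard library's `Redacted()` (which masks the password), and a stricter `sanitizeForLog` that also drops the username and masks query parameters with credential-like names (that key list, the host name and the `[DEBUG]` line format are assumptions for the example). `leaksPassword` is the check a unit test in the client would make.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// logLineUnsafe renders the request the way a client logging u.String()
// would: the password in the URL's userinfo ends up in the log file.
func logLineUnsafe(method string, u *url.URL) string {
	return fmt.Sprintf("[DEBUG] %s %s", method, u.String())
}

// logLineRedacted uses net/url's Redacted(), which replaces a non-empty
// password with "xxxxx" and leaves scheme, host, path and query intact.
func logLineRedacted(method string, u *url.URL) string {
	return fmt.Sprintf("[DEBUG] %s %s", method, u.Redacted())
}

// sensitiveQueryKeys lists query parameter names treated as secrets.
// The list is an assumption for this example, not a standard.
var sensitiveQueryKeys = map[string]bool{
	"token":        true,
	"access_token": true,
	"api_key":      true,
	"sig":          true,
}

// sanitizeForLog returns a copy of u safe to write to a log: userinfo is
// removed entirely and sensitive query values are masked. The caller's
// URL is not modified.
func sanitizeForLog(u *url.URL) string {
	c := *u // shallow copy; only fields of the copy are changed below
	c.User = nil
	q := c.Query()
	for k := range q {
		if sensitiveQueryKeys[strings.ToLower(k)] {
			q.Set(k, "REDACTED")
		}
	}
	c.RawQuery = q.Encode()
	return c.String()
}

// leaksPassword reports whether a rendered log line still contains the
// plaintext password carried in u's userinfo.
func leaksPassword(line string, u *url.URL) bool {
	if u.User == nil {
		return false
	}
	pw, ok := u.User.Password()
	return ok && pw != "" && strings.Contains(line, pw)
}

func main() {
	// Constructed request URL with basic auth credentials and a token parameter.
	u, err := url.Parse("https://alice:s3cr3t@registry.example/v2/repo?token=abc123&page=2")
	if err != nil {
		panic(err)
	}
	for _, line := range []string{logLineUnsafe("GET", u), logLineRedacted("GET", u)} {
		fmt.Printf("%-70s leaks password: %v\n", line, leaksPassword(line, u))
	}
	fmt.Println("sanitized:", sanitizeForLog(u))
}
```

`Redacted()` is the minimal fix and keeps the log line useful for debugging; it does not touch query strings, so clients that pass bearer tokens or signed URLs as parameters need the second, stricter form. Note also that `q.Encode()` sorts parameters by key, so the sanitized line may order them differently from the original request.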
Additional information:
N/A
Downloads:
SRPMS
- podman-4.9.4-10.el9_4.src.rpm
MD5: 144a38f850533ec9a5724b8975356024
SHA-256: 5d09a6dd61aabbd03fd4bd5247daeaf74b9a1e9d188b0660b42b60b8f0188f30
Size: 22.77 MB
Asianux Server 9 for x86_64
- podman-4.9.4-10.el9_4.x86_64.rpm
MD5: 49d783a1c4e9b85a51c790ec2bae7c9b
SHA-256: 4dd50c6ddd93c982e11af10c3117bace221b788c64db6519bede53a984ea5c03
Size: 15.54 MB
- podman-docker-4.9.4-10.el9_4.noarch.rpm
MD5: 51c1da9867b240325673e78f920ea30e
SHA-256: e27697b95b18fa17495cc4565e25619d8623371c3d29825a3b117233d902f0cb
Size: 105.73 kB
- podman-plugins-4.9.4-10.el9_4.x86_64.rpm
MD5: daff49442062480ca3a7ed844226c6c4
SHA-256: 476962cecc38a3a8f669d79930ffdcbf9b0e1b51cc657a485a4438f9f1a62f13
Size: 1.28 MB
- podman-remote-4.9.4-10.el9_4.x86_64.rpm
MD5: fec5a866821641c18349c5e82b6884b2
SHA-256: 37a77092d9946ae70cd25016e07cf031cbaa2aaa22a52fec9e244cd81664e660
Size: 10.22 MB
- podman-tests-4.9.4-10.el9_4.x86_64.rpm
MD5: 1ae05b606ad4815ae8dd3bd99ebd1f75
SHA-256: b2c15dad87bb41e6f2b1c7ac8c73bc8886dfcdda0c6803878d11e3815a99d2a0
Size: 209.75 kB