osbuild-composer-101-2.el8_10.ML.1
エラータID: AXSA:2024-8868:03
リリース日:
2024/10/01 Tuesday - 10:23
題名:
osbuild-composer-101-2.el8_10.ML.1
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- Go の RSA 暗号化 / 復号化の処理には、メモリリークの問題
があるため、リモートの攻撃者により、サービス拒否攻撃
(メモリ枯渇) を可能とする脆弱性が存在します。
(CVE-2024-1394)
- Go の Decoder.Decode() 関数には、深くネストされた構造
を含むメッセージを処理する際、スタック領域を枯渇させて
しまう問題があるため、リモートの攻撃者により、サービス
拒否攻撃 (パニックの発生) を可能とする脆弱性が存在します。
(CVE-2024-34156)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2024-1394
A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs​. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey​ and ctx​. That function uses named return parameters to free pkey​ and ctx​ if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey​ and ctx​ will be nil inside the deferred function that should free them.
A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs​. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey​ and ctx​. That function uses named return parameters to free pkey​ and ctx​ if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey​ and ctx​ will be nil inside the deferred function that should free them.
CVE-2024-34156
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
追加情報:
N/A
ダウンロード:
SRPMS
- osbuild-composer-101-2.el8_10.ML.1.src.rpm
MD5: aaf2544ac419775009814f6e386ceda6
SHA-256: 765c0d54bacb819f8a91ca273fb235171dc0825ce390006e7e0ccac673fb1f03
Size: 130.09 MB
Asianux Server 8 for x86_64
- osbuild-composer-101-2.el8_10.ML.1.x86_64.rpm
MD5: 3bff768f3e60da8c80fffc502715a28c
SHA-256: d23e981d5e39e37500bbeaf062b703914fff545150145a86a0229490943bcf88
Size: 22.94 kB - osbuild-composer-core-101-2.el8_10.ML.1.x86_64.rpm
MD5: 07cde431db2f9fe9291e112b70effa7d
SHA-256: f2fa4cb68d1094e342b00f399dee7d6bf5028c405000ebfba5c5862a8071429a
Size: 10.45 MB - osbuild-composer-worker-101-2.el8_10.ML.1.x86_64.rpm
MD5: 486196eb211f2d811ab67768475f1774
SHA-256: 440478185d538ac7182cb525600b4fa0d0250466afe9efb8d4e8a46630414619
Size: 18.23 MB