buildah-1.37.2-1.el9
エラータID: AXSA:2024-9390:11
リリース日:
2024/12/16 Monday - 17:50
題名:
buildah-1.37.2-1.el9
影響のあるチャネル:
MIRACLE LINUX 9 for x86_64
Severity:
Moderate
Description:
以下項目について対処しました。
[Security Fix]
- Go の net/http モジュールの HTTP/1.1 クライアント機能
には、情報レスポンス以外のステータスで応答する際の処理
に問題があるため、リモートの攻撃者により、
「Expect: 100-continue」のヘッダーが付与されるように細工
した HTTP リクエストパケットの送信を介して、サービス
拒否攻撃 (クライアント接続の無効化) を可能とする脆弱性が
存在します。(CVE-2024-24791)
- containers/image ライブラリには、認証されたレジストリ
へのアクセスを許容してしまう問題があるため、リモートの
攻撃者により、パストラバーサル攻撃、サービス拒否攻撃
(リソース枯渇)、およびその他の特定できない影響を及ぼす
攻撃を可能とする脆弱性が存在します。(CVE-2024-3727)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2024-24791
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.
CVE-2024-3727
A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.
A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.
追加情報:
N/A
ダウンロード:
SRPMS
- buildah-1.37.2-1.el9.src.rpm
MD5: 945124dfa2fb8cf1e64f4edfced93071
SHA-256: 5725994067e00bdc3c8d6694080eade939c3a3fdfb9a8fc95d712ae7066bbf81
Size: 18.12 MB
Asianux Server 9 for x86_64
- buildah-1.37.2-1.el9.x86_64.rpm
MD5: 810f9906ea19f9053939150d4f630260
SHA-256: 02f3544fda6bcdcb0a3e6eb77dc071c88929be3a0e64476857366e48ce72a12e
Size: 10.81 MB - buildah-tests-1.37.2-1.el9.x86_64.rpm
MD5: 26053eb82c2e90a73f0bda3ae929a06d
SHA-256: 7b55db5ea282865343fd09c38734d984b09d25d97043e201283dce46a29832a2
Size: 33.45 MB
English