grafana-9.2.10-21.el8_10
エラータID: AXSA:2025-9576:01
リリース日:
2025/01/24 Friday - 19:38
題名:
grafana-9.2.10-21.el8_10
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- go-git には、git-upload-pack フラグへ任意の値の設定を
許容してしまう問題があるため、リモートの攻撃者により、
データ破壊、情報の漏洩、およびサービス拒否攻撃などを
可能とする脆弱性が存在します。(CVE-2025-21613)
- go-git には、意図せずリソースを消費してしまう問題が
あるため、リモートの攻撃者により、巧妙に細工された
Git サーバーからの応答を介して、サービス拒否攻撃
(リソースの枯渇) を可能とする脆弱性が存在します。
(CVE-2025-21614)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2025-21613
go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.
go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.
CVE-2025-21614
go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.
go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.
追加情報:
N/A
ダウンロード:
SRPMS
- grafana-9.2.10-21.el8_10.src.rpm
MD5: 15795d0d710dc71b93a1f3af474a975f
SHA-256: fb6a9de8a3f4fbb0184825011c987fefe78991bd3a7ddad668e5b27a1386a104
Size: 327.50 MB
Asianux Server 8 for x86_64
- grafana-9.2.10-21.el8_10.x86_64.rpm
MD5: be914e96557f8352129d4b1367649988
SHA-256: 4ff4573d62a76e87a5e67da585dc70a2fd3b0cf1e69f53d84fe6709d011967d0
Size: 76.18 MB - grafana-selinux-9.2.10-21.el8_10.x86_64.rpm
MD5: 2715f978a9ec1a2210385b413f8d150d
SHA-256: 1b983c238d67d2d540e5351d17c686220b6fd1aa39dd0343d321705c74890f03
Size: 34.58 kB
English