osbuild-composer-101-3.el8_10.ML.1
Errata ID: AXSA:2025-9957:03
Release date:
2025/05/22 Thursday - 14:53
Title:
osbuild-composer-101-3.el8_10.ML.1
Affected channels:
Asianux Server 8 for x86_64
Severity:
High
Description:
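The following issue has been addressed.
[Security Fix]
- The parse.ParseUnverified() function in golang-jwt splits its
argument on period characters without any limit, so a remote
attacker can cause a denial of service through the processing of
an Authorization header crafted so that Bearer is followed by
many period characters.
(CVE-2025-30204)
Solution:
Update the packages.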
CVE:
CVE-2025-30204
golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.
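An added Go example (not code from osbuild-composer or golang-jwt) of a pre-parse guard for the condition described above: it rejects a Bearer value that does not have exactly two periods before any JWT parser splits it. The names bearerToken and splitSegments and the maxTokenLen limit are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// maxTokenLen is an assumed upper bound for a compact JWT; tune per deployment.
const maxTokenLen = 8192

var errMalformed = errors.New("malformed bearer token")

// bearerToken extracts the token from an Authorization header value and
// rejects anything not shaped like a compact JWS (three segments, two
// periods). strings.Count scans the string without allocating, unlike an
// unbounded strings.Split.
func bearerToken(header string) (string, error) {
	const prefix = "Bearer "
	if !strings.HasPrefix(header, prefix) {
		return "", errMalformed
	}
	tok := strings.TrimPrefix(header, prefix)
	if len(tok) == 0 || len(tok) > maxTokenLen {
		return "", errMalformed
	}
	if strings.Count(tok, ".") != 2 {
		return "", errMalformed
	}
	return tok, nil
}

// splitSegments returns how many elements an unbounded split yields: one
// 16-byte string header (on 64-bit) per period, the O(n) cost in the CVE text.
func splitSegments(s string) int {
	return len(strings.Split(s, "."))
}

func main() {
	// Constructed inputs, not taken from the advisory.
	hostile := "Bearer " + strings.Repeat(".", 4096)
	_, err := bearerToken(hostile)
	fmt.Println(err)
	tok, _ := bearerToken("Bearer aaa.bbb.ccc")
	fmt.Println(tok)
	fmt.Println(splitSegments(strings.Repeat(".", 4096)))
}
```

A guard like this is defence in depth for services that cannot be updated immediately; the fix itself is the package update listed in this advisory.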
Additional information:
N/A
Download:
SRPMS
- osbuild-composer-101-3.el8_10.ML.1.src.rpm
MD5: 14107684c70e604d1eb784f62b7d33ab
SHA-256: e5b697c751c4089211f069d5f4f71f3297b9c7b341ac4a993daf0611a4d5c421
Size: 130.10 MB
Asianux Server 8 for x86_64
- osbuild-composer-101-3.el8_10.ML.1.x86_64.rpm
MD5: 141ad70e86d7bb5c56bd89701b21a627
SHA-256: 8338af6a7005776f49dcc7e3de0e25b496917104a6939ba423df27e5257d4e2e
Size: 23.07 kB
- osbuild-composer-core-101-3.el8_10.ML.1.x86_64.rpm
MD5: 7eb44792781ba55cfdd438b16bfc564d
SHA-256: 4a4bcb9cb0ad5364981d496aa2992babde640a8b0ba3554f5ba24e26d052e538
Size: 10.72 MB
- osbuild-composer-worker-101-3.el8_10.ML.1.x86_64.rpm
MD5: 363f63cfeec86807d4290b62aa6affba
SHA-256: eadc9ead977f43c74feca2f4767e42d8c79ee8ac3e703e8334a7470d255ebf0c
Size: 18.92 MB