osbuild-composer-132-1.el9.ML.1, osbuild-141-1.el9.ML.1
Errata ID: AXSA:2025-10326:01
Release date:
2025/07/01 Tuesday - 16:08
Title:
osbuild-composer-132-1.el9.ML.1, osbuild-141-1.el9.ML.1
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- Go's RSA encryption/decryption code has a memory leak, which allows a remote attacker to cause a denial of service (memory exhaustion). (CVE-2024-1394)
- Go's Parse() function exhausts the stack when processing a "// +build" build tag line that contains deeply nested expressions, which allows a remote attacker to cause a denial of service (panic). (CVE-2024-34158)
- Go's FIPS mode can compare hash values incorrectly because of a flaw that returns a buffer whose length is uninitialized, which allows a local attacker to bypass authentication and disclose information. (CVE-2024-9355)
Solution:
Update the packages.
CVE:
CVE-2024-1394
A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.
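The named-return pattern described for CVE-2024-1394 is easy to reproduce and measure in isolation. The following is an added example written for this advisory, not code from the advisory or from golang-fips/openssl: the handle type, the live counter and the failure points are constructed stand-ins for the EVP_PKEY and EVP_PKEY_CTX allocations, and the two functions show the leaking form ("return nil, nil, err" overwrites the named results before the deferred free runs) next to a form that keeps the named results so the deferred cleanup can free them.

```go
package main

import (
	"errors"
	"fmt"
)

// handle stands in for a C-allocated OpenSSL object (EVP_PKEY / EVP_PKEY_CTX)
// that Go must free explicitly; this is constructed instrumentation, not the
// golang-fips/openssl code itself.
type handle struct{ name string }

// live counts handles allocated and not yet freed, so a leak is measurable.
var live int

func alloc(name string) *handle {
	live++
	return &handle{name: name}
}

func free(h *handle) {
	if h != nil {
		live--
	}
}

// leakyNewCtx mirrors the pattern the advisory describes for CVE-2024-1394
// (hypothetical simplification): named results are meant to be freed by the
// deferred function on error, but every error path returns "nil, nil, err",
// which overwrites pkey and ctx with nil before the deferred function runs.
func leakyNewCtx(failAt string) (pkey, ctx *handle, err error) {
	defer func() {
		if err != nil {
			free(pkey) // pkey is already nil here: nothing is freed
			free(ctx)
		}
	}()
	pkey = alloc("pkey")
	if failAt == "ctx" {
		return nil, nil, errors.New("context initialisation failed")
	}
	ctx = alloc("ctx")
	if failAt == "props" {
		return nil, nil, errors.New("setting properties failed")
	}
	return pkey, ctx, nil
}

// fixedNewCtx keeps the named results intact on error (bare return), so the
// deferred cleanup frees the real handles and then hands nil back to the caller.
func fixedNewCtx(failAt string) (pkey, ctx *handle, err error) {
	defer func() {
		if err != nil {
			free(pkey)
			free(ctx)
			pkey, ctx = nil, nil // caller still receives nil handles on error
		}
	}()
	pkey = alloc("pkey")
	if failAt == "ctx" {
		err = errors.New("context initialisation failed")
		return
	}
	ctx = alloc("ctx")
	if failAt == "props" {
		err = errors.New("setting properties failed")
		return
	}
	return pkey, ctx, nil
}

// LeakedAfter calls newCtx with the given failure point and returns how many
// handles remain allocated afterwards (0 means no leak). On success the caller
// owns both handles and frees them, as real callers of the RSA code would.
func LeakedAfter(newCtx func(string) (*handle, *handle, error), failAt string) int {
	before := live
	pkey, ctx, err := newCtx(failAt)
	if err == nil {
		free(pkey)
		free(ctx)
	}
	return live - before
}

func main() {
	for _, failAt := range []string{"ctx", "props"} {
		fmt.Printf("failure at %-5s  leaky: %d leaked  fixed: %d leaked\n",
			failAt, LeakedAfter(leakyNewCtx, failAt), LeakedAfter(fixedNewCtx, failAt))
	}
}
```

Each failed call to the leaking form leaves one handle (when context creation fails) or two (when setting properties fails) allocated, which is how attacker-controlled inputs that repeatedly hit the error path turn into resource exhaustion; the fixed form leaks nothing on either path. A simple review check for this class of bug is to look for deferred cleanup of named results combined with explicit `return nil, ..., err` statements.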
CVE-2024-34158
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
CVE-2024-9355
A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
Additional information:
N/A
Downloads:
SRPMS
- osbuild-composer-132-1.el9.ML.1.src.rpm
MD5: 3ad129ccb03367079978c39455c99237
SHA-256: 1900600f34ec5f95b1c134d8af74a7774e65732a61214495a5485dd2755e748e
Size: 62.86 MB
- osbuild-141-1.el9.ML.1.src.rpm
MD5: d83eed45c54479b224d9cec9fbd3968d
SHA-256: 14f0dfa0165df11ed136e0ef838206c0c5775006bec99d6abb7ed95a8a9b189d
Size: 20.59 MB
Asianux Server 9 for x86_64
- osbuild-141-1.el9.ML.1.noarch.rpm
MD5: bea7f7b8def94eee224143d848a152c7
SHA-256: 7557e4b7d2ac0ef68cff1afc3e4cfed4ce2df99fd767266b5b645cf6b2c457b5
Size: 272.15 kB
- osbuild-composer-132-1.el9.ML.1.x86_64.rpm
MD5: 369f84c56990ced7277c867b82028b19
SHA-256: 0132faa971078d87b2efe090ff66810bd26ea24e2d38f182591e3bae58c9cfe7
Size: 21.76 kB
- osbuild-composer-core-132-1.el9.ML.1.x86_64.rpm
MD5: 0cd56f5b92148dbfaa517f9e30bb56d6
SHA-256: c6a34dee76d1c8edefbccfaecf484a216f588a65e495f9314e105a0871aebaa7
Size: 14.64 MB
- osbuild-composer-worker-132-1.el9.ML.1.x86_64.rpm
MD5: e70d3e10e560c1af7fbf80b98ae2ad1e
SHA-256: 11ece0fe4c47152f735d5e6742c1f684010227a01cf74c82b5b3b9c2165b735f
Size: 26.18 MB
- osbuild-depsolve-dnf-141-1.el9.ML.1.noarch.rpm
MD5: 471d99f31ff3904b00f6beb517a2ead6
SHA-256: e93e6077439f7e66d9efab047d917e1235bbccdbca9f4f8f569c5a354c8ed6f0
Size: 13.68 kB
- osbuild-luks2-141-1.el9.ML.1.noarch.rpm
MD5: 7fea54221dd4ff0ca6744e4522c6ce26
SHA-256: d24c759cfdcc5a9bde06ee4e0625934a55ed29f2801d01e351685276073469bd
Size: 15.38 kB
- osbuild-lvm2-141-1.el9.ML.1.noarch.rpm
MD5: ad7a630db0eb801011cb77a49bfa563d
SHA-256: 21d92ca189030c5c0ddcbb0faaa3a491ebe14a205de57293255c202319ce606f
Size: 15.74 kB
- osbuild-ostree-141-1.el9.ML.1.noarch.rpm
MD5: 1ef4f283ccd4815f85eba4898886b4a0
SHA-256: e6705f3d827e06280587d5857f301aa8646db85bb5b6e99f492593e71fff2100
Size: 45.37 kB
- osbuild-selinux-141-1.el9.ML.1.noarch.rpm
MD5: 24bdc81247f9f5b4b4c0db8c0802a1a0
SHA-256: 196c2f00651d48166787a367501656eb603d8abec814812989d35dd65c33fbed
Size: 28.55 kB
- python3-osbuild-141-1.el9.ML.1.noarch.rpm
MD5: a9d014be774e9e2f602480cec68f8006
SHA-256: 89eb58b7ebf43876c7a93bc9e8cadf8ee0af1faa38c294724f96881b4dfef628
Size: 285.66 kB