podman-5.4.0-9.el9_6
エラータID: AXSA:2025-10465:05
リリース日:
2025/07/14 Monday - 21:42
題名:
podman-5.4.0-9.el9_6
影響のあるチャネル:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- Go の golang.org/x/crypto/ssh パッケージには、意図せずリソース
を消費してしまう問題があるため、リモートの攻撃者により、キー交換
を意図的に遅くする、もしくは意図的に実施しないクライアントからの
通信を介して、サービス拒否攻撃 (リソースの枯渇) を可能とする脆弱性
が存在します。(CVE-2025-22869)
- Go の JOSE モジュールには、意図しない量のメモリを消費してしまう
問題があるため、リモートの攻撃者により、細工された JSON Web
Signature (JWS) 形式のデータ、もしくは JSON Web Encryption (JWE)
形式のデータの解析を介して、サービス拒否攻撃 (メモリ枯渇) を可能
とする脆弱性が存在します。(CVE-2025-27144)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2025-22869
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
CVE-2025-27144
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.
追加情報:
N/A
ダウンロード:
SRPMS
- podman-5.4.0-9.el9_6.src.rpm
MD5: 8d3abd1f6a80c89e14bac774e47c21f1
SHA-256: 0b82bfa289b77688fafa9c2556e60a233449576b93fe874516e2badf481bfe7f
Size: 26.25 MB
Asianux Server 9 for x86_64
- podman-5.4.0-9.el9_6.x86_64.rpm
MD5: 24f32036e85209f6629ef00edb54b995
SHA-256: 331f1f63fdeef772f7b522a4ab55be5baea771597d060433395933bdd9e4e0d1
Size: 16.77 MB - podman-docker-5.4.0-9.el9_6.noarch.rpm
MD5: f93d490f093d12441a3e60b0b649f838
SHA-256: 7e66f2ed21d65c0eeebc9bfb65c74ba85c7dd2c85eacafc8c9fa45a638ab5a37
Size: 108.62 kB - podman-plugins-5.4.0-9.el9_6.x86_64.rpm
MD5: 9ad5f32c56c3d5fd48dcd9af5c10fb7d
SHA-256: 1d38efb59d458525d7b4d5d27d40c6dbd63b8d14eb33197adc0dc2fbc1754ccc
Size: 1.39 MB - podman-remote-5.4.0-9.el9_6.x86_64.rpm
MD5: f465234d6fc520b7d357078df0845647
SHA-256: 5db503a6f045883bfb38c4d63655b81163bb8c191c6958b4cc6a5713c2203e7a
Size: 10.97 MB - podman-tests-5.4.0-9.el9_6.x86_64.rpm
MD5: 21920589ed0b59a88c65fd7f9eee4d90
SHA-256: 51218694401640ce83b3f74e45602057a8089298d0414abbd4b4c00fc2889a7a
Size: 12.14 MB
English