podman-5.4.0-9.el9_6
Errata ID: AXSA:2025-10548:06
Release date:
2025/07/22 Tuesday - 18:18
Title:
podman-5.4.0-9.el9_6
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
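The following issues have been addressed.
[Security Fix]
- The golang.org/x/crypto/ssh package for Go has an unintended resource
consumption issue, which allows a remote attacker to cause a denial of
service (resource exhaustion) via communication from a client that
intentionally slows down the key exchange or intentionally never
performs it. (CVE-2025-22869)
- The JOSE module for Go has an issue in which it consumes an unintended
amount of memory, which allows a remote attacker to cause a denial of
service (memory exhaustion) via the parsing of crafted data in JSON Web
Signature (JWS) format or JSON Web Encryption (JWE) format.
(CVE-2025-27144)
Solution:
Update the packages.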
CVE:
CVE-2025-22869
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
CVE-2025-27144
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.
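The pre-validation workaround described for CVE-2025-27144, as an added Go example (not code from Go JOSE, podman, or this erratum). The helper name `PrevalidateCompact`, the error values, and the 16 KiB size limit are assumptions chosen for illustration; the expected separator counts follow from the compact serializations having three parts (JWS) and five parts (JWE).

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// maxCompactLen is an assumed upper bound for this example, not a Go JOSE value.
const maxCompactLen = 16 << 10 // 16 KiB

var (
	ErrTooLong  = errors.New("compact token exceeds size limit")
	ErrBadShape = errors.New("compact token has unexpected number of '.' separators")
)

// PrevalidateCompact (hypothetical helper) checks the shape of a compact
// JWS/JWE string before it is handed to a JOSE parser. It returns "JWS" for
// three-part input and "JWE" for five-part input.
func PrevalidateCompact(token string) (string, error) {
	if len(token) > maxCompactLen {
		return "", ErrTooLong
	}
	// strings.Count scans the input without allocating. strings.Split, by
	// contrast, builds a slice with one element per separator, which is the
	// memory cost the advisory describes.
	switch strings.Count(token, ".") {
	case 2:
		return "JWS", nil
	case 4:
		return "JWE", nil
	default:
		return "", ErrBadShape
	}
}

func main() {
	// Constructed sample inputs, not real tokens.
	samples := []string{
		"aGVhZGVy.cGF5bG9hZA.c2ln", // three parts
		"a.b.c.d.e",                // five parts
		strings.Repeat(".", 1000),  // many separators, rejected
	}
	for _, s := range samples {
		kind, err := PrevalidateCompact(s)
		fmt.Printf("len=%d kind=%q err=%v\n", len(s), kind, err)
	}
}
```

Only input that passes this check would be forwarded to the parser; updating to the fixed packages remains the resolution given above.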
Additional information:
N/A
Downloads:
SRPMS
- podman-5.4.0-9.el9_6.src.rpm
MD5: 0a774c06b2e228c4c7c3f36c95b6792b
SHA-256: b2da64dd1eacd7409c9d5dc3748ed0b454d7c3c4b12b70b39e560cd0c4c3a394
Size: 26.25 MB
Asianux Server 9 for x86_64
- podman-5.4.0-9.el9_6.x86_64.rpm
MD5: f8309b3e817e2a2b0a6d966fe43e506b
SHA-256: 86187a14acd0c40446396e4ce012e60b11ed402104758ef066f2525ca05ccb76
Size: 16.78 MB
- podman-docker-5.4.0-9.el9_6.noarch.rpm
MD5: 931b611d59a2fee9e3cbc6faff8874ed
SHA-256: 3e989bc4abeb0641135765f60be7b15e6790302ed0a720a11873816d54eef2c6
Size: 108.60 kB
- podman-plugins-5.4.0-9.el9_6.x86_64.rpm
MD5: 5a518e2630134906905d0a035ecad255
SHA-256: d84cb01e8195a420a32127af3b783e0df4df4d9dbaa3b6d388eb27160d77f311
Size: 1.39 MB
- podman-remote-5.4.0-9.el9_6.x86_64.rpm
MD5: 3a060305385e1e5d4d5b7a0dac3cf4a1
SHA-256: 9dae0f55bcd54502534f331e11d4495717b1865f4fbec9f27d8f600c81a63c42
Size: 10.98 MB
- podman-tests-5.4.0-9.el9_6.x86_64.rpm
MD5: 31636723cd732dd94e58eaae8337fb2c
SHA-256: f4a779d3709fa66082c45610da9dc0cff174c2e104f6fa719605ab7278304707
Size: 12.13 MB