grafana-9.2.10-28.el8_10
エラータID: AXSA:2026-223:04
リリース日:
2026/03/03 Tuesday - 10:21
題名:
grafana-9.2.10-28.el8_10
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- Go の net/url パッケージの net/http.Request.ParseForm()
メソッドには、クエリ内のパラメーター数を制限を実施していないこと
に起因して意図せず大量のメモリを消費してしまう問題があるため、
リモートの攻撃者により、サービス拒否攻撃 (メモリ枯渇) を可能とする
脆弱性が存在します。(CVE-2025-61726)
- Go の archive/zip パッケージ内のファイル名のインデックス処理
には、CPU リソースを多く消費してしまうアルゴリズムが使用されている
問題があるため、リモートの攻撃者により、細工された ZIP アーカイブ
ファイルの処理を介して、サービス拒否攻撃 (CPU リソース枯渇) を可能
とする脆弱性が存在します。(CVE-2025-61728)
- Go の crypto/tls パッケージには、Config 内の ClientCAs
フィールドまたは RootCAs フィールドが最初のハンドシェイクと再開後
のハンドシェイクの間で変更されている場合、本来失敗するはずの再開後
のハンドシェイクが成功してしまう問題があるため、リモートの攻撃者に
より、不正な認証を可能とする脆弱性が存在します。(CVE-2025-68121)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2025-61726
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.
CVE-2025-61728
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
CVE-2025-68121
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.
追加情報:
N/A
ダウンロード:
SRPMS
- grafana-9.2.10-28.el8_10.src.rpm
MD5: c1e5d353ec7476670bdaac8508650d52
SHA-256: f14f1db194bb544a1189eacc8a256a92d0ea1803edddea8ee8a08fb13e7c4f39
Size: 327.50 MB
Asianux Server 8 for x86_64
- grafana-9.2.10-28.el8_10.x86_64.rpm
MD5: 4f7788e96b784198cca8d65790afb37d
SHA-256: 69c7cf26d8081a7a394f6be5e59c56617acab7b9b929ddb3464371197080bbcb
Size: 77.06 MB - grafana-selinux-9.2.10-28.el8_10.x86_64.rpm
MD5: 9577f11a0f4867004b202033e803138b
SHA-256: 4abf83d38d057a4e63410801605a9169af277071e856a9aa9e6ea05b8ba3b34c
Size: 35.39 kB
English