skopeo-1.20.0-3.el9_7
エラータID: AXSA:2026-230:01
リリース日:
2026/02/27 Friday - 15:59
題名:
skopeo-1.20.0-3.el9_7
影響のあるチャネル:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- Go の net/url パッケージの net/http.Request.ParseForm()
メソッドには、クエリ内のパラメーター数を制限を実施していないこと
に起因して意図せず大量のメモリを消費してしまう問題があるため、
リモートの攻撃者により、サービス拒否攻撃 (メモリ枯渇) を可能と
する脆弱性が存在します。(CVE-2025-61726)
- Golang の crypto/x509 ライブラリには、ループ内で過剰にプラット
フォームリソースを消費してしまう問題があるため、リモートの攻撃者
により、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2025-61729)
- Go の crypto/tls パッケージには、Config 内の ClientCAs
フィールドまたは RootCAs フィールドが最初のハンドシェイクと
再開後のハンドシェイクの間で変更されている場合、本来失敗するはず
の再開後のハンドシェイクが成功してしまう問題があるため、リモート
の攻撃者により、不正な認証を可能とする脆弱性が存在します。
(CVE-2025-68121)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2025-61726
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.
CVE-2025-61729
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
CVE-2025-68121
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.
追加情報:
N/A
ダウンロード:
SRPMS
- skopeo-1.20.0-3.el9_7.src.rpm
MD5: 6601a5a32f92bb9d540acc8687e67378
SHA-256: 890011c250e9ecbdd003b24c6eef4c4775f0fcc05d9df59d1427ebb6e717641a
Size: 9.86 MB
Asianux Server 9 for x86_64
- skopeo-1.20.0-3.el9_7.x86_64.rpm
MD5: e71a51e37f7270bfba188fc0fbfa8c8b
SHA-256: bcd8f1afb42b3ff26b87fe7bcd34f01b4ec72dc722f145a3ee35a669d70c4bae
Size: 8.20 MB - skopeo-tests-1.20.0-3.el9_7.x86_64.rpm
MD5: e787bf341474a795b37b9bd6b131a502
SHA-256: 607d9de20821def953c7e3fc8aeef1648cded8d40367f194ba28b4917cde02de
Size: 767.53 kB
English