podman-5.6.0-14.el9_7

エラータID: AXSA:2026-238:04

リリース日: 
2026/02/27 Friday - 18:17
題名: 
podman-5.6.0-14.el9_7
影響のあるチャネル: 
MIRACLE LINUX 9 for x86_64
Severity: 
High
Description: 

The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods is a concept in Kubernetes.

Security Fix(es):

* crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729)
* golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip (CVE-2025-61728)
* golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)
* crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2025-61726
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.
CVE-2025-61728
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
CVE-2025-61729
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
CVE-2025-68121
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.

解決策: 

Update packages.

CVE: 
CVE-2025-61726
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.
CVE-2025-61728
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
CVE-2025-61729
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
CVE-2025-68121
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.
追加情報: 

N/A

ダウンロード: 

SRPMS
  1. podman-5.6.0-14.el9_7.src.rpm
    MD5: 099c25c45a03424fdeff06a2a4346397
    SHA-256: 31d32eeaca8cc610175ef4791bf48269af0429afee94518d77ba5907103f6ea0
    Size: 21.94 MB

Asianux Server 9 for x86_64
  1. podman-5.6.0-14.el9_7.x86_64.rpm
    MD5: 72b8cbf4b6d1a42d7076a203a7c14cee
    SHA-256: d7dc44be7fd10c7f6ec561139d83a6e3c9ed825f0ee7787982b314bec05d7ca4
    Size: 16.02 MB
  2. podman-docker-5.6.0-14.el9_7.noarch.rpm
    MD5: 855cc14b0f940cc5f6bc82228e73556c
    SHA-256: 608c142251b61bbf9dea9e972480622f213263aa515448cc39a2cf8bdb158042
    Size: 109.71 kB
  3. podman-plugins-5.6.0-14.el9_7.x86_64.rpm
    MD5: 994ab40062253dcbaf327115a99b992e
    SHA-256: d4459aabea4badf2fb0119ee707f21eb539a83fa01a65189a874b0684ff3c2a8
    Size: 1.46 MB
  4. podman-remote-5.6.0-14.el9_7.x86_64.rpm
    MD5: afc20d6b277fdfa334bc4d9b3b0fcdc6
    SHA-256: f155fec4f0d4c8a6b654e4d0e4d3219bf393214f1e76e4aca0eac3ac60017f39
    Size: 9.92 MB
  5. podman-tests-5.6.0-14.el9_7.x86_64.rpm
    MD5: c5e05118bd6f74b691775287d4490103
    SHA-256: 036235318a6791ab20fbf6113f3bd5a251a4626b7d4f27ebab1d09b89f95cf93
    Size: 11.46 MB