osbuild-composer-101.4-4.el8_10.ML.1
エラータID: AXSA:2026-304:05
リリース日:
2026/03/16 Monday - 09:31
題名:
osbuild-composer-101.4-4.el8_10.ML.1
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- Go の net/url パッケージの net/http.Request.ParseForm()
メソッドには、クエリ内のパラメーター数を制限を実施していないこと
に起因して意図せず大量のメモリを消費してしまう問題があるため、
リモートの攻撃者により、サービス拒否攻撃 (メモリ枯渇) を可能とする
脆弱性が存在します。(CVE-2025-61726)
- Go の crypto/tls パッケージには、Config 内の ClientCAs
フィールドまたは RootCAs フィールドが最初のハンドシェイクと再開後
のハンドシェイクの間で変更されている場合、本来失敗するはずの再開後
のハンドシェイクが成功してしまう問題があるため、リモートの攻撃者に
より、不正な認証を可能とする脆弱性が存在します。(CVE-2025-68121)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2025-61726
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.
CVE-2025-68121
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.
追加情報:
N/A
ダウンロード:
SRPMS
- osbuild-composer-101.4-4.el8_10.ML.1.src.rpm
MD5: 4c247b5adb27ce6df9ef0e6049498f0c
SHA-256: 00b7d9faddb69c9ed9f34e1d5c8af96c8a5ebf4c48e436e9a5881c587ee5025f
Size: 130.08 MB
Asianux Server 8 for x86_64
- osbuild-composer-101.4-4.el8_10.ML.1.x86_64.rpm
MD5: 3b92748b8fdd570ca7eb68fea5e8ccdc
SHA-256: a6451f209835279bb6a1c231a55dccd062c74892f37e9264509dda8078da966a
Size: 23.68 kB - osbuild-composer-core-101.4-4.el8_10.ML.1.x86_64.rpm
MD5: deca4973fcd409ae29237fdbf075ada7
SHA-256: bd0ce3c16496a2da35e61e4f796bf62c730acdd3c2354df42e84da52ed46e87d
Size: 10.98 MB - osbuild-composer-worker-101.4-4.el8_10.ML.1.x86_64.rpm
MD5: 56e5d943a3f4dd706e99f816bfd630e9
SHA-256: ae177638a1626329007d7682bc714944cd4883f38568a46f7228fc7a392ebc0a
Size: 19.49 MB
English