| Beschreibung: | Summary:
The remote host is missing an update for the 'buildah, podman, skopeo' package(s) announced via the MGASA-2024-0343 advisory.
Vulnerability Insight:
A flaw was found in Buildah (and subsequently Podman Build) which allows
containers to mount arbitrary locations on the host filesystem into
build containers. A malicious Containerfile can use a dummy image with a
symbolic link to the root filesystem as a mount source and cause the
mount operation to mount the host root filesystem inside the RUN step.
The commands inside the RUN step will then have read-write access to the
host filesystem, allowing for full container escape at build time.
(CVE-2024-1753)
A flaw was found in the github.com/containers/image library. This flaw
allows attackers to trigger unexpected authenticated registry accesses
on behalf of a victim user, causing resource exhaustion, local path
traversal, and other attacks. (CVE-2024-3727)
When parsing a multipart form (either explicitly with
Request.ParseMultipartForm or implicitly with Request.FormValue,
Request.PostFormValue, or Request.FormFile), limits on the total size of
the parsed form were not applied to the memory consumed while reading a
single form line. This permits a maliciously crafted input containing
very long lines to cause allocation of arbitrarily large amounts of
memory, potentially leading to memory exhaustion. With fix, the
ParseMultipartForm function now correctly limits the maximum size of
form lines. (CVE-2023-45290)
Package jose aims to provide an implementation of the Javascript Object
Signing and Encryption set of standards. An attacker could send a JWE
containing compressed data that used large amounts of memory and CPU
when decompressed by Decrypt or DecryptMulti. Those functions now return
an error if the decompressed data would exceed 250kB or 10x the
compressed size (whichever is larger). This vulnerability has been
patched in versions 4.0.1, 3.0.3 and 2.6.3. (CVE-2024-28180)
jose is JavaScript module for JSON Object Signing and Encryption,
providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS),
JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS),
and more. A vulnerability has been identified in the JSON Web Encryption
(JWE) decryption interfaces, specifically related to the support for
decompressing plaintext after its decryption. Under certain conditions
it is possible to have the user's environment consume unreasonable
amount of CPU time or memory during JWE Decryption operations. This
issue has been patched in versions 2.0.7 and 4.15.5. (CVE-2024-28176)
A flaw was found in Go. When FIPS mode is enabled on a system, container
runtimes may incorrectly handle certain file paths due to improper
validation in the containers/common Go library. This flaw allows an
attacker to exploit symbolic links and trick the system into mounting
sensitive host directories inside a container. This issue also allows
attackers to access critical host files, bypassing the intended
isolation between containers and the host system. ... [Please see the references for more information on the vulnerabilities]
Affected Software/OS:
'buildah, podman, skopeo' package(s) on Mageia 9.
Solution:
Please install the updated package(s).
CVSS Score:
7.2
CVSS Vector:
AV:L/AC:L/Au:N/C:C/I:C/A:C
|
