Description
Moderate: buildah security and bug fix update
The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to: Create a working container, either from scratch or using an image as a starting point; Create an image, either from a working container or using the instructions in a Dockerfile; Build both Docker and OCI images.
Security Fix(es):
- golang: net/http: memory exhaustion in Request.ParseMultipartForm (CVE-2023-45290)
- jose-go: improper handling of highly compressed data (CVE-2024-28180)
- buildah: jose: resource exhaustion (CVE-2024-28176)
Affected products
Rocky Linux 9
Related CVEs
Fixes
- Red Hat - 2268017
- Red Hat - 2268820
- Red Hat - 2268854
Related vulnerabilities
ELSA-2024-3827: buildah security and bug fix update (MODERATE)
ELSA-2024-3826: podman security and bug fix update (MODERATE)
ELSA-2024-3968: container-tools:ol8 bug fix and enhancement update (MODERATE)
When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With the fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.
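Added example (not code from buildah, the advisory, or the Go project): a Go handler that bounds the whole request body with http.MaxBytesReader before calling ParseMultipartForm, so a form with an oversized line is rejected with 413 after at most maxBody bytes instead of being read into memory. The maxBody limit, the /upload path and the "note" field are assumptions chosen for the demonstration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
)

// maxBody is a hypothetical per-request ceiling chosen for this example; it bounds
// the bytes the multipart parser can ever read, whatever Go version built the binary.
const maxBody = 64 << 10 // 64 KiB

// uploadHandler caps the request body before ParseMultipartForm touches it.
// Exceeding the cap surfaces as *http.MaxBytesError and is answered with 413.
func uploadHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBody)
	if err := r.ParseMultipartForm(32 << 10); err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad multipart form", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// submit builds a constructed multipart/form-data body holding one text field of
// fieldSize bytes, drives uploadHandler in-process and returns the status it sent.
func submit(fieldSize int) int {
	var buf bytes.Buffer
	mw := multipart.NewWriter(&buf)
	fw, _ := mw.CreateFormField("note")
	fw.Write(bytes.Repeat([]byte("A"), fieldSize))
	mw.Close()
	req := httptest.NewRequest(http.MethodPost, "/upload", &buf)
	req.Header.Set("Content-Type", mw.FormDataContentType())
	rec := httptest.NewRecorder()
	uploadHandler(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("1 KiB field ->", submit(1<<10)) // 200
	fmt.Println("1 MiB field ->", submit(1<<20)) // 413
}
```

The ParseMultipartForm maxMemory argument only decides how much of the parsed form stays in memory versus spilling to disk; the body cap is what bounds what the parser reads at all, which is why it belongs in front of the parser regardless of whether the Go toolchain carries the CVE-2023-45290 fix.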