Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

rocky логотип

RLSA-2024:7262

Опубликовано: 30 сент. 2024
Источник: rocky
Оценка: Important

Описание

Important: osbuild-composer security update

A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to cloud. It is compatible with composer-cli and cockpit-composer clients.

Security Fix(es):

  • golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads (CVE-2024-1394)

  • encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion (CVE-2024-34156)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Затронутые продукты

  • Rocky Linux 8

НаименованиеАрхитектураРелизRPM
osbuild-composerx86_642.el8_10.rocky.0.6osbuild-composer-101-2.el8_10.rocky.0.6.x86_64.rpm
osbuild-composer-corex86_642.el8_10.rocky.0.6osbuild-composer-core-101-2.el8_10.rocky.0.6.x86_64.rpm
osbuild-composer-workerx86_642.el8_10.rocky.0.6osbuild-composer-worker-101-2.el8_10.rocky.0.6.x86_64.rpm

Показывать по

Связанные CVE

CVE-2024-1394
CVE-2024-34156

Ссылки на источники

Исправления

Связанные уязвимости

oracle-oval логотип

ELSA-2024-7262

oracle-oval
9 месяцев назад

ELSA-2024-7262: osbuild-composer security update (IMPORTANT)

redhat логотип

CVE-2024-1394

CVSS3: 7.5
redhat
около 1 года назад

A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs​. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey​ and ctx​. That function uses named return parameters to free pkey​ and ctx​ if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey​ and ctx​ will be nil inside the deferred function that should free them.

nvd логотип

CVE-2024-1394

CVSS3: 7.5
nvd
около 1 года назад

A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs​. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey​ and ctx​. That function uses named return parameters to free pkey​ and ctx​ if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey​ and ctx​ will be nil inside the deferred function that should free them.

ubuntu логотип

CVE-2024-34156

CVSS3: 7.5
ubuntu
10 месяцев назад

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

redhat логотип

CVE-2024-34156

CVSS3: 7.5
redhat
10 месяцев назад

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.