Description
Security update for containerized-data-importer
This update for containerized-data-importer fixes the following issues:
Update to version 1.64.0.
Security issues fixed:
- CVE-2024-28180: improper handling of highly compressed data (bsc#1235204).
- CVE-2024-45338: denial of service due to non-linear parsing of case-insensitive content (bsc#1235365).
- CVE-2025-22868: unexpected memory consumption during token parsing in golang.org/x/oauth2 (bsc#1239205).
Package list
openSUSE Leap 16.0
References
- SUSE Security Ratings
- SUSE Bug 1235204
- SUSE Bug 1235365
- SUSE Bug 1239205
- SUSE CVE CVE-2024-28180 page
- SUSE CVE CVE-2024-45338 page
- SUSE CVE CVE-2025-22868 page
Description
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.
Affected products
References
- CVE-2024-28180
- SUSE Bug 1234984
Description
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
Affected products
References
- CVE-2024-45338
- SUSE Bug 1234794
Description
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
Affected products
References
- CVE-2025-22868
- SUSE Bug 1239185
- SUSE Bug 1239186