Main Vulnerability Database SB2025032981

SB2025032981 - Anolis OS update for container-tools:an8 module

Published: March 29, 2025

Security Bulletin ID SB2025032981

Severity

Medium

Patch available

YES

Number of vulnerabilities 5

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Resource exhaustion (CVE-ID: CVE-2023-45290)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in net/http due to application does not properly control consumption of internal resources when parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile). A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

2) Error Handling (CVE-ID: CVE-2024-24783)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in crypto/x509 due to improper validation of a certificate chain that contains an unknown public key. A remote attacker can pass a specially crafted certificate to the application and perform a denial of service attack.

3) Input validation error (CVE-ID: CVE-2024-24784)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to insufficient validation of display names within the ParseAddressList function in net/mail. A remote attacker can pass specially crafted input to the application and perform a spoofing attack.

4) Infinite loop (CVE-ID: CVE-2024-24788)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop when processing DNS responses. A remote attacker can send a specially crafted DNS response to the application and cause denial of service conditions.

5) Resource exhaustion (CVE-ID: CVE-2024-24791)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper handling of "Expect: 100-continue" HTTP requests. A remote attacker can send multiple such requests and consume all available resources.

Remediation

Install update from vendor's website.

References

https://anas.openanolis.cn/errata/detail/ANSA-2024:0923

Vulnerable Software

Anolis OS: 8
podman-docker: before 4.9.4-13.0.1
podman-tests: before 4.9.4-13.0.1
podman-remote: before 4.9.4-13.0.1
podman-plugins: before 4.9.4-13.0.1
podman-gvproxy: before 4.9.4-13.0.1
podman-catatonit: before 4.9.4-13.0.1
podman: before 4.9.4-13.0.1
buildah-tests: before 1.33.8-4
buildah: before 1.33.8-4
runc: before 1.1.12-4.0.1
python3-podman: before 4.9.0-2
skopeo-tests: before 1.14.5-3.0.1
skopeo: before 1.14.5-3.0.1
containers-common: before 1-82.0.1
containernetworking-plugins: before 1.4.0-5.0.1
udica: before 0.2.6-21
container-selinux: before 2.229.0-2
cockpit-podman: before 84.1-1
toolbox-tests: before 0.0.99.5-2.0.1
toolbox: before 0.0.99.5-2.0.1
slirp4netns: before 1.2.3-1
python3-criu: before 3.18-5.0.1
oci-seccomp-bpf-hook: before 1.2.10-1
netavark: before 1.10.3-1.0.1
libslirp-devel: before 4.4.0-2
libslirp: before 4.4.0-2
fuse-overlayfs: before 1.13-1.0.1
crun: before 1.14.3-2
criu-libs: before 3.18-5.0.1
criu-devel: before 3.18-5.0.1
criu: before 3.18-5.0.1
crit: before 3.18-5.0.1
conmon: before 2.1.10-1
aardvark-dns: before 1.10.0-2.0.1

SB2025032981 - Anolis OS update for container-tools:an8 module

Breakdown by Severity

Description

Remediation

References

Please verify you're human