OESA-2024-1473

See a problem?
Please try reporting it to the source first.

Source

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1473

Import Source

https://repo.openeuler.org/security/data/osv/OESA-2024-1473.json

JSON Data

https://api.test.osv.dev/v1/vulns/OESA-2024-1473

Upstream

CVE-2024-28180

Published

2024-04-19T11:07:47Z

Modified

2025-08-12T05:42:55.240987Z

Summary

cri-o security update

Details

Open Container Initiative-based implementation of Kubernetes Container Runtime Interface.

Security Fix(es):

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3. (CVE-2024-28180)

Database specific

{
    "severity": "Medium"
}

References

Affected packages

openEuler:22.03-LTS-SP2 / cri-o

Package

Name: cri-o
Purl: pkg:rpm/openEuler/cri-o&distro=openEuler-22.03-LTS-SP2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.23.2-11.oe2203sp2

Ecosystem specific

{
    "aarch64": [
        "cri-o-1.23.2-11.oe2203sp2.aarch64.rpm",
        "cri-o-debuginfo-1.23.2-11.oe2203sp2.aarch64.rpm",
        "cri-o-debugsource-1.23.2-11.oe2203sp2.aarch64.rpm"
    ],
    "x86_64": [
        "cri-o-1.23.2-11.oe2203sp2.x86_64.rpm",
        "cri-o-debugsource-1.23.2-11.oe2203sp2.x86_64.rpm",
        "cri-o-debuginfo-1.23.2-11.oe2203sp2.x86_64.rpm"
    ],
    "src": [
        "cri-o-1.23.2-11.oe2203sp2.src.rpm"
    ]
}