OESA-2025-1687

See a problem?
Please try reporting it to the source first.

Source

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1687

Import Source

https://repo.openeuler.org/security/data/osv/OESA-2025-1687.json

JSON Data

https://api.test.osv.dev/v1/vulns/OESA-2025-1687

Upstream

CVE-2024-28180

Published

2025-06-27T13:16:43Z

Modified

2025-08-12T05:42:57.635007Z

Summary

skopeo security update

Details

A command line utility that performs various operations on container images and image repositories

Security Fix(es):

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.(CVE-2024-28180)

Database specific

{
    "severity": "Medium"
}

References

Affected packages

openEuler:20.03-LTS-SP4 / skopeo

Package

Name: skopeo
Purl: pkg:rpm/openEuler/skopeo&distro=openEuler-20.03-LTS-SP4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.1.0-12.oe2003sp4

Ecosystem specific

{
    "aarch64": [
        "containers-common-1.1.0-12.oe2003sp4.aarch64.rpm",
        "skopeo-1.1.0-12.oe2003sp4.aarch64.rpm",
        "skopeo-debuginfo-1.1.0-12.oe2003sp4.aarch64.rpm",
        "skopeo-debugsource-1.1.0-12.oe2003sp4.aarch64.rpm"
    ],
    "x86_64": [
        "containers-common-1.1.0-12.oe2003sp4.x86_64.rpm",
        "skopeo-1.1.0-12.oe2003sp4.x86_64.rpm",
        "skopeo-debuginfo-1.1.0-12.oe2003sp4.x86_64.rpm",
        "skopeo-debugsource-1.1.0-12.oe2003sp4.x86_64.rpm"
    ],
    "src": [
        "skopeo-1.1.0-12.oe2003sp4.src.rpm"
    ]
}