alsa-2024:2549
Vulnerability from osv_almalinux
Published
2024-04-30 00:00
Modified
2024-05-07 14:54
Summary
Moderate: skopeo security and bug fix update
Details

The skopeo command lets you inspect images from container image registries, get images and image layers, and use signatures to create and verify files.

Security Fix(es):

  • golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON (CVE-2024-24786)

Bug Fix(es):

  • TRIAGE CVE-2024-24786 skopeo: golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON [almalinux-9] - AlmaLinux 9.4 0day (JIRA:AlmaLinux-28235)
  • skopeo: jose-go: improper handling of highly compressed data [almalinux-9] (JIRA:AlmaLinux-28736)
References
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "skopeo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2:1.14.3-2.el9_4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "skopeo-tests"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2:1.14.3-2.el9_4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "The skopeo command lets you inspect images from container image registries, get images and image layers, and use signatures to create and verify files. \n\nSecurity Fix(es):\n\n* golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON (CVE-2024-24786)\n\nBug Fix(es):\n\n* TRIAGE CVE-2024-24786 skopeo: golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON [almalinux-9] - AlmaLinux 9.4 0day (JIRA:AlmaLinux-28235)\n* skopeo: jose-go: improper handling of highly compressed data [almalinux-9] (JIRA:AlmaLinux-28736)",
  "id": "ALSA-2024:2549",
  "modified": "2024-05-07T14:54:52Z",
  "published": "2024-04-30T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2024:2549"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-24786"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-28180"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2268046"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2268854"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2024-2549.html"
    }
  ],
  "related": [
    "CVE-2024-24786",
    "CVE-2024-24786"
  ],
  "summary": "Moderate: skopeo security and bug fix update"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.