An update for cri-o is now available for openEuler-22.03-LTS-SP2
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2024-1473
Final
1.0
1.0
2024-04-19
Initial
2024-04-19
2024-04-19
openEuler SA Tool V1.0
2024-04-19
cri-o security update
An update for cri-o is now available for openEuler-22.03-LTS-SP2.
Open Container Initiative-based implementation of Kubernetes Container Runtime Interface.
Security Fix(es):
The jose package provides a Go implementation of the JavaScript Object Signing and Encryption (JOSE) set of standards, and cri-o ships it as a vendored dependency. An attacker could send a JWE whose compressed payload (the "zip": "DEF" DEFLATE option) consumed large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti, a decompression-bomb denial of service. Those functions now return an error if the decompressed data would exceed 250 kB or 10x the compressed size, whichever is larger. This vulnerability has been patched in jose versions 4.0.1, 3.0.3 and 2.6.3.
(CVE-2024-28180)
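The following Go program is an added illustration of the failure mode and the bound described above; it is not code from cri-o, go-jose or the openEuler advisory. It uses only the standard library's compress/flate (the DEFLATE algorithm that JWE "zip": "DEF" specifies), builds a constructed decompression bomb (4 MiB of zero bytes, which DEFLATE shrinks to a few kilobytes), and contrasts an unbounded inflate with one that enforces the advisory's rule of max(250 kB, 10x compressed size). The 250 kB floor is taken as 250,000 bytes and the helper names (outputLimit, inflateBounded, inflateUnbounded, ErrDecompressionBomb) are this example's own.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressionBomb is returned when the inflated output would exceed the bound.
var ErrDecompressionBomb = errors.New("jwe: decompressed payload exceeds limit")

// minOutputLimit is the 250 kB floor named in the advisory (assumed here to be
// 250,000 bytes; this is an illustration of the rule, not go-jose's own source).
const minOutputLimit = 250_000

// outputLimit returns the larger of minOutputLimit and 10x the compressed size.
func outputLimit(compressedLen int) int64 {
	limit := int64(compressedLen) * 10
	if limit < minOutputLimit {
		limit = minOutputLimit
	}
	return limit
}

// deflate compresses data with raw DEFLATE, which is what "zip": "DEF" means in JWE.
func deflate(data []byte) ([]byte, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		return nil, err
	}
	if _, err := w.Write(data); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// inflateUnbounded mirrors the vulnerable pattern: it inflates whatever the
// sender supplied, so a few kilobytes of input can allocate many megabytes.
func inflateUnbounded(compressed []byte) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	return io.ReadAll(r)
}

// inflateBounded mirrors the hardened pattern: it copies at most limit+1 bytes
// and rejects the payload if that extra byte was actually produced, so memory
// use is capped before the attacker's data is fully expanded.
func inflateBounded(compressed []byte) ([]byte, error) {
	limit := outputLimit(len(compressed))
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()

	var out bytes.Buffer
	n, err := io.CopyN(&out, r, limit+1)
	if err != nil && err != io.EOF { // io.EOF here just means the stream fit under the cap
		return nil, err
	}
	if n > limit {
		return nil, fmt.Errorf("%w: more than %d bytes", ErrDecompressionBomb, limit)
	}
	return out.Bytes(), nil
}

func main() {
	// Constructed sample input: a 4 MiB run of zero bytes, a textbook decompression bomb.
	bomb, err := deflate(bytes.Repeat([]byte{0}, 4<<20))
	if err != nil {
		panic(err)
	}
	fmt.Printf("bomb: %d compressed bytes, limit %d\n", len(bomb), outputLimit(len(bomb)))

	unb, err := inflateUnbounded(bomb)
	fmt.Printf("unbounded inflate: %d bytes, err=%v\n", len(unb), err)

	_, err = inflateBounded(bomb)
	fmt.Printf("bounded inflate:   rejected=%v, err=%v\n", errors.Is(err, ErrDecompressionBomb), err)

	// A legitimate small JWE plaintext (constructed) still round-trips under the bound.
	small, _ := deflate([]byte(`{"sub":"alice","iat":1700000000}`))
	pt, err := inflateBounded(small)
	fmt.Printf("bounded inflate of small payload: %q err=%v\n", pt, err)
}
```

The check reads limit+1 bytes rather than limit so that a payload of exactly the permitted size is accepted while anything larger is refused without first being fully materialised; that is the property to look for when reviewing any decompression step that handles attacker-controlled input, whether in JWE, image layers or HTTP bodies.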
An update for cri-o is now available for openEuler-22.03-LTS-SP2.
openEuler Security has rated this update as having a security impact of medium. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Medium
cri-o
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1473
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2024-28180
https://nvd.nist.gov/vuln/detail/CVE-2024-28180
openEuler-22.03-LTS-SP2
cri-o-1.23.2-11.oe2203sp2.aarch64.rpm
cri-o-debuginfo-1.23.2-11.oe2203sp2.aarch64.rpm
cri-o-debugsource-1.23.2-11.oe2203sp2.aarch64.rpm
cri-o-1.23.2-11.oe2203sp2.src.rpm
cri-o-1.23.2-11.oe2203sp2.x86_64.rpm
cri-o-debugsource-1.23.2-11.oe2203sp2.x86_64.rpm
cri-o-debuginfo-1.23.2-11.oe2203sp2.x86_64.rpm
2024-04-19
CVE-2024-28180
openEuler-22.03-LTS-SP2
Medium
4.3
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
cri-o security update
2024-04-19
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1473