openEuler Security Advisory: openEuler-SA-2024-1701
Title: An update for skopeo is now available for openEuler-22.03-LTS-SP3
Issuer: openEuler security committee (openeuler-security@openeuler.org)
Status: Final
Version: 1.0
Initial release date: 2024-06-07
Current release date: 2024-06-07
Generated by: openEuler SA Tool V1.0, 2024-06-07
Severity: Medium

Summary
skopeo security update. An update for skopeo is now available for openEuler-22.03-LTS-SP3.

Description
skopeo is a command line utility that performs various operations on container images and image repositories.

Security Fix(es):

CVE-2024-28180: Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.

openEuler Security has rated this update as having a security impact of Medium. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Vulnerability details
CVE-2024-28180 (published 2024-06-07)
Affected product: openEuler-22.03-LTS-SP3
Severity: Medium
CVSS v3 base score: 4.3
CVSS v3 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
(Network-reachable, low attack complexity, low privileges required, no user interaction; the impact is limited to availability, which matches the decompression-bomb nature of the flaw.)

References
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1701
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2024-28180
https://nvd.nist.gov/vuln/detail/CVE-2024-28180

Affected packages (openEuler-22.03-LTS-SP3)
aarch64:
skopeo-1.8.0-5.oe2203sp3.aarch64.rpm
skopeo-debuginfo-1.8.0-5.oe2203sp3.aarch64.rpm
skopeo-debugsource-1.8.0-5.oe2203sp3.aarch64.rpm
src:
skopeo-1.8.0-5.oe2203sp3.src.rpm
x86_64:
skopeo-1.8.0-5.oe2203sp3.x86_64.rpm
skopeo-debuginfo-1.8.0-5.oe2203sp3.x86_64.rpm
skopeo-debugsource-1.8.0-5.oe2203sp3.x86_64.rpm

After applying the update, rpm -q skopeo should report release 1.8.0-5.oe2203sp3 for the installed architecture.
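To make the fix described above concrete, here is an added Go example, written for this page and not taken from go-jose, skopeo or openEuler, that shows the pre-fix unbounded inflate beside a bounded one enforcing the stated limit (the larger of 250kB and 10x the compressed size). It assumes 250kB means 250000 bytes, uses raw DEFLATE because that is what a JWE "zip":"DEF" payload carries, and all function names (inflateBounded, inflateUnbounded, inflateLimit, deflate) and the sample inputs are constructed for the example.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// ErrInflatedTooLarge is returned when the inflated output would exceed the bound.
var ErrInflatedTooLarge = errors.New("inflated data would exceed the permitted size")

// inflateLimit returns the bound the advisory describes: the larger of 250kB
// (assumed here to be 250000 bytes) and 10x the compressed input size.
func inflateLimit(compressedLen int) int64 {
	const floor = 250000
	if bound := 10 * int64(compressedLen); bound > floor {
		return bound
	}
	return floor
}

// inflateBounded inflates raw DEFLATE data (the JWE "zip":"DEF" encoding) but
// stops and fails as soon as the output would exceed inflateLimit(len(data)),
// so a small compressed input can no longer force a large allocation.
func inflateBounded(data []byte) ([]byte, error) {
	limit := inflateLimit(len(data))
	r := flate.NewReader(bytes.NewReader(data))
	defer r.Close()

	var out bytes.Buffer
	// Copy at most limit+1 bytes: receiving limit+1 proves the stream is too large
	// without ever buffering more than that.
	n, err := io.CopyN(&out, r, limit+1)
	if err != nil && !errors.Is(err, io.EOF) {
		return nil, fmt.Errorf("inflate: %w", err)
	}
	if n > limit {
		return nil, ErrInflatedTooLarge
	}
	return out.Bytes(), nil
}

// inflateUnbounded is the vulnerable pattern: it trusts the stream and reads all
// of it, so the attacker controls how much memory and CPU the decrypt consumes.
func inflateUnbounded(data []byte) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(data))
	defer r.Close()
	return io.ReadAll(r)
}

// deflate compresses b with raw DEFLATE at the highest level, which is how an
// attacker produces a tiny ciphertext payload that inflates to a large output.
func deflate(b []byte) ([]byte, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		return nil, err
	}
	if _, err := w.Write(b); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	// Constructed inputs: a realistic JWE plaintext and a 64 MiB bomb of zero bytes.
	small := bytes.Repeat([]byte(`{"sub":"alice","scope":"read"}`), 100)
	bomb := make([]byte, 64<<20)

	for name, plain := range map[string][]byte{"small": small, "bomb": bomb} {
		c, err := deflate(plain)
		if err != nil {
			panic(err)
		}
		out, err := inflateBounded(c)
		fmt.Printf("%s: %d compressed bytes, limit %d, inflated %d bytes, err=%v\n",
			name, len(c), inflateLimit(len(c)), len(out), err)
	}
}
```

The essential design choice is that the limit is enforced while streaming (io.CopyN with limit+1) rather than by checking len(out) after a full io.ReadAll, since the latter has already paid the memory and CPU cost the advisory warns about. The 10x clause keeps legitimate large-but-compressible payloads working, while the 250kB floor caps what a few hundred compressed bytes can expand to.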