VYPR

rpm package

almalinux/skopeo

pkg:rpm/almalinux/skopeo

Vulnerabilities (105)

  • CVE-2026-32283HigApr 8, 2026
    affected < 2:1.22.2-6.el9_8fixed 2:1.22.2-6.el9_8

    If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.

  • CVE-2026-32281HigApr 8, 2026
    affected < 2:1.22.2-6.el9_8fixed 2:1.22.2-6.el9_8

    Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root C

  • CVE-2026-32280HigApr 8, 2026
    affected < 2:1.22.2-6.el9_8fixed 2:1.22.2-6.el9_8

    During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls

  • CVE-2026-34986HigApr 6, 2026
    affected < 2:1.14.6-2.module_el8.10.0+4211+49ea0979fixed 2:1.14.6-2.module_el8.10.0+4211+49ea0979

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW

  • CVE-2026-25679HigMar 6, 2026
    affected < 2:1.22.2-1.el10_2fixed 2:1.22.2-1.el10_2

    url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

  • CVE-2025-68121CriFeb 5, 2026
    affected < 2:1.20.0-3.el9_7fixed 2:1.20.0-3.el9_7

    During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and

  • CVE-2025-61728Jan 28, 2026
    affected < 2:1.14.5-7.module_el8.10.0+4136+16425343fixed 2:1.14.5-7.module_el8.10.0+4136+16425343

    archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

  • CVE-2025-61726Jan 28, 2026
    affected < 2:1.20.0-3.el9_7fixed 2:1.20.0-3.el9_7

    The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a la

  • CVE-2025-65637HigDec 4, 2025
    affected < 2:1.14.5-6.module_el8.10.0+4120+03ad4b47fixed 2:1.14.5-6.module_el8.10.0+4120+03ad4b47

    A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with "token too long" and the writer pipe is

  • CVE-2025-61729HigDec 2, 2025
    affected < 2:1.20.0-3.el9_7fixed 2:1.20.0-3.el9_7

    Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a

  • CVE-2025-47913HigNov 13, 2025
    affected < 2:1.14.5-5.module_el8.10.0+4082+f7f0c95efixed 2:1.14.5-5.module_el8.10.0+4082+f7f0c95e

    SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

  • CVE-2025-52881HigNov 6, 2025
    affected < 2:1.14.5-4.module_el8.10.0+4047+545787c4fixed 2:1.14.5-4.module_el8.10.0+4047+545787c4

    runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have

  • CVE-2025-52565HigNov 6, 2025
    affected < 2:1.14.5-4.module_el8.10.0+4047+545787c4fixed 2:1.14.5-4.module_el8.10.0+4047+545787c4

    runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the conta

  • CVE-2025-31133HigNov 6, 2025
    affected < 2:1.14.5-4.module_el8.10.0+4047+545787c4fixed 2:1.14.5-4.module_el8.10.0+4047+545787c4

    runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container

  • CVE-2025-58183MedOct 29, 2025
    affected < 2:1.20.0-2.el10_1fixed 2:1.20.0-2.el10_1

    tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When r

  • CVE-2025-9566HigSep 5, 2025
    affected < 2:1.14.5-4.module_el8.10.0+4047+545787c4fixed 2:1.14.5-4.module_el8.10.0+4047+545787c4

    There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only

  • CVE-2025-6032HigJun 24, 2025
    affected < 2:1.14.5-4.module_el8.10.0+4023+db236c53fixed 2:1.14.5-4.module_el8.10.0+4023+db236c53

    A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.

  • CVE-2025-22871CriApr 8, 2025
    affected < 2:1.14.5-4.module_el8.10.0+4016+efd18bf8fixed 2:1.14.5-4.module_el8.10.0+4016+efd18bf8

    The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

  • CVE-2025-22869HigFeb 26, 2025
    affected < 2:1.14.5-3.module_el8.10.0+3926+f12484f5fixed 2:1.14.5-3.module_el8.10.0+3926+f12484f5

    SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

  • CVE-2025-27144MedFeb 24, 2025
    affected < 2:1.18.1-1.el9_6fixed 2:1.18.1-1.el9_6

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par

Page 1 of 6