rpm package
almalinux/skopeo
pkg:rpm/almalinux/skopeo
Vulnerabilities (105)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-32283 | Hig | 7.5 | < 2:1.22.2-6.el9_8 | 2:1.22.2-6.el9_8 | Apr 8, 2026 | If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3. | |
| CVE-2026-32281 | Hig | 7.5 | < 2:1.22.2-6.el9_8 | 2:1.22.2-6.el9_8 | Apr 8, 2026 | Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root C | |
| CVE-2026-32280 | Hig | 7.5 | < 2:1.22.2-6.el9_8 | 2:1.22.2-6.el9_8 | Apr 8, 2026 | During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls | |
| CVE-2026-34986 | Hig | 7.5 | < 2:1.14.6-2.module_el8.10.0+4211+49ea0979 | 2:1.14.6-2.module_el8.10.0+4211+49ea0979 | Apr 6, 2026 | Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW | |
| CVE-2026-25679 | Hig | 7.5 | < 2:1.22.2-1.el10_2 | 2:1.22.2-1.el10_2 | Mar 6, 2026 | url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. | |
| CVE-2025-68121 | Cri | 10.0 | < 2:1.20.0-3.el9_7 | 2:1.20.0-3.el9_7 | Feb 5, 2026 | During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and | |
| CVE-2025-61728 | — | < 2:1.14.5-7.module_el8.10.0+4136+16425343 | 2:1.14.5-7.module_el8.10.0+4136+16425343 | Jan 28, 2026 | archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. | ||
| CVE-2025-61726 | — | < 2:1.20.0-3.el9_7 | 2:1.20.0-3.el9_7 | Jan 28, 2026 | The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a la | ||
| CVE-2025-65637 | Hig | 7.5 | < 2:1.14.5-6.module_el8.10.0+4120+03ad4b47 | 2:1.14.5-6.module_el8.10.0+4120+03ad4b47 | Dec 4, 2025 | A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with "token too long" and the writer pipe is | |
| CVE-2025-61729 | Hig | 7.5 | < 2:1.20.0-3.el9_7 | 2:1.20.0-3.el9_7 | Dec 2, 2025 | Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a | |
| CVE-2025-47913 | Hig | 7.5 | < 2:1.14.5-5.module_el8.10.0+4082+f7f0c95e | 2:1.14.5-5.module_el8.10.0+4082+f7f0c95e | Nov 13, 2025 | SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process. | |
| CVE-2025-52881 | Hig | 7.5 | < 2:1.14.5-4.module_el8.10.0+4047+545787c4 | 2:1.14.5-4.module_el8.10.0+4047+545787c4 | Nov 6, 2025 | runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have | |
| CVE-2025-52565 | Hig | 7.5 | < 2:1.14.5-4.module_el8.10.0+4047+545787c4 | 2:1.14.5-4.module_el8.10.0+4047+545787c4 | Nov 6, 2025 | runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the conta | |
| CVE-2025-31133 | Hig | 7.8 | < 2:1.14.5-4.module_el8.10.0+4047+545787c4 | 2:1.14.5-4.module_el8.10.0+4047+545787c4 | Nov 6, 2025 | runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container | |
| CVE-2025-58183 | Med | 4.3 | < 2:1.20.0-2.el10_1 | 2:1.20.0-2.el10_1 | Oct 29, 2025 | tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When r | |
| CVE-2025-9566 | Hig | 8.1 | < 2:1.14.5-4.module_el8.10.0+4047+545787c4 | 2:1.14.5-4.module_el8.10.0+4047+545787c4 | Sep 5, 2025 | There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only | |
| CVE-2025-6032 | Hig | 8.3 | < 2:1.14.5-4.module_el8.10.0+4023+db236c53 | 2:1.14.5-4.module_el8.10.0+4023+db236c53 | Jun 24, 2025 | A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack. | |
| CVE-2025-22871 | Cri | 9.1 | < 2:1.14.5-4.module_el8.10.0+4016+efd18bf8 | 2:1.14.5-4.module_el8.10.0+4016+efd18bf8 | Apr 8, 2025 | The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext. | |
| CVE-2025-22869 | Hig | 7.5 | < 2:1.14.5-3.module_el8.10.0+3926+f12484f5 | 2:1.14.5-3.module_el8.10.0+3926+f12484f5 | Feb 26, 2025 | SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted. | |
| CVE-2025-27144 | Med | — | < 2:1.18.1-1.el9_6 | 2:1.18.1-1.el9_6 | Feb 24, 2025 | Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par |
- affected < 2:1.22.2-6.el9_8fixed 2:1.22.2-6.el9_8
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.
- affected < 2:1.22.2-6.el9_8fixed 2:1.22.2-6.el9_8
Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root C
- affected < 2:1.22.2-6.el9_8fixed 2:1.22.2-6.el9_8
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls
- affected < 2:1.14.6-2.module_el8.10.0+4211+49ea0979fixed 2:1.14.6-2.module_el8.10.0+4211+49ea0979
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW
- affected < 2:1.22.2-1.el10_2fixed 2:1.22.2-1.el10_2
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
- affected < 2:1.20.0-3.el9_7fixed 2:1.20.0-3.el9_7
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and
- CVE-2025-61728Jan 28, 2026affected < 2:1.14.5-7.module_el8.10.0+4136+16425343fixed 2:1.14.5-7.module_el8.10.0+4136+16425343
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
- CVE-2025-61726Jan 28, 2026affected < 2:1.20.0-3.el9_7fixed 2:1.20.0-3.el9_7
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a la
- affected < 2:1.14.5-6.module_el8.10.0+4120+03ad4b47fixed 2:1.14.5-6.module_el8.10.0+4120+03ad4b47
A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with "token too long" and the writer pipe is
- affected < 2:1.20.0-3.el9_7fixed 2:1.20.0-3.el9_7
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a
- affected < 2:1.14.5-5.module_el8.10.0+4082+f7f0c95efixed 2:1.14.5-5.module_el8.10.0+4082+f7f0c95e
SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.
- affected < 2:1.14.5-4.module_el8.10.0+4047+545787c4fixed 2:1.14.5-4.module_el8.10.0+4047+545787c4
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have
- affected < 2:1.14.5-4.module_el8.10.0+4047+545787c4fixed 2:1.14.5-4.module_el8.10.0+4047+545787c4
runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the conta
- affected < 2:1.14.5-4.module_el8.10.0+4047+545787c4fixed 2:1.14.5-4.module_el8.10.0+4047+545787c4
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container
- affected < 2:1.20.0-2.el10_1fixed 2:1.20.0-2.el10_1
tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When r
- affected < 2:1.14.5-4.module_el8.10.0+4047+545787c4fixed 2:1.14.5-4.module_el8.10.0+4047+545787c4
There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only
- affected < 2:1.14.5-4.module_el8.10.0+4023+db236c53fixed 2:1.14.5-4.module_el8.10.0+4023+db236c53
A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.
- affected < 2:1.14.5-4.module_el8.10.0+4016+efd18bf8fixed 2:1.14.5-4.module_el8.10.0+4016+efd18bf8
The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
- affected < 2:1.14.5-3.module_el8.10.0+3926+f12484f5fixed 2:1.14.5-3.module_el8.10.0+3926+f12484f5
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
- affected < 2:1.18.1-1.el9_6fixed 2:1.18.1-1.el9_6
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par
Page 1 of 6