发布于3月6日3月6日 Members Oracle Linux: CVE-2024-37298: ELSA-2024-5258:container-tools:ol8 security update (IMPORTANT) (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 06/30/2024 Created 10/18/2024 Added 10/16/2024 Modified 12/01/2024 Description gorilla/schema converts structs to and from form values. Prior to version 1.4.1 Running `schema.Decoder.Decode()` on a struct that has a field of type `[]struct{...}` opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality. Any use of `schema.Decoder.Decode()` on a struct with arrays of other structs could be vulnerable to this memory exhaustion vulnerability. Version 1.4.1 contains a patch for the issue. A flaw was found in the gorilla/schema package. Running `schema.Decoder.Decode()` on a struct that has a field of type `[]struct{...}` opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality. Any use of `schema.Decoder.Decode()` on a struct with arrays of other structs could trigger memory exhaustion and lead to a denial of service. Solution(s) oracle-linux-upgrade-podman oracle-linux-upgrade-podman-docker oracle-linux-upgrade-podman-plugins oracle-linux-upgrade-podman-remote oracle-linux-upgrade-podman-tests References https://attackerkb.com/topics/cve-2024-37298 CVE - 2024-37298 ELSA-2024-5258 ELSA-2024-6194
