Alibaba Cloud Linux 3 : 0198: podman and buildah (ALINUX3-SA-2026:0198)

high Nessus Plugin ID 327271

Synopsis

The remote Alibaba Cloud Linux host is missing one or more security updates.

Description

The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2026:0198 advisory.

Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities:

CVE-2026-25679:
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

CVE-2026-32280:
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

CVE-2026-32281:
Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

CVE-2026-32283:
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.

CVE-2026-34986:
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.

CVE-2026-39829:
The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

CVE-2026-39830:
A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

CVE-2026-39832:
When adding a key to a remote agent constraint extensions such as [email protected] were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

CVE-2026-42508:
Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.

Tenable has extracted the preceding description block directly from the Alibaba Cloud Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

http://mirrors.aliyun.com/alinux/3/cve/alinux3-sa-20260198.xml

Plugin Details

Severity: High

ID: 327271

File Name: alinux3_sa_2026-0198.nasl

Version: 1.1

Type: Local

Published: 7/16/2026

Updated: 7/16/2026

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.11

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-32283

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:podman, cpe:/o:alibabacloud:alibaba_cloud_linux_3, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:podman-remote, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:podman-gvproxy, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:buildah-tests, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:buildah, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:podman-catatonit, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:podman-docker, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:podman-tests, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:podman-plugins

Required KB Items: Host/local_checks_enabled, Host/Alibaba/release, Host/Alibaba/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 7/15/2026

Vulnerability Publication Date: 3/5/2026

Reference Information

CVE: CVE-2026-25679, CVE-2026-32280, CVE-2026-32281, CVE-2026-32283, CVE-2026-34986, CVE-2026-39829, CVE-2026-39830, CVE-2026-39832, CVE-2026-42508