Security update for containerized-data-importer SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:20279-1 Final 1 1 2026-02-26T16:03:48Z current 2026-02-26T16:03:48Z 2026-02-26T16:03:48Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for containerized-data-importer This update for containerized-data-importer fixes the following issues: Update to version 1.64.0. Security issues fixed: - CVE-2024-28180: improper handling of highly compressed data (bsc#1235204). - CVE-2024-45338: denial of service due to non-linear parsing of case-insensitive content (bsc#1235365). - CVE-2025-22868: unexpected memory consumption during token parsing in golang.org/x/oauth2 (bsc#1239205). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Leap-16.0-317 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1235204 SUSE Bug 1235204 https://bugzilla.suse.com/1235365 SUSE Bug 1235365 https://bugzilla.suse.com/1239205 SUSE Bug 1239205 https://www.suse.com/security/cve/CVE-2024-28180/ SUSE CVE CVE-2024-28180 page https://www.suse.com/security/cve/CVE-2024-45338/ SUSE CVE CVE-2024-45338 page https://www.suse.com/security/cve/CVE-2025-22868/ SUSE CVE CVE-2025-22868 page openSUSE Leap 16.0 containerized-data-importer-api-1.64.0-160000.1.1 containerized-data-importer-cloner-1.64.0-160000.1.1 containerized-data-importer-controller-1.64.0-160000.1.1 containerized-data-importer-importer-1.64.0-160000.1.1 containerized-data-importer-manifests-1.64.0-160000.1.1 containerized-data-importer-operator-1.64.0-160000.1.1 containerized-data-importer-uploadproxy-1.64.0-160000.1.1 containerized-data-importer-uploadserver-1.64.0-160000.1.1 obs-service-cdi_containers_meta-1.64.0-160000.1.1 containerized-data-importer-api-1.64.0-160000.1.1 as a component of openSUSE Leap 16.0 containerized-data-importer-cloner-1.64.0-160000.1.1 as a component of openSUSE Leap 16.0 containerized-data-importer-controller-1.64.0-160000.1.1 as a component of openSUSE Leap 16.0 containerized-data-importer-importer-1.64.0-160000.1.1 as a component of openSUSE Leap 16.0 containerized-data-importer-manifests-1.64.0-160000.1.1 as a component of openSUSE Leap 16.0 containerized-data-importer-operator-1.64.0-160000.1.1 as a component of openSUSE Leap 16.0 containerized-data-importer-uploadproxy-1.64.0-160000.1.1 as a component of openSUSE Leap 16.0 containerized-data-importer-uploadserver-1.64.0-160000.1.1 as a component of openSUSE Leap 16.0 obs-service-cdi_containers_meta-1.64.0-160000.1.1 as a component of openSUSE Leap 16.0 Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3. CVE-2024-28180 openSUSE Leap 16.0:containerized-data-importer-api-1.64.0-160000.1.1 openSUSE Leap 16.0:containerized-data-importer-cloner-1.64.0-160000.1.1 openSUSE Leap 16.0:containerized-data-importer-controller-1.64.0-160000.1.1 openSUSE Leap 16.0:containerized-data-importer-importer-1.64.0-160000.1.1 openSUSE Leap 16.0:containerized-data-importer-manifests-1.64.0-160000.1.1 openSUSE Leap 16.0:containerized-data-importer-operator-1.64.0-160000.1.1 openSUSE Leap 16.0:containerized-data-importer-uploadproxy-1.64.0-160000.1.1 openSUSE Leap 16.0:containerized-data-importer-uploadserver-1.64.0-160000.1.1 openSUSE Leap 16.0:obs-service-cdi_containers_meta-1.64.0-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-28180.html CVE-2024-28180 https://bugzilla.suse.com/1234984 SUSE Bug 1234984 An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service. CVE-2024-45338 openSUSE Leap 16.0:containerized-data-importer-api-1.64.0-160000.1.1 openSUSE Leap 16.0:containerized-data-importer-cloner-1.64.0-160000.1.1 openSUSE Leap 16.0:containerized-data-importer-controller-1.64.0-160000.1.1 openSUSE Leap 16.0:containerized-data-importer-importer-1.64.0-160000.1.1 openSUSE Leap 16.0:containerized-data-importer-manifests-1.64.0-160000.1.1 openSUSE Leap 16.0:containerized-data-importer-operator-1.64.0-160000.1.1 openSUSE Leap 16.0:containerized-data-importer-uploadproxy-1.64.0-160000.1.1 openSUSE Leap 16.0:containerized-data-importer-uploadserver-1.64.0-160000.1.1 openSUSE Leap 16.0:obs-service-cdi_containers_meta-1.64.0-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-45338.html CVE-2024-45338 https://bugzilla.suse.com/1234794 SUSE Bug 1234794 An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. CVE-2025-22868 openSUSE Leap 16.0:containerized-data-importer-api-1.64.0-160000.1.1 openSUSE Leap 16.0:containerized-data-importer-cloner-1.64.0-160000.1.1 openSUSE Leap 16.0:containerized-data-importer-controller-1.64.0-160000.1.1 openSUSE Leap 16.0:containerized-data-importer-importer-1.64.0-160000.1.1 openSUSE Leap 16.0:containerized-data-importer-manifests-1.64.0-160000.1.1 openSUSE Leap 16.0:containerized-data-importer-operator-1.64.0-160000.1.1 openSUSE Leap 16.0:containerized-data-importer-uploadproxy-1.64.0-160000.1.1 openSUSE Leap 16.0:containerized-data-importer-uploadserver-1.64.0-160000.1.1 openSUSE Leap 16.0:obs-service-cdi_containers_meta-1.64.0-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-22868.html CVE-2025-22868 https://bugzilla.suse.com/1239185 SUSE Bug 1239185 https://bugzilla.suse.com/1239186 SUSE Bug 1239186