CVE-2023-45142 (GCVE-0-2023-45142)
Vulnerability from cvelistv5 – Published: 2023-10-12 16:33 – Updated: 2025-02-13 17:13 – CWE-770 - Allocation of Resources Without Limits or Throttling
| URL | Tags |
|---|---|
| https://github.com/open-telemetry/opentelemetry-g… | x_refsource_CONFIRM |
| https://github.com/open-telemetry/opentelemetry-g… | x_refsource_MISC |
| https://github.com/open-telemetry/opentelemetry-g… | x_refsource_MISC |
| https://github.com/advisories/GHSA-cg3q-j54f-5p7p | x_refsource_MISC |
| https://github.com/open-telemetry/opentelemetry-g… | x_refsource_MISC |
| https://github.com/open-telemetry/opentelemetry-g… | x_refsource_MISC |
| https://github.com/open-telemetry/opentelemetry-g… | x_refsource_MISC |
| https://github.com/open-telemetry/opentelemetry-g… | x_refsource_MISC |
| https://lists.fedoraproject.org/archives/list/pac… | |
| Vendor | Product | Version | |
|---|---|---|---|
| open-telemetry | opentelemetry-go-contrib | Affected: < 0.44.0 | |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:14:19.751Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277"
},
{
"name": "https://github.com/advisories/GHSA-cg3q-j54f-5p7p",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/advisories/GHSA-cg3q-j54f-5p7p"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2UTRJ54INZG3OC2FTAN6AFB2RYNY2GAD/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "opentelemetry-go-contrib",
"vendor": "open-telemetry",
"versions": [
{
"status": "affected",
"version": "\u003c 0.44.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server\u0027s potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-19T03:06:08.734Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277"
},
{
"name": "https://github.com/advisories/GHSA-cg3q-j54f-5p7p",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/advisories/GHSA-cg3q-j54f-5p7p"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2UTRJ54INZG3OC2FTAN6AFB2RYNY2GAD/"
}
],
"source": {
"advisory": "GHSA-rcjv-mgp8-qvmr",
"discovery": "UNKNOWN"
},
"title": "OpenTelemetry-Go Contrib has DoS vulnerability in otelhttp due to unbound cardinality metrics"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-45142",
"datePublished": "2023-10-12T16:33:21.435Z",
"dateReserved": "2023-10-04T16:02:46.330Z",
"dateUpdated": "2025-02-13T17:13:49.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2023-45142",
"date": "2026-05-27",
"epss": "0.01159",
"percentile": "0.78843"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:go:*:*\", \"versionEndExcluding\": \"0.44.0\", \"matchCriteriaId\": \"2E7726FA-0421-40C6-B36B-3B6618D81880\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server\u0027s potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.\"}, {\"lang\": \"es\", \"value\": \"OpenTelemetry-Go Contrib es una colecci\\u00f3n de paquetes de terceros para OpenTelemetry-Go. Un contenedor de controlador listo para usar agrega etiquetas `http.user_agent` y `http.method` que tienen cardinalidad independiente. Conduce al posible agotamiento de la memoria del servidor cuando se le env\\u00edan muchas solicitudes maliciosas. Un atacante puede configurar f\\u00e1cilmente el encabezado HTTP User-Agent o el m\\u00e9todo HTTP para solicitudes para que sea aleatorio y largo. 
La librer\\u00eda utiliza internamente `httpconv.ServerRequest` que registra cada valor para el `method` HTTP y el `User-Agent`. Para verse afectado, un programa debe utilizar el contenedor `otelhttp.NewHandler` y no filtrar ning\\u00fan m\\u00e9todo HTTP desconocido o agentes de usuario en el nivel de CDN, LB, middleware anterior, etc. La versi\\u00f3n 0.44.0 solucion\\u00f3 este problema cuando el Los valores recopilados para el atributo `http.request.method` se cambiaron para restringirlos a un conjunto de valores conocidos y se eliminaron otros atributos de alta cardinalidad. Como workaround para dejar de verse afectado, se puede utilizar `otelhttp.WithFilter()`, pero requiere una configuraci\\u00f3n manual cuidadosa para no registrar ciertas solicitudes por completo. Para mayor comodidad y uso seguro de esta librer\\u00eda, deber\\u00eda marcar de forma predeterminada con la etiqueta \\\"unknown\\\" los m\\u00e9todos HTTP no est\\u00e1ndar y los agentes de usuario para mostrar que dichas solicitudes se realizaron pero no aumentan la cardinalidad. En caso de que alguien quiera seguir con el comportamiento actual, la API de la librer\\u00eda deber\\u00eda permitir habilitarlo.\"}]",
"id": "CVE-2023-45142",
"lastModified": "2024-11-21T08:26:25.920",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
"published": "2023-10-12T17:15:09.990",
"references": "[{\"url\": \"https://github.com/advisories/GHSA-cg3q-j54f-5p7p\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Product\"]}, {\"url\": \"https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Product\"]}, {\"url\": \"https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Product\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2UTRJ54INZG3OC2FTAN6AFB2RYNY2GAD/\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/advisories/GHSA-cg3q-j54f-5p7p\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": 
\"https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\"]}, {\"url\": \"https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\"]}, {\"url\": \"https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2UTRJ54INZG3OC2FTAN6AFB2RYNY2GAD/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-770\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-45142\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-10-12T17:15:09.990\",\"lastModified\":\"2024-11-21T08:26:25.920\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server\u0027s potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.\"},{\"lang\":\"es\",\"value\":\"OpenTelemetry-Go Contrib es una colecci\u00f3n de paquetes de terceros para OpenTelemetry-Go. Un contenedor de controlador listo para usar agrega etiquetas `http.user_agent` y `http.method` que tienen cardinalidad independiente. 
Conduce al posible agotamiento de la memoria del servidor cuando se le env\u00edan muchas solicitudes maliciosas. Un atacante puede configurar f\u00e1cilmente el encabezado HTTP User-Agent o el m\u00e9todo HTTP para solicitudes para que sea aleatorio y largo. La librer\u00eda utiliza internamente `httpconv.ServerRequest` que registra cada valor para el `method` HTTP y el `User-Agent`. Para verse afectado, un programa debe utilizar el contenedor `otelhttp.NewHandler` y no filtrar ning\u00fan m\u00e9todo HTTP desconocido o agentes de usuario en el nivel de CDN, LB, middleware anterior, etc. La versi\u00f3n 0.44.0 solucion\u00f3 este problema cuando el Los valores recopilados para el atributo `http.request.method` se cambiaron para restringirlos a un conjunto de valores conocidos y se eliminaron otros atributos de alta cardinalidad. Como workaround para dejar de verse afectado, se puede utilizar `otelhttp.WithFilter()`, pero requiere una configuraci\u00f3n manual cuidadosa para no registrar ciertas solicitudes por completo. Para mayor comodidad y uso seguro de esta librer\u00eda, deber\u00eda marcar de forma predeterminada con la etiqueta \\\"unknown\\\" los m\u00e9todos HTTP no est\u00e1ndar y los agentes de usuario para mostrar que dichas solicitudes se realizaron pero no aumentan la cardinalidad. 
En caso de que alguien quiera seguir con el comportamiento actual, la API de la librer\u00eda deber\u00eda permitir habilitarlo.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:go:*:*\",\"versionEndExcluding\":\"0.44.0\",\"matchCriteriaId\":\"2E7726FA-0421-40C6-B36B-3B6618D81880\"}]}]}],\"references\":[{\"url\":\"https://github.com/advisories/GHSA-cg3q-j54f-5p7p\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party 
Advisory\"]},{\"url\":\"https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2UTRJ54INZG3OC2FTAN6AFB2RYNY2GAD/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/advisories/GHSA-cg3q-j54f-5p7p\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party 
Advisory\"]},{\"url\":\"https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2UTRJ54INZG3OC2FTAN6AFB2RYNY2GAD/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
MSRC_CVE-2023-45142
Vulnerability from csaf_microsoft - Published: 2023-10-01 00:00 - Updated: 2026-02-18 02:55
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 20090-17086 | — | | |
| Unresolved product id: 19863-17084 | — | | |
| Unresolved product id: 18252-17084 | — | | |
| Unresolved product id: 20094-17084 | — | | |
| Unresolved product id: 19808-17084 | — | | |
| Unresolved product id: 18123-17086 | — | | |
| Unresolved product id: 17411-17086 | — | | |
| Unresolved product id: 18124-17086 | — | | |
| Unresolved product id: 18057-17086 | — | | |
| Unresolved product id: 17801-17084 | — | | |
| Unresolved product id: 17786-17084 | — | | |
| Unresolved product id: 18125-17084 | — | | |
| Unresolved product id: 17789-17084 | — | | |
| Unresolved product id: 18126-17084 | — | | |
| Unresolved product id: 17795-17084 | — | | |
| Unresolved product id: 17766-17084 | — | | |
| Unresolved product id: 19955-17084 | — | | |
| Unresolved product id: 19961-17084 | — | | |
| Unresolved product id: 19966-17084 | — | | |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 17086-2 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-7 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-9 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-1 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-8 | — | | Vendor Fix: fix |
| Unresolved product id: 17086-13 | — | | Vendor Fix: fix |
| Unresolved product id: 17086-20 | — | | Vendor Fix: fix |
| Unresolved product id: 17086-12 | — | | Vendor Fix: fix |
| Unresolved product id: 17086-14 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-15 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-18 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-11 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-17 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-10 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-16 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-19 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-6 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-5 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-4 | — | | Vendor Fix: fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 17084-3 | — | | |
| URL | Category |
|---|---|
| https://msrc.microsoft.com/csaf/vex/2023/msrc_cve… | self |
| https://support.microsoft.com/lifecycle | external |
| https://www.first.org/cvss | external |
| https://msrc.microsoft.com/csaf/vex/2023/msrc_cve… | self |
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2023-45142 OpenTelemetry-Go Contrib has DoS vulnerability in otelhttp due to unbound cardinality metrics - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2023/msrc_cve-2023-45142.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "OpenTelemetry-Go Contrib has DoS vulnerability in otelhttp due to unbound cardinality metrics",
"tracking": {
"current_release_date": "2026-02-18T02:55:42.000Z",
"generator": {
"date": "2026-02-18T11:57:01.060Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2023-45142",
"initial_release_date": "2023-10-01T00:00:00.000Z",
"revision_history": [
{
"date": "2024-01-21T00:00:00.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
},
{
"date": "2023-10-16T00:00:00.000Z",
"legacy_version": "1.1",
"number": "2",
"summary": "Information published."
},
{
"date": "2024-06-30T07:00:00.000Z",
"legacy_version": "1.2",
"number": "3",
"summary": "Information published."
},
{
"date": "2024-08-25T00:00:00.000Z",
"legacy_version": "1.3",
"number": "4",
"summary": "Information published."
},
{
"date": "2024-08-26T00:00:00.000Z",
"legacy_version": "1.4",
"number": "5",
"summary": "Information published."
},
{
"date": "2024-08-27T00:00:00.000Z",
"legacy_version": "1.5",
"number": "6",
"summary": "Information published."
},
{
"date": "2024-08-28T00:00:00.000Z",
"legacy_version": "1.6",
"number": "7",
"summary": "Information published."
},
{
"date": "2024-08-29T00:00:00.000Z",
"legacy_version": "1.7",
"number": "8",
"summary": "Information published."
},
{
"date": "2024-08-30T00:00:00.000Z",
"legacy_version": "1.8",
"number": "9",
"summary": "Information published."
},
{
"date": "2024-08-31T00:00:00.000Z",
"legacy_version": "1.9",
"number": "10",
"summary": "Information published."
},
{
"date": "2024-09-01T00:00:00.000Z",
"legacy_version": "2",
"number": "11",
"summary": "Information published."
},
{
"date": "2024-09-02T00:00:00.000Z",
"legacy_version": "2.1",
"number": "12",
"summary": "Information published."
},
{
"date": "2024-09-03T00:00:00.000Z",
"legacy_version": "2.2",
"number": "13",
"summary": "Information published."
},
{
"date": "2024-09-05T00:00:00.000Z",
"legacy_version": "2.3",
"number": "14",
"summary": "Information published."
},
{
"date": "2024-09-06T00:00:00.000Z",
"legacy_version": "2.4",
"number": "15",
"summary": "Information published."
},
{
"date": "2024-09-07T00:00:00.000Z",
"legacy_version": "2.5",
"number": "16",
"summary": "Information published."
},
{
"date": "2024-09-08T00:00:00.000Z",
"legacy_version": "2.6",
"number": "17",
"summary": "Information published."
},
{
"date": "2024-09-11T00:00:00.000Z",
"legacy_version": "2.7",
"number": "18",
"summary": "Information published."
},
{
"date": "2026-02-18T02:55:42.000Z",
"legacy_version": "2.8",
"number": "19",
"summary": "Information published."
}
],
"status": "final",
"version": "19"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "2.0",
"product": {
"name": "CBL Mariner 2.0",
"product_id": "17086"
}
},
{
"category": "product_version",
"name": "3.0",
"product": {
"name": "Azure Linux 3.0",
"product_id": "17084"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003ccbl2 opa 0.50.2-8",
"product": {
"name": "\u003ccbl2 opa 0.50.2-8",
"product_id": "2"
}
},
{
"category": "product_version",
"name": "cbl2 opa 0.50.2-8",
"product": {
"name": "cbl2 opa 0.50.2-8",
"product_id": "20090"
}
},
{
"category": "product_version_range",
"name": "\u003ccbl2 opa 0.63.0-1",
"product": {
"name": "\u003ccbl2 opa 0.63.0-1",
"product_id": "20"
}
},
{
"category": "product_version",
"name": "cbl2 opa 0.63.0-1",
"product": {
"name": "cbl2 opa 0.63.0-1",
"product_id": "17411"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 opa 0.63.0-1",
"product": {
"name": "\u003cazl3 opa 0.63.0-1",
"product_id": "17"
}
},
{
"category": "product_version",
"name": "azl3 opa 0.63.0-1",
"product": {
"name": "azl3 opa 0.63.0-1",
"product_id": "17789"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 opa 0.55.0-1",
"product": {
"name": "\u003cazl3 opa 0.55.0-1",
"product_id": "5"
}
},
{
"category": "product_version",
"name": "azl3 opa 0.55.0-1",
"product": {
"name": "azl3 opa 0.55.0-1",
"product_id": "19961"
}
}
],
"category": "product_name",
"name": "opa"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cazl3 cert-manager 1.11.2-8",
"product": {
"name": "\u003cazl3 cert-manager 1.11.2-8",
"product_id": "7"
}
},
{
"category": "product_version",
"name": "azl3 cert-manager 1.11.2-8",
"product": {
"name": "azl3 cert-manager 1.11.2-8",
"product_id": "19863"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 cert-manager 1.12.12-1",
"product": {
"name": "\u003cazl3 cert-manager 1.12.12-1",
"product_id": "19"
}
},
{
"category": "product_version",
"name": "azl3 cert-manager 1.12.12-1",
"product": {
"name": "azl3 cert-manager 1.12.12-1",
"product_id": "17766"
}
}
],
"category": "product_name",
"name": "cert-manager"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cazl3 kubernetes 1.28.7-2",
"product": {
"name": "\u003cazl3 kubernetes 1.28.7-2",
"product_id": "9"
}
},
{
"category": "product_version",
"name": "azl3 kubernetes 1.28.7-2",
"product": {
"name": "azl3 kubernetes 1.28.7-2",
"product_id": "18252"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 kubernetes 1.29.1-2",
"product": {
"name": "\u003cazl3 kubernetes 1.29.1-2",
"product_id": "10"
}
},
{
"category": "product_version",
"name": "azl3 kubernetes 1.29.1-2",
"product": {
"name": "azl3 kubernetes 1.29.1-2",
"product_id": "18126"
}
}
],
"category": "product_name",
"name": "kubernetes"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cazl3 prometheus 2.37.0-11",
"product": {
"name": "\u003cazl3 prometheus 2.37.0-11",
"product_id": "1"
}
},
{
"category": "product_version",
"name": "azl3 prometheus 2.37.0-11",
"product": {
"name": "azl3 prometheus 2.37.0-11",
"product_id": "20094"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 prometheus 2.45.4-1",
"product": {
"name": "\u003cazl3 prometheus 2.45.4-1",
"product_id": "11"
}
},
{
"category": "product_version",
"name": "azl3 prometheus 2.45.4-1",
"product": {
"name": "azl3 prometheus 2.45.4-1",
"product_id": "18125"
}
}
],
"category": "product_name",
"name": "prometheus"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cazl3 docker-buildx 0.12.1-1",
"product": {
"name": "\u003cazl3 docker-buildx 0.12.1-1",
"product_id": "8"
}
},
{
"category": "product_version",
"name": "azl3 docker-buildx 0.12.1-1",
"product": {
"name": "azl3 docker-buildx 0.12.1-1",
"product_id": "19808"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 docker-buildx 0.14.0-1",
"product": {
"name": "\u003cazl3 docker-buildx 0.14.0-1",
"product_id": "15"
}
},
{
"category": "product_version",
"name": "azl3 docker-buildx 0.14.0-1",
"product": {
"name": "azl3 docker-buildx 0.14.0-1",
"product_id": "17801"
}
}
],
"category": "product_name",
"name": "docker-buildx"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003ccbl2 moby-engine 24.0.9-10",
"product": {
"name": "\u003ccbl2 moby-engine 24.0.9-10",
"product_id": "13"
}
},
{
"category": "product_version",
"name": "cbl2 moby-engine 24.0.9-10",
"product": {
"name": "cbl2 moby-engine 24.0.9-10",
"product_id": "18123"
}
}
],
"category": "product_name",
"name": "moby-engine"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003ccbl2 moby-compose 2.17.3-7",
"product": {
"name": "\u003ccbl2 moby-compose 2.17.3-7",
"product_id": "12"
}
},
{
"category": "product_version",
"name": "cbl2 moby-compose 2.17.3-7",
"product": {
"name": "cbl2 moby-compose 2.17.3-7",
"product_id": "18124"
}
}
],
"category": "product_name",
"name": "moby-compose"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003ccbl2 cri-tools 1.29.0-2",
"product": {
"name": "\u003ccbl2 cri-tools 1.29.0-2",
"product_id": "14"
}
},
{
"category": "product_version",
"name": "cbl2 cri-tools 1.29.0-2",
"product": {
"name": "cbl2 cri-tools 1.29.0-2",
"product_id": "18057"
}
}
],
"category": "product_name",
"name": "cri-tools"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cazl3 prometheus-adapter 0.12.0-1",
"product": {
"name": "\u003cazl3 prometheus-adapter 0.12.0-1",
"product_id": "18"
}
},
{
"category": "product_version",
"name": "azl3 prometheus-adapter 0.12.0-1",
"product": {
"name": "azl3 prometheus-adapter 0.12.0-1",
"product_id": "17786"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 prometheus-adapter 0.11.2-1",
"product": {
"name": "\u003cazl3 prometheus-adapter 0.11.2-1",
"product_id": "4"
}
},
{
"category": "product_version",
"name": "azl3 prometheus-adapter 0.11.2-1",
"product": {
"name": "azl3 prometheus-adapter 0.11.2-1",
"product_id": "19966"
}
}
],
"category": "product_name",
"name": "prometheus-adapter"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cazl3 kube-vip-cloud-provider 0.0.10-1",
"product": {
"name": "\u003cazl3 kube-vip-cloud-provider 0.0.10-1",
"product_id": "16"
}
},
{
"category": "product_version",
"name": "azl3 kube-vip-cloud-provider 0.0.10-1",
"product": {
"name": "azl3 kube-vip-cloud-provider 0.0.10-1",
"product_id": "17795"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 kube-vip-cloud-provider 0.0.7-1",
"product": {
"name": "\u003cazl3 kube-vip-cloud-provider 0.0.7-1",
"product_id": "6"
}
},
{
"category": "product_version",
"name": "azl3 kube-vip-cloud-provider 0.0.7-1",
"product": {
"name": "azl3 kube-vip-cloud-provider 0.0.7-1",
"product_id": "19955"
}
}
],
"category": "product_name",
"name": "kube-vip-cloud-provider"
},
{
"category": "product_name",
"name": "azl3 cloud-provider-kubevirt 0.5.1-1",
"product": {
"name": "azl3 cloud-provider-kubevirt 0.5.1-1",
"product_id": "3"
}
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 opa 0.50.2-8 as a component of CBL Mariner 2.0",
"product_id": "17086-2"
},
"product_reference": "2",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 opa 0.50.2-8 as a component of CBL Mariner 2.0",
"product_id": "20090-17086"
},
"product_reference": "20090",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 cert-manager 1.11.2-8 as a component of Azure Linux 3.0",
"product_id": "17084-7"
},
"product_reference": "7",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 cert-manager 1.11.2-8 as a component of Azure Linux 3.0",
"product_id": "19863-17084"
},
"product_reference": "19863",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 kubernetes 1.28.7-2 as a component of Azure Linux 3.0",
"product_id": "17084-9"
},
"product_reference": "9",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 kubernetes 1.28.7-2 as a component of Azure Linux 3.0",
"product_id": "18252-17084"
},
"product_reference": "18252",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 prometheus 2.37.0-11 as a component of Azure Linux 3.0",
"product_id": "17084-1"
},
"product_reference": "1",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 prometheus 2.37.0-11 as a component of Azure Linux 3.0",
"product_id": "20094-17084"
},
"product_reference": "20094",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 docker-buildx 0.12.1-1 as a component of Azure Linux 3.0",
"product_id": "17084-8"
},
"product_reference": "8",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 docker-buildx 0.12.1-1 as a component of Azure Linux 3.0",
"product_id": "19808-17084"
},
"product_reference": "19808",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 moby-engine 24.0.9-10 as a component of CBL Mariner 2.0",
"product_id": "17086-13"
},
"product_reference": "13",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 moby-engine 24.0.9-10 as a component of CBL Mariner 2.0",
"product_id": "18123-17086"
},
"product_reference": "18123",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 opa 0.63.0-1 as a component of CBL Mariner 2.0",
"product_id": "17086-20"
},
"product_reference": "20",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 opa 0.63.0-1 as a component of CBL Mariner 2.0",
"product_id": "17411-17086"
},
"product_reference": "17411",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 moby-compose 2.17.3-7 as a component of CBL Mariner 2.0",
"product_id": "17086-12"
},
"product_reference": "12",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 moby-compose 2.17.3-7 as a component of CBL Mariner 2.0",
"product_id": "18124-17086"
},
"product_reference": "18124",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 cri-tools 1.29.0-2 as a component of CBL Mariner 2.0",
"product_id": "17086-14"
},
"product_reference": "14",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 cri-tools 1.29.0-2 as a component of CBL Mariner 2.0",
"product_id": "18057-17086"
},
"product_reference": "18057",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 docker-buildx 0.14.0-1 as a component of Azure Linux 3.0",
"product_id": "17084-15"
},
"product_reference": "15",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 docker-buildx 0.14.0-1 as a component of Azure Linux 3.0",
"product_id": "17801-17084"
},
"product_reference": "17801",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 prometheus-adapter 0.12.0-1 as a component of Azure Linux 3.0",
"product_id": "17084-18"
},
"product_reference": "18",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 prometheus-adapter 0.12.0-1 as a component of Azure Linux 3.0",
"product_id": "17786-17084"
},
"product_reference": "17786",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 prometheus 2.45.4-1 as a component of Azure Linux 3.0",
"product_id": "17084-11"
},
"product_reference": "11",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 prometheus 2.45.4-1 as a component of Azure Linux 3.0",
"product_id": "18125-17084"
},
"product_reference": "18125",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 opa 0.63.0-1 as a component of Azure Linux 3.0",
"product_id": "17084-17"
},
"product_reference": "17",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 opa 0.63.0-1 as a component of Azure Linux 3.0",
"product_id": "17789-17084"
},
"product_reference": "17789",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 kubernetes 1.29.1-2 as a component of Azure Linux 3.0",
"product_id": "17084-10"
},
"product_reference": "10",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 kubernetes 1.29.1-2 as a component of Azure Linux 3.0",
"product_id": "18126-17084"
},
"product_reference": "18126",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 kube-vip-cloud-provider 0.0.10-1 as a component of Azure Linux 3.0",
"product_id": "17084-16"
},
"product_reference": "16",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 kube-vip-cloud-provider 0.0.10-1 as a component of Azure Linux 3.0",
"product_id": "17795-17084"
},
"product_reference": "17795",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 cert-manager 1.12.12-1 as a component of Azure Linux 3.0",
"product_id": "17084-19"
},
"product_reference": "19",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 cert-manager 1.12.12-1 as a component of Azure Linux 3.0",
"product_id": "17766-17084"
},
"product_reference": "17766",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 kube-vip-cloud-provider 0.0.7-1 as a component of Azure Linux 3.0",
"product_id": "17084-6"
},
"product_reference": "6",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 kube-vip-cloud-provider 0.0.7-1 as a component of Azure Linux 3.0",
"product_id": "19955-17084"
},
"product_reference": "19955",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 opa 0.55.0-1 as a component of Azure Linux 3.0",
"product_id": "17084-5"
},
"product_reference": "5",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 opa 0.55.0-1 as a component of Azure Linux 3.0",
"product_id": "19961-17084"
},
"product_reference": "19961",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 prometheus-adapter 0.11.2-1 as a component of Azure Linux 3.0",
"product_id": "17084-4"
},
"product_reference": "4",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 prometheus-adapter 0.11.2-1 as a component of Azure Linux 3.0",
"product_id": "19966-17084"
},
"product_reference": "19966",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 cloud-provider-kubevirt 0.5.1-1 as a component of Azure Linux 3.0",
"product_id": "17084-3"
},
"product_reference": "3",
"relates_to_product_reference": "17084"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-45142",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"flags": [
{
"label": "component_not_present",
"product_ids": [
"17084-3"
]
}
],
"notes": [
{
"category": "general",
"text": "GitHub_M",
"title": "Assigning CNA"
}
],
"product_status": {
"fixed": [
"20090-17086",
"19863-17084",
"18252-17084",
"20094-17084",
"19808-17084",
"18123-17086",
"17411-17086",
"18124-17086",
"18057-17086",
"17801-17084",
"17786-17084",
"18125-17084",
"17789-17084",
"18126-17084",
"17795-17084",
"17766-17084",
"19955-17084",
"19961-17084",
"19966-17084"
],
"known_affected": [
"17086-2",
"17084-7",
"17084-9",
"17084-1",
"17084-8",
"17086-13",
"17086-20",
"17086-12",
"17086-14",
"17084-15",
"17084-18",
"17084-11",
"17084-17",
"17084-10",
"17084-16",
"17084-19",
"17084-6",
"17084-5",
"17084-4"
],
"known_not_affected": [
"17084-3"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2023-45142 OpenTelemetry-Go Contrib has DoS vulnerability in otelhttp due to unbound cardinality metrics - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2023/msrc_cve-2023-45142.json"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-10-16T00:00:00.000Z",
"details": "0.63.0-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17086-2",
"17086-20",
"17084-17",
"17084-5"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2023-10-16T00:00:00.000Z",
"details": "1.12.12-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-7",
"17084-19"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2023-10-16T00:00:00.000Z",
"details": "1.29.1-2:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-9",
"17084-10"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2023-10-16T00:00:00.000Z",
"details": "2.45.4-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-1",
"17084-11"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2023-10-16T00:00:00.000Z",
"details": "0.14.0-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-8",
"17084-15"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2023-10-16T00:00:00.000Z",
"details": "24.0.9-10:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17086-13"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2023-10-16T00:00:00.000Z",
"details": "2.17.3-7:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17086-12"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2023-10-16T00:00:00.000Z",
"details": "1.29.0-2:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17086-14"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2023-10-16T00:00:00.000Z",
"details": "0.12.0-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-18",
"17084-4"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2023-10-16T00:00:00.000Z",
"details": "0.0.10-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-16",
"17084-6"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalsScore": 0.0,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"17086-2",
"17084-7",
"17084-9",
"17084-1",
"17084-8",
"17086-13",
"17086-20",
"17086-12",
"17086-14",
"17084-15",
"17084-18",
"17084-11",
"17084-17",
"17084-10",
"17084-16",
"17084-19",
"17084-6",
"17084-5",
"17084-4"
]
}
],
"title": "OpenTelemetry-Go Contrib has DoS vulnerability in otelhttp due to unbound cardinality metrics"
}
]
}
OPENSUSE-SU-2024:0211-1
Vulnerability from csaf_opensuse - Published: 2024-07-22 09:11 - Updated: 2024-07-22 09:11

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.i586 | — | | Vendor Fix |
| Unresolved product id: SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Package Hub 15 SP5:caddy-bash-completion-2.8.4-bp155.2.3.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Package Hub 15 SP5:caddy-fish-completion-2.8.4-bp155.2.3.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Package Hub 15 SP5:caddy-zsh-completion-2.8.4-bp155.2.3.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.i586 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:caddy-bash-completion-2.8.4-bp155.2.3.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:caddy-fish-completion-2.8.4-bp155.2.3.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:caddy-zsh-completion-2.8.4-bp155.2.3.1.noarch | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for caddy",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for caddy fixes the following issues:\n\nUpdate to version 2.8.4:\n\n * cmd: fix regression in auto-detect of Caddyfile (#6362)\n * Tag v2.8.3 was mistakenly made on the v2.8.2 commit and is skipped\n\nUpdate to version 2.8.2:\n\n * cmd: fix auto-detetction of .caddyfile extension (#6356)\n * caddyhttp: properly sanitize requests for root path (#6360)\n * caddytls: Implement certmagic.RenewalInfoGetter\n\nUpdate to version 2.8.1:\n\n * caddyhttp: Fix merging consecutive `client_ip` or `remote_ip` matchers (#6350)\n * core: MkdirAll appDataDir in InstanceID with 0o700 (#6340)\n\nUpdate to version 2.8.0:\n\n * acmeserver: Add `sign_with_root` for Caddyfile (#6345)\n * caddyfile: Reject global request matchers earlier (#6339)\n * core: Fix bug in AppIfConfigured (fix #6336)\n * fix a typo (#6333)\n * autohttps: Move log WARN to INFO, reduce confusion (#6185)\n * reverseproxy: Support HTTP/3 transport to backend (#6312)\n * context: AppIfConfigured returns error; consider not-yet-provisioned modules (#6292)\n * Fix lint error about deprecated method in smallstep/certificates/authority\n * go.mod: Upgrade dependencies\n * caddytls: fix permission requirement with AutomationPolicy (#6328)\n * caddytls: remove ClientHelloSNICtxKey (#6326)\n * caddyhttp: Trace individual middleware handlers (#6313)\n * templates: Add `pathEscape` template function and use it in file browser (#6278)\n * caddytls: set server name in context (#6324)\n * chore: downgrade minimum Go version in go.mod (#6318)\n * caddytest: normalize the JSON config (#6316)\n * caddyhttp: New experimental handler for intercepting responses (#6232)\n * httpcaddyfile: Set challenge ports when http_port or https_port are used\n * logging: Add support for additional logger filters other than hostname (#6082)\n * caddyhttp: Log 4xx as INFO; 5xx as ERROR (close #6106)\n * caddyhttp: Alter log message when request is unhandled (close #5182)\n * reverseproxy: Pointer to struct when loading modules; 
remove LazyCertPool (#6307)\n * tracing: add trace_id var (`http.vars.trace_id` placeholder) (#6308)\n * go.mod: CertMagic v0.21.0\n * reverseproxy: Implement health_follow_redirects (#6302)\n * caddypki: Allow use of root CA without a key. Fixes #6290 (#6298)\n * go.mod: Upgrade to quic-go v0.43.1\n * reverseproxy: HTTP transport: fix PROXY protocol initialization (#6301)\n * caddytls: Ability to drop connections (close #6294)\n * httpcaddyfile: Fix expression matcher shortcut in snippets (#6288)\n * caddytls: Evict internal certs from cache based on issuer (#6266)\n * chore: add warn logs when using deprecated fields (#6276)\n * caddyhttp: Fix linter warning about deprecation\n * go.mod: Upgrade to quic-go v0.43.0\n * fileserver: Set \u0027Vary: Accept-Encoding\u0027 header (see #5849)\n * events: Add debug log\n * reverseproxy: handle buffered data during hijack (#6274)\n * ci: remove `android` and `plan9` from cross-build workflow (#6268)\n * run `golangci-lint run --fix --fast` (#6270)\n * caddytls: Option to configure certificate lifetime (#6253)\n * replacer: Implement `file.*` global replacements (#5463)\n * caddyhttp: Address some Go 1.20 features (#6252)\n * Quell linter (false positive)\n * reverse_proxy: Add grace_period for SRV upstreams to Caddyfile (#6264)\n * doc: add `verifier` in `ClientAuthentication` caddyfile marshaler doc (#6263)\n * caddytls: Add Caddyfile support for on-demand permission module (close #6260)\n * reverseproxy: Remove long-deprecated buffering properties\n * reverseproxy: Reuse buffered request body even if partially drained\n * reverseproxy: Accept EOF when buffering\n * logging: Fix default access logger (#6251)\n * fileserver: Improve Vary handling (#5849)\n * cmd: Only validate config is proper JSON if config slice has data (#6250)\n * staticresp: Use the evaluated response body for sniffing JSON content-type (#6249)\n * encode: Slight fix for the previous commit\n * encode: Improve Etag handling (fix #5849)\n * 
httpcaddyfile: Skip automate loader if disable_certs is specified (fix #6148)\n * caddyfile: Populate regexp matcher names by default (#6145)\n * caddyhttp: record num. bytes read when response writer is hijacked (#6173)\n * caddyhttp: Support multiple logger names per host (#6088)\n * chore: fix some typos in comments (#6243)\n * encode: Configurable compression level for zstd (#6140)\n * caddytls: Remove shim code supporting deprecated lego-dns (#6231)\n * connection policy: add `local_ip` matcher (#6074)\n * reverseproxy: Wait for both ends of websocket to close (#6175)\n * caddytls: Upgrade ACMEz to v2; support ZeroSSL API; various fixes (#6229)\n * caddytls: Still provision permission module if ask is specified\n * fileserver: read etags from precomputed files (#6222)\n * fileserver: Escape # and ? in img src (fix #6237)\n * reverseproxy: Implement modular CA provider for TLS transport (#6065)\n * caddyhttp: Apply auto HTTPS redir to all interfaces (fix #6226)\n * cmd: Fix panic related to config filename (fix #5919)\n * cmd: Assume Caddyfile based on filename prefix and suffix (#5919)\n * admin: Make `Etag` a header, not a trailer (#6208)\n * caddyhttp: remove duplicate strings.Count in path matcher (fixes #6233) (#6234)\n * caddyconfig: Use empty struct instead of bool in map (close #6224) (#6227)\n * gitignore: Add rule for caddyfile.go (#6225)\n * chore: Fix broken links in README.md (#6223)\n * chore: Upgrade some dependencies (#6221)\n * caddyhttp: Add plaintext response to `file_server browse` (#6093)\n * admin: Use xxhash for etag (#6207)\n * modules: fix some typo in conments (#6206)\n * caddyhttp: Replace sensitive headers with REDACTED (close #5669)\n * caddyhttp: close quic connections when server closes (#6202)\n * reverseproxy: Use xxhash instead of fnv32 for LB (#6203)\n * caddyhttp: add http.request.local{,.host,.port} placeholder (#6182)\n * chore: remove repetitive word (#6193)\n * Added a null check to avoid segfault on rewrite query ops 
(#6191)\n * rewrite: `uri query` replace operation (#6165)\n * logging: support `ms` duration format and add docs (#6187)\n * replacer: use RWMutex to protect static provider (#6184)\n * caddyhttp: Allow `header` replacement with empty string (#6163)\n * vars: Make nil values act as empty string instead of `\u0027\u003cnil\u003e\u0027` (#6174)\n * chore: Update quic-go to v0.42.0 (#6176)\n * caddyhttp: Accept XFF header values with ports, when parsing client IP (#6183)\n * reverseproxy: configurable active health_passes and health_fails (#6154)\n * reverseproxy: Configurable forward proxy URL (#6114)\n * caddyhttp: upgrade to cel v0.20.0 (#6161)\n * chore: Bump Chroma to v2.13.0, includes new Caddyfile lexer (#6169)\n * caddyhttp: suppress flushing if the response is being buffered (#6150)\n * chore: encode: use FlushError instead of Flush (#6168)\n * encode: write status immediately when status code is informational (#6164)\n * httpcaddyfile: Keep deprecated `skip_log` in directive order (#6153)\n * httpcaddyfile: Add `RegisterDirectiveOrder` function for plugin authors (#5865)\n * rewrite: Implement `uri query` operations (#6120)\n * fix struct names (#6151)\n * fileserver: Preserve query during canonicalization redirect (#6109)\n * logging: Implement `log_append` handler (#6066)\n * httpcaddyfile: Allow nameless regexp placeholder shorthand (#6113)\n * logging: Implement `append` encoder, allow flatter filters config (#6069)\n * ci: fix the integration test `TestLeafCertLoaders` (#6149)\n * vars: Allow overriding `http.auth.user.id` in replacer as a special case (#6108)\n * caddytls: clientauth: leaf verifier: make trusted leaf certs source pluggable (#6050)\n * cmd: Adjust config load logs/errors (#6032)\n * reverseproxy: SRV dynamic upstream failover (#5832)\n * ci: bump golangci/golangci-lint-action from 3 to 4 (#6141)\n * core: OnExit hooks (#6128)\n * cmd: fix the output of the `Usage` section (#6138)\n * caddytls: verifier: caddyfile: re-add Caddyfile 
support (#6127)\n * acmeserver: add policy field to define allow/deny rules (#5796)\n * reverseproxy: cookie should be Secure and SameSite=None when TLS (#6115)\n * caddytest: Rename adapt tests to `*.caddyfiletest` extension (#6119)\n * tests: uses testing.TB interface for helper to be able to use test server in benchmarks. (#6103)\n * caddyfile: Assert having a space after heredoc marker to simply check (#6117)\n * chore: Update Chroma to get the new Caddyfile lexer (#6118)\n * reverseproxy: use context.WithoutCancel (#6116)\n * caddyfile: Reject directives in the place of site addresses (#6104)\n * caddyhttp: Register post-shutdown callbacks (#5948)\n * caddyhttp: Only attempt to enable full duplex for HTTP/1.x (#6102)\n * caddyauth: Drop support for `scrypt` (#6091)\n * Revert \u0027caddyfile: Reject long heredoc markers (#6098)\u0027 (#6100)\n * caddyauth: Rename `basicauth` to `basic_auth` (#6092)\n * logging: Inline Caddyfile syntax for `ip_mask` filter (#6094)\n * caddyfile: Reject long heredoc markers (#6098)\n * chore: Rename CI jobs, run on M1 mac (#6089)\n * fix: add back text/*\n * fix: add more media types to the compressed by default list\n * acmeserver: support specifying the allowed challenge types (#5794)\n * matchers: Drop `forwarded` option from `remote_ip` matcher (#6085)\n * caddyhttp: Test cases for `%2F` and `%252F` (#6084)\n * fileserver: Browse can show symlink target if enabled (#5973)\n * core: Support NO_COLOR env var to disable log coloring (#6078)\n * Update comment in setcap helper script\n * caddytls: Make on-demand \u0027ask\u0027 permission modular (#6055)\n * core: Add `ctx.Slogger()` which returns an `slog` logger (#5945)\n * chore: Update quic-go to v0.41.0, bump Go minimum to 1.21 (#6043)\n * chore: enabling a few more linters (#5961)\n * caddyfile: Correctly close the heredoc when the closing marker appears immediately (#6062)\n * caddyfile: Switch to slices.Equal for better performance (#6061)\n * tls: modularize trusted CA 
providers (#5784)\n * logging: Automatic `wrap` default for `filter` encoder (#5980)\n * caddyhttp: Fix panic when request missing ClientIPVarKey (#6040)\n * caddyfile: Normalize \u0026 flatten all unmarshalers (#6037)\n * cmd: reverseproxy: log: use caddy logger (#6042)\n * matchers: `query` now ANDs multiple keys (#6054)\n * caddyfile: Add heredoc support to `fmt` command (#6056)\n * refactor: move automaxprocs init in caddycmd.Main()\n * caddyfile: Allow heredoc blank lines (#6051)\n * httpcaddyfile: Add optional status code argument to `handle_errors` directive (#5965)\n * httpcaddyfile: Rewrite `root` and `rewrite` parsing to allow omitting matcher (#5844)\n * fileserver: Implement caddyfile.Unmarshaler interface (#5850)\n * reverseproxy: Add `tls_curves` option to HTTP transport (#5851)\n * caddyhttp: Security enhancements for client IP parsing (#5805)\n * replacer: Fix escaped closing braces (#5995)\n * filesystem: Globally declared filesystems, `fs` directive (#5833)\n * ci/cd: use the build tag `nobadger` to exclude badgerdb (#6031)\n * httpcaddyfile: Fix redir \u003cto\u003e html (#6001)\n * httpcaddyfile: Support client auth verifiers (#6022)\n * tls: add reuse_private_keys (#6025)\n * reverseproxy: Only change Content-Length when full request is buffered (#5830)\n * Switch Solaris-derivatives away from listen_unix (#6021)\n * chore: check against errors of `io/fs` instead of `os` (#6011)\n * caddyhttp: support unix sockets in `caddy respond` command (#6010)\n * fileserver: Add total file size to directory listing (#6003)\n * httpcaddyfile: Fix cert file decoding to load multiple PEM in one file (#5997)\n * cmd: use automaxprocs for better perf in containers (#5711)\n * logging: Add `zap.Option` support (#5944)\n * httpcaddyfile: Sort skip_hosts for deterministic JSON (#5990)\n * metrics: Record request metrics on HTTP errors (#5979)\n * go.mod: Updated quic-go to v0.40.1 (#5983)\n * fileserver: Enable compression for command by default (#5855)\n * 
fileserver: New --precompressed flag (#5880)\n * caddyhttp: Add `uuid` to access logs when used (#5859)\n * proxyprotocol: use github.com/pires/go-proxyproto (#5915)\n * cmd: Preserve LastModified date when exporting storage (#5968)\n * core: Always make AppDataDir for InstanceID (#5976)\n * chore: cross-build for AIX (#5971)\n * caddytls: Sync distributed storage cleaning (#5940)\n * caddytls: Context to DecisionFunc (#5923)\n * tls: accept placeholders in string values of certificate loaders (#5963)\n * templates: Officially make templates extensible (#5939)\n * http2 uses new round-robin scheduler (#5946)\n * panic when reading from backend failed to propagate stream error (#5952)\n * chore: Bump otel to v1.21.0. (#5949)\n * httpredirectlistener: Only set read limit for when request is HTTP (#5917)\n * fileserver: Add .m4v for browse template icon\n * Revert \u0027caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)\u0027 (#5924)\n * go.mod: update quic-go version to v0.40.0 (#5922)\n * update quic-go to v0.39.3 (#5918)\n * chore: Fix usage pool comment (#5916)\n * test: acmeserver: add smoke test for the ACME server directory (#5914)\n * Upgrade acmeserver to github.com/go-chi/chi/v5 (#5913)\n * caddyhttp: Adjust `scheme` placeholder docs (#5910)\n * go.mod: Upgrade quic-go to v0.39.1\n * go.mod: CVE-2023-45142 Update opentelemetry (#5908)\n * templates: Delete headers on `httpError` to reset to clean slate (#5905)\n * httpcaddyfile: Remove port from logger names (#5881)\n * core: Apply SO_REUSEPORT to UDP sockets (#5725)\n * caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)\n * cmd: Add newline character to version string in CLI output (#5895)\n * core: quic listener will manage the underlying socket by itself (#5749)\n * templates: Clarify `include` args docs, add `.ClientIP` (#5898)\n * httpcaddyfile: Fix TLS automation policy merging with get_certificate (#5896)\n * cmd: upgrade: resolve symlink of the executable (#5891)\n * 
caddyfile: Fix variadic placeholder false positive when token contains `:` (#5883)\n\n- CVEs:\n * CVE-2024-22189 (boo#1222468)\n * CVE-2023-45142\n\n- Remove the manual user/group provides: the package uses\n sysusers.d; the auto-provides were not working due to the broken\n go_provides.\n\n- Provide user and group (due to RPM 4.19)\n- Update caddy.sysusers to also create a group\n\n- Update to version 2.7.6:\n\n * caddytls: Sync distributed storage cleaning (#5940)\n * caddytls: Context to DecisionFunc (#5923)\n * tls: accept placeholders in string values of certificate loaders (#5963)\n * templates: Officially make templates extensible (#5939)\n * http2 uses new round-robin scheduler (#5946)\n * panic when reading from backend failed to propagate stream error (#5952)\n * chore: Bump otel to v1.21.0. (#5949)\n * httpredirectlistener: Only set read limit for when request is HTTP (#5917)\n * fileserver: Add .m4v for browse template icon\n * Revert \u0027caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)\u0027 (#5924)\n * go.mod: update quic-go version to v0.40.0 (#5922)\n * update quic-go to v0.39.3 (#5918)\n * chore: Fix usage pool comment (#5916)\n * test: acmeserver: add smoke test for the ACME server directory (#5914)\n * Upgrade acmeserver to github.com/go-chi/chi/v5 (#5913)\n * caddyhttp: Adjust `scheme` placeholder docs (#5910)\n * go.mod: Upgrade quic-go to v0.39.1\n * go.mod: CVE-2023-45142 Update opentelemetry (#5908)\n * templates: Delete headers on `httpError` to reset to clean slate (#5905)\n * httpcaddyfile: Remove port from logger names (#5881)\n * core: Apply SO_REUSEPORT to UDP sockets (#5725)\n * caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)\n * cmd: Add newline character to version string in CLI output (#5895)\n * core: quic listener will manage the underlying socket by itself (#5749)\n * templates: Clarify `include` args docs, add `.ClientIP` (#5898)\n * httpcaddyfile: Fix TLS automation policy merging with 
get_certificate (#5896)\n * cmd: upgrade: resolve symlink of the executable (#5891)\n * caddyfile: Fix variadic placeholder false positive when token contains `:` (#5883)\n\n- Update to version 2.7.5:\n\n * admin: Respond with 4xx on non-existing config path (#5870)\n * ci: Force the Go version for govulncheck (#5879)\n * fileserver: Set canonical URL on browse template (#5867)\n * tls: Add X25519Kyber768Draft00 PQ \u0027curve\u0027 behind build tag (#5852)\n * reverseproxy: Add more debug logs (#5793)\n * reverseproxy: Fix `least_conn` policy regression (#5862)\n * reverseproxy: Add logging for dynamic A upstreams (#5857)\n * reverseproxy: Replace health header placeholders (#5861)\n * httpcaddyfile: Sort TLS SNI matcher for deterministic JSON output (#5860)\n * cmd: Fix exiting with custom status code, add `caddy -v` (#5874)\n * reverseproxy: fix parsing Caddyfile fails for unlimited request/response buffers (#5828)\n * reverseproxy: Fix retries on \u0027upstreams unavailable\u0027 error (#5841)\n * httpcaddyfile: Enable TLS for catch-all site if `tls` directive is specified (#5808)\n * encode: Add `application/wasm*` to the default content types (#5869)\n * fileserver: Add command shortcuts `-l` and `-a` (#5854)\n * go.mod: Upgrade dependencies incl. 
x/net/http\n * templates: Add dummy `RemoteAddr` to `httpInclude` request, proxy compatibility (#5845)\n * reverseproxy: Allow fallthrough for response handlers without routes (#5780)\n * fix: caddytest.AssertResponseCode error message (#5853)\n * caddyhttp: Use LimitedReader for HTTPRedirectListener\n * fileserver: browse template SVG icons and UI tweaks (#5812)\n * reverseproxy: fix nil pointer dereference in AUpstreams.GetUpstreams (#5811)\n * httpcaddyfile: fix placeholder shorthands in named routes (#5791)\n * cmd: Prevent overwriting existing env vars with `--envfile` (#5803)\n * ci: Run govulncheck (#5790)\n * logging: query filter for array of strings (#5779)\n * logging: Clone array on log filters, prevent side-effects (#5786)\n * fileserver: Export BrowseTemplate\n * ci: ensure short-sha is exported correctly on all platforms (#5781)\n * caddyfile: Fix case where heredoc marker is empty after newline (#5769)\n * go.mod: Update quic-go to v0.38.0 (#5772)\n * chore: Appease gosec linter (#5777)\n * replacer: change timezone to UTC for \u0027time.now.http\u0027 placeholders (#5774)\n * caddyfile: Adjust error formatting (#5765)\n * update quic-go to v0.37.6 (#5767)\n * httpcaddyfile: Stricter errors for site and upstream address schemes (#5757)\n * caddyfile: Loosen heredoc parsing (#5761)\n * fileserver: docs: clarify the ability to produce JSON array with `browse` (#5751)\n * fix package typo (#5764)\n\n- Switch to sysuser for user setup\n\nUpdate to version 2.7.4:\n\n * go.mod: Upgrade CertMagic and quic-go\n * reverseproxy: Always return new upstreams (fix #5736) (#5752)\n * ci: use gci linter (#5708)\n * fileserver: Slightly more fitting icons\n * cmd: Require config for caddy validate (fix #5612) (#5614)\n * caddytls: Update docs for on-demand config\n * fileserver: Don\u0027t repeat error for invalid method inside error context (#5705)\n * ci: Update to Go 1.21 (#5719)\n * ci: Add riscv64 (64-bit RISC-V) to goreleaser (#5720)\n * go.mod: Upgrade 
golang.org/x/net to 0.14.0 (#5718)\n * ci: Use gofumpt to format code (#5707)\n * templates: Fix httpInclude (fix #5698)\n\nUpdate to version 2.7.3:\n\n * go.mod: Upgrade to quic-go v0.37.3\n * cmd: Split unix sockets for admin endpoint addresses (#5696)\n * reverseproxy: do not parse upstream address too early if it contains replaceable parts (#5695)\n * caddyfile: check that matched key is not a substring of the replacement key (#5685)\n * chore: use `--clean` instead of `--rm-dist` for goreleaser (#5691)\n * go.mod: Upgrade quic-go to v0.37.2 (fix #5680)\n * fileserver: browse: Render SVG images in grid\n\n- Update to version 2.7.2:\n * reverseproxy: Fix hijack ordering which broke websockets (#5679)\n * httpcaddyfile: Fix `string does not match ~[]E` error (#5675)\n * encode: Fix infinite recursion (#5672)\n * caddyhttp: Make use of `http.ResponseController` (#5654)\n * go.mod: Upgrade dependencies esp. smallstep/certificates\n * core: Allow loopback hosts for admin endpoint (fix #5650) (#5664)\n * httpcaddyfile: Allow `hostnames` \u0026 logger name overrides for log directive (#5643)\n * reverseproxy: Connection termination cleanup (#5663)\n * go.mod: Use quic-go 0.37.1\n * reverseproxy: Export ipVersions type (#5648)\n * go.mod: Use latest CertMagic (v0.19.1)\n * caddyhttp: Preserve original error (fix #5652)\n * fileserver: add lazy image loading (#5646)\n * go.mod: Update quic-go to v0.37.0, bump to Go 1.20 minimum (#5644)\n * core: Refine mutex during reloads (fix #5628) (#5645)\n * go.mod: update quic-go to v0.36.2 (#5636)\n * fileserver: Tweak grid view of browse template\n * fileserver: add `export-template` sub-command to `file-server` (#5630)\n * caddyfile: Fix comparing if two tokens are on the same line (#5626)\n * caddytls: Reuse certificate cache through reloads (#5623)\n * Minor tweaks to security.md\n * reverseproxy: Pointer receiver\n * caddyhttp: Trim dot/space only on Windows (fix #5613)\n * update quic-go to v0.36.1 (#5611)\n * caddyconfig: 
Specify config adapter for HTTP loader (close #5607)\n * core: Embed net.UDPConn to gain optimizations (#5606)\n * chore: remove deprecated property `rlcp` in goreleaser config (#5608)\n * core: Skip `chmod` for abstract unix sockets (#5596)\n * core: Add optional unix socket file permissions (#4741)\n * reverseproxy: Honor `tls_except_port` for active health checks (#5591)\n * Appease linter\n * Fix compile on Windows, hopefully\n * core: Properly preserve unix sockets (fix #5568)\n * go.mod: Upgrade CertMagic for hotfix\n * go.mod: Upgrade some dependencies\n * chore: upgrade otel (#5586)\n * go.mod: Update quic-go to v0.36.0 (#5584)\n * reverseproxy: weighted_round_robin load balancing policy (#5579)\n * reverseproxy: Experimental streaming timeouts (#5567)\n * chore: remove refs of deprecated io/ioutil (#5576)\n * headers: Allow `\u003e` to defer shortcut for replacements (#5574)\n * caddyhttp: Support custom network for HTTP/3 (#5573)\n * reverseproxy: Fix parsing of source IP in case it\u0027s an ipv6 address (#5569)\n * fileserver: browse: Better grid layout (#5564)\n * caddytls: Clarify some JSON config docs\n * cmd: Implement storage import/export (#5532)\n * go.mod: Upgrade quic-go to 0.35.1\n * update quic-go to v0.35.0 (#5560)\n * templates: Add `readFile` action that does not evaluate templates (#5553)\n * caddyfile: Track import name instead of modifying filename (#5540)\n * core: Use SO_REUSEPORT_LB on FreeBSD (#5554)\n * caddyfile: Do not replace import tokens if they are part of a snippet (#5539)\n * fileserver: Don\u0027t set Etag if mtime is 0 or 1 (close #5548) (#5550)\n * fileserver: browse: minor tweaks for grid view, dark mode (#5545)\n * fileserver: Only set Etag if not already set (fix #5546) (#5547)\n * fileserver: Fix file browser breadcrumb font (#5543)\n * caddyhttp: Fix h3 shutdown (#5541)\n * fileserver: More filetypes for browse icons\n * fileserver: Fix file browser footer in grid mode (#5536)\n * cmd: Avoid spammy log messages (fix 
#5538)\n * httpcaddyfile: Sort Caddyfile slice\n * caddyhttp: Implement named routes, `invoke` directive (#5107)\n * rewrite: use escaped path, fix #5278 (#5504)\n * headers: Add \u003e Caddyfile shortcut for enabling defer (#5535)\n * go.mod: Upgrade several dependencies\n * reverseproxy: Expand port ranges to multiple upstreams in CLI + Caddyfile (#5494)\n * fileserver: Use EscapedPath for browse (#5534)\n * caddyhttp: Refactor cert Managers (fix #5415) (#5533)\n * Slightly more helpful error message\n * caddytls: Check for nil ALPN; close #5470 (#5473)\n * cmd: Reduce spammy logs from --watch\n * caddyhttp: Add a getter for Server.name (#5531)\n * caddytls: Configurable fallback SNI (#5527)\n * caddyhttp: Update quic\u0027s TLS configs after reload (#5517) (fix #4849)\n * Add doc comment about changing admin endpoint\n * feature: watch include directory (#5521)\n * chore: remove deprecated linters (#5525)\n * go.mod: Upgrade CertMagic again\n * go.mod: Upgrade CertMagic\n * reverseproxy: Optimize base case for least_conn and random_choose policies (#5487)\n * reverseproxy: Fix active health check header canonicalization, refactor (#5446)\n * reverseproxy: Add `fallback` for some policies, instead of always random (#5488)\n * logging: Actually honor the SoftStart parameter\n * logging: Soft start for net writer (close #5520)\n * fastcgi: Fix `capture_stderr` (#5515)\n * acmeserver: Configurable `resolvers`, fix smallstep deprecations (#5500)\n * go.mod: Update some dependencies\n * logging: Add traceID field to access logs when tracing is active (#5507)\n * caddyhttp: Impl `ResponseWriter.Unwrap()`, prep for Go 1.20\u0027s `ResponseController` (#5509)\n * reverseproxy: Fix reinitialize upstream healthy metrics (#5498)\n * fix some comments (#5508)\n * templates: Add `fileStat` function (#5497)\n * caddyfile: Stricter parsing, error for brace on new line (#5505)\n * core: Return default logger if no modules loaded\n * celmatcher: Implement `pkix.Name` conversion 
to string (#5492)\n * chore: Adjustments to CI caching (#5495)\n * reverseproxy: Remove deprecated `lookup_srv` (#5396)\n * cmd: Support `\u0027` quotes in envfile parsing (#5437)\n * Update contributing guidelines (#5466)\n * caddyhttp: Serve http2 when listener wrapper doesn\u0027t return *tls.Conn (#4929)\n * reverseproxy: Add `query` and `client_ip_hash` lb policies (#5468)\n * cmd: Create pidfile before config load (close #5477)\n * fileserver: Add color-scheme meta tag (#5475)\n * proxyprotocol: Add PROXY protocol support to `reverse_proxy`, add HTTP listener wrapper (#5424)\n * reverseproxy: Add mention of which half a copyBuffer err comes from (#5472)\n * caddyhttp: Log request body bytes read (#5461)\n * log: Make sink logs encodable (#5441)\n * caddytls: Eval replacer on automation policy subjects (#5459)\n * headers: Support deleting all headers as first op (#5464)\n * replacer: Add HTTP time format (#5458)\n * reverseproxy: Header up/down support for CLI command (#5460)\n * caddyhttp: Determine real client IP if trusted proxies configured (#5104)\n * httpcaddyfile: Adjust path matcher sorting to solve for specificity (#5462)\n * caddytls: Zero out throttle window first (#5443)\n * ci: add `--yes` to cosign arguments (#5440)\n * reverseproxy: Reset Content-Length to prevent FastCGI from hanging (#5435)\n * caddytls: Allow on-demand w/o ask for internal-only\n * caddytls: Require \u0027ask\u0027 endpoint for on-demand TLS\n * fileserver: New file browse template (#5427)\n * go.mod: Upgrade dependencies\n * tracing: Support autoprop from OTEL_PROPAGATORS (#5147)\n * caddyhttp: Enable 0-RTT QUIC (#5425)\n * encode: flush status code when hijacked. 
(#5419)\n * fileserver: Remove trailing slash on fs filenames (#5417)\n * core: Eliminate unnecessary shutdown delay on Unix (#5413)\n * caddyhttp: Fix `vars_regexp` matcher with placeholders (#5408)\n * context: Rename func to `AppIfConfigured` (#5397)\n * reverseproxy: allow specifying ip version for dynamic `a` upstream (#5401)\n * caddyfile: Fix heredoc fuzz crasher, drop trailing newline (#5404)\n * caddyfile: Implement heredoc support (#5385)\n * cmd: Expand cobra support, add short flags (#5379)\n * ci: Update minimum Go version to 1.19\n * go.mod: Upgrade quic-go to v0.33.0 (Go 1.19 min)\n * reverseproxy: refactor HTTP transport layer (#5369)\n * caddytls: Relax the warning for on-demand (#5384)\n * cmd: Strict unmarshal for validate (#5383)\n * caddyfile: Implement variadics for import args placeholders (#5249)\n * cmd: make `caddy fmt` hints more clear (#5378)\n * cmd: Adjust documentation for commands (#5377)\n\n\n- Update to version 2.6.4:\n\n * reverseproxy: Don\u0027t buffer chunked requests (fix #5366) (#5367)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2024-211",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_0211-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2024:0211-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4POHOO6U2FW5XKZT7HPGZAJF7LQQW3W4/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2024:0211-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4POHOO6U2FW5XKZT7HPGZAJF7LQQW3W4/"
},
{
"category": "self",
"summary": "SUSE Bug 1222468",
"url": "https://bugzilla.suse.com/1222468"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-45142 page",
"url": "https://www.suse.com/security/cve/CVE-2023-45142/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-22189 page",
"url": "https://www.suse.com/security/cve/CVE-2024-22189/"
}
],
"title": "Security update for caddy",
"tracking": {
"current_release_date": "2024-07-22T09:11:35Z",
"generator": {
"date": "2024-07-22T09:11:35Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:0211-1",
"initial_release_date": "2024-07-22T09:11:35Z",
"revision_history": [
{
"date": "2024-07-22T09:11:35Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "caddy-2.8.4-bp155.2.3.1.aarch64",
"product": {
"name": "caddy-2.8.4-bp155.2.3.1.aarch64",
"product_id": "caddy-2.8.4-bp155.2.3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "caddy-2.8.4-bp155.2.3.1.i586",
"product": {
"name": "caddy-2.8.4-bp155.2.3.1.i586",
"product_id": "caddy-2.8.4-bp155.2.3.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "caddy-bash-completion-2.8.4-bp155.2.3.1.noarch",
"product": {
"name": "caddy-bash-completion-2.8.4-bp155.2.3.1.noarch",
"product_id": "caddy-bash-completion-2.8.4-bp155.2.3.1.noarch"
}
},
{
"category": "product_version",
"name": "caddy-fish-completion-2.8.4-bp155.2.3.1.noarch",
"product": {
"name": "caddy-fish-completion-2.8.4-bp155.2.3.1.noarch",
"product_id": "caddy-fish-completion-2.8.4-bp155.2.3.1.noarch"
}
},
{
"category": "product_version",
"name": "caddy-zsh-completion-2.8.4-bp155.2.3.1.noarch",
"product": {
"name": "caddy-zsh-completion-2.8.4-bp155.2.3.1.noarch",
"product_id": "caddy-zsh-completion-2.8.4-bp155.2.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "caddy-2.8.4-bp155.2.3.1.ppc64le",
"product": {
"name": "caddy-2.8.4-bp155.2.3.1.ppc64le",
"product_id": "caddy-2.8.4-bp155.2.3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "caddy-2.8.4-bp155.2.3.1.s390x",
"product": {
"name": "caddy-2.8.4-bp155.2.3.1.s390x",
"product_id": "caddy-2.8.4-bp155.2.3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "caddy-2.8.4-bp155.2.3.1.x86_64",
"product": {
"name": "caddy-2.8.4-bp155.2.3.1.x86_64",
"product_id": "caddy-2.8.4-bp155.2.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP5",
"product": {
"name": "SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5"
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.5",
"product": {
"name": "openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-2.8.4-bp155.2.3.1.aarch64 as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.aarch64"
},
"product_reference": "caddy-2.8.4-bp155.2.3.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-2.8.4-bp155.2.3.1.i586 as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.i586"
},
"product_reference": "caddy-2.8.4-bp155.2.3.1.i586",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-2.8.4-bp155.2.3.1.ppc64le as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.ppc64le"
},
"product_reference": "caddy-2.8.4-bp155.2.3.1.ppc64le",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-2.8.4-bp155.2.3.1.s390x as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.s390x"
},
"product_reference": "caddy-2.8.4-bp155.2.3.1.s390x",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-2.8.4-bp155.2.3.1.x86_64 as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.x86_64"
},
"product_reference": "caddy-2.8.4-bp155.2.3.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-bash-completion-2.8.4-bp155.2.3.1.noarch as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:caddy-bash-completion-2.8.4-bp155.2.3.1.noarch"
},
"product_reference": "caddy-bash-completion-2.8.4-bp155.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-fish-completion-2.8.4-bp155.2.3.1.noarch as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:caddy-fish-completion-2.8.4-bp155.2.3.1.noarch"
},
"product_reference": "caddy-fish-completion-2.8.4-bp155.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-zsh-completion-2.8.4-bp155.2.3.1.noarch as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:caddy-zsh-completion-2.8.4-bp155.2.3.1.noarch"
},
"product_reference": "caddy-zsh-completion-2.8.4-bp155.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-2.8.4-bp155.2.3.1.aarch64 as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.aarch64"
},
"product_reference": "caddy-2.8.4-bp155.2.3.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-2.8.4-bp155.2.3.1.i586 as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.i586"
},
"product_reference": "caddy-2.8.4-bp155.2.3.1.i586",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-2.8.4-bp155.2.3.1.ppc64le as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.ppc64le"
},
"product_reference": "caddy-2.8.4-bp155.2.3.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-2.8.4-bp155.2.3.1.s390x as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.s390x"
},
"product_reference": "caddy-2.8.4-bp155.2.3.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-2.8.4-bp155.2.3.1.x86_64 as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.x86_64"
},
"product_reference": "caddy-2.8.4-bp155.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-bash-completion-2.8.4-bp155.2.3.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:caddy-bash-completion-2.8.4-bp155.2.3.1.noarch"
},
"product_reference": "caddy-bash-completion-2.8.4-bp155.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-fish-completion-2.8.4-bp155.2.3.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:caddy-fish-completion-2.8.4-bp155.2.3.1.noarch"
},
"product_reference": "caddy-fish-completion-2.8.4-bp155.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-zsh-completion-2.8.4-bp155.2.3.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:caddy-zsh-completion-2.8.4-bp155.2.3.1.noarch"
},
"product_reference": "caddy-zsh-completion-2.8.4-bp155.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-45142",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-45142"
}
],
"notes": [
{
"category": "general",
"text": "OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server\u0027s potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.i586",
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.ppc64le",
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.s390x",
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:caddy-bash-completion-2.8.4-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:caddy-fish-completion-2.8.4-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:caddy-zsh-completion-2.8.4-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.i586",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.ppc64le",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.s390x",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:caddy-bash-completion-2.8.4-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caddy-fish-completion-2.8.4-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caddy-zsh-completion-2.8.4-bp155.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-45142",
"url": "https://www.suse.com/security/cve/CVE-2023-45142"
},
{
"category": "external",
"summary": "SUSE Bug 1228553 for CVE-2023-45142",
"url": "https://bugzilla.suse.com/1228553"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.i586",
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.ppc64le",
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.s390x",
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:caddy-bash-completion-2.8.4-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:caddy-fish-completion-2.8.4-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:caddy-zsh-completion-2.8.4-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.i586",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.ppc64le",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.s390x",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:caddy-bash-completion-2.8.4-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caddy-fish-completion-2.8.4-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caddy-zsh-completion-2.8.4-bp155.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.i586",
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.ppc64le",
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.s390x",
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:caddy-bash-completion-2.8.4-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:caddy-fish-completion-2.8.4-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:caddy-zsh-completion-2.8.4-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.i586",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.ppc64le",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.s390x",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:caddy-bash-completion-2.8.4-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caddy-fish-completion-2.8.4-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caddy-zsh-completion-2.8.4-bp155.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-07-22T09:11:35Z",
"details": "important"
}
],
"title": "CVE-2023-45142"
},
{
"cve": "CVE-2024-22189",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-22189"
}
],
"notes": [
{
"category": "general",
"text": "quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0, an attacker can cause its peer to run out of memory sending a large number of `NEW_CONNECTION_ID` frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a `RETIRE_CONNECTION_ID` frame. The attacker can prevent the receiver from sending out (the vast majority of) these `RETIRE_CONNECTION_ID` frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer\u0027s RTT estimate. Version 0.42.0 contains a patch for the issue. No known workarounds are available.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.i586",
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.ppc64le",
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.s390x",
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:caddy-bash-completion-2.8.4-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:caddy-fish-completion-2.8.4-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:caddy-zsh-completion-2.8.4-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.i586",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.ppc64le",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.s390x",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:caddy-bash-completion-2.8.4-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caddy-fish-completion-2.8.4-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caddy-zsh-completion-2.8.4-bp155.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-22189",
"url": "https://www.suse.com/security/cve/CVE-2024-22189"
},
{
"category": "external",
"summary": "SUSE Bug 1222461 for CVE-2024-22189",
"url": "https://bugzilla.suse.com/1222461"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.i586",
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.ppc64le",
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.s390x",
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:caddy-bash-completion-2.8.4-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:caddy-fish-completion-2.8.4-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:caddy-zsh-completion-2.8.4-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.i586",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.ppc64le",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.s390x",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:caddy-bash-completion-2.8.4-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caddy-fish-completion-2.8.4-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caddy-zsh-completion-2.8.4-bp155.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.i586",
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.ppc64le",
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.s390x",
"SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:caddy-bash-completion-2.8.4-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:caddy-fish-completion-2.8.4-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:caddy-zsh-completion-2.8.4-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.i586",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.ppc64le",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.s390x",
"openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:caddy-bash-completion-2.8.4-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caddy-fish-completion-2.8.4-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caddy-zsh-completion-2.8.4-bp155.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-07-22T09:11:35Z",
"details": "important"
}
],
"title": "CVE-2024-22189"
}
]
}
OPENSUSE-SU-2024:0220-1
Vulnerability from csaf_opensuse - Published: 2024-07-26 10:03 - Updated: 2024-07-26 10:03

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.i586 | — | | Vendor Fix |
| Unresolved product id: SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Package Hub 15 SP6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Package Hub 15 SP6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Package Hub 15 SP6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.i586 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for caddy",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for caddy fixes the following issues:\n\n- Update to version 2.8.4:\n\n * cmd: fix regression in auto-detect of Caddyfile (#6362)\n * Tag v2.8.3 was mistakenly made on the v2.8.2 commit and is skipped\n\n- Update to version 2.8.2:\n\n * cmd: fix auto-detetction of .caddyfile extension (#6356)\n * caddyhttp: properly sanitize requests for root path (#6360)\n * caddytls: Implement certmagic.RenewalInfoGetter\n * build(deps): bump golangci/golangci-lint-action from 5 to 6 (#6361)\n\n- Update to version 2.8.1:\n\n * caddyhttp: Fix merging consecutive `client_ip` or `remote_ip` matchers (#6350)\n * core: MkdirAll appDataDir in InstanceID with 0o700 (#6340)\n\n- Update to version 2.8.0:\n\n * acmeserver: Add `sign_with_root` for Caddyfile (#6345)\n * caddyfile: Reject global request matchers earlier (#6339)\n * core: Fix bug in AppIfConfigured (fix #6336)\n * fix a typo (#6333)\n * autohttps: Move log WARN to INFO, reduce confusion (#6185)\n * reverseproxy: Support HTTP/3 transport to backend (#6312)\n * context: AppIfConfigured returns error; consider not-yet-provisioned modules (#6292)\n * Fix lint error about deprecated method in smallstep/certificates/authority\n * go.mod: Upgrade dependencies\n * caddytls: fix permission requirement with AutomationPolicy (#6328)\n * caddytls: remove ClientHelloSNICtxKey (#6326)\n * caddyhttp: Trace individual middleware handlers (#6313)\n * templates: Add `pathEscape` template function and use it in file browser (#6278)\n * caddytls: set server name in context (#6324)\n * chore: downgrade minimum Go version in go.mod (#6318)\n * caddytest: normalize the JSON config (#6316)\n * caddyhttp: New experimental handler for intercepting responses (#6232)\n * httpcaddyfile: Set challenge ports when http_port or https_port are used\n * logging: Add support for additional logger filters other than hostname (#6082)\n * caddyhttp: Log 4xx as INFO; 5xx as ERROR (close #6106)\n * Second half of 6dce493\n * caddyhttp: Alter log 
message when request is unhandled (close #5182)\n * chore: Bump Go version in CI (#6310)\n * go.mod: go 1.22.3\n * Fix typos (#6311)\n * reverseproxy: Pointer to struct when loading modules; remove LazyCertPool (#6307)\n * tracing: add trace_id var (`http.vars.trace_id` placeholder) (#6308)\n * go.mod: CertMagic v0.21.0\n * reverseproxy: Implement health_follow_redirects (#6302)\n * caddypki: Allow use of root CA without a key. Fixes #6290 (#6298)\n * go.mod: Upgrade to quic-go v0.43.1\n * reverseproxy: HTTP transport: fix PROXY protocol initialization (#6301)\n * caddytls: Ability to drop connections (close #6294)\n * build(deps): bump golangci/golangci-lint-action from 4 to 5 (#6289)\n * httpcaddyfile: Fix expression matcher shortcut in snippets (#6288)\n * caddytls: Evict internal certs from cache based on issuer (#6266)\n * chore: add warn logs when using deprecated fields (#6276)\n * caddyhttp: Fix linter warning about deprecation\n * go.mod: Upgrade to quic-go v0.43.0\n * fileserver: Set \u0027Vary: Accept-Encoding\u0027 header (see #5849)\n * events: Add debug log\n * reverseproxy: handle buffered data during hijack (#6274)\n * ci: remove `android` and `plan9` from cross-build workflow (#6268)\n * run `golangci-lint run --fix --fast` (#6270)\n * caddytls: Option to configure certificate lifetime (#6253)\n * replacer: Implement `file.*` global replacements (#5463)\n * caddyhttp: Address some Go 1.20 features (#6252)\n * Quell linter (false positive)\n * reverse_proxy: Add grace_period for SRV upstreams to Caddyfile (#6264)\n * doc: add `verifier` in `ClientAuthentication` caddyfile marshaler doc (#6263)\n * caddytls: Add Caddyfile support for on-demand permission module (close #6260)\n * reverseproxy: Remove long-deprecated buffering properties\n * reverseproxy: Reuse buffered request body even if partially drained\n * reverseproxy: Accept EOF when buffering\n * logging: Fix default access logger (#6251)\n * fileserver: Improve Vary handling (#5849)\n * cmd: 
Only validate config is proper JSON if config slice has data (#6250)\n * staticresp: Use the evaluated response body for sniffing JSON content-type (#6249)\n * encode: Slight fix for the previous commit\n * encode: Improve Etag handling (fix #5849)\n * httpcaddyfile: Skip automate loader if disable_certs is specified (fix #6148)\n * caddyfile: Populate regexp matcher names by default (#6145)\n * caddyhttp: record num. bytes read when response writer is hijacked (#6173)\n * caddyhttp: Support multiple logger names per host (#6088)\n * chore: fix some typos in comments (#6243)\n * encode: Configurable compression level for zstd (#6140)\n * caddytls: Remove shim code supporting deprecated lego-dns (#6231)\n * connection policy: add `local_ip` matcher (#6074)\n * reverseproxy: Wait for both ends of websocket to close (#6175)\n * caddytls: Upgrade ACMEz to v2; support ZeroSSL API; various fixes (#6229)\n * caddytls: Still provision permission module if ask is specified\n * fileserver: read etags from precomputed files (#6222)\n * fileserver: Escape # and ? 
in img src (fix #6237)\n * reverseproxy: Implement modular CA provider for TLS transport (#6065)\n * caddyhttp: Apply auto HTTPS redir to all interfaces (fix #6226)\n * cmd: Fix panic related to config filename (fix #5919)\n * cmd: Assume Caddyfile based on filename prefix and suffix (#5919)\n * admin: Make `Etag` a header, not a trailer (#6208)\n * caddyhttp: remove duplicate strings.Count in path matcher (fixes #6233) (#6234)\n * caddyconfig: Use empty struct instead of bool in map (close #6224) (#6227)\n * gitignore: Add rule for caddyfile.go (#6225)\n * chore: Fix broken links in README.md (#6223)\n * chore: Upgrade some dependencies (#6221)\n * caddyhttp: Add plaintext response to `file_server browse` (#6093)\n * admin: Use xxhash for etag (#6207)\n * modules: fix some typo in conments (#6206)\n * caddyhttp: Replace sensitive headers with REDACTED (close #5669)\n * caddyhttp: close quic connections when server closes (#6202)\n * reverseproxy: Use xxhash instead of fnv32 for LB (#6203)\n * caddyhttp: add http.request.local{,.host,.port} placeholder (#6182)\n * chore: upgrade deps (#6198)\n * chore: remove repetitive word (#6193)\n * Added a null check to avoid segfault on rewrite query ops (#6191)\n * rewrite: `uri query` replace operation (#6165)\n * logging: support `ms` duration format and add docs (#6187)\n * replacer: use RWMutex to protect static provider (#6184)\n * caddyhttp: Allow `header` replacement with empty string (#6163)\n * vars: Make nil values act as empty string instead of `\u0027\u003cnil\u003e\u0027` (#6174)\n * chore: Update quic-go to v0.42.0 (#6176)\n * caddyhttp: Accept XFF header values with ports, when parsing client IP (#6183)\n * reverseproxy: configurable active health_passes and health_fails (#6154)\n * reverseproxy: Configurable forward proxy URL (#6114)\n * caddyhttp: upgrade to cel v0.20.0 (#6161)\n * chore: Bump Chroma to v2.13.0, includes new Caddyfile lexer (#6169)\n * caddyhttp: suppress flushing if the response is being 
buffered (#6150)\n * chore: encode: use FlushError instead of Flush (#6168)\n * encode: write status immediately when status code is informational (#6164)\n * httpcaddyfile: Keep deprecated `skip_log` in directive order (#6153)\n * httpcaddyfile: Add `RegisterDirectiveOrder` function for plugin authors (#5865)\n * rewrite: Implement `uri query` operations (#6120)\n * fix struct names (#6151)\n * fileserver: Preserve query during canonicalization redirect (#6109)\n * logging: Implement `log_append` handler (#6066)\n * httpcaddyfile: Allow nameless regexp placeholder shorthand (#6113)\n * logging: Implement `append` encoder, allow flatter filters config (#6069)\n * ci: fix the integration test `TestLeafCertLoaders` (#6149)\n * vars: Allow overriding `http.auth.user.id` in replacer as a special case (#6108)\n * caddytls: clientauth: leaf verifier: make trusted leaf certs source pluggable (#6050)\n * cmd: Adjust config load logs/errors (#6032)\n * reverseproxy: SRV dynamic upstream failover (#5832)\n * ci: bump golangci/golangci-lint-action from 3 to 4 (#6141)\n * core: OnExit hooks (#6128)\n * cmd: fix the output of the `Usage` section (#6138)\n * caddytls: verifier: caddyfile: re-add Caddyfile support (#6127)\n * acmeserver: add policy field to define allow/deny rules (#5796)\n * reverseproxy: cookie should be Secure and SameSite=None when TLS (#6115)\n * caddytest: Rename adapt tests to `*.caddyfiletest` extension (#6119)\n * tests: uses testing.TB interface for helper to be able to use test server in benchmarks. 
(#6103)\n * caddyfile: Assert having a space after heredoc marker to simply check (#6117)\n * chore: Update Chroma to get the new Caddyfile lexer (#6118)\n * reverseproxy: use context.WithoutCancel (#6116)\n * caddyfile: Reject directives in the place of site addresses (#6104)\n * caddyhttp: Register post-shutdown callbacks (#5948)\n * caddyhttp: Only attempt to enable full duplex for HTTP/1.x (#6102)\n * caddyauth: Drop support for `scrypt` (#6091)\n * Revert \u0027caddyfile: Reject long heredoc markers (#6098)\u0027 (#6100)\n * caddyauth: Rename `basicauth` to `basic_auth` (#6092)\n * logging: Inline Caddyfile syntax for `ip_mask` filter (#6094)\n * caddyfile: Reject long heredoc markers (#6098)\n * chore: Rename CI jobs, run on M1 mac (#6089)\n * update comment\n * improved list\n * fix: add back text/*\n * fix: add more media types to the compressed by default list\n * acmeserver: support specifying the allowed challenge types (#5794)\n * matchers: Drop `forwarded` option from `remote_ip` matcher (#6085)\n * caddyhttp: Test cases for `%2F` and `%252F` (#6084)\n * bump to golang 1.22 (#6083)\n * fileserver: Browse can show symlink target if enabled (#5973)\n * core: Support NO_COLOR env var to disable log coloring (#6078)\n * build(deps): bump peter-evans/repository-dispatch from 2 to 3 (#6080)\n * Update comment in setcap helper script\n * caddytls: Make on-demand \u0027ask\u0027 permission modular (#6055)\n * core: Add `ctx.Slogger()` which returns an `slog` logger (#5945)\n * chore: Update quic-go to v0.41.0, bump Go minimum to 1.21 (#6043)\n * chore: enabling a few more linters (#5961)\n * caddyfile: Correctly close the heredoc when the closing marker appears immediately (#6062)\n * caddyfile: Switch to slices.Equal for better performance (#6061)\n * tls: modularize trusted CA providers (#5784)\n * logging: Automatic `wrap` default for `filter` encoder (#5980)\n * caddyhttp: Fix panic when request missing ClientIPVarKey (#6040)\n * caddyfile: Normalize 
\u0026 flatten all unmarshalers (#6037)\n * cmd: reverseproxy: log: use caddy logger (#6042)\n * matchers: `query` now ANDs multiple keys (#6054)\n * caddyfile: Add heredoc support to `fmt` command (#6056)\n * refactor: move automaxprocs init in caddycmd.Main()\n * caddyfile: Allow heredoc blank lines (#6051)\n * httpcaddyfile: Add optional status code argument to `handle_errors` directive (#5965)\n * httpcaddyfile: Rewrite `root` and `rewrite` parsing to allow omitting matcher (#5844)\n * fileserver: Implement caddyfile.Unmarshaler interface (#5850)\n * reverseproxy: Add `tls_curves` option to HTTP transport (#5851)\n * caddyhttp: Security enhancements for client IP parsing (#5805)\n * replacer: Fix escaped closing braces (#5995)\n * filesystem: Globally declared filesystems, `fs` directive (#5833)\n * ci/cd: use the build tag `nobadger` to exclude badgerdb (#6031)\n * httpcaddyfile: Fix redir \u003cto\u003e html (#6001)\n * httpcaddyfile: Support client auth verifiers (#6022)\n * tls: add reuse_private_keys (#6025)\n * reverseproxy: Only change Content-Length when full request is buffered (#5830)\n * Switch Solaris-derivatives away from listen_unix (#6021)\n * build(deps): bump actions/upload-artifact from 3 to 4 (#6013)\n * build(deps): bump actions/setup-go from 4 to 5 (#6012)\n * chore: check against errors of `io/fs` instead of `os` (#6011)\n * caddyhttp: support unix sockets in `caddy respond` command (#6010)\n * fileserver: Add total file size to directory listing (#6003)\n * httpcaddyfile: Fix cert file decoding to load multiple PEM in one file (#5997)\n * build(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 (#5994)\n * cmd: use automaxprocs for better perf in containers (#5711)\n * logging: Add `zap.Option` support (#5944)\n * httpcaddyfile: Sort skip_hosts for deterministic JSON (#5990)\n * metrics: Record request metrics on HTTP errors (#5979)\n * go.mod: Updated quic-go to v0.40.1 (#5983)\n * fileserver: Enable compression for command by default 
(#5855)\n * fileserver: New --precompressed flag (#5880)\n * caddyhttp: Add `uuid` to access logs when used (#5859)\n * proxyprotocol: use github.com/pires/go-proxyproto (#5915)\n * cmd: Preserve LastModified date when exporting storage (#5968)\n * core: Always make AppDataDir for InstanceID (#5976)\n * chore: cross-build for AIX (#5971)\n * caddytls: Sync distributed storage cleaning (#5940)\n * caddytls: Context to DecisionFunc (#5923)\n * tls: accept placeholders in string values of certificate loaders (#5963)\n * templates: Offically make templates extensible (#5939)\n * http2 uses new round-robin scheduler (#5946)\n * panic when reading from backend failed to propagate stream error (#5952)\n * chore: Bump otel to v1.21.0. (#5949)\n * httpredirectlistener: Only set read limit for when request is HTTP (#5917)\n * fileserver: Add .m4v for browse template icon\n * Revert \u0027caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)\u0027 (#5924)\n * go.mod: update quic-go version to v0.40.0 (#5922)\n * update quic-go to v0.39.3 (#5918)\n * chore: Fix usage pool comment (#5916)\n * test: acmeserver: add smoke test for the ACME server directory (#5914)\n * Upgrade acmeserver to github.com/go-chi/chi/v5 (#5913)\n * caddyhttp: Adjust `scheme` placeholder docs (#5910)\n * go.mod: Upgrade quic-go to v0.39.1\n * go.mod: CVE-2023-45142 Update opentelemetry (#5908)\n * templates: Delete headers on `httpError` to reset to clean slate (#5905)\n * httpcaddyfile: Remove port from logger names (#5881)\n * core: Apply SO_REUSEPORT to UDP sockets (#5725)\n * caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)\n * cmd: Add newline character to version string in CLI output (#5895)\n * core: quic listener will manage the underlying socket by itself (#5749)\n * templates: Clarify `include` args docs, add `.ClientIP` (#5898)\n * httpcaddyfile: Fix TLS automation policy merging with get_certificate (#5896)\n * cmd: upgrade: resolve symlink of the executable 
(#5891)\n * caddyfile: Fix variadic placeholder false positive when token contains `:` (#5883)\n\n- CVEs:\n * CVE-2024-22189 (boo#1222468)\n * CVE-2023-45142\n\n- Update to version 2.7.6:\n\n * caddytls: Sync distributed storage cleaning (#5940)\n * caddytls: Context to DecisionFunc (#5923)\n * tls: accept placeholders in string values of certificate loaders (#5963)\n * templates: Offically make templates extensible (#5939)\n * http2 uses new round-robin scheduler (#5946)\n * panic when reading from backend failed to propagate stream error (#5952)\n * chore: Bump otel to v1.21.0. (#5949)\n * httpredirectlistener: Only set read limit for when request is HTTP (#5917)\n * fileserver: Add .m4v for browse template icon\n * Revert \u0027caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)\u0027 (#5924)\n * go.mod: update quic-go version to v0.40.0 (#5922)\n * update quic-go to v0.39.3 (#5918)\n * chore: Fix usage pool comment (#5916)\n * test: acmeserver: add smoke test for the ACME server directory (#5914)\n * Upgrade acmeserver to github.com/go-chi/chi/v5 (#5913)\n * caddyhttp: Adjust `scheme` placeholder docs (#5910)\n * go.mod: Upgrade quic-go to v0.39.1\n * go.mod: CVE-2023-45142 Update opentelemetry (#5908)\n * templates: Delete headers on `httpError` to reset to clean slate (#5905)\n * httpcaddyfile: Remove port from logger names (#5881)\n * core: Apply SO_REUSEPORT to UDP sockets (#5725)\n * caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)\n * cmd: Add newline character to version string in CLI output (#5895)\n * core: quic listener will manage the underlying socket by itself (#5749)\n * templates: Clarify `include` args docs, add `.ClientIP` (#5898)\n * httpcaddyfile: Fix TLS automation policy merging with get_certificate (#5896)\n * cmd: upgrade: resolve symlink of the executable (#5891)\n * caddyfile: Fix variadic placeholder false positive when token contains `:` (#5883)\n\n- Update to version 2.7.5:\n\n * admin: Respond with 
4xx on non-existing config path (#5870)\n * ci: Force the Go version for govulncheck (#5879)\n * fileserver: Set canonical URL on browse template (#5867)\n * tls: Add X25519Kyber768Draft00 PQ \u0027curve\u0027 behind build tag (#5852)\n * reverseproxy: Add more debug logs (#5793)\n * reverseproxy: Fix `least_conn` policy regression (#5862)\n * reverseproxy: Add logging for dynamic A upstreams (#5857)\n * reverseproxy: Replace health header placeholders (#5861)\n * httpcaddyfile: Sort TLS SNI matcher for deterministic JSON output (#5860)\n * cmd: Fix exiting with custom status code, add `caddy -v` (#5874)\n * reverseproxy: fix parsing Caddyfile fails for unlimited request/response buffers (#5828)\n * reverseproxy: Fix retries on \u0027upstreams unavailable\u0027 error (#5841)\n * httpcaddyfile: Enable TLS for catch-all site if `tls` directive is specified (#5808)\n * encode: Add `application/wasm*` to the default content types (#5869)\n * fileserver: Add command shortcuts `-l` and `-a` (#5854)\n * go.mod: Upgrade dependencies incl. 
x/net/http\n * templates: Add dummy `RemoteAddr` to `httpInclude` request, proxy compatibility (#5845)\n * reverseproxy: Allow fallthrough for response handlers without routes (#5780)\n * fix: caddytest.AssertResponseCode error message (#5853)\n * build(deps): bump goreleaser/goreleaser-action from 4 to 5 (#5847)\n * build(deps): bump actions/checkout from 3 to 4 (#5846)\n * caddyhttp: Use LimitedReader for HTTPRedirectListener\n * fileserver: browse template SVG icons and UI tweaks (#5812)\n * reverseproxy: fix nil pointer dereference in AUpstreams.GetUpstreams (#5811)\n * httpcaddyfile: fix placeholder shorthands in named routes (#5791)\n * cmd: Prevent overwriting existing env vars with `--envfile` (#5803)\n * ci: Run govulncheck (#5790)\n * logging: query filter for array of strings (#5779)\n * logging: Clone array on log filters, prevent side-effects (#5786)\n * fileserver: Export BrowseTemplate\n * ci: ensure short-sha is exported correctly on all platforms (#5781)\n * caddyfile: Fix case where heredoc marker is empty after newline (#5769)\n * go.mod: Update quic-go to v0.38.0 (#5772)\n * chore: Appease gosec linter (#5777)\n * replacer: change timezone to UTC for \u0027time.now.http\u0027 placeholders (#5774)\n * caddyfile: Adjust error formatting (#5765)\n * update quic-go to v0.37.6 (#5767)\n * httpcaddyfile: Stricter errors for site and upstream address schemes (#5757)\n * caddyfile: Loosen heredoc parsing (#5761)\n * fileserver: docs: clarify the ability to produce JSON array with `browse` (#5751)\n * fix package typo (#5764)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2024-220",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_0220-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2024:0220-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QNDMJCVODSMOIFD655EHBVQRLNUDXLQK/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2024:0220-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QNDMJCVODSMOIFD655EHBVQRLNUDXLQK/"
},
{
"category": "self",
"summary": "SUSE Bug 1222468",
"url": "https://bugzilla.suse.com/1222468"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-45142 page",
"url": "https://www.suse.com/security/cve/CVE-2023-45142/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-22189 page",
"url": "https://www.suse.com/security/cve/CVE-2024-22189/"
}
],
"title": "Security update for caddy",
"tracking": {
"current_release_date": "2024-07-26T10:03:44Z",
"generator": {
"date": "2024-07-26T10:03:44Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:0220-1",
"initial_release_date": "2024-07-26T10:03:44Z",
"revision_history": [
{
"date": "2024-07-26T10:03:44Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "caddy-2.8.4-bp156.3.3.1.aarch64",
"product": {
"name": "caddy-2.8.4-bp156.3.3.1.aarch64",
"product_id": "caddy-2.8.4-bp156.3.3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "caddy-2.8.4-bp156.3.3.1.i586",
"product": {
"name": "caddy-2.8.4-bp156.3.3.1.i586",
"product_id": "caddy-2.8.4-bp156.3.3.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
"product": {
"name": "caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
"product_id": "caddy-bash-completion-2.8.4-bp156.3.3.1.noarch"
}
},
{
"category": "product_version",
"name": "caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
"product": {
"name": "caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
"product_id": "caddy-fish-completion-2.8.4-bp156.3.3.1.noarch"
}
},
{
"category": "product_version",
"name": "caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch",
"product": {
"name": "caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch",
"product_id": "caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "caddy-2.8.4-bp156.3.3.1.ppc64le",
"product": {
"name": "caddy-2.8.4-bp156.3.3.1.ppc64le",
"product_id": "caddy-2.8.4-bp156.3.3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "caddy-2.8.4-bp156.3.3.1.s390x",
"product": {
"name": "caddy-2.8.4-bp156.3.3.1.s390x",
"product_id": "caddy-2.8.4-bp156.3.3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "caddy-2.8.4-bp156.3.3.1.x86_64",
"product": {
"name": "caddy-2.8.4-bp156.3.3.1.x86_64",
"product_id": "caddy-2.8.4-bp156.3.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP6",
"product": {
"name": "SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6"
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-2.8.4-bp156.3.3.1.aarch64 as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.aarch64"
},
"product_reference": "caddy-2.8.4-bp156.3.3.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-2.8.4-bp156.3.3.1.i586 as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.i586"
},
"product_reference": "caddy-2.8.4-bp156.3.3.1.i586",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-2.8.4-bp156.3.3.1.ppc64le as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.ppc64le"
},
"product_reference": "caddy-2.8.4-bp156.3.3.1.ppc64le",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-2.8.4-bp156.3.3.1.s390x as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.s390x"
},
"product_reference": "caddy-2.8.4-bp156.3.3.1.s390x",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-2.8.4-bp156.3.3.1.x86_64 as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.x86_64"
},
"product_reference": "caddy-2.8.4-bp156.3.3.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-bash-completion-2.8.4-bp156.3.3.1.noarch as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch"
},
"product_reference": "caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-fish-completion-2.8.4-bp156.3.3.1.noarch as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch"
},
"product_reference": "caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch"
},
"product_reference": "caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-2.8.4-bp156.3.3.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.aarch64"
},
"product_reference": "caddy-2.8.4-bp156.3.3.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-2.8.4-bp156.3.3.1.i586 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.i586"
},
"product_reference": "caddy-2.8.4-bp156.3.3.1.i586",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-2.8.4-bp156.3.3.1.ppc64le as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.ppc64le"
},
"product_reference": "caddy-2.8.4-bp156.3.3.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-2.8.4-bp156.3.3.1.s390x as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.s390x"
},
"product_reference": "caddy-2.8.4-bp156.3.3.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-2.8.4-bp156.3.3.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.x86_64"
},
"product_reference": "caddy-2.8.4-bp156.3.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-bash-completion-2.8.4-bp156.3.3.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch"
},
"product_reference": "caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-fish-completion-2.8.4-bp156.3.3.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch"
},
"product_reference": "caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch"
},
"product_reference": "caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-45142",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-45142"
}
],
"notes": [
{
"category": "general",
"text": "OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server\u0027s potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.aarch64",
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.i586",
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.ppc64le",
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.s390x",
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.x86_64",
"SUSE Package Hub 15 SP6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
"SUSE Package Hub 15 SP6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
"SUSE Package Hub 15 SP6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.aarch64",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.i586",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.ppc64le",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.s390x",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.x86_64",
"openSUSE Leap 15.6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
"openSUSE Leap 15.6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
"openSUSE Leap 15.6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-45142",
"url": "https://www.suse.com/security/cve/CVE-2023-45142"
},
{
"category": "external",
"summary": "SUSE Bug 1228553 for CVE-2023-45142",
"url": "https://bugzilla.suse.com/1228553"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.aarch64",
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.i586",
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.ppc64le",
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.s390x",
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.x86_64",
"SUSE Package Hub 15 SP6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
"SUSE Package Hub 15 SP6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
"SUSE Package Hub 15 SP6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.aarch64",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.i586",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.ppc64le",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.s390x",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.x86_64",
"openSUSE Leap 15.6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
"openSUSE Leap 15.6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
"openSUSE Leap 15.6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.aarch64",
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.i586",
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.ppc64le",
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.s390x",
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.x86_64",
"SUSE Package Hub 15 SP6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
"SUSE Package Hub 15 SP6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
"SUSE Package Hub 15 SP6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.aarch64",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.i586",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.ppc64le",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.s390x",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.x86_64",
"openSUSE Leap 15.6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
"openSUSE Leap 15.6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
"openSUSE Leap 15.6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-07-26T10:03:44Z",
"details": "important"
}
],
"title": "CVE-2023-45142"
},
{
"cve": "CVE-2024-22189",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-22189"
}
],
"notes": [
{
"category": "general",
"text": "quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0, an attacker can cause its peer to run out of memory sending a large number of `NEW_CONNECTION_ID` frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a `RETIRE_CONNECTION_ID` frame. The attacker can prevent the receiver from sending out (the vast majority of) these `RETIRE_CONNECTION_ID` frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer\u0027s RTT estimate. Version 0.42.0 contains a patch for the issue. No known workarounds are available.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.aarch64",
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.i586",
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.ppc64le",
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.s390x",
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.x86_64",
"SUSE Package Hub 15 SP6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
"SUSE Package Hub 15 SP6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
"SUSE Package Hub 15 SP6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.aarch64",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.i586",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.ppc64le",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.s390x",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.x86_64",
"openSUSE Leap 15.6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
"openSUSE Leap 15.6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
"openSUSE Leap 15.6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-22189",
"url": "https://www.suse.com/security/cve/CVE-2024-22189"
},
{
"category": "external",
"summary": "SUSE Bug 1222461 for CVE-2024-22189",
"url": "https://bugzilla.suse.com/1222461"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.aarch64",
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.i586",
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.ppc64le",
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.s390x",
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.x86_64",
"SUSE Package Hub 15 SP6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
"SUSE Package Hub 15 SP6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
"SUSE Package Hub 15 SP6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.aarch64",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.i586",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.ppc64le",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.s390x",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.x86_64",
"openSUSE Leap 15.6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
"openSUSE Leap 15.6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
"openSUSE Leap 15.6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.aarch64",
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.i586",
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.ppc64le",
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.s390x",
"SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.x86_64",
"SUSE Package Hub 15 SP6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
"SUSE Package Hub 15 SP6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
"SUSE Package Hub 15 SP6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.aarch64",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.i586",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.ppc64le",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.s390x",
"openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.x86_64",
"openSUSE Leap 15.6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
"openSUSE Leap 15.6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
"openSUSE Leap 15.6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-07-26T10:03:44Z",
"details": "important"
}
],
"title": "CVE-2024-22189"
}
]
}
OPENSUSE-SU-2024:13360-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:teleport-14.1.1-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:teleport-14.1.1-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:teleport-14.1.1-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:teleport-14.1.1-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "teleport-14.1.1-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the teleport-14.1.1-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-13360",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13360-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-44487 page",
"url": "https://www.suse.com/security/cve/CVE-2023-44487/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-45133 page",
"url": "https://www.suse.com/security/cve/CVE-2023-45133/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-45142 page",
"url": "https://www.suse.com/security/cve/CVE-2023-45142/"
}
],
"title": "teleport-14.1.1-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:13360-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "teleport-14.1.1-1.1.aarch64",
"product": {
"name": "teleport-14.1.1-1.1.aarch64",
"product_id": "teleport-14.1.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "teleport-tbot-14.1.1-1.1.aarch64",
"product": {
"name": "teleport-tbot-14.1.1-1.1.aarch64",
"product_id": "teleport-tbot-14.1.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "teleport-tctl-14.1.1-1.1.aarch64",
"product": {
"name": "teleport-tctl-14.1.1-1.1.aarch64",
"product_id": "teleport-tctl-14.1.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "teleport-tsh-14.1.1-1.1.aarch64",
"product": {
"name": "teleport-tsh-14.1.1-1.1.aarch64",
"product_id": "teleport-tsh-14.1.1-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "teleport-14.1.1-1.1.ppc64le",
"product": {
"name": "teleport-14.1.1-1.1.ppc64le",
"product_id": "teleport-14.1.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "teleport-tbot-14.1.1-1.1.ppc64le",
"product": {
"name": "teleport-tbot-14.1.1-1.1.ppc64le",
"product_id": "teleport-tbot-14.1.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "teleport-tctl-14.1.1-1.1.ppc64le",
"product": {
"name": "teleport-tctl-14.1.1-1.1.ppc64le",
"product_id": "teleport-tctl-14.1.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "teleport-tsh-14.1.1-1.1.ppc64le",
"product": {
"name": "teleport-tsh-14.1.1-1.1.ppc64le",
"product_id": "teleport-tsh-14.1.1-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "teleport-14.1.1-1.1.s390x",
"product": {
"name": "teleport-14.1.1-1.1.s390x",
"product_id": "teleport-14.1.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "teleport-tbot-14.1.1-1.1.s390x",
"product": {
"name": "teleport-tbot-14.1.1-1.1.s390x",
"product_id": "teleport-tbot-14.1.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "teleport-tctl-14.1.1-1.1.s390x",
"product": {
"name": "teleport-tctl-14.1.1-1.1.s390x",
"product_id": "teleport-tctl-14.1.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "teleport-tsh-14.1.1-1.1.s390x",
"product": {
"name": "teleport-tsh-14.1.1-1.1.s390x",
"product_id": "teleport-tsh-14.1.1-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "teleport-14.1.1-1.1.x86_64",
"product": {
"name": "teleport-14.1.1-1.1.x86_64",
"product_id": "teleport-14.1.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "teleport-tbot-14.1.1-1.1.x86_64",
"product": {
"name": "teleport-tbot-14.1.1-1.1.x86_64",
"product_id": "teleport-tbot-14.1.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "teleport-tctl-14.1.1-1.1.x86_64",
"product": {
"name": "teleport-tctl-14.1.1-1.1.x86_64",
"product_id": "teleport-tctl-14.1.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "teleport-tsh-14.1.1-1.1.x86_64",
"product": {
"name": "teleport-tsh-14.1.1-1.1.x86_64",
"product_id": "teleport-tsh-14.1.1-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-14.1.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-14.1.1-1.1.aarch64"
},
"product_reference": "teleport-14.1.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-14.1.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-14.1.1-1.1.ppc64le"
},
"product_reference": "teleport-14.1.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-14.1.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-14.1.1-1.1.s390x"
},
"product_reference": "teleport-14.1.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-14.1.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-14.1.1-1.1.x86_64"
},
"product_reference": "teleport-14.1.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tbot-14.1.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.aarch64"
},
"product_reference": "teleport-tbot-14.1.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tbot-14.1.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.ppc64le"
},
"product_reference": "teleport-tbot-14.1.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tbot-14.1.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.s390x"
},
"product_reference": "teleport-tbot-14.1.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tbot-14.1.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.x86_64"
},
"product_reference": "teleport-tbot-14.1.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tctl-14.1.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.aarch64"
},
"product_reference": "teleport-tctl-14.1.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tctl-14.1.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.ppc64le"
},
"product_reference": "teleport-tctl-14.1.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tctl-14.1.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.s390x"
},
"product_reference": "teleport-tctl-14.1.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tctl-14.1.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.x86_64"
},
"product_reference": "teleport-tctl-14.1.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tsh-14.1.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.aarch64"
},
"product_reference": "teleport-tsh-14.1.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tsh-14.1.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.ppc64le"
},
"product_reference": "teleport-tsh-14.1.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tsh-14.1.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.s390x"
},
"product_reference": "teleport-tsh-14.1.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tsh-14.1.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.x86_64"
},
"product_reference": "teleport-tsh-14.1.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-44487",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-44487"
}
],
"notes": [
{
"category": "general",
"text": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:teleport-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-14.1.1-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-44487",
"url": "https://www.suse.com/security/cve/CVE-2023-44487"
},
{
"category": "external",
"summary": "SUSE Bug 1216109 for CVE-2023-44487",
"url": "https://bugzilla.suse.com/1216109"
},
{
"category": "external",
"summary": "SUSE Bug 1216123 for CVE-2023-44487",
"url": "https://bugzilla.suse.com/1216123"
},
{
"category": "external",
"summary": "SUSE Bug 1216169 for CVE-2023-44487",
"url": "https://bugzilla.suse.com/1216169"
},
{
"category": "external",
"summary": "SUSE Bug 1216171 for CVE-2023-44487",
"url": "https://bugzilla.suse.com/1216171"
},
{
"category": "external",
"summary": "SUSE Bug 1216174 for CVE-2023-44487",
"url": "https://bugzilla.suse.com/1216174"
},
{
"category": "external",
"summary": "SUSE Bug 1216176 for CVE-2023-44487",
"url": "https://bugzilla.suse.com/1216176"
},
{
"category": "external",
"summary": "SUSE Bug 1216181 for CVE-2023-44487",
"url": "https://bugzilla.suse.com/1216181"
},
{
"category": "external",
"summary": "SUSE Bug 1216182 for CVE-2023-44487",
"url": "https://bugzilla.suse.com/1216182"
},
{
"category": "external",
"summary": "SUSE Bug 1216190 for CVE-2023-44487",
"url": "https://bugzilla.suse.com/1216190"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:teleport-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-14.1.1-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:teleport-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-14.1.1-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2023-44487"
},
{
"cve": "CVE-2023-45133",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-45133"
}
],
"notes": [
{
"category": "general",
"text": "Babel is a compiler for writing JavaScript. In `@babel/traverse` prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of `babel-traverse`, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()`or `path.evaluateTruthy()` internal Babel methods. Known affected plugins are `@babel/plugin-transform-runtime`; `@babel/preset-env` when using its `useBuiltIns` option; and any \"polyfill provider\" plugin that depends on `@babel/helper-define-polyfill-provider`, such as `babel-plugin-polyfill-corejs3`, `babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`, `babel-plugin-polyfill-regenerator`. No other plugins under the `@babel/` namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in `@babel/traverse@7.23.2` and `@babel/traverse@8.0.0-alpha.4`. Those who cannot upgrade `@babel/traverse` and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected `@babel/traverse` versions: `@babel/plugin-transform-runtime` v7.23.2, `@babel/preset-env` v7.23.2, `@babel/helper-define-polyfill-provider` v0.4.3, `babel-plugin-polyfill-corejs2` v0.4.6, `babel-plugin-polyfill-corejs3` v0.8.5, `babel-plugin-polyfill-es-shims` v0.10.0, `babel-plugin-polyfill-regenerator` v0.5.3.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:teleport-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-14.1.1-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-45133",
"url": "https://www.suse.com/security/cve/CVE-2023-45133"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:teleport-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-14.1.1-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:teleport-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-14.1.1-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2023-45133"
},
{
"cve": "CVE-2023-45142",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-45142"
}
],
"notes": [
{
"category": "general",
"text": "OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server\u0027s potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:teleport-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-14.1.1-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-45142",
"url": "https://www.suse.com/security/cve/CVE-2023-45142"
},
{
"category": "external",
"summary": "SUSE Bug 1228553 for CVE-2023-45142",
"url": "https://bugzilla.suse.com/1228553"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:teleport-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-14.1.1-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:teleport-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-14.1.1-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-tbot-14.1.1-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-tctl-14.1.1-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.s390x",
"openSUSE Tumbleweed:teleport-tsh-14.1.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2023-45142"
}
]
}
OPENSUSE-SU-2024:13495-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:caddy-2.7.6-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:caddy-2.7.6-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:caddy-2.7.6-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:caddy-2.7.6-1.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "caddy-2.7.6-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the caddy-2.7.6-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-13495",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13495-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-45142 page",
"url": "https://www.suse.com/security/cve/CVE-2023-45142/"
}
],
"title": "caddy-2.7.6-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:13495-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "caddy-2.7.6-1.1.aarch64",
"product": {
"name": "caddy-2.7.6-1.1.aarch64",
"product_id": "caddy-2.7.6-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "caddy-2.7.6-1.1.ppc64le",
"product": {
"name": "caddy-2.7.6-1.1.ppc64le",
"product_id": "caddy-2.7.6-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "caddy-2.7.6-1.1.s390x",
"product": {
"name": "caddy-2.7.6-1.1.s390x",
"product_id": "caddy-2.7.6-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "caddy-2.7.6-1.1.x86_64",
"product": {
"name": "caddy-2.7.6-1.1.x86_64",
"product_id": "caddy-2.7.6-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-2.7.6-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:caddy-2.7.6-1.1.aarch64"
},
"product_reference": "caddy-2.7.6-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-2.7.6-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:caddy-2.7.6-1.1.ppc64le"
},
"product_reference": "caddy-2.7.6-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-2.7.6-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:caddy-2.7.6-1.1.s390x"
},
"product_reference": "caddy-2.7.6-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-2.7.6-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:caddy-2.7.6-1.1.x86_64"
},
"product_reference": "caddy-2.7.6-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-45142",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-45142"
}
],
"notes": [
{
"category": "general",
"text": "OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server\u0027s potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:caddy-2.7.6-1.1.aarch64",
"openSUSE Tumbleweed:caddy-2.7.6-1.1.ppc64le",
"openSUSE Tumbleweed:caddy-2.7.6-1.1.s390x",
"openSUSE Tumbleweed:caddy-2.7.6-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-45142",
"url": "https://www.suse.com/security/cve/CVE-2023-45142"
},
{
"category": "external",
"summary": "SUSE Bug 1228553 for CVE-2023-45142",
"url": "https://bugzilla.suse.com/1228553"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:caddy-2.7.6-1.1.aarch64",
"openSUSE Tumbleweed:caddy-2.7.6-1.1.ppc64le",
"openSUSE Tumbleweed:caddy-2.7.6-1.1.s390x",
"openSUSE Tumbleweed:caddy-2.7.6-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:caddy-2.7.6-1.1.aarch64",
"openSUSE Tumbleweed:caddy-2.7.6-1.1.ppc64le",
"openSUSE Tumbleweed:caddy-2.7.6-1.1.s390x",
"openSUSE Tumbleweed:caddy-2.7.6-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2023-45142"
}
]
}
OPENSUSE-SU-2024:14232-1
Vulnerability from csaf_opensuse - Published: 2024-08-01 00:00 - Updated: 2024-08-01 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.53.0-3.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.53.0-3.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.53.0-3.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.53.0-3.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "golang-github-prometheus-prometheus-2.53.0-3.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the golang-github-prometheus-prometheus-2.53.0-3.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14232",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14232-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-45142 page",
"url": "https://www.suse.com/security/cve/CVE-2023-45142/"
}
],
"title": "golang-github-prometheus-prometheus-2.53.0-3.1 on GA media",
"tracking": {
"current_release_date": "2024-08-01T00:00:00Z",
"generator": {
"date": "2024-08-01T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14232-1",
"initial_release_date": "2024-08-01T00:00:00Z",
"revision_history": [
{
"date": "2024-08-01T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "golang-github-prometheus-prometheus-2.53.0-3.1.aarch64",
"product": {
"name": "golang-github-prometheus-prometheus-2.53.0-3.1.aarch64",
"product_id": "golang-github-prometheus-prometheus-2.53.0-3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-prometheus-prometheus-2.53.0-3.1.ppc64le",
"product": {
"name": "golang-github-prometheus-prometheus-2.53.0-3.1.ppc64le",
"product_id": "golang-github-prometheus-prometheus-2.53.0-3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-prometheus-prometheus-2.53.0-3.1.s390x",
"product": {
"name": "golang-github-prometheus-prometheus-2.53.0-3.1.s390x",
"product_id": "golang-github-prometheus-prometheus-2.53.0-3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-prometheus-prometheus-2.53.0-3.1.x86_64",
"product": {
"name": "golang-github-prometheus-prometheus-2.53.0-3.1.x86_64",
"product_id": "golang-github-prometheus-prometheus-2.53.0-3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-prometheus-2.53.0-3.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.53.0-3.1.aarch64"
},
"product_reference": "golang-github-prometheus-prometheus-2.53.0-3.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-prometheus-2.53.0-3.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.53.0-3.1.ppc64le"
},
"product_reference": "golang-github-prometheus-prometheus-2.53.0-3.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-prometheus-2.53.0-3.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.53.0-3.1.s390x"
},
"product_reference": "golang-github-prometheus-prometheus-2.53.0-3.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-prometheus-2.53.0-3.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.53.0-3.1.x86_64"
},
"product_reference": "golang-github-prometheus-prometheus-2.53.0-3.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-45142",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-45142"
}
],
"notes": [
{
"category": "general",
"text": "OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server\u0027s potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.53.0-3.1.aarch64",
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.53.0-3.1.ppc64le",
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.53.0-3.1.s390x",
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.53.0-3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-45142",
"url": "https://www.suse.com/security/cve/CVE-2023-45142"
},
{
"category": "external",
"summary": "SUSE Bug 1228553 for CVE-2023-45142",
"url": "https://bugzilla.suse.com/1228553"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.53.0-3.1.aarch64",
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.53.0-3.1.ppc64le",
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.53.0-3.1.s390x",
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.53.0-3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.53.0-3.1.aarch64",
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.53.0-3.1.ppc64le",
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.53.0-3.1.s390x",
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.53.0-3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-08-01T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2023-45142"
}
]
}
OPENSUSE-SU-2024:14320-1
Vulnerability from csaf_opensuse - Published: 2024-09-06 00:00 - Updated: 2024-09-06 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:containerd-1.7.21-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:containerd-1.7.21-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:containerd-1.7.21-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:containerd-1.7.21-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "containerd-1.7.21-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the containerd-1.7.21-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14320",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14320-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-45142 page",
"url": "https://www.suse.com/security/cve/CVE-2023-45142/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-47108 page",
"url": "https://www.suse.com/security/cve/CVE-2023-47108/"
}
],
"title": "containerd-1.7.21-1.1 on GA media",
"tracking": {
"current_release_date": "2024-09-06T00:00:00Z",
"generator": {
"date": "2024-09-06T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14320-1",
"initial_release_date": "2024-09-06T00:00:00Z",
"revision_history": [
{
"date": "2024-09-06T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "containerd-1.7.21-1.1.aarch64",
"product": {
"name": "containerd-1.7.21-1.1.aarch64",
"product_id": "containerd-1.7.21-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "containerd-ctr-1.7.21-1.1.aarch64",
"product": {
"name": "containerd-ctr-1.7.21-1.1.aarch64",
"product_id": "containerd-ctr-1.7.21-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "containerd-devel-1.7.21-1.1.aarch64",
"product": {
"name": "containerd-devel-1.7.21-1.1.aarch64",
"product_id": "containerd-devel-1.7.21-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "containerd-1.7.21-1.1.ppc64le",
"product": {
"name": "containerd-1.7.21-1.1.ppc64le",
"product_id": "containerd-1.7.21-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "containerd-ctr-1.7.21-1.1.ppc64le",
"product": {
"name": "containerd-ctr-1.7.21-1.1.ppc64le",
"product_id": "containerd-ctr-1.7.21-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "containerd-devel-1.7.21-1.1.ppc64le",
"product": {
"name": "containerd-devel-1.7.21-1.1.ppc64le",
"product_id": "containerd-devel-1.7.21-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "containerd-1.7.21-1.1.s390x",
"product": {
"name": "containerd-1.7.21-1.1.s390x",
"product_id": "containerd-1.7.21-1.1.s390x"
}
},
{
"category": "product_version",
"name": "containerd-ctr-1.7.21-1.1.s390x",
"product": {
"name": "containerd-ctr-1.7.21-1.1.s390x",
"product_id": "containerd-ctr-1.7.21-1.1.s390x"
}
},
{
"category": "product_version",
"name": "containerd-devel-1.7.21-1.1.s390x",
"product": {
"name": "containerd-devel-1.7.21-1.1.s390x",
"product_id": "containerd-devel-1.7.21-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "containerd-1.7.21-1.1.x86_64",
"product": {
"name": "containerd-1.7.21-1.1.x86_64",
"product_id": "containerd-1.7.21-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "containerd-ctr-1.7.21-1.1.x86_64",
"product": {
"name": "containerd-ctr-1.7.21-1.1.x86_64",
"product_id": "containerd-ctr-1.7.21-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "containerd-devel-1.7.21-1.1.x86_64",
"product": {
"name": "containerd-devel-1.7.21-1.1.x86_64",
"product_id": "containerd-devel-1.7.21-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-1.7.21-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:containerd-1.7.21-1.1.aarch64"
},
"product_reference": "containerd-1.7.21-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-1.7.21-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:containerd-1.7.21-1.1.ppc64le"
},
"product_reference": "containerd-1.7.21-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-1.7.21-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:containerd-1.7.21-1.1.s390x"
},
"product_reference": "containerd-1.7.21-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-1.7.21-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:containerd-1.7.21-1.1.x86_64"
},
"product_reference": "containerd-1.7.21-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-ctr-1.7.21-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.aarch64"
},
"product_reference": "containerd-ctr-1.7.21-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-ctr-1.7.21-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.ppc64le"
},
"product_reference": "containerd-ctr-1.7.21-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-ctr-1.7.21-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.s390x"
},
"product_reference": "containerd-ctr-1.7.21-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-ctr-1.7.21-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.x86_64"
},
"product_reference": "containerd-ctr-1.7.21-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-devel-1.7.21-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.aarch64"
},
"product_reference": "containerd-devel-1.7.21-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-devel-1.7.21-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.ppc64le"
},
"product_reference": "containerd-devel-1.7.21-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-devel-1.7.21-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.s390x"
},
"product_reference": "containerd-devel-1.7.21-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-devel-1.7.21-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.x86_64"
},
"product_reference": "containerd-devel-1.7.21-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-45142",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-45142"
}
],
"notes": [
{
"category": "general",
"text": "OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server\u0027s potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:containerd-1.7.21-1.1.aarch64",
"openSUSE Tumbleweed:containerd-1.7.21-1.1.ppc64le",
"openSUSE Tumbleweed:containerd-1.7.21-1.1.s390x",
"openSUSE Tumbleweed:containerd-1.7.21-1.1.x86_64",
"openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.aarch64",
"openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.ppc64le",
"openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.s390x",
"openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.x86_64",
"openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.aarch64",
"openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.ppc64le",
"openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.s390x",
"openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-45142",
"url": "https://www.suse.com/security/cve/CVE-2023-45142"
},
{
"category": "external",
"summary": "SUSE Bug 1228553 for CVE-2023-45142",
"url": "https://bugzilla.suse.com/1228553"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:containerd-1.7.21-1.1.aarch64",
"openSUSE Tumbleweed:containerd-1.7.21-1.1.ppc64le",
"openSUSE Tumbleweed:containerd-1.7.21-1.1.s390x",
"openSUSE Tumbleweed:containerd-1.7.21-1.1.x86_64",
"openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.aarch64",
"openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.ppc64le",
"openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.s390x",
"openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.x86_64",
"openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.aarch64",
"openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.ppc64le",
"openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.s390x",
"openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:containerd-1.7.21-1.1.aarch64",
"openSUSE Tumbleweed:containerd-1.7.21-1.1.ppc64le",
"openSUSE Tumbleweed:containerd-1.7.21-1.1.s390x",
"openSUSE Tumbleweed:containerd-1.7.21-1.1.x86_64",
"openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.aarch64",
"openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.ppc64le",
"openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.s390x",
"openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.x86_64",
"openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.aarch64",
"openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.ppc64le",
"openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.s390x",
"openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-09-06T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2023-45142"
},
{
"cve": "CVE-2023-47108",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-47108"
}
],
"notes": [
{
"category": "general",
"text": "OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server\u0027s potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:containerd-1.7.21-1.1.aarch64",
"openSUSE Tumbleweed:containerd-1.7.21-1.1.ppc64le",
"openSUSE Tumbleweed:containerd-1.7.21-1.1.s390x",
"openSUSE Tumbleweed:containerd-1.7.21-1.1.x86_64",
"openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.aarch64",
"openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.ppc64le",
"openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.s390x",
"openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.x86_64",
"openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.aarch64",
"openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.ppc64le",
"openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.s390x",
"openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-47108",
"url": "https://www.suse.com/security/cve/CVE-2023-47108"
},
{
"category": "external",
"summary": "SUSE Bug 1217070 for CVE-2023-47108",
"url": "https://bugzilla.suse.com/1217070"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:containerd-1.7.21-1.1.aarch64",
"openSUSE Tumbleweed:containerd-1.7.21-1.1.ppc64le",
"openSUSE Tumbleweed:containerd-1.7.21-1.1.s390x",
"openSUSE Tumbleweed:containerd-1.7.21-1.1.x86_64",
"openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.aarch64",
"openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.ppc64le",
"openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.s390x",
"openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.x86_64",
"openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.aarch64",
"openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.ppc64le",
"openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.s390x",
"openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:containerd-1.7.21-1.1.aarch64",
"openSUSE Tumbleweed:containerd-1.7.21-1.1.ppc64le",
"openSUSE Tumbleweed:containerd-1.7.21-1.1.s390x",
"openSUSE Tumbleweed:containerd-1.7.21-1.1.x86_64",
"openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.aarch64",
"openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.ppc64le",
"openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.s390x",
"openSUSE Tumbleweed:containerd-ctr-1.7.21-1.1.x86_64",
"openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.aarch64",
"openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.ppc64le",
"openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.s390x",
"openSUSE Tumbleweed:containerd-devel-1.7.21-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-09-06T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2023-47108"
}
]
}
OPENSUSE-SU-2024:14321-1
Vulnerability from csaf_opensuse - Published: 2024-09-06 00:00 - Updated: 2024-09-06 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:docker-26.1.5_ce-2.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:docker-26.1.5_ce-2.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:docker-26.1.5_ce-2.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:docker-26.1.5_ce-2.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "docker-26.1.5_ce-2.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the docker-26.1.5_ce-2.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14321",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14321-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-45142 page",
"url": "https://www.suse.com/security/cve/CVE-2023-45142/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-47108 page",
"url": "https://www.suse.com/security/cve/CVE-2023-47108/"
}
],
"title": "docker-26.1.5_ce-2.1 on GA media",
"tracking": {
"current_release_date": "2024-09-06T00:00:00Z",
"generator": {
"date": "2024-09-06T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14321-1",
"initial_release_date": "2024-09-06T00:00:00Z",
"revision_history": [
{
"date": "2024-09-06T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "docker-26.1.5_ce-2.1.aarch64",
"product": {
"name": "docker-26.1.5_ce-2.1.aarch64",
"product_id": "docker-26.1.5_ce-2.1.aarch64"
}
},
{
"category": "product_version",
"name": "docker-bash-completion-26.1.5_ce-2.1.aarch64",
"product": {
"name": "docker-bash-completion-26.1.5_ce-2.1.aarch64",
"product_id": "docker-bash-completion-26.1.5_ce-2.1.aarch64"
}
},
{
"category": "product_version",
"name": "docker-fish-completion-26.1.5_ce-2.1.aarch64",
"product": {
"name": "docker-fish-completion-26.1.5_ce-2.1.aarch64",
"product_id": "docker-fish-completion-26.1.5_ce-2.1.aarch64"
}
},
{
"category": "product_version",
"name": "docker-rootless-extras-26.1.5_ce-2.1.aarch64",
"product": {
"name": "docker-rootless-extras-26.1.5_ce-2.1.aarch64",
"product_id": "docker-rootless-extras-26.1.5_ce-2.1.aarch64"
}
},
{
"category": "product_version",
"name": "docker-zsh-completion-26.1.5_ce-2.1.aarch64",
"product": {
"name": "docker-zsh-completion-26.1.5_ce-2.1.aarch64",
"product_id": "docker-zsh-completion-26.1.5_ce-2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "docker-26.1.5_ce-2.1.ppc64le",
"product": {
"name": "docker-26.1.5_ce-2.1.ppc64le",
"product_id": "docker-26.1.5_ce-2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "docker-bash-completion-26.1.5_ce-2.1.ppc64le",
"product": {
"name": "docker-bash-completion-26.1.5_ce-2.1.ppc64le",
"product_id": "docker-bash-completion-26.1.5_ce-2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "docker-fish-completion-26.1.5_ce-2.1.ppc64le",
"product": {
"name": "docker-fish-completion-26.1.5_ce-2.1.ppc64le",
"product_id": "docker-fish-completion-26.1.5_ce-2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "docker-rootless-extras-26.1.5_ce-2.1.ppc64le",
"product": {
"name": "docker-rootless-extras-26.1.5_ce-2.1.ppc64le",
"product_id": "docker-rootless-extras-26.1.5_ce-2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "docker-zsh-completion-26.1.5_ce-2.1.ppc64le",
"product": {
"name": "docker-zsh-completion-26.1.5_ce-2.1.ppc64le",
"product_id": "docker-zsh-completion-26.1.5_ce-2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "docker-26.1.5_ce-2.1.s390x",
"product": {
"name": "docker-26.1.5_ce-2.1.s390x",
"product_id": "docker-26.1.5_ce-2.1.s390x"
}
},
{
"category": "product_version",
"name": "docker-bash-completion-26.1.5_ce-2.1.s390x",
"product": {
"name": "docker-bash-completion-26.1.5_ce-2.1.s390x",
"product_id": "docker-bash-completion-26.1.5_ce-2.1.s390x"
}
},
{
"category": "product_version",
"name": "docker-fish-completion-26.1.5_ce-2.1.s390x",
"product": {
"name": "docker-fish-completion-26.1.5_ce-2.1.s390x",
"product_id": "docker-fish-completion-26.1.5_ce-2.1.s390x"
}
},
{
"category": "product_version",
"name": "docker-rootless-extras-26.1.5_ce-2.1.s390x",
"product": {
"name": "docker-rootless-extras-26.1.5_ce-2.1.s390x",
"product_id": "docker-rootless-extras-26.1.5_ce-2.1.s390x"
}
},
{
"category": "product_version",
"name": "docker-zsh-completion-26.1.5_ce-2.1.s390x",
"product": {
"name": "docker-zsh-completion-26.1.5_ce-2.1.s390x",
"product_id": "docker-zsh-completion-26.1.5_ce-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "docker-26.1.5_ce-2.1.x86_64",
"product": {
"name": "docker-26.1.5_ce-2.1.x86_64",
"product_id": "docker-26.1.5_ce-2.1.x86_64"
}
},
{
"category": "product_version",
"name": "docker-bash-completion-26.1.5_ce-2.1.x86_64",
"product": {
"name": "docker-bash-completion-26.1.5_ce-2.1.x86_64",
"product_id": "docker-bash-completion-26.1.5_ce-2.1.x86_64"
}
},
{
"category": "product_version",
"name": "docker-fish-completion-26.1.5_ce-2.1.x86_64",
"product": {
"name": "docker-fish-completion-26.1.5_ce-2.1.x86_64",
"product_id": "docker-fish-completion-26.1.5_ce-2.1.x86_64"
}
},
{
"category": "product_version",
"name": "docker-rootless-extras-26.1.5_ce-2.1.x86_64",
"product": {
"name": "docker-rootless-extras-26.1.5_ce-2.1.x86_64",
"product_id": "docker-rootless-extras-26.1.5_ce-2.1.x86_64"
}
},
{
"category": "product_version",
"name": "docker-zsh-completion-26.1.5_ce-2.1.x86_64",
"product": {
"name": "docker-zsh-completion-26.1.5_ce-2.1.x86_64",
"product_id": "docker-zsh-completion-26.1.5_ce-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-26.1.5_ce-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:docker-26.1.5_ce-2.1.aarch64"
},
"product_reference": "docker-26.1.5_ce-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-26.1.5_ce-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:docker-26.1.5_ce-2.1.ppc64le"
},
"product_reference": "docker-26.1.5_ce-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-26.1.5_ce-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:docker-26.1.5_ce-2.1.s390x"
},
"product_reference": "docker-26.1.5_ce-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-26.1.5_ce-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:docker-26.1.5_ce-2.1.x86_64"
},
"product_reference": "docker-26.1.5_ce-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-bash-completion-26.1.5_ce-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.aarch64"
},
"product_reference": "docker-bash-completion-26.1.5_ce-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-bash-completion-26.1.5_ce-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.ppc64le"
},
"product_reference": "docker-bash-completion-26.1.5_ce-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-bash-completion-26.1.5_ce-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.s390x"
},
"product_reference": "docker-bash-completion-26.1.5_ce-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-bash-completion-26.1.5_ce-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.x86_64"
},
"product_reference": "docker-bash-completion-26.1.5_ce-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-fish-completion-26.1.5_ce-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.aarch64"
},
"product_reference": "docker-fish-completion-26.1.5_ce-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-fish-completion-26.1.5_ce-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.ppc64le"
},
"product_reference": "docker-fish-completion-26.1.5_ce-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-fish-completion-26.1.5_ce-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.s390x"
},
"product_reference": "docker-fish-completion-26.1.5_ce-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-fish-completion-26.1.5_ce-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.x86_64"
},
"product_reference": "docker-fish-completion-26.1.5_ce-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-rootless-extras-26.1.5_ce-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.aarch64"
},
"product_reference": "docker-rootless-extras-26.1.5_ce-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-rootless-extras-26.1.5_ce-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.ppc64le"
},
"product_reference": "docker-rootless-extras-26.1.5_ce-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-rootless-extras-26.1.5_ce-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.s390x"
},
"product_reference": "docker-rootless-extras-26.1.5_ce-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-rootless-extras-26.1.5_ce-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.x86_64"
},
"product_reference": "docker-rootless-extras-26.1.5_ce-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-zsh-completion-26.1.5_ce-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.aarch64"
},
"product_reference": "docker-zsh-completion-26.1.5_ce-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-zsh-completion-26.1.5_ce-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.ppc64le"
},
"product_reference": "docker-zsh-completion-26.1.5_ce-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-zsh-completion-26.1.5_ce-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.s390x"
},
"product_reference": "docker-zsh-completion-26.1.5_ce-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-zsh-completion-26.1.5_ce-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.x86_64"
},
"product_reference": "docker-zsh-completion-26.1.5_ce-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-45142",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-45142"
}
],
"notes": [
{
"category": "general",
"text": "OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server\u0027s potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:docker-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-26.1.5_ce-2.1.x86_64",
"openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.x86_64",
"openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.x86_64",
"openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.x86_64",
"openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-45142",
"url": "https://www.suse.com/security/cve/CVE-2023-45142"
},
{
"category": "external",
"summary": "SUSE Bug 1228553 for CVE-2023-45142",
"url": "https://bugzilla.suse.com/1228553"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:docker-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-26.1.5_ce-2.1.x86_64",
"openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.x86_64",
"openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.x86_64",
"openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.x86_64",
"openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:docker-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-26.1.5_ce-2.1.x86_64",
"openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.x86_64",
"openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.x86_64",
"openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.x86_64",
"openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-09-06T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2023-45142"
},
{
"cve": "CVE-2023-47108",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-47108"
}
],
"notes": [
{
"category": "general",
"text": "OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server\u0027s potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:docker-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-26.1.5_ce-2.1.x86_64",
"openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.x86_64",
"openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.x86_64",
"openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.x86_64",
"openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-47108",
"url": "https://www.suse.com/security/cve/CVE-2023-47108"
},
{
"category": "external",
"summary": "SUSE Bug 1217070 for CVE-2023-47108",
"url": "https://bugzilla.suse.com/1217070"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:docker-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-26.1.5_ce-2.1.x86_64",
"openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.x86_64",
"openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.x86_64",
"openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.x86_64",
"openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:docker-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-26.1.5_ce-2.1.x86_64",
"openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-bash-completion-26.1.5_ce-2.1.x86_64",
"openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-fish-completion-26.1.5_ce-2.1.x86_64",
"openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-rootless-extras-26.1.5_ce-2.1.x86_64",
"openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.aarch64",
"openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.ppc64le",
"openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.s390x",
"openSUSE Tumbleweed:docker-zsh-completion-26.1.5_ce-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-09-06T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2023-47108"
}
]
}
RHBA-2023:7648
Vulnerability from csaf_redhat - Published: 2023-12-05 06:56 - Updated: 2026-05-19 21:18
A flaw was found in Golang. The html/template package did not properly handle HTML-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This issue may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64 | — | | Vendor Fix: fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64 | — | ||
| Unresolved product id: 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64 | — | ||
| Unresolved product id: 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64 | — | ||
| Unresolved product id: 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64 | — | ||
| Unresolved product id: 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64 | — |
A flaw was found in Golang. The html/template package did not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This issue may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64 | — | | Vendor Fix: fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64 | — | ||
| Unresolved product id: 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64 | — | ||
| Unresolved product id: 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64 | — | ||
| Unresolved product id: 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64 | — | ||
| Unresolved product id: 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64 | — |
A flaw was found in Golang. Processing an incomplete post-handshake message for a QUIC connection caused a panic.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64 | — | | Vendor Fix: fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64 | — | ||
| Unresolved product id: 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64 | — | ||
| Unresolved product id: 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64 | — | ||
| Unresolved product id: 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64 | — | ||
| Unresolved product id: 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64 | — |
A flaw was found in Golang. QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With the fix, connections now consistently reject messages larger than 65KiB in size.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64 | — | | Vendor Fix: fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64 | — | ||
| Unresolved product id: 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64 | — | ||
| Unresolved product id: 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64 | — | ||
| Unresolved product id: 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64 | — | ||
| Unresolved product id: 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64 | — | ||
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64 | — | | |

A memory leak was found in the otelhttp handler of open-telemetry. This flaw allows a remote, unauthenticated attacker to exhaust the server's memory by sending many malicious requests, affecting availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64 | — | | Vendor Fix: fix; Workaround |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64 | — | | Workaround |
| Unresolved product id: 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64 | — | | Workaround |
| Unresolved product id: 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64 | — | | Workaround |
| Unresolved product id: 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64 | — | | Workaround |
| Unresolved product id: 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64 | — | | Workaround |
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64 | — | | Workaround |
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64 | — | | Workaround |
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64 | — | | Workaround |
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64 | — | | Workaround |
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64 | — | | Workaround |
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64 | — | | Workaround |
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64 | — | | Workaround |
| Unresolved product id: 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64 | — | | Workaround |

{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated Release packages that fix several bugs and add various enhancements are now available.",
"title": "Topic"
},
{
"category": "general",
"text": "Migration Toolkit for Virtualization 2.5.3 Images",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHBA-2023:7648",
"url": "https://access.redhat.com/errata/RHBA-2023:7648"
},
{
"category": "external",
"summary": "MTV-698",
"url": "https://issues.redhat.com/browse/MTV-698"
},
{
"category": "external",
"summary": "MTV-699",
"url": "https://issues.redhat.com/browse/MTV-699"
},
{
"category": "external",
"summary": "MTV-714",
"url": "https://issues.redhat.com/browse/MTV-714"
},
{
"category": "external",
"summary": "MTV-783",
"url": "https://issues.redhat.com/browse/MTV-783"
},
{
"category": "external",
"summary": "MTV-803",
"url": "https://issues.redhat.com/browse/MTV-803"
},
{
"category": "external",
"summary": "MTV-811",
"url": "https://issues.redhat.com/browse/MTV-811"
},
{
"category": "external",
"summary": "MTV-812",
"url": "https://issues.redhat.com/browse/MTV-812"
},
{
"category": "external",
"summary": "MTV-818",
"url": "https://issues.redhat.com/browse/MTV-818"
},
{
"category": "external",
"summary": "MTV-830",
"url": "https://issues.redhat.com/browse/MTV-830"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhba-2023_7648.json"
}
],
"title": "Red Hat Bug Fix Advisory: MTV 2.5.3 Images",
"tracking": {
"current_release_date": "2026-05-19T21:18:08+00:00",
"generator": {
"date": "2026-05-19T21:18:08+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHBA-2023:7648",
"initial_release_date": "2023-12-05T06:56:16+00:00",
"revision_history": [
{
"date": "2023-12-05T06:56:16+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-12-05T06:56:16+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-19T21:18:08+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "8Base-MTV-2.5",
"product": {
"name": "8Base-MTV-2.5",
"product_id": "9Base-MTV-2.5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2.5::el9"
}
}
},
{
"category": "product_name",
"name": "8Base-MTV-2.5",
"product": {
"name": "8Base-MTV-2.5",
"product_id": "8Base-MTV-2.5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2.5::el8"
}
}
}
],
"category": "product_family",
"name": "Migration Toolkit for Virtualization"
},
{
"branches": [
{
"category": "product_version",
"name": "migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64",
"product": {
"name": "migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64",
"product_id": "migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3?arch=amd64\u0026repository_url=registry.redhat.io/migration-toolkit-virtualization/mtv-api-rhel9\u0026tag=2.5.3-11"
}
}
},
{
"category": "product_version",
"name": "migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"product": {
"name": "migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"product_id": "migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159?arch=amd64\u0026repository_url=registry.redhat.io/migration-toolkit-virtualization/mtv-console-plugin-rhel9\u0026tag=2.5.3-4"
}
}
},
{
"category": "product_version",
"name": "migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"product": {
"name": "migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"product_id": "migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1?arch=amd64\u0026repository_url=registry.redhat.io/migration-toolkit-virtualization/mtv-controller-rhel9\u0026tag=2.5.3-11"
}
}
},
{
"category": "product_version",
"name": "migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"product": {
"name": "migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"product_id": "migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7?arch=amd64\u0026repository_url=registry.redhat.io/migration-toolkit-virtualization/mtv-must-gather-api-rhel8\u0026tag=2.5.3-7"
}
}
},
{
"category": "product_version",
"name": "migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"product": {
"name": "migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"product_id": "migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6?arch=amd64\u0026repository_url=registry.redhat.io/migration-toolkit-virtualization/mtv-must-gather-rhel8\u0026tag=2.5.3-9"
}
}
},
{
"category": "product_version",
"name": "migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"product": {
"name": "migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"product_id": "migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92?arch=amd64\u0026repository_url=registry.redhat.io/migration-toolkit-virtualization/mtv-openstack-populator-rhel9\u0026tag=2.5.3-11"
}
}
},
{
"category": "product_version",
"name": "migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"product": {
"name": "migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"product_id": "migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac?arch=amd64\u0026repository_url=registry.redhat.io/migration-toolkit-virtualization/mtv-operator-bundle\u0026tag=2.5.3-30"
}
}
},
{
"category": "product_version",
"name": "migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"product": {
"name": "migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"product_id": "migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe?arch=amd64\u0026repository_url=registry.redhat.io/migration-toolkit-virtualization/mtv-rhel8-operator\u0026tag=2.5.3-11"
}
}
},
{
"category": "product_version",
"name": "migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"product": {
"name": "migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"product_id": "migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316?arch=amd64\u0026repository_url=registry.redhat.io/migration-toolkit-virtualization/mtv-ova-provider-server-rhel9\u0026tag=2.5.3-11"
}
}
},
{
"category": "product_version",
"name": "migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"product": {
"name": "migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"product_id": "migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f?arch=amd64\u0026repository_url=registry.redhat.io/migration-toolkit-virtualization/mtv-populator-controller-rhel9\u0026tag=2.5.3-11"
}
}
},
{
"category": "product_version",
"name": "migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"product": {
"name": "migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"product_id": "migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02?arch=amd64\u0026repository_url=registry.redhat.io/migration-toolkit-virtualization/mtv-rhv-populator-rhel8\u0026tag=2.5.3-11"
}
}
},
{
"category": "product_version",
"name": "migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"product": {
"name": "migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"product_id": "migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe?arch=amd64\u0026repository_url=registry.redhat.io/migration-toolkit-virtualization/mtv-validation-rhel9\u0026tag=2.5.3-12"
}
}
},
{
"category": "product_version",
"name": "migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64",
"product": {
"name": "migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64",
"product_id": "migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6?arch=amd64\u0026repository_url=registry.redhat.io/migration-toolkit-virtualization/mtv-virt-v2v-rhel9\u0026tag=2.5.3-10"
}
}
},
{
"category": "product_version",
"name": "migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"product": {
"name": "migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"product_id": "migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1?arch=amd64\u0026repository_url=registry.redhat.io/migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8\u0026tag=2.5.3-11"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64 as a component of 8Base-MTV-2.5",
"product_id": "8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64"
},
"product_reference": "migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"relates_to_product_reference": "8Base-MTV-2.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64 as a component of 8Base-MTV-2.5",
"product_id": "8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64"
},
"product_reference": "migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"relates_to_product_reference": "8Base-MTV-2.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64 as a component of 8Base-MTV-2.5",
"product_id": "8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64"
},
"product_reference": "migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"relates_to_product_reference": "8Base-MTV-2.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64 as a component of 8Base-MTV-2.5",
"product_id": "8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64"
},
"product_reference": "migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"relates_to_product_reference": "8Base-MTV-2.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64 as a component of 8Base-MTV-2.5",
"product_id": "8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64"
},
"product_reference": "migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"relates_to_product_reference": "8Base-MTV-2.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64 as a component of 8Base-MTV-2.5",
"product_id": "9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64"
},
"product_reference": "migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64",
"relates_to_product_reference": "9Base-MTV-2.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64 as a component of 8Base-MTV-2.5",
"product_id": "9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64"
},
"product_reference": "migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"relates_to_product_reference": "9Base-MTV-2.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64 as a component of 8Base-MTV-2.5",
"product_id": "9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64"
},
"product_reference": "migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"relates_to_product_reference": "9Base-MTV-2.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64 as a component of 8Base-MTV-2.5",
"product_id": "9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64"
},
"product_reference": "migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"relates_to_product_reference": "9Base-MTV-2.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64 as a component of 8Base-MTV-2.5",
"product_id": "9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64"
},
"product_reference": "migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"relates_to_product_reference": "9Base-MTV-2.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64 as a component of 8Base-MTV-2.5",
"product_id": "9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64"
},
"product_reference": "migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"relates_to_product_reference": "9Base-MTV-2.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64 as a component of 8Base-MTV-2.5",
"product_id": "9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64"
},
"product_reference": "migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"relates_to_product_reference": "9Base-MTV-2.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64 as a component of 8Base-MTV-2.5",
"product_id": "9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64"
},
"product_reference": "migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"relates_to_product_reference": "9Base-MTV-2.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64 as a component of 8Base-MTV-2.5",
"product_id": "9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
},
"product_reference": "migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64",
"relates_to_product_reference": "9Base-MTV-2.5"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Takeshi Kaneko"
],
"organization": "GMO Cybersecurity by Ierae, Inc."
}
],
"cve": "CVE-2023-39318",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2023-09-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2237776"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Golang. The html/template package did not properly handle HMTL-like \"\u003c!--\" and \"--\u003e\" comment tokens, nor hashbang \"#!\" comment tokens, in \u003cscript\u003e contexts. This issue may cause the template parser to improperly interpret the contents of \u003cscript\u003e contexts, causing actions to be improperly escaped.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: html/template: improper handling of HTML-like comments within script contexts",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64"
],
"known_not_affected": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-39318"
},
{
"category": "external",
"summary": "RHBZ#2237776",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2237776"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-39318",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39318"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-39318",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39318"
},
{
"category": "external",
"summary": "https://go.dev/cl/526156",
"url": "https://go.dev/cl/526156"
},
{
"category": "external",
"summary": "https://go.dev/issue/62196",
"url": "https://go.dev/issue/62196"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ",
"url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ"
},
{
"category": "external",
"summary": "https://vuln.go.dev/ID/GO-2023-2041.json",
"url": "https://vuln.go.dev/ID/GO-2023-2041.json"
}
],
"release_date": "2023-09-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-12-05T06:56:16+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2023:7648"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: html/template: improper handling of HTML-like comments within script contexts"
},
{
"acknowledgments": [
{
"names": [
"Takeshi Kaneko"
],
"organization": "GMO Cybersecurity by Ierae, Inc."
}
],
"cve": "CVE-2023-39319",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2023-09-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2237773"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Golang. The html/template package did not apply the proper rules for handling occurrences of \"\u003cscript\", \"\u003c!--\", and \"\u003c/script\" within JS literals in \u003cscript\u003e contexts. This issue may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: html/template: improper handling of special tags within script contexts",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64"
],
"known_not_affected": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-39319"
},
{
"category": "external",
"summary": "RHBZ#2237773",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2237773"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-39319",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39319"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-39319",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39319"
},
{
"category": "external",
"summary": "https://go.dev/cl/526157",
"url": "https://go.dev/cl/526157"
},
{
"category": "external",
"summary": "https://go.dev/issue/62197",
"url": "https://go.dev/issue/62197"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ",
"url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ"
},
{
"category": "external",
"summary": "https://vuln.go.dev/ID/GO-2023-2043.json",
"url": "https://vuln.go.dev/ID/GO-2023-2043.json"
}
],
"release_date": "2023-09-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-12-05T06:56:16+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2023:7648"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: html/template: improper handling of special tags within script contexts"
},
{
"acknowledgments": [
{
"names": [
"Marten Seemann"
]
}
],
"cve": "CVE-2023-39321",
"cwe": {
"id": "CWE-805",
"name": "Buffer Access with Incorrect Length Value"
},
"discovery_date": "2023-09-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2237777"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Golang. Processing an incomplete post-handshake message for a QUIC connection caused a panic.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: crypto/tls: panic when processing post-handshake message on QUIC connections",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The flaw has been marked as moderate instead of high as in NVD.\nQUICConn.HandleData buffers data and passes it to handlePostHandshakeMessage every time the buffer contains a complete message. While HandleData doesn\u0027t limit the amount of data it can buffer, a panic or denial of service would likely be of lower severity. Also, in order to exploit this vulnerability, an attacker would have to smuggle partial handshake data, which might be rejected altogether as per the TLS RFC specification. Therefore, because of a lower-severity denial of service and conditions that are beyond the scope of an attacker\u0027s control, we have marked this as moderate severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64"
],
"known_not_affected": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-39321"
},
{
"category": "external",
"summary": "RHBZ#2237777",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2237777"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-39321",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39321"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-39321",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39321"
},
{
"category": "external",
"summary": "https://go.dev/cl/523039",
"url": "https://go.dev/cl/523039"
},
{
"category": "external",
"summary": "https://go.dev/issue/62266",
"url": "https://go.dev/issue/62266"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ",
"url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ"
},
{
"category": "external",
"summary": "https://vuln.go.dev/ID/GO-2023-2044.json",
"url": "https://vuln.go.dev/ID/GO-2023-2044.json"
}
],
"release_date": "2023-09-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-12-05T06:56:16+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2023:7648"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: crypto/tls: panic when processing post-handshake message on QUIC connections"
},
{
"acknowledgments": [
{
"names": [
"Marten Seemann"
]
}
],
"cve": "CVE-2023-39322",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-09-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2237778"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Golang. QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With the fix, connections now consistently reject messages larger than 65KiB in size.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: crypto/tls: lack of a limit on buffered post-handshake",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A vulnerability was found in the Go QUIC protocol implementation in the logic that processes post-handshake messages. It is an uncontrolled resource consumption flaw, triggered when a malicious connection sends data without an enforced upper bound. This leads to unbounded memory growth, causing the service to crash and resulting in a denial of service. Given the single-dimensional impact of denial of service and the added complexity of whether the resource exhaustion would happen, which is out of an attacker\u0027s control, this has been rated as moderate severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64"
],
"known_not_affected": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-39322"
},
{
"category": "external",
"summary": "RHBZ#2237778",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2237778"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-39322",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39322"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-39322",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39322"
},
{
"category": "external",
"summary": "https://go.dev/cl/523039",
"url": "https://go.dev/cl/523039"
},
{
"category": "external",
"summary": "https://go.dev/issue/62266",
"url": "https://go.dev/issue/62266"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ",
"url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ"
},
{
"category": "external",
"summary": "https://vuln.go.dev/ID/GO-2023-2045.json",
"url": "https://vuln.go.dev/ID/GO-2023-2045.json"
}
],
"release_date": "2023-09-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-12-05T06:56:16+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2023:7648"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: crypto/tls: lack of a limit on buffered post-handshake"
},
{
"cve": "CVE-2023-45142",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-10-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2245180"
}
],
"notes": [
{
"category": "description",
"text": "A memory leak was found in the otelhttp handler of open-telemetry. This flaw allows a remote, unauthenticated attacker to exhaust the server\u0027s memory by sending many malicious requests, affecting the availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "opentelemetry: DoS vulnerability in otelhttp",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "While no authentication is required, there are a significant number of non-default factors which prevent widespread exploitation of this flaw. For a service to be affected, all of the following must be true:\n* The go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp package must be in use\n* Configured a metrics pipeline which uses the otelhttp.NewHandler wrapper function\n* No filtering of unknown HTTP methods or user agents at a higher level (such as Content Delivery Network/Load Balancer/etc...)\n\nDue to the limited attack surface, Red Hat Product Security rates the impact as Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64"
],
"known_not_affected": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-45142"
},
{
"category": "external",
"summary": "RHBZ#2245180",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2245180"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-45142",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45142"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-45142",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45142"
},
{
"category": "external",
"summary": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr",
"url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr"
}
],
"release_date": "2023-10-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-12-05T06:56:16+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2023:7648"
},
{
"category": "workaround",
"details": "As a workaround to stop being affected otelhttp.WithFilter() can be used.\n\nFor convenience and safe usage of this library, it should by default mark with the label unknown non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.\n\nThe other possibility is to disable HTTP metrics instrumentation by passing otelhttp.WithMeterProvider option with noop.NewMeterProvider.",
"product_ids": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "opentelemetry: DoS vulnerability in otelhttp"
}
]
}
RHBA-2023_7648
Vulnerability from csaf_redhat - Published: 2023-12-05 06:56 - Updated: 2024-12-17 21:48
CVE-2023-39318: A flaw was found in Golang. The html/template package did not properly handle HTML-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This issue may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped.
| Product | Remediation |
|---|---|
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64 | Vendor Fix |

| Product | Remediation |
|---|---|
| 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64 | — |
| 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64 | — |
| 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64 | — |
| 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64 | — |
| 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64 | — |

CVE-2023-39319: A flaw was found in Golang. The html/template package did not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This issue may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped.
| Product | Remediation |
|---|---|
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64 | Vendor Fix |

| Product | Remediation |
|---|---|
| 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64 | — |
| 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64 | — |
| 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64 | — |
| 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64 | — |
| 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64 | — |

CVE-2023-39321: A flaw was found in Golang. Processing an incomplete post-handshake message for a QUIC connection caused a panic.
| Product | Remediation |
|---|---|
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64 | Vendor Fix |

| Product | Remediation |
|---|---|
| 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64 | — |
| 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64 | — |
| 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64 | — |
| 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64 | — |
| 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64 | — |

CVE-2023-39322: A flaw was found in Golang. QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With the fix, connections now consistently reject messages larger than 65KiB in size.
| Product | Remediation |
|---|---|
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64 | Vendor Fix |

| Product | Remediation |
|---|---|
| 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64 | — |
| 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64 | — |
| 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64 | — |
| 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64 | — |
| 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64 | — |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64 | — |

CVE-2023-45142: A memory leak was found in the otelhttp handler of open-telemetry. This flaw allows a remote, unauthenticated attacker to exhaust the server's memory by sending many malicious requests, affecting the availability.
| Product | Remediation |
|---|---|
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64 | Vendor Fix, Workaround |

| Product | Remediation |
|---|---|
| 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64 | Workaround |
| 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64 | Workaround |
| 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64 | Workaround |
| 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64 | Workaround |
| 8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64 | Workaround |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64 | Workaround |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64 | Workaround |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64 | Workaround |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64 | Workaround |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64 | Workaround |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64 | Workaround |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64 | Workaround |
| 9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64 | Workaround |
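The otelhttp memory-exhaustion mechanism described above (and in the CSAF "Statement" and "workaround" notes earlier on this page) comes down to unbounded metric cardinality: the instrumentation recorded the raw request method and User-Agent as metric attributes, so every distinct attacker-chosen value created a new series that the process kept in memory. The following Go program is an added example, not code from the opentelemetry-go-contrib project or from this advisory. It uses only the standard library: `metricStore` is a toy stand-in for an OpenTelemetry metric aggregation, `attackRequests` builds constructed sample traffic, `StandardMethodFilter` is a hypothetical filter whose shape (`func(*http.Request) bool`) matches what `otelhttp.WithFilter` accepts, and `hardenedSeriesKey` mirrors the approach the advisory's workaround text recommends: label non-standard methods with a single placeholder and do not record the user agent.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// standardMethods is the allowlist the hardened instrumentation keeps verbatim.
var standardMethods = map[string]bool{
	"GET": true, "HEAD": true, "POST": true, "PUT": true, "DELETE": true,
	"CONNECT": true, "OPTIONS": true, "TRACE": true, "PATCH": true,
}

// vulnerableSeriesKey models the attribute set the affected otelhttp versions
// attached to request metrics: the raw method and user agent, both chosen by
// the client, so the number of distinct keys is unbounded (CWE-770).
func vulnerableSeriesKey(r *http.Request) string {
	return r.Method + "|" + r.UserAgent()
}

// hardenedSeriesKey collapses any non-standard method into one "_OTHER" label
// and drops the user agent entirely, so the series count stays bounded by the
// size of the allowlist plus one.
func hardenedSeriesKey(r *http.Request) string {
	m := strings.ToUpper(r.Method)
	if !standardMethods[m] {
		m = "_OTHER"
	}
	return m
}

// StandardMethodFilter is a hypothetical filter with the same shape as
// otelhttp.Filter. Returning false means "do not instrument this request",
// which is the first workaround the advisory describes (otelhttp.WithFilter).
func StandardMethodFilter(r *http.Request) bool {
	return standardMethods[r.Method]
}

// metricStore is a toy aggregation: one counter per distinct attribute set,
// retained for the lifetime of the process, exactly the property an attacker
// abuses when the attribute values are under their control.
type metricStore struct {
	series map[string]int
}

func newStore() *metricStore { return &metricStore{series: map[string]int{}} }

func (s *metricStore) record(key string) { s.series[key]++ }

// Cardinality is the number of live series, a proxy for retained memory.
func (s *metricStore) Cardinality() int { return len(s.series) }

// ServeWithMetrics runs every request through a trivial handler, instruments it
// the way a metrics middleware would, and returns the resulting cardinality.
// filter may be nil (no filtering); hardened selects the bounded key function.
func ServeWithMetrics(reqs []*http.Request, hardened bool, filter func(*http.Request) bool) int {
	store := newStore()
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	for _, r := range reqs {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, r)
		if filter != nil && !filter(r) {
			continue // request served but not instrumented: no series created
		}
		if hardened {
			store.record(hardenedSeriesKey(r))
		} else {
			store.record(vulnerableSeriesKey(r))
		}
	}
	return store.Cardinality()
}

// attackRequests builds n constructed requests (sample input, not captured
// traffic), each with a unique non-standard method and User-Agent.
func attackRequests(n int) []*http.Request {
	reqs := make([]*http.Request, 0, n)
	for i := 0; i < n; i++ {
		r := httptest.NewRequest(fmt.Sprintf("M%d", i), "/", nil)
		r.Header.Set("User-Agent", fmt.Sprintf("ua-%d", i))
		reqs = append(reqs, r)
	}
	return reqs
}

func main() {
	reqs := attackRequests(10000)
	fmt.Println("vulnerable series:", ServeWithMetrics(reqs, false, nil))
	fmt.Println("hardened series:  ", ServeWithMetrics(reqs, true, nil))
	fmt.Println("filtered series:  ", ServeWithMetrics(reqs, false, StandardMethodFilter))
}
```

In a real service the filter is passed as `otelhttp.WithFilter(StandardMethodFilter)` to `otelhttp.NewHandler`, or HTTP metrics are disabled outright with `otelhttp.WithMeterProvider(noop.NewMeterProvider())`, as the advisory's workaround states. Two caveats a practitioner should keep in mind: a filter that returns false skips all otelhttp instrumentation for that request, traces included, so those requests disappear from telemetry rather than being counted under a placeholder label; and the filter only helps if it runs in front of the affected handler, which is why the Red Hat statement also counts method or user-agent filtering at a CDN or load balancer as a mitigating factor. Upgrading to a fixed opentelemetry-go-contrib release remains the actual fix.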
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated Release packages that fix several bugs and add various enhancements are now available.",
"title": "Topic"
},
{
"category": "general",
"text": "Migration Toolkit for Virtualization 2.5.3 Images",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHBA-2023:7648",
"url": "https://access.redhat.com/errata/RHBA-2023:7648"
},
{
"category": "external",
"summary": "MTV-698",
"url": "https://issues.redhat.com/browse/MTV-698"
},
{
"category": "external",
"summary": "MTV-699",
"url": "https://issues.redhat.com/browse/MTV-699"
},
{
"category": "external",
"summary": "MTV-714",
"url": "https://issues.redhat.com/browse/MTV-714"
},
{
"category": "external",
"summary": "MTV-783",
"url": "https://issues.redhat.com/browse/MTV-783"
},
{
"category": "external",
"summary": "MTV-803",
"url": "https://issues.redhat.com/browse/MTV-803"
},
{
"category": "external",
"summary": "MTV-811",
"url": "https://issues.redhat.com/browse/MTV-811"
},
{
"category": "external",
"summary": "MTV-812",
"url": "https://issues.redhat.com/browse/MTV-812"
},
{
"category": "external",
"summary": "MTV-818",
"url": "https://issues.redhat.com/browse/MTV-818"
},
{
"category": "external",
"summary": "MTV-830",
"url": "https://issues.redhat.com/browse/MTV-830"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhba-2023_7648.json"
}
],
"title": "Red Hat Bug Fix Advisory: MTV 2.5.3 Images",
"tracking": {
"current_release_date": "2024-12-17T21:48:11+00:00",
"generator": {
"date": "2024-12-17T21:48:11+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHBA-2023:7648",
"initial_release_date": "2023-12-05T06:56:16+00:00",
"revision_history": [
{
"date": "2023-12-05T06:56:16+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-12-05T06:56:16+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-17T21:48:11+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "8Base-MTV-2.5",
"product": {
"name": "8Base-MTV-2.5",
"product_id": "9Base-MTV-2.5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2.5::el9"
}
}
},
{
"category": "product_name",
"name": "8Base-MTV-2.5",
"product": {
"name": "8Base-MTV-2.5",
"product_id": "8Base-MTV-2.5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2.5::el8"
}
}
}
],
"category": "product_family",
"name": "Migration Toolkit for Virtualization"
},
{
"branches": [
{
"category": "product_version",
"name": "migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64",
"product": {
"name": "migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64",
"product_id": "migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3?arch=amd64\u0026repository_url=registry.redhat.io/migration-toolkit-virtualization/mtv-api-rhel9\u0026tag=2.5.3-11"
}
}
},
{
"category": "product_version",
"name": "migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"product": {
"name": "migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"product_id": "migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159?arch=amd64\u0026repository_url=registry.redhat.io/migration-toolkit-virtualization/mtv-console-plugin-rhel9\u0026tag=2.5.3-4"
}
}
},
{
"category": "product_version",
"name": "migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"product": {
"name": "migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"product_id": "migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1?arch=amd64\u0026repository_url=registry.redhat.io/migration-toolkit-virtualization/mtv-controller-rhel9\u0026tag=2.5.3-11"
}
}
},
{
"category": "product_version",
"name": "migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"product": {
"name": "migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"product_id": "migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7?arch=amd64\u0026repository_url=registry.redhat.io/migration-toolkit-virtualization/mtv-must-gather-api-rhel8\u0026tag=2.5.3-7"
}
}
},
{
"category": "product_version",
"name": "migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"product": {
"name": "migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"product_id": "migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6?arch=amd64\u0026repository_url=registry.redhat.io/migration-toolkit-virtualization/mtv-must-gather-rhel8\u0026tag=2.5.3-9"
}
}
},
{
"category": "product_version",
"name": "migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"product": {
"name": "migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"product_id": "migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92?arch=amd64\u0026repository_url=registry.redhat.io/migration-toolkit-virtualization/mtv-openstack-populator-rhel9\u0026tag=2.5.3-11"
}
}
},
{
"category": "product_version",
"name": "migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"product": {
"name": "migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"product_id": "migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac?arch=amd64\u0026repository_url=registry.redhat.io/migration-toolkit-virtualization/mtv-operator-bundle\u0026tag=2.5.3-30"
}
}
},
{
"category": "product_version",
"name": "migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"product": {
"name": "migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"product_id": "migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe?arch=amd64\u0026repository_url=registry.redhat.io/migration-toolkit-virtualization/mtv-rhel8-operator\u0026tag=2.5.3-11"
}
}
},
{
"category": "product_version",
"name": "migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"product": {
"name": "migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"product_id": "migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316?arch=amd64\u0026repository_url=registry.redhat.io/migration-toolkit-virtualization/mtv-ova-provider-server-rhel9\u0026tag=2.5.3-11"
}
}
},
{
"category": "product_version",
"name": "migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"product": {
"name": "migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"product_id": "migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f?arch=amd64\u0026repository_url=registry.redhat.io/migration-toolkit-virtualization/mtv-populator-controller-rhel9\u0026tag=2.5.3-11"
}
}
},
{
"category": "product_version",
"name": "migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"product": {
"name": "migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"product_id": "migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02?arch=amd64\u0026repository_url=registry.redhat.io/migration-toolkit-virtualization/mtv-rhv-populator-rhel8\u0026tag=2.5.3-11"
}
}
},
{
"category": "product_version",
"name": "migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"product": {
"name": "migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"product_id": "migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe?arch=amd64\u0026repository_url=registry.redhat.io/migration-toolkit-virtualization/mtv-validation-rhel9\u0026tag=2.5.3-12"
}
}
},
{
"category": "product_version",
"name": "migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64",
"product": {
"name": "migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64",
"product_id": "migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6?arch=amd64\u0026repository_url=registry.redhat.io/migration-toolkit-virtualization/mtv-virt-v2v-rhel9\u0026tag=2.5.3-10"
}
}
},
{
"category": "product_version",
"name": "migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"product": {
"name": "migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"product_id": "migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1?arch=amd64\u0026repository_url=registry.redhat.io/migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8\u0026tag=2.5.3-11"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64 as a component of 8Base-MTV-2.5",
"product_id": "8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64"
},
"product_reference": "migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"relates_to_product_reference": "8Base-MTV-2.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64 as a component of 8Base-MTV-2.5",
"product_id": "8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64"
},
"product_reference": "migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"relates_to_product_reference": "8Base-MTV-2.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64 as a component of 8Base-MTV-2.5",
"product_id": "8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64"
},
"product_reference": "migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"relates_to_product_reference": "8Base-MTV-2.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64 as a component of 8Base-MTV-2.5",
"product_id": "8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64"
},
"product_reference": "migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"relates_to_product_reference": "8Base-MTV-2.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64 as a component of 8Base-MTV-2.5",
"product_id": "8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64"
},
"product_reference": "migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"relates_to_product_reference": "8Base-MTV-2.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64 as a component of 8Base-MTV-2.5",
"product_id": "9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64"
},
"product_reference": "migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64",
"relates_to_product_reference": "9Base-MTV-2.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64 as a component of 8Base-MTV-2.5",
"product_id": "9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64"
},
"product_reference": "migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"relates_to_product_reference": "9Base-MTV-2.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64 as a component of 8Base-MTV-2.5",
"product_id": "9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64"
},
"product_reference": "migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"relates_to_product_reference": "9Base-MTV-2.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64 as a component of 8Base-MTV-2.5",
"product_id": "9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64"
},
"product_reference": "migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"relates_to_product_reference": "9Base-MTV-2.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64 as a component of 8Base-MTV-2.5",
"product_id": "9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64"
},
"product_reference": "migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"relates_to_product_reference": "9Base-MTV-2.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64 as a component of 8Base-MTV-2.5",
"product_id": "9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64"
},
"product_reference": "migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"relates_to_product_reference": "9Base-MTV-2.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64 as a component of 8Base-MTV-2.5",
"product_id": "9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64"
},
"product_reference": "migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"relates_to_product_reference": "9Base-MTV-2.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64 as a component of 8Base-MTV-2.5",
"product_id": "9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64"
},
"product_reference": "migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"relates_to_product_reference": "9Base-MTV-2.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64 as a component of 8Base-MTV-2.5",
"product_id": "9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
},
"product_reference": "migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64",
"relates_to_product_reference": "9Base-MTV-2.5"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Takeshi Kaneko"
],
"organization": "GMO Cybersecurity by Ierae, Inc."
}
],
"cve": "CVE-2023-39318",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2023-09-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2237776"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Golang. The html/template package did not properly handle HTML-like \"\u003c!--\" and \"--\u003e\" comment tokens, nor hashbang \"#!\" comment tokens, in \u003cscript\u003e contexts. This issue may cause the template parser to improperly interpret the contents of \u003cscript\u003e contexts, causing actions to be improperly escaped.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: html/template: improper handling of HTML-like comments within script contexts",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64"
],
"known_not_affected": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-39318"
},
{
"category": "external",
"summary": "RHBZ#2237776",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2237776"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-39318",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39318"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-39318",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39318"
},
{
"category": "external",
"summary": "https://go.dev/cl/526156",
"url": "https://go.dev/cl/526156"
},
{
"category": "external",
"summary": "https://go.dev/issue/62196",
"url": "https://go.dev/issue/62196"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ",
"url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ"
},
{
"category": "external",
"summary": "https://vuln.go.dev/ID/GO-2023-2041.json",
"url": "https://vuln.go.dev/ID/GO-2023-2041.json"
}
],
"release_date": "2023-09-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-12-05T06:56:16+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2023:7648"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: html/template: improper handling of HTML-like comments within script contexts"
},
{
"acknowledgments": [
{
"names": [
"Takeshi Kaneko"
],
"organization": "GMO Cybersecurity by Ierae, Inc."
}
],
"cve": "CVE-2023-39319",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2023-09-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2237773"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Golang. The html/template package did not apply the proper rules for handling occurrences of \"\u003cscript\", \"\u003c!--\", and \"\u003c/script\" within JS literals in \u003cscript\u003e contexts. This issue may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: html/template: improper handling of special tags within script contexts",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64"
],
"known_not_affected": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-39319"
},
{
"category": "external",
"summary": "RHBZ#2237773",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2237773"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-39319",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39319"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-39319",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39319"
},
{
"category": "external",
"summary": "https://go.dev/cl/526157",
"url": "https://go.dev/cl/526157"
},
{
"category": "external",
"summary": "https://go.dev/issue/62197",
"url": "https://go.dev/issue/62197"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ",
"url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ"
},
{
"category": "external",
"summary": "https://vuln.go.dev/ID/GO-2023-2043.json",
"url": "https://vuln.go.dev/ID/GO-2023-2043.json"
}
],
"release_date": "2023-09-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-12-05T06:56:16+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2023:7648"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: html/template: improper handling of special tags within script contexts"
},
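The description of CVE-2023-39319 above says the parser could consider a script context terminated early, so that actions were escaped with the wrong escaper. The probe below is an added example, not code from Go, Red Hat or the advisory; the template text and the probe value alert(1) are constructed for it. The first JS string literal holds "<!--" followed by "<script", which puts a browser's HTML tokenizer into the "script data double escaped" state, where the "</script" inside the second literal does not close the element. An engine that stops tracking the script element at that "</script" HTML-escapes {{.}} as text, and alert(1) passes HTML escaping untouched; an engine that tracks the state correctly keeps {{.}} in JS context and emits it as a quoted JSON string. Run it on the toolchain you ship with to see which behaviour you get (the Go 1.21.1 / 1.20.8 releases referenced by the go.dev links carry the fix).

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// probeTmpl is a constructed template, not one from the advisory. The first
// string literal contains "<!--" followed by "<script", which puts a browser's
// HTML tokenizer into the "script data double escaped" state; in that state
// the "</script" inside the second literal does NOT close the element. A
// template engine that stops tracking the script element at that "</script"
// treats {{.}} as HTML text and HTML-escapes it, while the browser still
// evaluates it as JavaScript.
const probeTmpl = `<script>
var s = "<!--<script>";
var t = "</script>";
var u = {{.}};
</script>`

// RenderProbe executes probeTmpl through html/template with value as the
// data and returns the rendered output.
func RenderProbe(value string) (string, error) {
	t, err := template.New("probe").Parse(probeTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, value); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ActionWasJSEscaped reports whether the action was escaped as a JS value
// (a quoted JSON string) rather than as HTML text. The probe value contains
// no HTML metacharacters, so HTML escaping leaves it untouched and a bare
// "var u = alert(1);" in the output means the engine left the script
// context early.
func ActionWasJSEscaped(out, value string) bool {
	return strings.Contains(out, `"`+value+`"`) &&
		!strings.Contains(out, "var u = "+value+";")
}

func main() {
	const payload = "alert(1)" // constructed probe value
	out, err := RenderProbe(payload)
	if err != nil {
		fmt.Println("render failed:", err)
		return
	}
	fmt.Println(out)
	fmt.Println("action JS-escaped:", ActionWasJSEscaped(out, payload))
}
```

The check deliberately uses a payload without HTML metacharacters: with "<" or "&" in the value, both escapers would alter it and the output alone would not tell you which context the engine believed it was in.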
{
"acknowledgments": [
{
"names": [
"Marten Seemann"
]
}
],
"cve": "CVE-2023-39321",
"discovery_date": "2023-09-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2237777"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Golang. Processing an incomplete post-handshake message for a QUIC connection caused a panic.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: crypto/tls: panic when processing post-handshake message on QUIC connections",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64"
],
"known_not_affected": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-39321"
},
{
"category": "external",
"summary": "RHBZ#2237777",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2237777"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-39321",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39321"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-39321",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39321"
},
{
"category": "external",
"summary": "https://go.dev/cl/523039",
"url": "https://go.dev/cl/523039"
},
{
"category": "external",
"summary": "https://go.dev/issue/62266",
"url": "https://go.dev/issue/62266"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ",
"url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ"
},
{
"category": "external",
"summary": "https://vuln.go.dev/ID/GO-2023-2044.json",
"url": "https://vuln.go.dev/ID/GO-2023-2044.json"
}
],
"release_date": "2023-09-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-12-05T06:56:16+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2023:7648"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: crypto/tls: panic when processing post-handshake message on QUIC connections"
},
{
"acknowledgments": [
{
"names": [
"Marten Seemann"
]
}
],
"cve": "CVE-2023-39322",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-09-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2237778"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Golang. QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With the fix, connections now consistently reject messages larger than 65KiB in size.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: crypto/tls: lack of a limit on buffered post-handshake",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64"
],
"known_not_affected": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-39322"
},
{
"category": "external",
"summary": "RHBZ#2237778",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2237778"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-39322",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39322"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-39322",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39322"
},
{
"category": "external",
"summary": "https://go.dev/cl/523039",
"url": "https://go.dev/cl/523039"
},
{
"category": "external",
"summary": "https://go.dev/issue/62266",
"url": "https://go.dev/issue/62266"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ",
"url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ"
},
{
"category": "external",
"summary": "https://vuln.go.dev/ID/GO-2023-2045.json",
"url": "https://vuln.go.dev/ID/GO-2023-2045.json"
}
],
"release_date": "2023-09-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-12-05T06:56:16+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2023:7648"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: crypto/tls: lack of a limit on buffered post-handshake"
},
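CVE-2023-39321 and CVE-2023-39322 above are the two failure modes of one piece of code: reading a post-handshake message that has not fully arrived (a panic), and buffering an arriving message with no upper bound (unbounded memory growth, fixed by rejecting messages over 65 KiB). The reassembler below is an added example written for this page, not code from Go's crypto/tls or from Red Hat; the message framing is the TLS handshake header (one type byte, 24-bit big-endian length), the limit constant name is ours, and the sample ticket bytes are constructed. It shows the two invariants a bounded reassembler needs: never parse a message before all of its declared bytes are present, and check the declared length against the limit before keeping any body bytes.

```go
package main

import (
	"errors"
	"fmt"
)

// maxPostHandshakeMessage is the bound the fix applies to QUIC post-handshake
// messages (65 KiB, per the Go advisory); the constant name is ours.
const maxPostHandshakeMessage = 65 * 1024

var ErrMessageTooLarge = errors.New("handshake message exceeds size limit")

// HandshakeMessage is one TLS handshake message: a one-byte type followed by
// a 24-bit big-endian body length (RFC 8446, section 4).
type HandshakeMessage struct {
	Type uint8
	Body []byte
}

// EncodeHandshakeMessage builds the wire form of a handshake message; used
// here only to construct sample input.
func EncodeHandshakeMessage(typ uint8, body []byte) []byte {
	n := len(body)
	out := []byte{typ, byte(n >> 16), byte(n >> 8), byte(n)}
	return append(out, body...)
}

// Reassembler accumulates handshake bytes that arrive in arbitrary fragments
// (as the payloads of QUIC CRYPTO frames do) and yields complete messages.
// Retained state never exceeds 4+limit bytes: the declared length is checked
// before any body bytes are kept, and a message is parsed only once all of
// its declared bytes are present.
type Reassembler struct {
	buf   []byte
	limit int
}

func NewReassembler(limit int) *Reassembler { return &Reassembler{limit: limit} }

// Buffered returns the number of bytes held back waiting for more data.
func (r *Reassembler) Buffered() int { return len(r.buf) }

// Push appends one fragment and returns every message that became complete.
func (r *Reassembler) Push(fragment []byte) ([]HandshakeMessage, error) {
	r.buf = append(r.buf, fragment...)
	var msgs []HandshakeMessage
	for {
		if len(r.buf) < 4 {
			return msgs, nil // header incomplete: wait, do not read past the end
		}
		n := int(r.buf[1])<<16 | int(r.buf[2])<<8 | int(r.buf[3])
		if n > r.limit {
			r.buf = nil // drop state; the caller should close the connection
			return msgs, ErrMessageTooLarge
		}
		if len(r.buf) < 4+n {
			return msgs, nil // body incomplete: wait for the next fragment
		}
		body := append([]byte(nil), r.buf[4:4+n]...)
		msgs = append(msgs, HandshakeMessage{Type: r.buf[0], Body: body})
		r.buf = append([]byte(nil), r.buf[4+n:]...) // copy so the consumed prefix can be freed
	}
}

func main() {
	r := NewReassembler(maxPostHandshakeMessage)
	// Type 4 is NewSessionTicket; the body is a constructed placeholder.
	ticket := EncodeHandshakeMessage(4, []byte("sample-session-ticket"))
	for _, frag := range [][]byte{ticket[:3], ticket[3:10], ticket[10:]} {
		msgs, err := r.Push(frag)
		fmt.Printf("pushed %2d bytes: %d complete, %2d buffered, err=%v\n", len(frag), len(msgs), r.Buffered(), err)
	}
	// A header declaring a 1 MiB body is refused before any body bytes arrive.
	_, err := NewReassembler(maxPostHandshakeMessage).Push([]byte{4, 0x10, 0x00, 0x00})
	fmt.Println("oversized declaration:", err)
}
```

Rejecting on the declared length rather than on what has arrived is the important ordering: a peer that announces a huge message and then trickles bytes would otherwise hold the full buffer for as long as it keeps the connection alive.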
{
"cve": "CVE-2023-45142",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-10-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2245180"
}
],
"notes": [
{
"category": "description",
"text": "A memory leak was found in the otelhttp handler of open-telemetry. This flaw allows a remote, unauthenticated attacker to exhaust the server\u0027s memory by sending many malicious requests, affecting the availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "opentelemetry: DoS vulnerability in otelhttp",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "While no authentication is required, there are a significant number of non-default factors which prevent widespread exploitation of this flaw. For a service to be affected, all of the following must be true:\n* The go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp package must be in use\n* Configured a metrics pipeline which uses the otelhttp.NewHandler wrapper function\n* No filtering of unknown HTTP methods or user agents at a higher level (such as Content Delivery Network/Load Balancer/etc...)\n\nDue to the limited attack surface, Red Hat Product Security rates the impact as Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64"
],
"known_not_affected": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-45142"
},
{
"category": "external",
"summary": "RHBZ#2245180",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2245180"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-45142",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45142"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-45142",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45142"
},
{
"category": "external",
"summary": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr",
"url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr"
}
],
"release_date": "2023-10-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-12-05T06:56:16+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2023:7648"
},
{
"category": "workaround",
"details": "As a workaround to stop being affected otelhttp.WithFilter() can be used.\n\nFor convenience and safe usage of this library, it should by default mark with the label unknown non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.\n\nThe other possibility is to disable HTTP metrics instrumentation by passing otelhttp.WithMeterProvider option with noop.NewMeterProvider.",
"product_ids": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-api-rhel8@sha256:8754f24846c622dab9bd423895512a8380f5bdb11569632a5ef8330f2beca1d7_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-must-gather-rhel8@sha256:fceee04ea01c3b516623ef6f15591e6807b9f00fe0c172d54b5d2787f51ac3b6_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhel8-operator@sha256:97e9e4096fe23ef06a79cc24db15f2d185922a76c00bf96fd4b49d541186c8fe_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-rhv-populator-rhel8@sha256:8fedc9fe464f5cacd62bb045b248e43d3bd89cbcefd168a3a1fae01e4728bd02_amd64",
"8Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8@sha256:cce69df41be6386f1abf91f6466a4d8deaab4ec893354bd9e8be90fc35ef46b1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-api-rhel9@sha256:886beb6c16e2c325aad2c0aa7ab33d261af0c59daf901f1325a4f855a93e94e3_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-console-plugin-rhel9@sha256:0df281d03f068951d4f82683bd1c3348ac905dd7d7097adb82ebd32da09e3159_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-controller-rhel9@sha256:da28fd4f76380dfa9072911ae004f9009199d45ea1f2bb7c6b1e86f874e1ace1_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-openstack-populator-rhel9@sha256:d0b218a09f5435fee89a2b0a9f4ff9a56891b123e565611094ebc81927576f92_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-operator-bundle@sha256:f6b4db29214b9e92404569b732eb4df67c3f5cab85f9f56219aee2e330a034ac_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-ova-provider-server-rhel9@sha256:20ba9c9859980fecdcf6aab2c9b90808fe2170e2e6408eab680721341816b316_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-populator-controller-rhel9@sha256:d478f7b0cafe869f013da6ddc58055e8a54fa6f7e0778cd05176f08ca4cc4e5f_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-validation-rhel9@sha256:e0a5ff55776d70f48cd20ee87c8ca38039a1f1325d726041e958cf47f97711fe_amd64",
"9Base-MTV-2.5:migration-toolkit-virtualization/mtv-virt-v2v-rhel9@sha256:455e95d6dacbe580cc3b9273c4c740d3f8b708b05c8c2dbdd1f67280b64d4ad6_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "opentelemetry: DoS vulnerability in otelhttp"
}
]
}