Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2023-45288: go1.21,go1.22: net/http, x/net/http2: close connections when receiving too many headers | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | SMASH SMASH <smash_bz> |
| Component: | Incidents | Assignee: | Jeff Kowalczyk <jkowalczyk> |
| Status: | IN_PROGRESS --- | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | meissner, thomas.leroy |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/397669/ | | |
| Whiteboard: | CVSSv3.1:SUSE:CVE-2023-45288:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) | | |
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 1221404 | | |

Description
SMASH SMASH
2024-03-14 12:45:09 UTC
CRD: 2024-03-28

net/http is part of the Go package itself, so a rebuild with a fixed version should fix all the dependencies. However, golang.org/x/net/http2 is a module embedded in many different places. I would wait for the Go security team advisory before opening another TRACKERBUG.

CRD: 2024-04-04

There are draft patches in the VINCE issue, but I would say we pick up the go stable release that likely will happen soon after CRD.

Upstream CVE announcement 2024-04-03:

http2: close connections when receiving too many headers

Maintaining HPACK state requires that we parse and process all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, we don't allocate memory to store the excess headers but we do parse them. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. Set a limit on the amount of excess header frames we will process before closing a connection.

Thanks to Bartek Nowotarski (https://nowotarski.info/) for reporting this issue.

This is CVE-2023-45288 and Go issue https://go.dev/issue/65051.

This is an autogenerated message for OBS integration:
This bug (1221400) was mentioned in
- https://build.opensuse.org/request/show/1164437 Factory / go1.21
- https://build.opensuse.org/request/show/1164438 Factory / go1.22

is public

https://kb.cert.org/vuls/id/421644 cert note

SUSE-SU-2024:1121-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1218424, 1221400
CVE References: CVE-2023-45288
Maintenance Incident: [SUSE:Maintenance:33201](https://smelt.suse.de/incident/33201/)
Sources used:
- openSUSE Leap 15.5 (src): go1.22-1.22.2-150000.1.12.1
- Development Tools Module 15-SP5 (src): go1.22-1.22.2-150000.1.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:1122-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1212475, 1221400
CVE References: CVE-2023-45288
Maintenance Incident: [SUSE:Maintenance:33202](https://smelt.suse.de/incident/33202/)
Sources used:
- openSUSE Leap 15.5 (src): go1.21-1.21.9-150000.1.30.1
- Development Tools Module 15-SP5 (src): go1.21-1.21.9-150000.1.30.1
- SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): go1.21-1.21.9-150000.1.30.1
- SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): go1.21-1.21.9-150000.1.30.1
- SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): go1.21-1.21.9-150000.1.30.1
- SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): go1.21-1.21.9-150000.1.30.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): go1.21-1.21.9-150000.1.30.1

SUSE-SU-2024:1161-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1212475, 1221400
CVE References: CVE-2023-45288
Maintenance Incident: [SUSE:Maintenance:33204](https://smelt.suse.de/incident/33204/)
Sources used:
- SUSE Linux Enterprise Software Development Kit 12 SP5 (src): go1.21-1.21.9-1.30.1

SUSE-SU-2024:1160-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1218424, 1221400
CVE References: CVE-2023-45288
Maintenance Incident: [SUSE:Maintenance:33200](https://smelt.suse.de/incident/33200/)
Sources used:
- SUSE Linux Enterprise Software Development Kit 12 SP5 (src): go1.22-1.22.2-1.6.1

SUSE-SU-2024:2108-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1221400, 1224323
CVE References: CVE-2023-45288
Maintenance Incident: [SUSE:Maintenance:34007](https://smelt.suse.de/incident/34007/)
Sources used:
- openSUSE Leap Micro 5.3 (src): containerd-1.7.17-150000.111.3
- openSUSE Leap Micro 5.4 (src): containerd-1.7.17-150000.111.3
- openSUSE Leap 15.5 (src): containerd-1.7.17-150000.111.3
- openSUSE Leap 15.6 (src): containerd-1.7.17-150000.111.3
- SUSE Linux Enterprise Micro for Rancher 5.3 (src): containerd-1.7.17-150000.111.3
- SUSE Linux Enterprise Micro 5.3 (src): containerd-1.7.17-150000.111.3
- SUSE Linux Enterprise Micro for Rancher 5.4 (src): containerd-1.7.17-150000.111.3
- SUSE Linux Enterprise Micro 5.4 (src): containerd-1.7.17-150000.111.3
- SUSE Linux Enterprise Micro 5.5 (src): containerd-1.7.17-150000.111.3
- Containers Module 15-SP5 (src): containerd-1.7.17-150000.111.3
- Containers Module 15-SP6 (src): containerd-1.7.17-150000.111.3
- SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): containerd-1.7.17-150000.111.3
- SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): containerd-1.7.17-150000.111.3
- SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): containerd-1.7.17-150000.111.3
- SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): containerd-1.7.17-150000.111.3
- SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): containerd-1.7.17-150000.111.3
- SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): containerd-1.7.17-150000.111.3
- SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): containerd-1.7.17-150000.111.3
- SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): containerd-1.7.17-150000.111.3
- SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): containerd-1.7.17-150000.111.3
- SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): containerd-1.7.17-150000.111.3
- SUSE Enterprise Storage 7.1 (src): containerd-1.7.17-150000.111.3
- SUSE Linux Enterprise Micro 5.1 (src): containerd-1.7.17-150000.111.3
- SUSE Linux Enterprise Micro 5.2 (src): containerd-1.7.17-150000.111.3
- SUSE Linux Enterprise Micro for Rancher 5.2 (src): containerd-1.7.17-150000.111.3