Bugzilla – Bug 1220535
VUL-0: CVE-2024-27099: python-uamqp: processing an incorrect `AMQP_VALUE` failed state causes a double free
Last modified: 2024-03-25 04:34:16 UTC
The uAMQP is a C library for AMQP 1.0 communication to Azure Cloud Services. Processing an incorrect `AMQP_VALUE` failed state may cause a double free problem. This may cause an RCE. Update submodule with commit 2ca42b6e4e098af2d17e487814a91d05f6ae4987.

References:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-27099
- https://www.cve.org/CVERecord?id=CVE-2024-27099
- https://github.com/Azure/azure-uamqp-c/security/advisories/GHSA-6rh4-fj44-v4jj

Patch: https://github.com/Azure/azure-uamqp-c/commit/2ca42b6e4e098af2d17e487814a91d05f6ae4987
Tracking as affected:
- SUSE:SLE-12-SP1:Update/python-uamqp
- SUSE:SLE-15-SP1:Update/python-uamqp
- openSUSE:Factory/python-uamqp
Fix can be easily backported to SUSE:SLE-15-SP1:Update and openSUSE:Factory. Already submitted a patched package for Factory:
- https://build.opensuse.org/request/show/1152893

SUSE:SLE-15-SP1:Update will follow shortly.
SUSE-SU-2024:0947-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1217782, 1220535
CVE References: CVE-2024-27099
Maintenance Incident: [SUSE:Maintenance:32795](https://smelt.suse.de/incident/32795/)

Sources used:
- openSUSE Leap 15.5 (src): python-uamqp-1.5.3-150100.4.18.1
- Public Cloud Module 15-SP2 (src): python-uamqp-1.5.3-150100.4.18.1
- Public Cloud Module 15-SP3 (src): python-uamqp-1.5.3-150100.4.18.1
- Public Cloud Module 15-SP4 (src): python-uamqp-1.5.3-150100.4.18.1
- Public Cloud Module 15-SP5 (src): python-uamqp-1.5.3-150100.4.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.