Bugzilla – Bug 1220666
VUL-0: CVE-2024-22871: clojure: denial of service (DoS) via the clojure.core$partial$fn__5920 function.
Last modified: 2024-03-12 05:33:47 UTC
An issue in Clojure versions 1.20 to 1.12.0-alpha5 allows an attacker to cause a denial of service (DoS) via the clojure.core$partial$fn__5920 function.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-22871
https://www.cve.org/CVERecord?id=CVE-2024-22871
https://hackmd.io/%40fe1w0/rymmJGida
https://bugzilla.redhat.com/show_bug.cgi?id=2266785
> An issue in Clojure versions 1.20
1.20? I don't think that version exists yet.
The NVD website states "1.20 to 1.12.0-alpha5"; the original blog post, however, mentions "Under org.clojure:clojur (1.2.0 - 1.12.0-alpha5)", which makes more sense.
https://github.com/advisories/GHSA-vr64-r9qj-h27f has more info about this bug. It was edited by an upstream Clojure developer here: https://github.com/github/advisory-database/pull/3891/files
According to him, the vulnerability is present not only up to alpha5 but up to alpha8 (the latest alpha) and git master. The upstream bug report https://clojure.atlassian.net/browse/CLJ-2839 contains patches to fix it.
In devel:languages:clojure/clojure we don't build Clojure ourselves but ship their released jars/scripts. Upstream plans to create a new release once the fixes are ready/accepted.
SR#1156680 to Factory
SR#1156681 to openSUSE:Backports:SLE-15-SP6/clojure
@security: just a reminder that the original report is wrong; Clojure versions from 1.2.0 until clojure-1.12.0-alpha9 or clojure-1.11.2 are actually affected.
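As an added example that is not part of this bug report or of Clojure itself: a small Python check that applies the corrected affected ranges from the comment above to version strings and to jar file names, for instance when auditing a Java classpath for a vendored clojure jar. It assumes the two ranges are half-open (lower bound included; 1.11.2 and 1.12.0-alpha9 excluded, as the fixed releases), that pre-releases such as 1.12.0-alpha8 sort before the corresponding final release, and that jar files follow the clojure-<version>.jar naming of the upstream artifacts; the file names in the usage block are constructed.

```python
import re
from typing import Dict, Iterable, NamedTuple, Optional

# Version ranges this bug says are affected (the comment above corrects the
# NVD text). Assumption made here: the upper bounds 1.11.2 and 1.12.0-alpha9
# are the fixed releases, so both ranges are lower-inclusive, upper-exclusive.
AFFECTED_RANGES = [
    ("1.2.0", "1.11.2"),
    ("1.12.0-alpha1", "1.12.0-alpha9"),
]

# major.minor[.patch][-<tag><n>], e.g. 1.11.1 or 1.12.0-alpha8
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)(\d+))?$")

# Strict form of the upstream artifact name, so clojure-1.11.1-sources.jar
# is not mistaken for a version we cannot parse.
_JAR_RE = re.compile(r"clojure-(\d+\.\d+(?:\.\d+)?(?:-[a-z]+\d+)?)\.jar$")


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    # A final release gets is_final=1 and an empty tag, so it compares greater
    # than any pre-release of the same number (assumption: alpha < beta < rc,
    # which plain string order already gives).
    is_final: int
    tag: str
    tag_num: int


def parse_version(text: str) -> Version:
    """Parse a Clojure version string into a tuple that orders correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Clojure version string: {text!r}")
    major, minor, patch, tag, tag_num = m.groups()
    if tag is None:
        return Version(int(major), int(minor), int(patch or 0), 1, "", 0)
    return Version(int(major), int(minor), int(patch or 0), 0, tag, int(tag_num))


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(parse_version(low) <= v < parse_version(high)
               for low, high in AFFECTED_RANGES)


def version_from_jar_name(path: str) -> Optional[str]:
    """Extract the version from a clojure-<version>.jar path, else None."""
    m = _JAR_RE.search(path)
    return m.group(1) if m else None


def check_jars(paths: Iterable[str]) -> Dict[str, bool]:
    """Map each recognisable clojure jar path to whether it is affected."""
    result = {}
    for p in paths:
        v = version_from_jar_name(p)
        if v is not None:
            result[p] = is_affected(v)
    return result


if __name__ == "__main__":
    # Constructed sample classpath entries, not taken from a real system.
    sample = [
        "/usr/share/java/clojure-1.11.1.jar",
        "/usr/share/java/clojure-1.11.2.jar",
        "/opt/app/lib/clojure-1.12.0-alpha5.jar",
        "/opt/app/lib/clojure-1.12.0-alpha9.jar",
        "/opt/app/lib/clojure-1.11.1-sources.jar",
    ]
    for path, affected in check_jars(sample).items():
        print(f"{'AFFECTED' if affected else 'ok      '} {path}")
```

Anything the regex does not recognise (sources jars, unrelated jars) is skipped rather than guessed at; extend AFFECTED_RANGES if upstream revises the range again.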
This is an autogenerated message for OBS integration:
This bug (1220666) was mentioned in
https://build.opensuse.org/request/show/1156680 Factory / clojure
https://build.opensuse.org/request/show/1156681 Backports:SLE-15-SP6 / clojure
All SRs accepted.