January 2025 - openSUSE Bugs - openSUSE Mailing Lists

[Bug 1235194] New: VUL-0: CVE-2024-28180: kubefirst: gopkg.in/square/go-jose.v2: improper handling of highly compressed data
by bugzilla_noreply＠suse.com 07 Jan '25

07 Jan '25

https://bugzilla.suse.com/show_bug.cgi?id=1235194 Bug ID: 1235194 Summary: VUL-0: CVE-2024-28180: kubefirst: gopkg.in/square/go-jose.v2: improper handling of highly compressed data Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.5 Hardware: Other URL: https://smash.suse.de/issue/396762/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: opensuse_buildservice(a)ojkastl.de Reporter: andrea.mattiazzo(a)suse.com QA Contact: security-team(a)suse.de Blocks: 1234984 Target Milestone: --- Found By: --- Blocker: --- Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-28180 https://www.cve.org/CVERecord?id=CVE-2024-28180 https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694… https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451… https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf9… https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g https://bugzilla.redhat.com/show_bug.cgi?id=2268854 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://github.com/CVEProject/cvelistV5/blob/main//cves/2024/28xxx/CVE-2024… -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1235190] New: VUL-0: CVE-2024-28180: kubescape: gopkg.in/square/go-jose.v2,github.com/go-jose/go-jose/v3: improper handling of highly compressed data
by bugzilla_noreply＠suse.com 07 Jan '25

07 Jan '25

1 2

[Bug 1235192] New: VUL-0: CVE-2024-28180: kubeswitch: github.com/go-jose/go-jose/v3: improper handling of highly compressed data
by bugzilla_noreply＠suse.com 07 Jan '25

07 Jan '25

1 2

[Bug 1235191] New: VUL-0: CVE-2024-28180: kubernetes1.30,kubernetes1.31,kubernetes1.29: gopkg.in/square/go-jose.v2: improper handling of highly compressed data
by bugzilla_noreply＠suse.com 07 Jan '25

07 Jan '25

https://bugzilla.suse.com/show_bug.cgi?id=1235191 Bug ID: 1235191 Summary: VUL-0: CVE-2024-28180: kubernetes1.30,kubernetes1.31,kubernetes1.29: gopkg.in/square/go-jose.v2: improper handling of highly compressed data Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.5 Hardware: Other URL: https://smash.suse.de/issue/396762/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: priyanka.saggu(a)suse.com Reporter: andrea.mattiazzo(a)suse.com QA Contact: security-team(a)suse.de Blocks: 1234984 Target Milestone: --- Found By: --- Blocker: --- Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-28180 https://www.cve.org/CVERecord?id=CVE-2024-28180 https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694… https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451… https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf9… https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g https://bugzilla.redhat.com/show_bug.cgi?id=2268854 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://github.com/CVEProject/cvelistV5/blob/main//cves/2024/28xxx/CVE-2024… -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1235178] New: VUL-0: CVE-2024-28180: weave-gitops: gopkg.in/square/go-jose.v2: improper handling of highly compressed data
by bugzilla_noreply＠suse.com 07 Jan '25

07 Jan '25

https://bugzilla.suse.com/show_bug.cgi?id=1235178 Bug ID: 1235178 Summary: VUL-0: CVE-2024-28180: weave-gitops: gopkg.in/square/go-jose.v2: improper handling of highly compressed data Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.5 Hardware: Other URL: https://smash.suse.de/issue/396762/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: opensuse_buildservice(a)ojkastl.de Reporter: andrea.mattiazzo(a)suse.com QA Contact: security-team(a)suse.de Blocks: 1234984 Target Milestone: --- Found By: --- Blocker: --- Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-28180 https://www.cve.org/CVERecord?id=CVE-2024-28180 https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694… https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451… https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf9… https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g https://bugzilla.redhat.com/show_bug.cgi?id=2268854 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://github.com/CVEProject/cvelistV5/blob/main//cves/2024/28xxx/CVE-2024… -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1235182] New: VUL-0: CVE-2024-28180: rke2-1.29,rke2-1.30: gopkg.in/square/go-jose.v2: improper handling of highly compressed data
by bugzilla_noreply＠suse.com 07 Jan '25

07 Jan '25

https://bugzilla.suse.com/show_bug.cgi?id=1235182 Bug ID: 1235182 Summary: VUL-0: CVE-2024-28180: rke2-1.29,rke2-1.30: gopkg.in/square/go-jose.v2: improper handling of highly compressed data Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.5 Hardware: Other URL: https://smash.suse.de/issue/396762/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: opensuse_buildservice(a)ojkastl.de Reporter: andrea.mattiazzo(a)suse.com QA Contact: security-team(a)suse.de Blocks: 1234984 Target Milestone: --- Found By: --- Blocker: --- Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-28180 https://www.cve.org/CVERecord?id=CVE-2024-28180 https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694… https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451… https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf9… https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g https://bugzilla.redhat.com/show_bug.cgi?id=2268854 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://github.com/CVEProject/cvelistV5/blob/main//cves/2024/28xxx/CVE-2024… -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1235164] New: VUL-0: CVE-2023-49295: v2ray-core: github.com/quic-go/quic-go: memory exhaustion attack against QUIC's path validation mechanism
by bugzilla_noreply＠suse.com 07 Jan '25

07 Jan '25

https://bugzilla.suse.com/show_bug.cgi?id=1235164 Bug ID: 1235164 Summary: VUL-0: CVE-2023-49295: v2ray-core: github.com/quic-go/quic-go: memory exhaustion attack against QUIC's path validation mechanism Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.5 Hardware: Other URL: https://smash.suse.de/issue/390776/ OS: Other Status: NEW Whiteboard: CVSSv3.1:SUSE:CVE-2023-49295:6.5:(AV:N/AC:L/PR:L/UI:N/ S:U/C:N/I:N/A:H) CVSSv4:SUSE:CVE-2023-49295:6.0:(AV:N/AC:L/AT:P/PR:L/UI :N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N) Severity: Normal Priority: P5 - None Component: Security Assignee: hillwoodroc(a)gmail.com Reporter: andrea.mattiazzo(a)suse.com QA Contact: security-team(a)suse.de Blocks: 1234982 Target Milestone: --- Found By: --- Blocker: --- quic-go is an implementation of the QUIC protocol (RFC 9000, RFC 9001, RFC 9002) in Go. An attacker can cause its peer to run out of memory sending a large number of PATH_CHALLENGE frames. The receiver is supposed to respond to each PATH_CHALLENGE frame with a PATH_RESPONSE frame. The attacker can prevent the receiver from sending out (the vast majority of) these PATH_RESPONSE frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate. This vulnerability has been patched in versions 0.37.7, 0.38.2 and 0.39.4. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-49295 https://www.cve.org/CVERecord?id=CVE-2023-49295 https://github.com/quic-go/quic-go/commit/17fc98c2d81dbe685c19702dc694a9d60… https://github.com/quic-go/quic-go/commit/21609ddfeff93668c7625a85eb09f1541… https://github.com/quic-go/quic-go/commit/3a9c18bcd27a01c551ac9bf8bd2b4bded… https://github.com/quic-go/quic-go/commit/554d543b50b917369fb1394cc5396d928… https://github.com/quic-go/quic-go/commit/6cc3d58935426191296171a6c0d1ee965… https://github.com/quic-go/quic-go/commit/9aaefe19fc3dc8c8917cc87e6128bb56d… https://github.com/quic-go/quic-go/commit/a0ffa757499913f7be69aa78f573a6aee… https://github.com/quic-go/quic-go/commit/d7aa627ebde91cf799ada2a07443faa9b… https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf https://bugzilla.redhat.com/show_bug.cgi?id=2257815 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1235165] New: VUL-0: CVE-2023-49295: dnsproxy: github.com/quic-go/quic-go: memory exhaustion attack against QUIC's path validation mechanism
by bugzilla_noreply＠suse.com 07 Jan '25

07 Jan '25

https://bugzilla.suse.com/show_bug.cgi?id=1235165 Bug ID: 1235165 Summary: VUL-0: CVE-2023-49295: dnsproxy: github.com/quic-go/quic-go: memory exhaustion attack against QUIC's path validation mechanism Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.5 Hardware: Other URL: https://smash.suse.de/issue/390776/ OS: Other Status: NEW Whiteboard: CVSSv3.1:SUSE:CVE-2023-49295:6.5:(AV:N/AC:L/PR:L/UI:N/ S:U/C:N/I:N/A:H) CVSSv4:SUSE:CVE-2023-49295:6.0:(AV:N/AC:L/AT:P/PR:L/UI :N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N) Severity: Normal Priority: P5 - None Component: Security Assignee: eyadlorenzo(a)gmail.com Reporter: andrea.mattiazzo(a)suse.com QA Contact: security-team(a)suse.de Blocks: 1234982 Target Milestone: --- Found By: --- Blocker: --- quic-go is an implementation of the QUIC protocol (RFC 9000, RFC 9001, RFC 9002) in Go. An attacker can cause its peer to run out of memory sending a large number of PATH_CHALLENGE frames. The receiver is supposed to respond to each PATH_CHALLENGE frame with a PATH_RESPONSE frame. The attacker can prevent the receiver from sending out (the vast majority of) these PATH_RESPONSE frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate. This vulnerability has been patched in versions 0.37.7, 0.38.2 and 0.39.4. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-49295 https://www.cve.org/CVERecord?id=CVE-2023-49295 https://github.com/quic-go/quic-go/commit/17fc98c2d81dbe685c19702dc694a9d60… https://github.com/quic-go/quic-go/commit/21609ddfeff93668c7625a85eb09f1541… https://github.com/quic-go/quic-go/commit/3a9c18bcd27a01c551ac9bf8bd2b4bded… https://github.com/quic-go/quic-go/commit/554d543b50b917369fb1394cc5396d928… https://github.com/quic-go/quic-go/commit/6cc3d58935426191296171a6c0d1ee965… https://github.com/quic-go/quic-go/commit/9aaefe19fc3dc8c8917cc87e6128bb56d… https://github.com/quic-go/quic-go/commit/a0ffa757499913f7be69aa78f573a6aee… https://github.com/quic-go/quic-go/commit/d7aa627ebde91cf799ada2a07443faa9b… https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf https://bugzilla.redhat.com/show_bug.cgi?id=2257815 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1235212] New: VUL-0: CVE-2024-28180: kubearmor-client: github.com/go-jose/go-jose/v3: improper handling of highly compressed data
by bugzilla_noreply＠suse.com 07 Jan '25

07 Jan '25

https://bugzilla.suse.com/show_bug.cgi?id=1235212 https://bugzilla.suse.com/show_bug.cgi?id=1235212#c1 Bug ID: 1235212 Summary: VUL-0: CVE-2024-28180: kubearmor-client: github.com/go-jose/go-jose/v3: improper handling of highly compressed data Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.5 Hardware: Other URL: https://smash.suse.de/issue/396762/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: opensuse_buildservice(a)ojkastl.de Reporter: andrea.mattiazzo(a)suse.com QA Contact: security-team(a)suse.de Blocks: 1234984 Target Milestone: --- Found By: --- Blocker: --- --- Comment #1 from Andrea Mattiazzo <andrea.mattiazzo(a)suse.com> --- Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-28180 https://www.cve.org/CVERecord?id=CVE-2024-28180 https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694… https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451… https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf9… https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g https://bugzilla.redhat.com/show_bug.cgi?id=2268854 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://github.com/CVEProject/cvelistV5/blob/main//cves/2024/28xxx/CVE-2024… -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1235162] New: VUL-0: CVE-2023-49295: kubo: github.com/quic-go/quic-go: memory exhaustion attack against QUIC's path validation mechanism
by bugzilla_noreply＠suse.com 07 Jan '25

07 Jan '25

https://bugzilla.suse.com/show_bug.cgi?id=1235162 Bug ID: 1235162 Summary: VUL-0: CVE-2023-49295: kubo: github.com/quic-go/quic-go: memory exhaustion attack against QUIC's path validation mechanism Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.5 Hardware: Other URL: https://smash.suse.de/issue/390776/ OS: Other Status: NEW Whiteboard: CVSSv3.1:SUSE:CVE-2023-49295:6.5:(AV:N/AC:L/PR:L/UI:N/ S:U/C:N/I:N/A:H) CVSSv4:SUSE:CVE-2023-49295:6.0:(AV:N/AC:L/AT:P/PR:L/UI :N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N) Severity: Normal Priority: P5 - None Component: Security Assignee: bwiedemann(a)suse.com Reporter: andrea.mattiazzo(a)suse.com QA Contact: security-team(a)suse.de Blocks: 1234982 Target Milestone: --- Found By: --- Blocker: --- quic-go is an implementation of the QUIC protocol (RFC 9000, RFC 9001, RFC 9002) in Go. An attacker can cause its peer to run out of memory sending a large number of PATH_CHALLENGE frames. The receiver is supposed to respond to each PATH_CHALLENGE frame with a PATH_RESPONSE frame. The attacker can prevent the receiver from sending out (the vast majority of) these PATH_RESPONSE frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate. This vulnerability has been patched in versions 0.37.7, 0.38.2 and 0.39.4. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-49295 https://www.cve.org/CVERecord?id=CVE-2023-49295 https://github.com/quic-go/quic-go/commit/17fc98c2d81dbe685c19702dc694a9d60… https://github.com/quic-go/quic-go/commit/21609ddfeff93668c7625a85eb09f1541… https://github.com/quic-go/quic-go/commit/3a9c18bcd27a01c551ac9bf8bd2b4bded… https://github.com/quic-go/quic-go/commit/554d543b50b917369fb1394cc5396d928… https://github.com/quic-go/quic-go/commit/6cc3d58935426191296171a6c0d1ee965… https://github.com/quic-go/quic-go/commit/9aaefe19fc3dc8c8917cc87e6128bb56d… https://github.com/quic-go/quic-go/commit/a0ffa757499913f7be69aa78f573a6aee… https://github.com/quic-go/quic-go/commit/d7aa627ebde91cf799ada2a07443faa9b… https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf https://bugzilla.redhat.com/show_bug.cgi?id=2257815 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… https://lists.fedoraproject.org/archives/list/package-announce@lists.fedora… -- You are receiving this mail because: You are on the CC list for the bug.

1 2