[Bug 1228240] New: VUL-0: CVE-2023-37788: oc: goproxy: nil pointer dereference causes panic in MITM mode
https://bugzilla.suse.com/show_bug.cgi?id=1228240

Bug ID: 1228240
Summary: VUL-0: CVE-2023-37788: oc: goproxy: nil pointer dereference causes panic in MITM mode
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
URL: https://smash.suse.de/issue/372863/
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: opensuse_buildservice@ojkastl.de
Reporter: thomas.leroy@suse.com
QA Contact: security-team@suse.de
CC: security-team@suse.de
Depends on: 1213466
Target Milestone: ---
Found By: Security Response Team
Blocker: ---

+++ This bug was initially created as a clone of Bug #1213466 +++

CVE-2023-37788

goproxy v1.1 was discovered to contain an issue which can lead to a Denial of service (DoS) via unspecified vectors.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-37788
https://www.cve.org/CVERecord?id=CVE-2023-37788
https://github.com/elazarl/goproxy
https://github.com/elazarl/goproxy/issues/502

--
You are receiving this mail because:
You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1228240
https://bugzilla.suse.com/show_bug.cgi?id=1228240#c1

--- Comment #1 from Thomas Leroy <thomas.leroy@suse.com> ---
openSUSE:Factory/oc embeds a vulnerable version of goproxy

https://bugzilla.suse.com/show_bug.cgi?id=1228240

SMASH SMASH <smash_bz@suse.de> changed:

What     |Removed   |Added
----------------------------------------------------------------------------
Priority |P5 - None |P3 - Medium

https://bugzilla.suse.com/show_bug.cgi?id=1228240

Thomas Leroy <thomas.leroy@suse.com> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Depends on |1213466  |
Blocks     |         |1213466

https://bugzilla.suse.com/show_bug.cgi?id=1228240
https://bugzilla.suse.com/show_bug.cgi?id=1228240#c2

--- Comment #2 from Johannes Kastl <opensuse_buildservice@ojkastl.de> ---
Hi Thomas,

has someone talked to upstream already?

Kind Regards,
Johannes

https://bugzilla.suse.com/show_bug.cgi?id=1228240
https://bugzilla.suse.com/show_bug.cgi?id=1228240#c3

Thomas Leroy <thomas.leroy@suse.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |RESOLVED
Resolution |---     |FIXED

--- Comment #3 from Thomas Leroy <thomas.leroy@suse.com> ---
(In reply to Johannes Kastl from comment #2)
> Hi Thomas,
>
> has someone talked to upstream already?
>
> Kind Regards,
> Johannes

Hi Johannes,

I checked again and openSUSE:Factory/oc goproxy embedded version is already fixed, so no need to reach upstream and to submit in OBS. Sorry for the noise :)