[Bug 1234794] New: VUL-0: CVE-2024-45338: golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html
https://bugzilla.suse.com/show_bug.cgi?id=1234794

            Bug ID: 1234794
           Summary: VUL-0: CVE-2024-45338: golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 15.6
          Hardware: Other
               URL: https://smash.suse.de/issue/433408/
                OS: Other
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Security
          Assignee: jmassaguerpla@suse.com
          Reporter: smash_bz@suse.de
        QA Contact: security-team@suse.de
                CC: stoyan.manolov@suse.com
  Target Milestone: ---
          Found By: Security Response Team
           Blocker: ---

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-45338
https://www.cve.org/CVERecord?id=CVE-2024-45338
https://go.dev/cl/637536
https://go.dev/issue/70906
https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ
https://pkg.go.dev/vuln/GO-2024-3333
https://bugzilla.redhat.com/show_bug.cgi?id=2333122

--
You are receiving this mail because:
You are on the CC list for the bug.

SMASH SMASH <smash_bz@suse.de> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
           Priority|P5 - None   |P3 - Medium

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
                 CC|            |meissner@suse.com

SMASH SMASH <smash_bz@suse.de> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
         Whiteboard|            |CVSSv3.1:SUSE:CVE-2024-45338:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
           Priority|P3 - Medium |P2 - High

https://bugzilla.suse.com/show_bug.cgi?id=1234794#c1

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                                                  |Added
----------------------------------------------------------------------------
            Summary|VUL-0: CVE-2024-45338: golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html |VUL-0: CVE-2024-45338: TRACKERBUG: golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html

--- Comment #1 from Marcus Meissner <meissner@suse.com> ---
needs to be expanded to all vendoring packages

SMASH SMASH <smash_bz@suse.de> changed:

           What    |Removed                                                  |Added
----------------------------------------------------------------------------
         Whiteboard|CVSSv3.1:SUSE:CVE-2024-45338:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) |CVSSv3.1:SUSE:CVE-2024-45338:5.9:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv4:SUSE:CVE-2024-45338:8.2:(AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)

Andrea Mattiazzo <andrea.mattiazzo@suse.com> changed:

           What    |Removed                                                  |Added
----------------------------------------------------------------------------
                 CC|                                                         |andrea.mattiazzo@suse.com
            Summary|VUL-0: CVE-2024-45338: TRACKERBUG: golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html |VUL-0: CVE-2024-45338: TRACKERBUG: golang.org/x/net/html: denial of service due to non-linear parsing of case-insensitive content

Bug 1234794 depends on bug 1235380, which changed state.

Bug 1235380 Summary: VUL-0: CVE-2024-45338: app-builder: golang.org/x/net/html: denial of service due to non-linear parsing of case-insensitive content
https://bugzilla.suse.com/show_bug.cgi?id=1235380

           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|NEW         |RESOLVED
         Resolution|---         |WONTFIX

Bug 1234794 depends on bug 1235278, which changed state.

Bug 1235278 Summary: VUL-0: CVE-2024-45338: rpm2docserv: golang.org/x/net/html: denial of service due to non-linear parsing of case-insensitive content
https://bugzilla.suse.com/show_bug.cgi?id=1235278

           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|NEW         |RESOLVED
         Resolution|---         |WONTFIX

Bug 1234794 depends on bug 1235381, which changed state.

Bug 1235381 Summary: VUL-0: CVE-2024-45338: chezmoi: golang.org/x/net/html: denial of service due to non-linear parsing of case-insensitive content
https://bugzilla.suse.com/show_bug.cgi?id=1235381

           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|NEW         |RESOLVED
         Resolution|---         |INVALID

Bug 1234794 depends on bug 1235319, which changed state.

Bug 1235319 Summary: VUL-0: CVE-2024-45338: podman: golang.org/x/net/html: denial of service due to non-linear parsing of case-insensitive content
https://bugzilla.suse.com/show_bug.cgi?id=1235319

           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|NEW         |RESOLVED
         Resolution|---         |INVALID

Bug 1234794 depends on bug 1235325, which changed state.

Bug 1235325 Summary: VUL-0: CVE-2024-45338: gosec: golang.org/x/net/html: denial of service due to non-linear parsing of case-insensitive content
https://bugzilla.suse.com/show_bug.cgi?id=1235325

           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|NEW         |RESOLVED
         Resolution|---         |INVALID

Bug 1234794 depends on bug 1235325, which changed state.

Bug 1235325 Summary: VUL-0: CVE-2024-45338: gosec: golang.org/x/net/html: denial of service due to non-linear parsing of case-insensitive content
https://bugzilla.suse.com/show_bug.cgi?id=1235325

           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|RESOLVED    |REOPENED
         Resolution|INVALID     |---

Bug 1234794 depends on bug 1235371, which changed state.

Bug 1235371 Summary: VUL-0: CVE-2024-45338: cni,cni-plugins: golang.org/x/net/html: denial of service due to non-linear parsing of case-insensitive content
https://bugzilla.suse.com/show_bug.cgi?id=1235371

           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|NEW         |RESOLVED
         Resolution|---         |INVALID