Security update for buildah

This update for buildah fixes the following issues: CVE-2023-45288: possible excessive CPU consumption due to no limit being set on the number of CONTINUATION frames read for an HTTP/2 request in golang.org/x/net/http2. bsc1236531 CVE-2025-27144: Fixed denial of service in parsing function of...

Security update for podman

This update for podman fixes the following issues: CVE-2024-6104: possible sensitive data exposure due to hashicorp/go-retryablehttp not sanitizing URLs when writing them to log files. bsc1227052 CVE-2023-45288: possible excessive CPU consumption due to no limit being set on the number of...

Security update for skopeo

This update for skopeo fixes the following issues: CVE-2024-6104: possible sensitive data exposure due to hashicorp/go-retryablehttp not sanitizing URLs when writing them to log files. bsc1227056 CVE-2023-45288: possible excessive CPU consumption due to no limit being set on the number of...

USN-6750-1 thunderbird vulnerabilities

Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing,...

ALPINE-CVE-2024-27983

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a T...

AZL-38608 CVE-2023-45288 affecting package libcontainers-common for versions less than 20240213-2

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...

AZL-39625 CVE-2023-45288 affecting package kata-containers for versions less than 3.2.0.azl4-1

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...

PT-2024-2622

Vulnerability Report Name of the Vulnerable Software and Affected Versions: Node.js versions 18.x, 20.x, and 21.x corepack20-20.12.1-1.1 corepack21-21.7.2-1.1 OpenSUSE affected versions not specified MosOS affected versions not specified Alma Linux affected versions not specified Rocky Linux...

AZL-34823 CVE-2023-26964 affecting package kata-containers for versions less than 3.2.0.azl0-2

An issue was discovered in hyper v0.13.7. h2-0.2.4 Stream stacking occurs when the H2 component processes HTTP2 RSTSTREAM frames. As a result, the memory and CPU usage are high which can lead to a Denial of Service DoS...

AZL-61174 CVE-2023-26964 affecting package rust for versions less than h2-0.3.26

An issue was discovered in hyper v0.13.7. h2-0.2.4 Stream stacking occurs when the H2 component processes HTTP2 RSTSTREAM frames. As a result, the memory and CPU usage are high which can lead to a Denial of Service DoS...

PT-2023-3149 · Hyper +2 · Hyper +2

Name of the Vulnerable Software and Affected Versions: hyper version 0.13.7 h2 version 0.2.4 Description: An issue in the H2 component of hyper occurs when processing HTTP2 RST STREAM frames, leading to stream stacking and high memory and CPU usage, which can result in a Denial of Service DoS. Th...

SUSE CVE-2018-10184

An issue was discovered in HAProxy before 1.8.8. The incoming H2 frame length was checked against the maxframesize setting instead of being checked against the bufsize. The maxframesize only applies to outgoing traffic and not to incoming, so if a large enough frame size is advertised in the...

PT-2023-14021 · Google +1 · Golang.Org/X/Net/Http2/H2C +1

Name of the Vulnerable Software and Affected Versions: golang.org/x/net/http2/h2c affected versions not specified Description: A request smuggling attack is possible when using MaxBytesHandler. The body of an HTTP request is not fully consumed, and when the server attempts to read HTTP2 frames fr...

UBUNTU-CVE-2022-31780

Improper Input Validation vulnerability in HTTP/2 frame handling of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 9.1.2...

DEBIAN-CVE-2017-5446

An out-of-bounds read when an HTTP/2 connection to a servers sends "DATA" frames with incorrect data content. This leads to a potentially exploitable crash. This vulnerability affects Thunderbird 52.1, Firefox ESR 45.9, Firefox ESR 52.1, and Firefox 53...

UBUNTU-CVE-2018-10184

An issue was discovered in HAProxy before 1.8.8. The incoming H2 frame length was checked against the maxframesize setting instead of being checked against the bufsize. The maxframesize only applies to outgoing traffic and not to incoming, so if a large enough frame size is advertised in the...

DEBIAN-CVE-2018-10184

An issue was discovered in HAProxy before 1.8.8. The incoming H2 frame length was checked against the maxframesize setting instead of being checked against the bufsize. The maxframesize only applies to outgoing traffic and not to incoming, so if a large enough frame size is advertised in the...

Mozilla: Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data (MFSA 2017-11, MFSA 2017-12)

An out-of-bounds read when an HTTP/2 connection to a servers sends "DATA" frames with incorrect data content. This leads to a potentially exploitable crash. This vulnerability affects Thunderbird 52.1, Firefox ESR 45.9, Firefox ESR 52.1, and Firefox 53...