MGASA-2024-0128

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2024-0128.html

Import Source

https://advisories.mageia.org/MGASA-2024-0128.json

JSON Data

https://api.test.osv.dev/v1/vulns/MGASA-2024-0128

Related

CVE-2023-45288

Published

2024-04-13T16:56:38Z

Modified

2024-04-13T16:33:00Z

Summary

Updated golang packages fix security vulnerability

Details

CVE-2023-45288: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:9 / golang

Package

Name: golang
Purl: pkg:rpm/mageia/golang?distro=mageia-9

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.21.9-1.mga9

Ecosystem specific

{
    "section": "core"
}