SUSE-SU-2024:3656-1

Source
https://www.suse.com/support/update/announcement/2024/suse-su-20243656-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2024:3656-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2024:3656-1
Related
Published
2024-10-16T11:33:42Z
Modified
2024-10-16T11:33:42Z
Summary
Security update for etcd
Details

This update for etcd fixes the following issues:

Update to version 3.5.12:

Security fixes:

  • CVE-2018-16873: Fixed remote command execution in cmd/go (bsc#1118897)
  • CVE-2018-16874: Fixed directory traversal in cmd/go (bsc#1118898)
  • CVE-2018-16875: Fixed CPU denial of service in crypto/x509 (bsc#1118899)
  • CVE-2018-16886: Fixed improper authentication issue when RBAC and client-cert-auth is enabled (bsc#1121850)
  • CVE-2020-15106: Fixed panic in decodeRecord method (bsc#1174951)
  • CVE-2020-15112: Fixed improper checks in entry index (bsc#1174951)
  • CVE-2021-28235: Fixed information discosure via debug function (bsc#1210138)
  • CVE-2022-41723: Fixed quadratic complexity in HPACK decoding in net/http (bsc#1208270, bsc#1208297)
  • CVE-2023-29406: Fixed insufficient sanitization of Host header in go net/http (bsc#1213229)
  • CVE-2023-47108: Fixed DoS vulnerability in otelgrpc (bsc#1217070)
  • CVE-2023-48795: Fixed prefix truncation breaking ssh channel integrity (aka Terrapin Attack) in crypto/ssh (bsc#1217950, bsc#1218150)

Other changes:

  • Added hardening to systemd service(s) (bsc#1181400)
  • Fixed static /tmp file issue (bsc#1199031)
  • Fixed systemd service not starting (bsc#1183703)

Full changelog:

https://github.com/etcd-io/etcd/compare/v3.3.1...v3.5.12

References

Affected packages

openSUSE:Leap 15.5 / etcd

Package

Name
etcd
Purl
purl:rpm/suse/etcd&distro=openSUSE%20Leap%2015.5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.5.12-150000.7.6.1

Ecosystem specific

{
    "binaries": [
        {
            "etcdctl": "3.5.12-150000.7.6.1",
            "etcd": "3.5.12-150000.7.6.1"
        }
    ]
}

openSUSE:Leap 15.6 / etcd

Package

Name
etcd
Purl
purl:rpm/suse/etcd&distro=openSUSE%20Leap%2015.6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.5.12-150000.7.6.1

Ecosystem specific

{
    "binaries": [
        {
            "etcdctl": "3.5.12-150000.7.6.1",
            "etcd": "3.5.12-150000.7.6.1"
        }
    ]
}