[Bugs] [Bug 13496] New: [CVE 21] avro 1.7.6 CVEs found
bugzilla
bugzilla на rosalinux.ru
Ср Авг 23 23:17:50 MSK 2023
https://bugzilla.rosalinux.ru/show_bug.cgi?id=13496
Platform: 2021.1
Bug ID: 13496
Summary: [CVE 21] avro 1.7.6 CVEs found
Classification: ROSA-based products
Product: ROSA Fresh
Version: All
Hardware: All
URL: CVE-2023-37475,
OS: Linux
Status: CONFIRMED
Severity: normal
Priority: Normal
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: bugs на lists.rosalinux.ru
Reporter: y.tumanov на rosalinux.ru
QA Contact: bugs на lists.rosalinux.ru
CC: e.kosachev на rosalinux.ru, s.matveev на rosalinux.ru,
y.tumanov на rosalinux.ru
Target Milestone: ---
Flags: secteam_verified?
Please patch CVEs for package avro version 1.7.6
INFO (CVEs are): avro 1.7.6
cves found
CVE-2023-37475
Desc: Hamba avro is a go lang encoder/decoder implementation of the avro codec
specification. In affected versions a well-crafted string passed to avro's
`github.com/hamba/avro/v2.Unmarshal()` can throw a `fatal error: runtime: out
of memory` which is unrecoverable and can cause denial of service of the
consumer of avro. The root cause of the issue is that avro uses part of the
input to `Unmarshal()` to determine the size when creating a new slice and
hence an attacker may consume arbitrary amounts of memory which in turn may
cause the application to crash. This issue has been addressed in commit
`b4a402f4` which has been included in release version `2.13.0`. Users are
advised to upgrade. There are no known workarounds for this vulnerability.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-37475
Severity: HIGH
--
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
----------- следущая часть -----------
Вложение в формате HTML было извлечено…
URL: <http://lists.rosalinux.ru/pipermail/bugs/attachments/20230823/5e4b8982/attachment.html>
Подробная информация о списке рассылки Bugs