ID

VAR-202310-0175

CVE

CVE-2023-44487

TITLE

Gentoo Linux Security Advisory 202311-09

DESCRIPTION

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202311-09 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Go: Multiple Vulnerabilities Date: November 25, 2023 Bugs: #873637, #883783, #894478, #903979, #908255, #915555, #916494 ID: 202311-09 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= Multiple vulnerabilities have been discovered in Go, the worst of which could lead to remote code execution. Background ========= Go is an open source programming language that makes it easy to build simple, reliable, and efficient software. Affected packages ================ Package Vulnerable Unaffected ----------- ------------ ------------ dev-lang/go < 1.20.10 >= 1.20.10 Description ========== Multiple vulnerabilities have been discovered in Go. Please review the CVE identifiers referenced below for details. Impact ===== Please review the referenced CVE identifiers for details. Workaround ========= There is no known workaround at this time. Resolution ========= All Go users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">\xdev-lang/go-1.20.10" # emerge --ask --oneshot --verbose @golang-rebuild References ========= [ 1 ] CVE-2022-2879 https://nvd.nist.gov/vuln/detail/CVE-2022-2879 [ 2 ] CVE-2022-2880 https://nvd.nist.gov/vuln/detail/CVE-2022-2880 [ 3 ] CVE-2022-41715 https://nvd.nist.gov/vuln/detail/CVE-2022-41715 [ 4 ] CVE-2022-41717 https://nvd.nist.gov/vuln/detail/CVE-2022-41717 [ 5 ] CVE-2022-41723 https://nvd.nist.gov/vuln/detail/CVE-2022-41723 [ 6 ] CVE-2022-41724 https://nvd.nist.gov/vuln/detail/CVE-2022-41724 [ 7 ] CVE-2022-41725 https://nvd.nist.gov/vuln/detail/CVE-2022-41725 [ 8 ] CVE-2023-24534 https://nvd.nist.gov/vuln/detail/CVE-2023-24534 [ 9 ] CVE-2023-24536 https://nvd.nist.gov/vuln/detail/CVE-2023-24536 [ 10 ] CVE-2023-24537 https://nvd.nist.gov/vuln/detail/CVE-2023-24537 [ 11 ] CVE-2023-24538 https://nvd.nist.gov/vuln/detail/CVE-2023-24538 [ 12 ] CVE-2023-29402 https://nvd.nist.gov/vuln/detail/CVE-2023-29402 [ 13 ] CVE-2023-29403 https://nvd.nist.gov/vuln/detail/CVE-2023-29403 [ 14 ] CVE-2023-29404 https://nvd.nist.gov/vuln/detail/CVE-2023-29404 [ 15 ] CVE-2023-29405 https://nvd.nist.gov/vuln/detail/CVE-2023-29405 [ 16 ] CVE-2023-29406 https://nvd.nist.gov/vuln/detail/CVE-2023-29406 [ 17 ] CVE-2023-29409 https://nvd.nist.gov/vuln/detail/CVE-2023-29409 [ 18 ] CVE-2023-39318 https://nvd.nist.gov/vuln/detail/CVE-2023-39318 [ 19 ] CVE-2023-39319 https://nvd.nist.gov/vuln/detail/CVE-2023-39319 [ 20 ] CVE-2023-39320 https://nvd.nist.gov/vuln/detail/CVE-2023-39320 [ 21 ] CVE-2023-39321 https://nvd.nist.gov/vuln/detail/CVE-2023-39321 [ 22 ] CVE-2023-39322 https://nvd.nist.gov/vuln/detail/CVE-2023-39322 [ 23 ] CVE-2023-39323 https://nvd.nist.gov/vuln/detail/CVE-2023-39323 [ 24 ] CVE-2023-39325 https://nvd.nist.gov/vuln/detail/CVE-2023-39325 [ 25 ] CVE-2023-44487 https://nvd.nist.gov/vuln/detail/CVE-2023-44487 Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202311-09 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ====== Copyright 2023 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-5549-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff November 05, 2023 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : trafficserver CVE ID : CVE-2022-47185 CVE-2023-33934 CVE-2023-39456 CVE-2023-41752 CVE-2023-44487 Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service or information disclosure. For the oldstable distribution (bullseye), these problems have been fixed in version 8.1.9+ds-1~deb11u1. For the stable distribution (bookworm), these problems have been fixed in version 9.2.3+ds-1+deb12u1. We recommend that you upgrade your trafficserver packages. For the detailed security status of trafficserver please refer to its security tracker page at: https://security-tracker.debian.org/tracker/trafficserver Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmVH8qoACgkQEMKTtsN8 TjbxOhAAkZMjvXgCcE1d9hO03bcOOVEU8dm3D7POoeIVqmZlgHRH6Q7xh1E3ER+C dl2Nix0Y+8KiCP9JjL6K9yzNcMpmeQ1M6QYD8HJxyj/ihVpWv+SMrdelVyYG5BPM ClWLHzNk6oQm3fMWE//EXm6vxoXOust61gTjhjozV7D1VvWYvLdDt/w59I+wHHc2 XIJ9gVakNvVrmdB2ItEwrYmPrRA6uECB3ag3xP4Wh1H9SkwVgcbBW6ZrgmPAjVQO UTxdCYJuoWkYavr6bolxUG833DfnJRPk9mZJVCdvX4FJnNI6Mp/XGWQ0KNx8K2Xj u6bG//dTJ948q0i5c4thWlCuKkalpZAJ3KxcFyZo6Io1QjCaSN49Rj1agCuiJp4r nmbh0GAlebvOypuiOZieJEEbTIhJpgF1hCLS2jy/Eo8qLP7Iodvr2US7JNwVEirj v0GZx9w9uyFYKfNgRDlJDdaJsmi+2YfbXO4uxp8rFNUY3acL/P8mTsMJohiWjNuH q+/hY7egr7igRPSe+zl2m/tpx1zlPxH761qMqdTVNwztE4t09vW4crPrQ8siwmC1 0HCyGef7R8eNqlODCwpeG1wC+DXHzx00FWUG1r24lNGf7koFnsuALJBPGRptbHqm v6z+piRi8deQNb1vCsQXBzsXjVrK+i/MAAjNixnvTJ9BnVh2ZPY= =gKYQ -----END PGP SIGNATURE----- . Description: Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13018. See the following advisory for the RPM packages for this release: https://access.redhat.com/errata/RHBA-2023:5905 Space precludes documenting all of the container images in this advisory. All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Description: Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up. Description: Release of Red Hat build of OptaPlanner 8.38.0 SP2. The purpose of this text-only erratum is to inform you about the security issues fixed. Description: Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. The following data is constructed from data provided by Red Hat's json file at: https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5705.json Red Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment. - Packet Storm Staff ==================================================================== Red Hat Security Advisory Synopsis: Important: rh-dotnet60-dotnet security, bug fix, and enhancement update Advisory ID: RHSA-2023:5705-01 Product: .NET Core on Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2023:5705 Issue date: 2023-10-16 Revision: 01 CVE Names: CVE-2023-44487 ==================================================================== Summary: An update for rh-dotnet60-dotnet is now available for .NET Core on Red Hat Enterprise Linux. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description: .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET 6.0 to SDK 6.0.123 and Runtime 6.0.23. The following packages have been upgraded to a later upstream version: rh-dotnet60-dotnet (6.0.123). (BZ#2242122) Security Fix(es): * HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution: https://access.redhat.com/articles/11258 CVEs: CVE-2023-44487 References: https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/security/vulnerabilities/RHSB-2023-003 . Description: IBM Business Automation Manager Open Editions is an open source business process management suite that combines process management and decision service management. It enables business and IT users to create, manage, validate, and deploy process applications and decision services. This release updates the IBM Business Automation Manager Open Editions images to 8.0.4. This release includes security fixes. ========================================================================== Ubuntu Security Notice USN-7067-1 October 14, 2024 haproxy vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 18.04 LTS Summary: HAProxy could be made to crash or run programs if it received specially crafted network traffic. Software Description: - haproxy: fast and reliable load balancing reverse proxy Details: It was discovered that HAProxy did not properly limit the creation of new HTTP/2 streams. A remote attacker could possibly use this issue to cause HAProxy to consume excessive resources, leading to a denial of service. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 18.04 LTS haproxy 1.8.8-1ubuntu0.13+esm3 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

code execution

EXTERNAL IDS

REFERENCES