Bug 1203681 (CVE-2022-1941) - VUL-0: CVE-2022-1941: protobuf: A potential Denial of Service issue in protobuf-cpp and protobuf-python
Status: RESOLVED FIXED
Duplicates: 1204630 1205141
Alias: CVE-2022-1941
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/343244/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-1941:6.5:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2022-09-23 08:49 UTC by Thomas Leroy
Modified: 2024-04-19 14:27 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Thomas Leroy 2022-09-23 08:49:36 UTC
CVE-2022-1941

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions
prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for
protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2,
3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory
failures. A specially crafted message with multiple key-value per elements
creates parsing issues, and can lead to a Denial of Service against services
receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5,
3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for
protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1941
https://www.cve.org/CVERecord?id=CVE-2022-1941
https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf
https://cloud.google.com/support/bulletins#GCP-2022-019
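
A triage helper for the version ranges in the description above, as an added example that is not part of the advisory or of SUSE's tooling. The function names and status strings are hypothetical, and pre-release suffixes such as `rc1` are ignored as a simplifying assumption.

```python
import re

# First fixed release on each maintained upstream branch, as listed in the
# CVE-2022-1941 description (branch = first two version components).
FIXED = {
    "cpp": {(3, 18): (3, 18, 3), (3, 19): (3, 19, 5),
            (3, 20): (3, 20, 2), (3, 21): (3, 21, 6)},
    "python": {(3, 18): (3, 18, 3), (3, 19): (3, 19, 5),
               (3, 20): (3, 20, 2), (4, 21): (4, 21, 6)},
}


def parse_version(text):
    """Return (major, minor, patch); a missing patch counts as 0.

    Assumption: suffixes such as 'rc1' are ignored.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def fmt(version_tuple):
    return ".".join(str(n) for n in version_tuple)


def classify(flavour, version):
    """Classify an UPSTREAM version of protobuf-cpp or protobuf-python.

    Returns (status, suggested_upgrade or None). Distribution packages can
    carry the fix as a backport under an older upstream version (the SUSE
    updates in this bug ship it as protobuf-3.9.2-150200.4.19.2), so do not
    feed distro package versions to this check.
    """
    branches = FIXED[flavour]
    v = parse_version(version)
    if v >= max(branches.values()):
        # At or past the newest fixed release: the fix is included.
        return ("fixed", None)
    fix = branches.get(v[:2])
    if fix is not None:
        return ("fixed", None) if v >= fix else ("vulnerable", fmt(fix))
    # Branch never received a fixed release (e.g. 3.16 and 3.17, which the
    # description says are no longer updated): move to the oldest fixed one.
    return ("vulnerable-no-branch-fix", fmt(min(branches.values())))


if __name__ == "__main__":
    # Constructed inventory for illustration.
    inventory = [("python", "4.21.5"), ("python", "3.19.5"),
                 ("cpp", "3.17.3"), ("cpp", "3.21.6")]
    for flavour, version in inventory:
        print(flavour, version, classify(flavour, version))
```
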
Comment 1 Thomas Leroy 2022-09-23 08:53:15 UTC
I think the following PR fixes the issue:
https://github.com/protocolbuffers/protobuf/pull/10546

According to the advisory, all versions should be affected, therefore all maintained codestreams:
- SUSE:SLE-15:Update
- SUSE:SLE-15-SP2:Update
Comment 2 Max Lin 2022-09-29 10:49:41 UTC
(In reply to Thomas Leroy from comment #1)
> I think the following PR fixes the issue:
> https://github.com/protocolbuffers/protobuf/pull/10546
> 

We need an ECO to update it to version 3.19.5 (3.20 and above have stopped supporting python < 3.7). wire_format.cc differs a lot compared to SLE's dated protobuf, including a lot of newly defined structures, variable types, and so on; therefore patch backporting is nearly not doable since the code base is so different. Updating to a recent version should be the preferred option here.

> According to the advisory, all versions should be affected, therefore all
> maintained codestreams:
> - SUSE:SLE-15:Update

I have an experimental project with protobuf 3.19.5 [1]. The relevant packages are protobuf-c and AppStream. I did a reverse dependency rebuild of them: protobuf-c needs an update to at least 1.3.2 (we have that in SLE15 SP2) to support protobuf 3.9.0 and above; AppStream is fine.

> - SUSE:SLE-15-SP2:Update

Relevant packages: AppStream, collected, grpc, google-http-java-client, netty3, protobuf-c. Those packages from SLE-15-SP2:Update all build successfully with protobuf 3.19.5 [1]; we don't need additional updates for them, we just need to rebuild them with protobuf 3.19.5.

[1] https://build.suse.de/project/show/home:mlin7442:branches:OBS_Maintained:protobuf


Can you help to open an ECO for the protobuf version update?
Comment 3 Thomas Leroy 2022-09-29 12:26:18 UTC
(In reply to Max Lin from comment #2)
> (In reply to Thomas Leroy from comment #1)
> > I think the following PR fixes the issue:
> > https://github.com/protocolbuffers/protobuf/pull/10546
> > 
> 
> We need an ECO to update it to version 3.19.5 (3.20 and above have stopped
> supporting python < 3.7). wire_format.cc differs a lot compared to SLE's
> dated protobuf, including a lot of newly defined structures, variable
> types, and so on; therefore patch backporting is nearly not doable since the
> code base is so different. Updating to a recent version should be the
> preferred option here.
> 
> > According to the advisory, all versions should be affected, therefore all
> > maintained codestreams:
> > - SUSE:SLE-15:Update
> 
> I have an experimental project with protobuf 3.19.5 [1]. The relevant
> packages are protobuf-c and AppStream. I did a reverse dependency rebuild of
> them: protobuf-c needs an update to at least 1.3.2 (we have that in SLE15
> SP2) to support protobuf 3.9.0 and above; AppStream is fine.
> 
> > - SUSE:SLE-15-SP2:Update
> 
> Relevant packages: AppStream, collected, grpc, google-http-java-client,
> netty3, protobuf-c. Those packages from SLE-15-SP2:Update all build
> successfully with protobuf 3.19.5 [1]; we don't need additional updates for
> them, we just need to rebuild them with protobuf 3.19.5.
> 
> [1]
> https://build.suse.de/project/show/home:mlin7442:branches:OBS_Maintained:protobuf
> 
> 
> Can you help to open an ECO for the protobuf version update?

Thanks for your feedback Max, let me open it :)
Comment 4 Thomas Leroy 2022-09-29 13:17:37 UTC
ECO created: https://jira.suse.com/browse/PED-2076
Comment 5 Marcus Meissner 2022-09-29 13:43:52 UTC
libprotobuf*20 -> libprotobuf*30 is a major library version change.

We cannot remove the old package, we could only add the new one in parallel.
Comment 6 Max Lin 2022-09-29 14:50:32 UTC
(In reply to Marcus Meissner from comment #5)
> libprotobuf*20 -> libprotobuf*30 is a major library version change.
> 

Yes, soname has changed.

> We cannot remove the old package, we could only add the new one in parallel.

What does that mean exactly? Do I need to submit something like protobuf_319 instead of protobuf? Would rebuilding the packages that depend on libprotobuf.so.20 in the same incident with the newer protobuf not solve that soname issue?
Comment 7 Marcus Meissner 2022-09-29 14:57:04 UTC
Yes, something like this.

And we would still need to support both packages for now.

You always need to think about third party packages. We can recompile our own packages, but third party apps might link and use libprotobuf.so.20 and never get updated, but still expect security fixes.


So, unrelated to the evaluation, I would suggest getting it into SLES 15 SP5 so we do have a newer version there.
Comment 10 Max Lin 2022-10-20 05:48:37 UTC
Submitted MR#282811
Comment 14 Swamp Workflow Management 2022-11-09 11:23:40 UTC
SUSE-SU-2022:3922-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1194530,1203681,1204256
CVE References: CVE-2021-22569,CVE-2022-1941,CVE-2022-3171
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    protobuf-3.9.2-150200.4.19.2
openSUSE Leap 15.4 (src):    protobuf-3.9.2-150200.4.19.2
openSUSE Leap 15.3 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Manager Server 4.1 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Manager Retail Branch Server 4.1 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Manager Proxy 4.1 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Server 15-SP2-BCL (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for SUSE Manager Server 4.3 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Public Cloud 15-SP4 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Public Cloud 15-SP2 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Micro 5.3 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Micro 5.2 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Micro 5.1 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Installer 15-SP2 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    protobuf-3.9.2-150200.4.19.2
SUSE Enterprise Storage 7 (src):    protobuf-3.9.2-150200.4.19.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Chao Xiong 2022-11-10 02:54:43 UTC
*** Bug 1205141 has been marked as a duplicate of this bug. ***
Comment 16 Max Lin 2022-11-18 09:26:32 UTC
*** Bug 1204630 has been marked as a duplicate of this bug. ***
Comment 17 Max Lin 2022-11-18 09:33:52 UTC
The resubmitted SR#283063 got accepted, and the incident has been released. This vulnerability is fixed in protobuf 3.9 for SP2 and the later versions in SLE. Reassigning back to the security team for verification.

For the record: protobuf 3.5.0 in SUSE:SLE-15:Update doesn't have the relevant code for the patch; some files in the fix commit don't even exist in 3.5.0. The vulnerability should exist after upstream refactored protobuf, in versions above protobuf 3.5.
Comment 24 Maintenance Automation 2023-07-05 08:30:10 UTC
SUSE-SU-2023:2783-1: An update that solves seven vulnerabilities, contains two features and has seven fixes can now be installed.

Category: security (important)
Bug References: 1099269, 1133277, 1144068, 1162343, 1177127, 1178168, 1182066, 1184753, 1194530, 1197726, 1198331, 1199282, 1203681, 1204256
CVE References: CVE-2018-1000518, CVE-2020-25659, CVE-2020-36242, CVE-2021-22569, CVE-2021-22570, CVE-2022-1941, CVE-2022-3171
Jira References: PM-3243, SLE-24629
Sources used:
openSUSE Leap 15.4 (src): python-zope.interface-4.4.2-150000.3.4.1, python-constantly-15.1.0-150000.3.4.1, python-humanfriendly-10.0-150100.6.3.3, python-websocket-client-1.3.2-150100.6.7.3, python-jsondiff-1.3.0-150100.3.6.3, python-knack-0.9.0-150100.3.7.3, python-hyperlink-17.2.1-150000.3.4.1, azure-cli-core-2.17.1-150100.6.18.1
SUSE Linux Enterprise Server 15 SP1 (src): protobuf-3.9.2-150100.8.3.3
Basesystem Module 15-SP4 (src): python-websocket-client-1.3.2-150100.6.7.3
Basesystem Module 15-SP5 (src): python-websocket-client-1.3.2-150100.6.7.3
SUSE Package Hub 15 15-SP5 (src): python-humanfriendly-10.0-150100.6.3.3
Public Cloud Module 15-SP1 (src): python-pytest-asyncio-0.8.0-150100.3.3.3, python-grpcio-gcp-0.2.2-150100.3.3.3, python-zope.interface-4.4.2-150000.3.4.1, grpc-1.25.0-150100.3.3.3, python-aiocontextvars-0.2.2-150100.3.3.3, protobuf-3.9.2-150100.8.3.3, python-humanfriendly-10.0-150100.6.3.3, python-cryptography-3.3.2-150100.7.15.3, python-cryptography-vectors-3.3.2-150100.3.11.3, python-jsondiff-1.3.0-150100.3.6.3, python-avro-1.11.0-150100.3.3.3, python-knack-0.9.0-150100.3.7.3, python-websockets-9.1-150100.3.3.3, python-opencensus-context-0.1.2-150100.3.3.3, python-opencensus-0.8.0-150100.3.3.3, python-pytest-3.10.1-150000.7.5.1, python-Twisted-17.9.0-150000.3.8.1, python-psutil-5.9.1-150100.6.6.3, python-requests-2.25.1-150100.6.13.3, python-websocket-client-1.3.2-150100.6.7.3, python-opencensus-ext-threading-0.1.2-150100.3.3.3, python-googleapis-common-protos-1.6.0-150100.3.3.3, python-Deprecated-1.2.13-150100.3.3.3, python-PyGithub-1.43.5-150100.3.3.3, azure-cli-core-2.17.1-150100.6.18.1, python-opentelemetry-api-1.5.0-150100.3.3.3, python-google-api-core-1.14.2-150100.3.3.3
Public Cloud Module 15-SP2 (src): python-opencensus-context-0.1.2-150100.3.3.3, python-pytest-asyncio-0.8.0-150100.3.3.3, python-opencensus-0.8.0-150100.3.3.3, python-pytest-3.10.1-150000.7.5.1, python-knack-0.9.0-150100.3.7.3, python-aiocontextvars-0.2.2-150100.3.3.3, python-humanfriendly-10.0-150100.6.3.3, python-opencensus-ext-threading-0.1.2-150100.3.3.3, python-jsondiff-1.3.0-150100.3.6.3, python-avro-1.11.0-150100.3.3.3, python-Deprecated-1.2.13-150100.3.3.3, python-PyGithub-1.43.5-150100.3.3.3, azure-cli-core-2.17.1-150100.6.18.1, python-opentelemetry-api-1.5.0-150100.3.3.3, python-websockets-9.1-150100.3.3.3
Public Cloud Module 15-SP3 (src): python-opencensus-context-0.1.2-150100.3.3.3, python-opencensus-0.8.0-150100.3.3.3, python-knack-0.9.0-150100.3.7.3, python-aiocontextvars-0.2.2-150100.3.3.3, python-humanfriendly-10.0-150100.6.3.3, python-opencensus-ext-threading-0.1.2-150100.3.3.3, python-jsondiff-1.3.0-150100.3.6.3, python-avro-1.11.0-150100.3.3.3, python-Deprecated-1.2.13-150100.3.3.3, python-PyGithub-1.43.5-150100.3.3.3, azure-cli-core-2.17.1-150100.6.18.1, python-opentelemetry-api-1.5.0-150100.3.3.3, python-websockets-9.1-150100.3.3.3
Public Cloud Module 15-SP4 (src): python-opencensus-context-0.1.2-150100.3.3.3, python-opencensus-0.8.0-150100.3.3.3, python-knack-0.9.0-150100.3.7.3, python-aiocontextvars-0.2.2-150100.3.3.3, python-humanfriendly-10.0-150100.6.3.3, python-opencensus-ext-threading-0.1.2-150100.3.3.3, python-cryptography-vectors-3.3.2-150100.3.11.3, python-jsondiff-1.3.0-150100.3.6.3, python-avro-1.11.0-150100.3.3.3, python-Deprecated-1.2.13-150100.3.3.3, python-PyGithub-1.43.5-150100.3.3.3, azure-cli-core-2.17.1-150100.6.18.1, python-opentelemetry-api-1.5.0-150100.3.3.3, python-websockets-9.1-150100.3.3.3
Public Cloud Module 15-SP5 (src): python-humanfriendly-10.0-150100.6.3.3, python-knack-0.9.0-150100.3.7.3, azure-cli-core-2.17.1-150100.6.18.1, python-jsondiff-1.3.0-150100.3.6.3
Server Applications Module 15-SP4 (src): python-zope.interface-4.4.2-150000.3.4.1, python-hyperlink-17.2.1-150000.3.4.1, python-constantly-15.1.0-150000.3.4.1
Server Applications Module 15-SP5 (src): python-zope.interface-4.4.2-150000.3.4.1, python-hyperlink-17.2.1-150000.3.4.1, python-constantly-15.1.0-150000.3.4.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): python-psutil-5.9.1-150100.6.6.3, python-requests-2.25.1-150100.6.13.3, python-cryptography-3.3.2-150100.7.15.3, python-websocket-client-1.3.2-150100.6.7.3
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): python-zope.interface-4.4.2-150000.3.4.1, python-psutil-5.9.1-150100.6.6.3, python-requests-2.25.1-150100.6.13.3, python-incremental-17.5.0-150000.3.4.1, python-constantly-15.1.0-150000.3.4.1, python-Automat-0.6.0-150000.3.4.1, python-hyperlink-17.2.1-150000.3.4.1, python-websocket-client-1.3.2-150100.6.7.3
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): python-Automat-0.6.0-150000.3.4.1, python-zope.interface-4.4.2-150000.3.4.1, python-hyperlink-17.2.1-150000.3.4.1, python-websocket-client-1.3.2-150100.6.7.3, python-incremental-17.5.0-150000.3.4.1, python-constantly-15.1.0-150000.3.4.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): python-Automat-0.6.0-150000.3.4.1, python-zope.interface-4.4.2-150000.3.4.1, python-hyperlink-17.2.1-150000.3.4.1, python-websocket-client-1.3.2-150100.6.7.3, python-incremental-17.5.0-150000.3.4.1, python-constantly-15.1.0-150000.3.4.1
SUSE Linux Enterprise Real Time 15 SP3 (src): python-Automat-0.6.0-150000.3.4.1, python-zope.interface-4.4.2-150000.3.4.1, python-hyperlink-17.2.1-150000.3.4.1, python-websocket-client-1.3.2-150100.6.7.3, python-incremental-17.5.0-150000.3.4.1, python-constantly-15.1.0-150000.3.4.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): python-Twisted-17.9.0-150000.3.8.1, python-zope.interface-4.4.2-150000.3.4.1, python-psutil-5.9.1-150100.6.6.3, python-requests-2.25.1-150100.6.13.3, python-incremental-17.5.0-150000.3.4.1, python-constantly-15.1.0-150000.3.4.1, protobuf-3.9.2-150100.8.3.3, python-Automat-0.6.0-150000.3.4.1, python-cryptography-3.3.2-150100.7.15.3, python-hyperlink-17.2.1-150000.3.4.1, python-websocket-client-1.3.2-150100.6.7.3
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): python-zope.interface-4.4.2-150000.3.4.1, python-psutil-5.9.1-150100.6.6.3, python-requests-2.25.1-150100.6.13.3, python-incremental-17.5.0-150000.3.4.1, python-constantly-15.1.0-150000.3.4.1, python-Automat-0.6.0-150000.3.4.1, python-hyperlink-17.2.1-150000.3.4.1, python-websocket-client-1.3.2-150100.6.7.3
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): python-Automat-0.6.0-150000.3.4.1, python-zope.interface-4.4.2-150000.3.4.1, python-hyperlink-17.2.1-150000.3.4.1, python-websocket-client-1.3.2-150100.6.7.3, python-incremental-17.5.0-150000.3.4.1, python-constantly-15.1.0-150000.3.4.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): python-Twisted-17.9.0-150000.3.8.1, python-zope.interface-4.4.2-150000.3.4.1, python-psutil-5.9.1-150100.6.6.3, python-requests-2.25.1-150100.6.13.3, python-incremental-17.5.0-150000.3.4.1, python-constantly-15.1.0-150000.3.4.1, protobuf-3.9.2-150100.8.3.3, python-Automat-0.6.0-150000.3.4.1, python-cryptography-3.3.2-150100.7.15.3, python-hyperlink-17.2.1-150000.3.4.1, python-websocket-client-1.3.2-150100.6.7.3
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): python-zope.interface-4.4.2-150000.3.4.1, python-psutil-5.9.1-150100.6.6.3, python-requests-2.25.1-150100.6.13.3, python-incremental-17.5.0-150000.3.4.1, python-constantly-15.1.0-150000.3.4.1, python-Automat-0.6.0-150000.3.4.1, python-hyperlink-17.2.1-150000.3.4.1, python-websocket-client-1.3.2-150100.6.7.3
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): python-Automat-0.6.0-150000.3.4.1, python-zope.interface-4.4.2-150000.3.4.1, python-hyperlink-17.2.1-150000.3.4.1, python-websocket-client-1.3.2-150100.6.7.3, python-incremental-17.5.0-150000.3.4.1, python-constantly-15.1.0-150000.3.4.1
SUSE Manager Proxy 4.2 (src): python-Automat-0.6.0-150000.3.4.1, python-zope.interface-4.4.2-150000.3.4.1, python-hyperlink-17.2.1-150000.3.4.1, python-websocket-client-1.3.2-150100.6.7.3, python-incremental-17.5.0-150000.3.4.1, python-constantly-15.1.0-150000.3.4.1
SUSE Manager Retail Branch Server 4.2 (src): python-Automat-0.6.0-150000.3.4.1, python-zope.interface-4.4.2-150000.3.4.1, python-hyperlink-17.2.1-150000.3.4.1, python-websocket-client-1.3.2-150100.6.7.3, python-incremental-17.5.0-150000.3.4.1, python-constantly-15.1.0-150000.3.4.1
SUSE Manager Server 4.2 (src): python-Automat-0.6.0-150000.3.4.1, python-zope.interface-4.4.2-150000.3.4.1, python-hyperlink-17.2.1-150000.3.4.1, python-websocket-client-1.3.2-150100.6.7.3, python-incremental-17.5.0-150000.3.4.1, python-constantly-15.1.0-150000.3.4.1
SUSE Enterprise Storage 7.1 (src): python-Automat-0.6.0-150000.3.4.1, python-zope.interface-4.4.2-150000.3.4.1, python-hyperlink-17.2.1-150000.3.4.1, python-websocket-client-1.3.2-150100.6.7.3, python-incremental-17.5.0-150000.3.4.1, python-constantly-15.1.0-150000.3.4.1
SUSE Enterprise Storage 7 (src): python-zope.interface-4.4.2-150000.3.4.1, python-psutil-5.9.1-150100.6.6.3, python-requests-2.25.1-150100.6.13.3, python-incremental-17.5.0-150000.3.4.1, python-constantly-15.1.0-150000.3.4.1, python-Automat-0.6.0-150000.3.4.1, python-hyperlink-17.2.1-150000.3.4.1, python-websocket-client-1.3.2-150100.6.7.3
SUSE CaaS Platform 4.0 (src): python-Twisted-17.9.0-150000.3.8.1, python-zope.interface-4.4.2-150000.3.4.1, python-psutil-5.9.1-150100.6.6.3, python-requests-2.25.1-150100.6.13.3, python-incremental-17.5.0-150000.3.4.1, python-constantly-15.1.0-150000.3.4.1, protobuf-3.9.2-150100.8.3.3, python-Automat-0.6.0-150000.3.4.1, python-cryptography-3.3.2-150100.7.15.3, python-hyperlink-17.2.1-150000.3.4.1, python-websocket-client-1.3.2-150100.6.7.3

Comment 25 Marcus Meissner 2023-09-06 09:21:45 UTC
SUSE:SLE-12-SP1:Update protobuf 

is not fixed yet.
Comment 26 Max Lin 2023-09-06 09:26:36 UTC
(In reply to Marcus Meissner from comment #25)
> SUSE:SLE-12-SP1:Update protobuf 
> 
> is not fixed yet.

I'm definitely not SLE12's protobuf maintainer.
Comment 27 Maintenance Automation 2023-09-20 08:30:20 UTC
SUSE-SU-2023:2783-2: An update that solves seven vulnerabilities, contains two features and has seven security fixes can now be installed.

Category: security (important)
Bug References: 1099269, 1133277, 1144068, 1162343, 1177127, 1178168, 1182066, 1184753, 1194530, 1197726, 1198331, 1199282, 1203681, 1204256
CVE References: CVE-2018-1000518, CVE-2020-25659, CVE-2020-36242, CVE-2021-22569, CVE-2021-22570, CVE-2022-1941, CVE-2022-3171
Jira References: PM-3243, SLE-24629
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): python-websocket-client-1.3.2-150100.6.7.3, python-cryptography-3.3.2-150100.7.15.3, protobuf-3.9.2-150100.8.3.3, python-requests-2.25.1-150100.6.13.3, python-psutil-5.9.1-150100.6.6.3

Comment 29 Robert Frohl 2024-04-19 14:27:07 UTC
done