Bug 1204501 (CVE-2022-32149) - VUL-0: CVE-2022-32149: grafana,cni,rekor,go1.19,terraform,go1.18,cri-o: golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags
Status: RESOLVED FIXED
Alias: CVE-2022-32149
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium (priority), Major (severity)
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/344901/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-10-19 12:41 UTC by Thomas Leroy
Modified: 2024-05-03 08:58 UTC
CC List: 2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Thomas Leroy 2022-10-19 12:41:44 UTC
rh#2134010

A vulnerability was found in golang.org/x/text/language package which could cause a denial of service. An attacker can craft an Accept-Language header which ParseAcceptLanguage will take significant time to parse.
Version v0.3.8 of golang.org/x/text fixes a vulnerability.

References:
https://groups.google.com/g/golang-dev/c/qfPIly0X7aU
https://go.dev/issue/56152

Upstream Commit:
https://github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2134010
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-32149
https://www.cve.org/CVERecord?id=CVE-2022-32149
https://pkg.go.dev/vuln/GO-2022-1059
https://go.dev/cl/442235
https://go.dev/issue/56152
https://groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ
Comment 1 Thomas Leroy 2022-10-19 12:45:38 UTC
After investigating, I identified several packages internally using the golang.org/x/text/language package:
- grafana
- cni
- rekor
- terraform
- cri-o

They all vendor a version of the vulnerable package, but none of them uses the vulnerable function, therefore they're not affected.

I'll keep this open because some packages could join the list with the improvements of our tracking tooling.
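The triage in the comment above has two halves: which version of golang.org/x/text a package vendors, and whether the vulnerable function is reachable. The Go below is an added example, not SUSE's tracking tooling or any code from this bug, that does the first half: it reads a project's vendor/modules.txt (a constructed sample is embedded) and flags any golang.org/x/text older than v0.3.8, the fixed version named in the description, treating a pre-release or pseudo-version of v0.3.8 and an unparsable version conservatively as needing review.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of a vendor/modules.txt as "go mod vendor" writes it.
const sampleModulesTxt = `# golang.org/x/text v0.3.7
## explicit
golang.org/x/text/language
`

// fixedKey is v0.3.8, the first golang.org/x/text release carrying the fix.
var fixedKey, _ = versionKey("v0.3.8")

// versionKey maps "vX.Y.Z" to (X*1e6+Y*1e3+Z)*2, minus 1 for a pre-release
// ("-rc1" or a pseudo-version) so it ranks just below its final release.
func versionKey(v string) (key int, ok bool) {
	v = strings.TrimPrefix(v, "v")
	pre := strings.Contains(v, "-")
	if i := strings.IndexAny(v, "-+"); i >= 0 { // drop "-rc1" / "+incompatible"
		v = v[:i]
	}
	var x, y, z int
	if _, err := fmt.Sscanf(v, "%d.%d.%d", &x, &y, &z); err != nil || x >= 1000 || y >= 1000 || z >= 1000 {
		return 0, false
	}
	key = ((x*1000+y)*1000 + z) * 2 // even slots leave room for the pre-release step
	if pre {
		key--
	}
	return key, true
}

// CheckVendoredXText reports the effective vendored golang.org/x/text version
// and whether it predates the fix; an unparsable version is flagged for review.
func CheckVendoredXText(modulesTxt string) (version string, vulnerable, found bool) {
	for _, line := range strings.Split(modulesTxt, "\n") {
		f := strings.Fields(line) // module lines: "# path vA.B.C [=> path vX.Y.Z]"
		if len(f) < 3 || f[0] != "#" || f[1] != "golang.org/x/text" {
			continue
		}
		version = f[2]
		if len(f) == 6 && f[3] == "=>" { // a module replace is what actually ships
			version = f[5]
		}
		key, ok := versionKey(version)
		return version, !ok || key < fixedKey, true
	}
	return "", false, false
}
```

Whether ParseAcceptLanguage is actually called still needs call-graph analysis, which is what govulncheck does against the GO-2022-1059 report linked above.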
Comment 2 Maintenance Automation 2023-06-21 12:30:47 UTC
SUSE-SU-2023:2579-1: An update that solves 16 vulnerabilities, contains four features and has one fix can now be installed.

Category: security (moderate)
Bug References: 1047218, 1192154, 1192696, 1200480, 1201535, 1201539, 1203185, 1203596, 1203597, 1203599, 1204501, 1207830, 1208719, 1208965, 1209645, 1210458, 1210907
CVE References: CVE-2020-7753, CVE-2021-3807, CVE-2021-3918, CVE-2021-43138, CVE-2022-0155, CVE-2022-27191, CVE-2022-27664, CVE-2022-31097, CVE-2022-31107, CVE-2022-32149, CVE-2022-35957, CVE-2022-36062, CVE-2022-41715, CVE-2022-46146, CVE-2023-1387, CVE-2023-1410
Jira References: MSQA-666, PED-3576, PED-3578, PED-3694
Sources used:
SUSE Manager Client Tools for SLE 12 (src): mgr-daemon-4.3.7-1.41.1, uyuni-common-libs-4.3.8-1.33.1, zypp-plugin-spacewalk-1.0.14-30.42.1, spacecmd-4.3.21-38.121.1, grafana-9.5.1-1.48.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 3 Maintenance Automation 2023-06-21 12:30:54 UTC
SUSE-SU-2023:2578-1: An update that solves 15 vulnerabilities, contains three features and has one fix can now be installed.

Category: security (important)
Bug References: 1192154, 1192696, 1200480, 1201535, 1201539, 1203185, 1203596, 1203597, 1203599, 1204501, 1207830, 1208719, 1209645, 1210458, 1210640, 1210907
CVE References: CVE-2020-7753, CVE-2021-3807, CVE-2021-3918, CVE-2021-43138, CVE-2022-0155, CVE-2022-27664, CVE-2022-31097, CVE-2022-31107, CVE-2022-32149, CVE-2022-35957, CVE-2022-36062, CVE-2022-41715, CVE-2022-46146, CVE-2023-1387, CVE-2023-1410
Jira References: MSQA-666, PED-3576, PED-3694
Sources used:
openSUSE Leap 15.4 (src): bind-9.16.6-150000.12.65.1, wire-0.5.0-150000.1.12.3, dracut-saltboot-0.1.1681904360.84ef141-150000.1.50.1, spacecmd-4.3.21-150000.3.98.1
openSUSE Leap 15.5 (src): wire-0.5.0-150000.1.12.3, dracut-saltboot-0.1.1681904360.84ef141-150000.1.50.1, spacecmd-4.3.21-150000.3.98.1
SUSE Manager Client Tools for SLE 15 (src): grafana-9.5.1-150000.1.48.5, spacecmd-4.3.21-150000.3.98.1, zypp-plugin-spacewalk-1.0.14-150000.3.35.1, uyuni-common-libs-4.3.8-150000.1.33.1, dracut-saltboot-0.1.1681904360.84ef141-150000.1.50.1, mgr-daemon-4.3.7-150000.1.41.1
SUSE Manager Client Tools for SLE Micro 5 (src): bind-9.16.6-150000.12.65.1, dracut-saltboot-0.1.1681904360.84ef141-150000.1.50.1
SUSE Manager Proxy 4.2 Module 4.2 (src): zypp-plugin-spacewalk-1.0.14-150000.3.35.1
SUSE Manager Proxy 4.3 Module 4.3 (src): zypp-plugin-spacewalk-1.0.14-150000.3.35.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): bind-9.16.6-150000.12.65.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): bind-9.16.6-150000.12.65.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): bind-9.16.6-150000.12.65.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): bind-9.16.6-150000.12.65.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): bind-9.16.6-150000.12.65.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): bind-9.16.6-150000.12.65.1
SUSE Enterprise Storage 7 (src): bind-9.16.6-150000.12.65.1
SUSE CaaS Platform 4.0 (src): bind-9.16.6-150000.12.65.1

Comment 4 Maintenance Automation 2023-06-21 12:31:05 UTC
SUSE-SU-2023:2575-1: An update that solves 13 vulnerabilities and contains two features can now be installed.

Category: security (important)
Bug References: 1192154, 1192696, 1200480, 1201535, 1201539, 1203185, 1203596, 1203597, 1204501, 1209645, 1210907
CVE References: CVE-2020-7753, CVE-2021-3807, CVE-2021-3918, CVE-2021-43138, CVE-2022-0155, CVE-2022-27664, CVE-2022-31097, CVE-2022-31107, CVE-2022-32149, CVE-2022-35957, CVE-2022-36062, CVE-2023-1387, CVE-2023-1410
Jira References: MSQA-666, PED-3694
Sources used:
SUSE Package Hub 15 15-SP4 (src): grafana-9.5.1-150200.3.41.3
SUSE Package Hub 15 15-SP5 (src): grafana-9.5.1-150200.3.41.3
openSUSE Leap 15.4 (src): grafana-9.5.1-150200.3.41.3
openSUSE Leap 15.5 (src): grafana-9.5.1-150200.3.41.3

Comment 11 Maintenance Automation 2023-09-28 12:31:04 UTC
SUSE-SU-2023:3875-1: An update that solves four vulnerabilities, contains four features and has one security fix can now be installed.

Category: security (important)
Bug References: 1204501, 1208046, 1208270, 1213691, 1213880
CVE References: CVE-2022-32149, CVE-2022-41723, CVE-2022-46146, CVE-2023-29409
Jira References: ECO-3319, MSQA-699, PED-5405, SLE-24791
Sources used:
SUSE Manager Client Tools for RHEL, Liberty and Clones 9 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-1.6.1, prometheus-postgres_exporter-0.10.1-1.9.2, golang-github-lusitaniae-apache_exporter-1.0.0-1.8.1, golang-github-prometheus-node_exporter-1.5.0-1.9.2, spacecmd-4.3.23-1.18.2, scap-security-guide-0.1.69-1.12.2

Comment 12 Maintenance Automation 2023-09-28 12:31:24 UTC
SUSE-SU-2023:3868-1: An update that solves four vulnerabilities, contains three features and has three security fixes can now be installed.

Category: security (important)
Bug References: 1204501, 1208046, 1208270, 1208298, 1208692, 1211525, 1213880
CVE References: CVE-2022-32149, CVE-2022-41723, CVE-2022-46146, CVE-2023-29409
Jira References: MSQA-699, PED-5405, PED-5406
Sources used:
openSUSE Leap 15.4 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.18.3, golang-github-lusitaniae-apache_exporter-1.0.0-150000.1.17.2, prometheus-postgres_exporter-0.10.1-150000.1.14.3, spacecmd-4.3.23-150000.3.104.2, prometheus-blackbox_exporter-0.24.0-150000.1.23.3, supportutils-plugin-susemanager-client-4.3.3-150000.3.21.2
openSUSE Leap 15.5 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.18.3, golang-github-lusitaniae-apache_exporter-1.0.0-150000.1.17.2, prometheus-postgres_exporter-0.10.1-150000.1.14.3, spacecmd-4.3.23-150000.3.104.2, prometheus-blackbox_exporter-0.24.0-150000.1.23.3, supportutils-plugin-susemanager-client-4.3.3-150000.3.21.2
SUSE Manager Client Tools for SLE 15 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.18.3, golang-github-lusitaniae-apache_exporter-1.0.0-150000.1.17.2, prometheus-postgres_exporter-0.10.1-150000.1.14.3, spacecmd-4.3.23-150000.3.104.2, python-pyvmomi-6.7.3-150000.1.6.2, supportutils-plugin-susemanager-client-4.3.3-150000.3.21.2, grafana-9.5.5-150000.1.54.3, golang-github-prometheus-prometheus-2.45.0-150000.3.50.3, prometheus-blackbox_exporter-0.24.0-150000.1.23.3, uyuni-common-libs-4.3.9-150000.1.36.2
SUSE Manager Client Tools for SLE Micro 5 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.18.3, prometheus-blackbox_exporter-0.24.0-150000.1.23.3
SUSE Manager Proxy 4.2 Module 4.2 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.18.3, golang-github-lusitaniae-apache_exporter-1.0.0-150000.1.17.2, prometheus-blackbox_exporter-0.24.0-150000.1.23.3
SUSE Manager Proxy 4.3 Module 4.3 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.18.3, golang-github-lusitaniae-apache_exporter-1.0.0-150000.1.17.2, prometheus-blackbox_exporter-0.24.0-150000.1.23.3
SUSE Manager Server 4.2 Module 4.2 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.18.3, golang-github-lusitaniae-apache_exporter-1.0.0-150000.1.17.2, prometheus-postgres_exporter-0.10.1-150000.1.14.3
SUSE Manager Server 4.3 Module 4.3 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.18.3, golang-github-lusitaniae-apache_exporter-1.0.0-150000.1.17.2

Comment 13 Maintenance Automation 2023-09-28 12:31:29 UTC
SUSE-SU-2023:3867-1: An update that solves four vulnerabilities, contains three features and has three security fixes can now be installed.

Category: security (important)
Bug References: 1204501, 1208046, 1208270, 1208298, 1208692, 1211525, 1213880
CVE References: CVE-2022-32149, CVE-2022-41723, CVE-2022-46146, CVE-2023-29409
Jira References: MSQA-699, PED-5405, PED-5406
Sources used:
SUSE Manager Client Tools for SLE 12 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-1.12.2, uyuni-common-libs-4.3.9-1.36.3, golang-github-prometheus-alertmanager-0.23.0-1.21.2, golang-github-prometheus-node_exporter-1.5.0-1.27.2, prometheus-postgres_exporter-0.10.1-1.14.3, supportutils-plugin-susemanager-client-4.3.3-6.27.2, spacecmd-4.3.23-38.127.3, golang-github-prometheus-prometheus-2.45.0-1.47.3, golang-github-lusitaniae-apache_exporter-1.0.0-1.18.2, prometheus-blackbox_exporter-0.24.0-1.23.2, grafana-9.5.5-1.54.3
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): golang-github-prometheus-node_exporter-1.5.0-1.27.2
SUSE Linux Enterprise Server 12 SP5 (src): golang-github-prometheus-node_exporter-1.5.0-1.27.2
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): golang-github-prometheus-node_exporter-1.5.0-1.27.2

Comment 17 Maintenance Automation 2024-01-23 20:30:14 UTC
SUSE-SU-2024:0196-1: An update that solves 44 vulnerabilities, contains 14 features and has 35 security fixes can now be installed.

Category: security (moderate)
Bug References: 1172110, 1176460, 1180816, 1180942, 1181119, 1181935, 1183684, 1187725, 1188061, 1188571, 1189520, 1191454, 1192154, 1192383, 1192696, 1192763, 1193492, 1193686, 1193688, 1197507, 1198903, 1199810, 1200142, 1200480, 1200591, 1200968, 1200970, 1201003, 1201059, 1201535, 1201539, 1202614, 1202945, 1203283, 1203596, 1203597, 1203599, 1204032, 1204126, 1204302, 1204303, 1204304, 1204305, 1204501, 1205207, 1205225, 1205227, 1205599, 1205759, 1207352, 1207749, 1207750, 1207830, 1208046, 1208049, 1208060, 1208062, 1208065, 1208270, 1208293, 1208298, 1208612, 1208692, 1208719, 1208819, 1208821, 1208965, 1209113, 1209645, 1210458, 1210640, 1210907, 1211525, 1212099, 1212100, 1212279, 1212641, 1218843, 1218844
CVE References: CVE-2020-7753, CVE-2021-20178, CVE-2021-20180, CVE-2021-20191, CVE-2021-20228, CVE-2021-3447, CVE-2021-3583, CVE-2021-3620, CVE-2021-36222, CVE-2021-3711, CVE-2021-3807, CVE-2021-3918, CVE-2021-41174, CVE-2021-41244, CVE-2021-43138, CVE-2021-43798, CVE-2021-43813, CVE-2021-43815, CVE-2022-0155, CVE-2022-23552, CVE-2022-27664, CVE-2022-29170, CVE-2022-31097, CVE-2022-31107, CVE-2022-31123, CVE-2022-31130, CVE-2022-32149, CVE-2022-35957, CVE-2022-36062, CVE-2022-39201, CVE-2022-39229, CVE-2022-39306, CVE-2022-39307, CVE-2022-39324, CVE-2022-41715, CVE-2022-41723, CVE-2022-46146, CVE-2023-0507, CVE-2023-0594, CVE-2023-1387, CVE-2023-1410, CVE-2023-2183, CVE-2023-2801, CVE-2023-3128
Jira References: MSQA-718, PED-2145, PED-2617, PED-3576, PED-3694, PED-4556, PED-5405, PED-5406, SLE-23422, SLE-23439, SLE-23631, SLE-24133, SLE-24565, SLE-24791
Sources used:
SUSE Manager Client Tools Beta for SLE Micro 5 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-159000.4.6.1, prometheus-blackbox_exporter-0.24.0-159000.3.6.1, uyuni-proxy-systemd-services-5.0.1-159000.3.9.1, dracut-saltboot-0.1.1681904360.84ef141-159000.3.30.1
SUSE Manager Client Tools Beta for SLE 15 (src): python-pyvmomi-6.7.3-159000.3.6.1, golang-github-QubitProducts-exporter_exporter-0.4.0-159000.4.6.1, supportutils-plugin-salt-1.2.2-159000.5.9.1, uyuni-proxy-systemd-services-5.0.1-159000.3.9.1, mgr-push-5.0.1-159000.4.21.1, golang-github-lusitaniae-apache_exporter-1.0.0-159000.4.12.1, rhnlib-5.0.1-159000.6.30.1, golang-github-prometheus-prometheus-2.45.0-159000.6.33.1, spacewalk-client-tools-5.0.1-159000.6.48.1, uyuni-common-libs-5.0.1-159000.3.33.1, dracut-saltboot-0.1.1681904360.84ef141-159000.3.30.1, golang-github-boynux-squid_exporter-1.6-159000.4.9.1, ansible-2.9.27-159000.3.9.1, prometheus-postgres_exporter-0.10.1-159000.3.6.1, grafana-9.5.8-159000.4.24.1, spacecmd-5.0.1-159000.6.42.1, python-hwdata-2.3.5-159000.5.13.1, prometheus-blackbox_exporter-0.24.0-159000.3.6.1, supportutils-plugin-susemanager-client-5.0.1-159000.6.15.1

Comment 18 Maintenance Automation 2024-01-23 20:30:46 UTC
SUSE-SU-2024:0191-1: An update that solves 45 vulnerabilities, contains 17 features and has 30 security fixes can now be installed.

Category: security (moderate)
Bug References: 1047218, 1172110, 1188571, 1189520, 1191454, 1192154, 1192383, 1192696, 1192763, 1193492, 1193686, 1193688, 1194873, 1195726, 1195727, 1195728, 1196338, 1196652, 1197507, 1198903, 1199810, 1200480, 1200591, 1200725, 1201003, 1201059, 1201535, 1201539, 1203283, 1203596, 1203597, 1203599, 1204032, 1204089, 1204126, 1204302, 1204303, 1204304, 1204305, 1204501, 1205207, 1205225, 1205227, 1205759, 1207352, 1207749, 1207750, 1207830, 1208046, 1208049, 1208051, 1208060, 1208062, 1208064, 1208065, 1208270, 1208293, 1208298, 1208612, 1208692, 1208719, 1208819, 1208821, 1208965, 1209113, 1209645, 1210458, 1210907, 1211525, 1212099, 1212100, 1212279, 1212641, 1218843, 1218844
CVE References: CVE-2020-7753, CVE-2021-36222, CVE-2021-3711, CVE-2021-3807, CVE-2021-3918, CVE-2021-39226, CVE-2021-41174, CVE-2021-41244, CVE-2021-43138, CVE-2021-43798, CVE-2021-43813, CVE-2021-43815, CVE-2022-0155, CVE-2022-21673, CVE-2022-21698, CVE-2022-21702, CVE-2022-21703, CVE-2022-21713, CVE-2022-23552, CVE-2022-27191, CVE-2022-27664, CVE-2022-29170, CVE-2022-31097, CVE-2022-31107, CVE-2022-31123, CVE-2022-31130, CVE-2022-32149, CVE-2022-35957, CVE-2022-36062, CVE-2022-39201, CVE-2022-39229, CVE-2022-39306, CVE-2022-39307, CVE-2022-39324, CVE-2022-41715, CVE-2022-41723, CVE-2022-46146, CVE-2023-0507, CVE-2023-0594, CVE-2023-1387, CVE-2023-1410, CVE-2023-2183, CVE-2023-2801, CVE-2023-3128, CVE-2023-40577
Jira References: MSQA-718, PED-2145, PED-2617, PED-3576, PED-3578, PED-3694, PED-4556, PED-5405, PED-5406, PED-7353, SLE-23422, SLE-23439, SLE-24238, SLE-24239, SLE-24565, SLE-24791, SUMA-114
Sources used:
SUSE Manager Client Tools Beta for SLE 12 (src): rhnlib-5.0.1-24.30.3, spacecmd-5.0.1-41.42.3, grafana-9.5.8-4.21.2, prometheus-postgres_exporter-0.10.1-3.6.4, golang-github-prometheus-node_exporter-1.5.0-4.15.4, golang-github-QubitProducts-exporter_exporter-0.4.0-4.6.2, system-user-grafana-1.0.0-3.7.2, kiwi-desc-saltboot-0.1.1687520761.cefb248-4.15.2, golang-github-prometheus-prometheus-2.45.0-4.33.3, supportutils-plugin-susemanager-client-5.0.1-9.15.2, uyuni-common-libs-5.0.1-3.33.3, prometheus-blackbox_exporter-0.24.0-3.6.3, golang-github-lusitaniae-apache_exporter-1.0.0-4.12.4, golang-github-prometheus-alertmanager-0.26.0-4.12.4, system-user-prometheus-1.0.0-3.7.2, python-hwdata-2.3.5-15.12.2, golang-github-boynux-squid_exporter-1.6-4.9.2, supportutils-plugin-salt-1.2.2-9.9.2, golang-github-prometheus-promu-0.14.0-4.12.2, mgr-push-5.0.1-4.21.4

Comment 19 Robert Frohl 2024-05-03 08:58:59 UTC
done, closing