Bugzilla – Bug 1210127
VUL-0: CVE-2023-24534: go1.19,go1.20: net/http, net/textproto: denial of service from excessive memory allocation
Last modified: 2024-05-06 11:54:58 UTC
HTTP and MIME header parsing could allocate large amounts of memory, even when parsing small inputs. Certain unusual patterns of input data could cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. Header parsing now correctly allocates only the memory required to hold parsed headers. Thanks to Jakob Ackermann (@das7pad) for discovering this issue. This is CVE-2023-24534 and Go issue https://go.dev/issue/58975.
This is an autogenerated message for OBS integration: This bug (1210127) was mentioned in https://build.opensuse.org/request/show/1077384 Factory / go1.19 https://build.opensuse.org/request/show/1077385 Factory / go1.20
SUSE-SU-2023:1792-1: An update that solves four vulnerabilities and has one fix can now be installed. Category: security (important) Bug References: 1200441, 1210127, 1210128, 1210129, 1210130 CVE References: CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538 Sources used: openSUSE Leap 15.4 (src): go1.19-1.19.8-150000.1.26.1 Development Tools Module 15-SP4 (src): go1.19-1.19.8-150000.1.26.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): go1.19-1.19.8-150000.1.26.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): go1.19-1.19.8-150000.1.26.1 SUSE Linux Enterprise Real Time 15 SP3 (src): go1.19-1.19.8-150000.1.26.1 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): go1.19-1.19.8-150000.1.26.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): go1.19-1.19.8-150000.1.26.1 SUSE Enterprise Storage 7.1 (src): go1.19-1.19.8-150000.1.26.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:1791-1: An update that solves four vulnerabilities, contains one feature and has one fix can now be installed. Category: security (important) Bug References: 1206346, 1210127, 1210128, 1210129, 1210130 CVE References: CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538 Jira References: PED-1962 Sources used: openSUSE Leap 15.4 (src): go1.20-1.20.3-150000.1.8.1 Development Tools Module 15-SP4 (src): go1.20-1.20.3-150000.1.8.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2105-1: An update that solves seven vulnerabilities and has three fixes can now be installed. Category: security (important) Bug References: 1206346, 1210127, 1210128, 1210129, 1210130, 1210938, 1210963, 1211029, 1211030, 1211031 CVE References: CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-29400 Sources used: openSUSE Leap 15.4 (src): go1.20-1.20.4-150000.1.11.1 Development Tools Module 15-SP4 (src): go1.20-1.20.4-150000.1.11.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2127-1: An update that solves seven vulnerabilities, contains one feature and has four fixes can now be installed. Category: security (important) Bug References: 1200441, 1210127, 1210128, 1210129, 1210130, 1210938, 1210963, 1211029, 1211030, 1211031, 1211073 CVE References: CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-29400 Jira References: PED-1962 Sources used: openSUSE Leap 15.4 (src): go1.19-1.19.9-150000.1.31.1 Development Tools Module 15-SP4 (src): go1.19-1.19.9-150000.1.31.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): go1.19-1.19.9-150000.1.31.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): go1.19-1.19.9-150000.1.31.1 SUSE Linux Enterprise Real Time 15 SP3 (src): go1.19-1.19.9-150000.1.31.1 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): go1.19-1.19.9-150000.1.31.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): go1.19-1.19.9-150000.1.31.1 SUSE Enterprise Storage 7.1 (src): go1.19-1.19.9-150000.1.31.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2105-2: An update that solves seven vulnerabilities and has three fixes can now be installed. Category: security (important) Bug References: 1206346, 1210127, 1210128, 1210129, 1210130, 1210938, 1210963, 1211029, 1211030, 1211031 CVE References: CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-29400 Sources used: SUSE Linux Enterprise Real Time 15 SP3 (src): go1.20-1.20.4-150000.1.11.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done, closing