Bug 1210505 (CVE-2023-29013) - VUL-0: CVE-2023-29013: traefik,traefik1.7: HTTP header parsing DoS
Summary: VUL-0: CVE-2023-29013: traefik,traefik1.7: HTTP header parsing DoS
Status: RESOLVED FIXED
Alias: CVE-2023-29013
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security (show other bugs)
Version: Current
Hardware: Other Other
: P3 - Medium : Normal (vote)
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/363537/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-04-17 08:51 UTC by Carlos López
Modified: 2024-05-28 11:37 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Carlos López 2023-04-17 08:51:39 UTC 
CVE-2023-29013

Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer
for deploying microservices. There is a vulnerability in Go when parsing the
HTTP headers, which impacts Traefik. HTTP header parsing could allocate
substantially more memory than required to hold the parsed headers. This
behavior could be exploited to cause a denial of service. This issue has been
patched in versions 2.9.10 and 2.10.0-rc2.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-29013
https://www.cve.org/CVERecord?id=CVE-2023-29013
https://github.com/traefik/traefik/commit/4ed3964b3586565519249bbdc55eb1b961c08c49
https://github.com/traefik/traefik/releases/tag/v2.10.0-rc2
https://github.com/traefik/traefik/releases/tag/v2.9.10
https://github.com/traefik/traefik/security/advisories/GHSA-7hj9-rv74-5g92
Comment 1 Alexandre Vicenzi 2023-04-25 11:44:41 UTC 
Traefik 1.7 reached EOL in 2021, we should drop it from Factory.
Comment 2 Alexandre Vicenzi 2024-05-22 13:26:15 UTC 
This issue has been fixed in https://build.opensuse.org/request/show/1093393.

Traefik 1.7 is no longer available in Factory or Devel.
Comment 3 Carlos López 2024-05-28 11:37:45 UTC 
Done, closing.