Description
Security update for rustup
This update for rustup fixes the following issues:
- CVE-2022-31394: Fixed possible HTTP2 attacks by specifying the HTTP/2 SETTINGS_MAX_HEADER_LIST_SIZE (bsc#1208552).
- CVE-2023-26964: Fixed high memory and CPU usage caused by stream stacking when H2 processes HTTP2 RST_STREAM frames (bsc#1210345).
Package list
SUSE Linux Enterprise Module for Development Tools 15 SP4
rustup-1.26.0~0-150400.3.7.1
SUSE Linux Enterprise Module for Development Tools 15 SP5
rustup-1.26.0~0-150400.3.7.1
openSUSE Leap 15.4
rustup-1.26.0~0-150400.3.7.1
openSUSE Leap 15.5
rustup-1.26.0~0-150400.3.7.1
References
- Link for SUSE-SU-2023:2603-1
- E-Mail link for SUSE-SU-2023:2603-1
- SUSE Security Ratings
- SUSE Bug 1208552
- SUSE Bug 1210345
- SUSE CVE CVE-2022-31394 page
- SUSE CVE CVE-2023-26964 page
Description
Hyperium Hyper before 0.14.19 does not allow for customization of the max_header_list_size method in the H2 third-party software, allowing attackers to perform HTTP2 attacks.
Affected products
SUSE Linux Enterprise Module for Development Tools 15 SP4:rustup-1.26.0~0-150400.3.7.1
SUSE Linux Enterprise Module for Development Tools 15 SP5:rustup-1.26.0~0-150400.3.7.1
openSUSE Leap 15.4:rustup-1.26.0~0-150400.3.7.1
openSUSE Leap 15.5:rustup-1.26.0~0-150400.3.7.1
References
- CVE-2022-31394
- SUSE Bug 1208551
Description
An issue was discovered in hyper v0.13.7, h2-0.2.4: stream stacking occurs when the H2 component processes HTTP2 RST_STREAM frames. As a result, memory and CPU usage are high, which can lead to a Denial of Service (DoS).
Affected products
SUSE Linux Enterprise Module for Development Tools 15 SP4:rustup-1.26.0~0-150400.3.7.1
SUSE Linux Enterprise Module for Development Tools 15 SP5:rustup-1.26.0~0-150400.3.7.1
openSUSE Leap 15.4:rustup-1.26.0~0-150400.3.7.1
openSUSE Leap 15.5:rustup-1.26.0~0-150400.3.7.1
References
- CVE-2023-26964
- SUSE Bug 1210339