exploitDog


SUSE-SU-2024:2881-1

Published: 12 Aug 2024
Source: suse-cvrf

Description

Security update for python-gunicorn

This update for python-gunicorn fixes the following issues:

  • CVE-2024-1135: Fixed HTTP Request Smuggling due to improperly validated Transfer-Encoding headers (bsc#1222950)

Package list

Image SLES15-SP3-BYOS-Azure
python3-gunicorn-19.7.1-150000.3.7.1
Image SLES15-SP3-HPC-BYOS-Azure
python3-gunicorn-19.7.1-150000.3.7.1
Image SLES15-SP3-SAP-BYOS-Azure
python3-gunicorn-19.7.1-150000.3.7.1
Image SLES15-SP3-SAPCAL-Azure
python3-gunicorn-19.7.1-150000.3.7.1
SUSE Linux Enterprise Module for Public Cloud 15 SP2
python3-gunicorn-19.7.1-150000.3.7.1
SUSE Linux Enterprise Module for Public Cloud 15 SP3
python3-gunicorn-19.7.1-150000.3.7.1
SUSE Linux Enterprise Module for Public Cloud 15 SP4
python3-gunicorn-19.7.1-150000.3.7.1
SUSE Linux Enterprise Module for Public Cloud 15 SP5
python3-gunicorn-19.7.1-150000.3.7.1
SUSE Linux Enterprise Module for Public Cloud 15 SP6
python3-gunicorn-19.7.1-150000.3.7.1
openSUSE Leap 15.5
python-gunicorn-doc-19.7.1-150000.3.7.1
python3-gunicorn-19.7.1-150000.3.7.1

Description

Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.
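The conflicting-header case in the description above, as an added example that is not gunicorn's code and not part of the advisory: `naive_is_chunked` illustrates a framing rule that treats the body as chunked as soon as `chunked` appears anywhere, and `strict_is_chunked` shows the checks a request parser needs so that such a request is rejected instead of framed by guesswork. The header tuples and the helper names `KNOWN_CODINGS` and `rejects` are constructed for this example.

```python
KNOWN_CODINGS = {"chunked", "identity", "gzip", "deflate", "compress"}


def naive_is_chunked(headers):
    """Framing rule of the kind the advisory describes (constructed, not
    gunicorn's code): the body counts as chunked whenever 'chunked' occurs,
    even if a later coding or a Content-Length contradicts it. A front-end
    proxy framing the same bytes differently then disagrees on where the
    request ends, which is the root of request smuggling."""
    return any(n.lower() == "transfer-encoding" and "chunked" in v.lower()
               for n, v in headers)


def strict_is_chunked(headers):
    """Hardened rule: True only when 'chunked' is the final transfer coding
    and no Content-Length is present. Every ambiguous combination raises
    ValueError so the caller answers 400 (RFC 9112 sections 6.1 and 6.3).
    headers: list of (name, value) pairs in wire order."""
    codings = []
    content_length = None
    for name, value in headers:
        key = name.strip().lower()
        if key == "transfer-encoding":
            # Repeated TE fields and comma lists form one ordered coding list.
            for part in value.split(","):
                part = part.strip().lower()
                if part not in KNOWN_CODINGS:
                    raise ValueError("unsupported or empty transfer coding: %r" % part)
                codings.append(part)
        elif key == "content-length":
            if content_length is not None:
                raise ValueError("duplicate Content-Length")
            content_length = value.strip()
    if not codings:
        return False
    if content_length is not None:
        raise ValueError("Transfer-Encoding and Content-Length both present")
    if "chunked" in codings[:-1]:
        raise ValueError("chunked must be the final transfer coding")
    if codings[-1] != "chunked":
        raise ValueError("request body length cannot be determined")
    return True


def rejects(headers):
    """True when the strict rule refuses the request (i.e. would be a 400)."""
    try:
        strict_is_chunked(headers)
    except ValueError:
        return True
    return False
```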


Affected products
Image SLES15-SP3-BYOS-Azure:python3-gunicorn-19.7.1-150000.3.7.1
Image SLES15-SP3-HPC-BYOS-Azure:python3-gunicorn-19.7.1-150000.3.7.1
Image SLES15-SP3-SAP-BYOS-Azure:python3-gunicorn-19.7.1-150000.3.7.1
Image SLES15-SP3-SAPCAL-Azure:python3-gunicorn-19.7.1-150000.3.7.1

References