Description
Security update for protobuf
This update for protobuf fixes the following issues:
- CVE-2024-7254: Fixed stack overflow vulnerability in Protocol Buffer (bsc#1230778)
Package list
Image SLES15-SP4-BYOS-Azure
python311-protobuf-4.25.1-150400.9.10.1
Image SLES15-SP4-HPC-BYOS
python311-protobuf-4.25.1-150400.9.10.1
Image SLES15-SP4-HPC-BYOS-Azure
python311-protobuf-4.25.1-150400.9.10.1
Image SLES15-SP4-Hardened-BYOS-Azure
python311-protobuf-4.25.1-150400.9.10.1
Image SLES15-SP4-Manager-Server-4-3
protobuf-java-25.1-150400.9.10.1
Image SLES15-SP4-Manager-Server-4-3-Azure-llc
protobuf-java-25.1-150400.9.10.1
Image SLES15-SP4-Manager-Server-4-3-Azure-ltd
protobuf-java-25.1-150400.9.10.1
Image SLES15-SP4-Manager-Server-4-3-BYOS
protobuf-java-25.1-150400.9.10.1
Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure
protobuf-java-25.1-150400.9.10.1
Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2
protobuf-java-25.1-150400.9.10.1
Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE
protobuf-java-25.1-150400.9.10.1
Image SLES15-SP4-Manager-Server-4-3-EC2-llc
protobuf-java-25.1-150400.9.10.1
Image SLES15-SP4-Manager-Server-4-3-EC2-ltd
protobuf-java-25.1-150400.9.10.1
Image SLES15-SP4-SAP
python311-protobuf-4.25.1-150400.9.10.1
Image SLES15-SP4-SAP-Azure
python311-protobuf-4.25.1-150400.9.10.1
Image SLES15-SP4-SAP-BYOS-Azure
python311-protobuf-4.25.1-150400.9.10.1
Image SLES15-SP4-SAP-Hardened
python311-protobuf-4.25.1-150400.9.10.1
Image SLES15-SP4-SAP-Hardened-Azure
python311-protobuf-4.25.1-150400.9.10.1
Image SLES15-SP4-SAP-Hardened-BYOS-Azure
python311-protobuf-4.25.1-150400.9.10.1
Image SLES15-SP4-SAPCAL
python311-protobuf-4.25.1-150400.9.10.1
Image SLES15-SP4-SAPCAL-Azure
python311-protobuf-4.25.1-150400.9.10.1
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS
libprotobuf-lite25_1_0-25.1-150400.9.10.1
libprotobuf25_1_0-25.1-150400.9.10.1
libprotoc25_1_0-25.1-150400.9.10.1
protobuf-devel-25.1-150400.9.10.1
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS
libprotobuf-lite25_1_0-25.1-150400.9.10.1
libprotobuf25_1_0-25.1-150400.9.10.1
libprotoc25_1_0-25.1-150400.9.10.1
protobuf-devel-25.1-150400.9.10.1
SUSE Linux Enterprise Installer Updates 15 SP4
libprotobuf-lite25_1_0-25.1-150400.9.10.1
SUSE Linux Enterprise Micro 5.3
libprotobuf-lite25_1_0-25.1-150400.9.10.1
SUSE Linux Enterprise Micro 5.4
libprotobuf-lite25_1_0-25.1-150400.9.10.1
SUSE Linux Enterprise Module for Public Cloud 15 SP4
python311-protobuf-4.25.1-150400.9.10.1
SUSE Linux Enterprise Server 15 SP4-LTSS
libprotobuf-lite25_1_0-25.1-150400.9.10.1
libprotobuf25_1_0-25.1-150400.9.10.1
libprotoc25_1_0-25.1-150400.9.10.1
protobuf-devel-25.1-150400.9.10.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4
libprotobuf-lite25_1_0-25.1-150400.9.10.1
libprotobuf25_1_0-25.1-150400.9.10.1
libprotoc25_1_0-25.1-150400.9.10.1
protobuf-devel-25.1-150400.9.10.1
SUSE Manager Server 4.3
libprotobuf-lite25_1_0-25.1-150400.9.10.1
libprotobuf25_1_0-25.1-150400.9.10.1
libprotoc25_1_0-25.1-150400.9.10.1
References
- Link for SUSE-SU-2024:3746-1
- E-Mail link for SUSE-SU-2024:3746-1
- SUSE Security Ratings
- SUSE Bug 1230778
- SUSE CVE CVE-2024-7254 page
Description
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by exceeding the stack limit, i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or the Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.
Affected products
Image SLES15-SP4-BYOS-Azure:python311-protobuf-4.25.1-150400.9.10.1
Image SLES15-SP4-HPC-BYOS-Azure:python311-protobuf-4.25.1-150400.9.10.1
Image SLES15-SP4-HPC-BYOS:python311-protobuf-4.25.1-150400.9.10.1
Image SLES15-SP4-Hardened-BYOS-Azure:python311-protobuf-4.25.1-150400.9.10.1
References
- CVE-2024-7254
- SUSE Bug 1230778