SUSE-SU-2024:4109-1

Published: 28 Nov 2024
Source: suse-cvrf

Description

Security update for libuv

This update for libuv fixes the following issues:

  • CVE-2024-24806: Fixed improper Domain Lookup that potentially leads to SSRF attacks (bsc#1219724)

Package list

  • Container containers/apache-pulsar:3.3: libuv1-1.44.2-150500.3.5.1
  • Container containers/open-webui:0: libuv1-1.44.2-150500.3.5.1
  • Container containers/pytorch:2-nvidia: libuv1-1.44.2-150500.3.5.1
  • Container containers/pytorch:2.5.0: libuv1-1.44.2-150500.3.5.1
  • Container suse/manager/5.0/x86_64/server:latest: libuv1-1.44.2-150500.3.5.1
  • Container suse/pcp:latest: libuv1-1.44.2-150500.3.5.1
  • Container suse/sles/15.7/libguestfs-tools:1.1.1: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-Azure-3P: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-Azure-Basic: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-Azure-Standard: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-BYOS-Azure: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-BYOS-EC2: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-BYOS-GCE: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-CHOST-BYOS-Aliyun: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-CHOST-BYOS-Azure: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-CHOST-BYOS-EC2: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-CHOST-BYOS-GCE: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-CHOST-BYOS-GDC: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-CHOST-BYOS-SAP-CCloud: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-EC2: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-GCE: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-HPC-Azure: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-HPC-BYOS-Azure: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-HPC-BYOS-EC2: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-HPC-BYOS-GCE: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-Hardened-BYOS-Azure: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-Hardened-BYOS-EC2: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-Hardened-BYOS-GCE: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-Manager-Proxy-5-0-BYOS: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-Manager-Proxy-5-0-BYOS-Azure: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-Manager-Proxy-5-0-BYOS-EC2: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-Manager-Server-5-0: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-Manager-Server-5-0-Azure-llc: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-Manager-Server-5-0-Azure-ltd: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-Manager-Server-5-0-BYOS: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-Manager-Server-5-0-BYOS-Azure: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-Manager-Server-5-0-BYOS-EC2: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-Manager-Server-5-0-EC2-llc: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-Manager-Server-5-0-EC2-ltd: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-Micro-5-5: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-Micro-5-5-Azure: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-Micro-5-5-BYOS: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-Micro-5-5-BYOS-Azure: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-Micro-5-5-BYOS-EC2: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-Micro-5-5-EC2: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-SAP-Azure-3P: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-SAP-Azure-LI-BYOS: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-SAP-Azure-LI-BYOS-Production: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-SAP-Azure-VLI-BYOS: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-SAP-Azure-VLI-BYOS-Production: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-SAP-BYOS-Azure: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-SAP-BYOS-EC2: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-SAP-BYOS-GCE: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-SAP-Hardened-Azure: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-SAP-Hardened-BYOS-Azure: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-SAP-Hardened-BYOS-EC2: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-SAP-Hardened-BYOS-GCE: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-SAP-Hardened-GCE: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-SAPCAL-Azure: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-SAPCAL-EC2: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP5-SAPCAL-GCE: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-Azure-Basic: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-Azure-Standard: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-BYOS: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-BYOS-Azure: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-BYOS-EC2: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-BYOS-GCE: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-CHOST-BYOS: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-CHOST-BYOS-Aliyun: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-CHOST-BYOS-Azure: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-CHOST-BYOS-EC2: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-CHOST-BYOS-GCE: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-CHOST-BYOS-GDC: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-CHOST-BYOS-SAP-CCloud: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-EC2: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-EC2-ECS-HVM: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-GCE: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-HPC: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-HPC-Azure: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-HPC-BYOS: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-HPC-BYOS-Azure: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-HPC-BYOS-EC2: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-HPC-BYOS-GCE: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-HPC-EC2: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-HPC-GCE: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-Hardened-BYOS: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-Hardened-BYOS-Azure: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-Hardened-BYOS-EC2: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-Hardened-BYOS-GCE: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-SAP: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-SAP-Azure: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-SAP-Azure-LI-BYOS: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-SAP-Azure-LI-BYOS-Production: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-SAP-Azure-VLI-BYOS: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-SAP-Azure-VLI-BYOS-Production: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-SAP-BYOS: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-SAP-BYOS-Azure: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-SAP-BYOS-EC2: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-SAP-BYOS-GCE: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-SAP-EC2: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-SAP-GCE: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-SAP-Hardened: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-SAP-Hardened-Azure: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-SAP-Hardened-BYOS: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-SAP-Hardened-BYOS-Azure: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-SAP-Hardened-BYOS-EC2: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-SAP-Hardened-BYOS-GCE: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-SAP-Hardened-EC2: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-SAP-Hardened-GCE: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-SAPCAL: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-SAPCAL-Azure: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-SAPCAL-EC2: libuv1-1.44.2-150500.3.5.1
  • Image SLES15-SP6-SAPCAL-GCE: libuv1-1.44.2-150500.3.5.1
  • Image ai_15_6: libuv1-1.44.2-150500.3.5.1
  • Image server-image: libuv1-1.44.2-150500.3.5.1
  • SUSE Linux Enterprise Micro 5.5: libuv-devel-1.44.2-150500.3.5.1, libuv1-1.44.2-150500.3.5.1
  • SUSE Linux Enterprise Module for Basesystem 15 SP5: libuv-devel-1.44.2-150500.3.5.1, libuv1-1.44.2-150500.3.5.1
  • SUSE Linux Enterprise Module for Basesystem 15 SP6: libuv-devel-1.44.2-150500.3.5.1, libuv1-1.44.2-150500.3.5.1
  • openSUSE Leap 15.5: libuv-devel-1.44.2-150500.3.5.1, libuv1-1.44.2-150500.3.5.1, libuv1-32bit-1.44.2-150500.3.5.1
  • openSUSE Leap 15.6: libuv-devel-1.44.2-150500.3.5.1, libuv1-1.44.2-150500.3.5.1, libuv1-32bit-1.44.2-150500.3.5.1

Description

libuv is a multi-platform support library with a focus on asynchronous I/O. The `uv_getaddrinfo` function in `src/unix/getaddrinfo.c` (and its Windows counterpart `src/win/getaddrinfo.c`) truncates hostnames to 256 characters before calling `getaddrinfo`. This behavior can be exploited to create addresses like `0x00007f000001`, which are considered valid by `getaddrinfo` and could allow an attacker to craft payloads that resolve to unintended IP addresses, bypassing developer checks. The vulnerability arises from how the `hostname_ascii` variable (256 bytes long) is handled in `uv_getaddrinfo` and subsequently in `uv__idna_toascii`: when the hostname exceeds 256 characters, it is truncated without a terminating null byte. As a result, attackers may be able to reach internal APIs. On websites (similar to MySpace) that allow users to have `username.example.com` pages, internal services that crawl or cache these user pages can be exposed to SSRF attacks if a malicious user chooses a long vulnerable username. This issue has been addressed in release version 1.48.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

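As an added defensive example (not code from the advisory or from libuv), the two caller-side checks that blunt this class of bug: refuse a hostname longer than the DNS maximum before it reaches any resolver, so a 256-byte truncation can never occur, and refuse a resolution whose answers land in loopback or private ranges, which is what catches a hex-looking name that `getaddrinfo` accepts. `FAKE_DNS` and `fake_resolver` are a constructed offline stand-in for `getaddrinfo`, and `check` is a hypothetical convenience helper; none of this replaces upgrading to 1.48.0.

```python
import ipaddress
import re
import socket
from typing import Callable, List, Optional, Tuple

# RFC 1035: a whole name is at most 253 characters, each label at most 63. Refusing
# longer names up front means a wrapper that cuts at 256 bytes never sees them.
MAX_HOSTNAME = 253
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def validate_hostname(name: str) -> Optional[str]:
    """Return None for a well-formed DNS name or strict IP literal, else the reason."""
    if not name or len(name) > MAX_HOSTNAME:
        return "empty or longer than %d characters" % MAX_HOSTNAME
    try:
        ipaddress.ip_address(name)  # strict: hex/packed-integer shorthand is not a literal
        return None
    except ValueError:
        pass  # not a literal, so judge it as a DNS name
    if not all(LABEL_RE.match(lbl) for lbl in name.rstrip(".").split(".")):
        return "malformed DNS label"
    return None

def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast; loopback, RFC 1918, link-local fail."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast

def safe_resolve(name: str, resolver: Callable = socket.getaddrinfo) -> List[str]:
    """Validate, resolve, then refuse the name if any answer is in a non-public range."""
    reason = validate_hostname(name)
    if reason:
        raise ValueError("rejected %r: %s" % (name[:32], reason))
    answers = sorted({info[4][0] for info in resolver(name, None)})
    private = [a for a in answers if not is_public_address(a)]
    if private:
        raise ValueError("rejected %r: resolves to non-public %s" % (name[:32], private))
    return answers

# Constructed offline stand-in for getaddrinfo (not real DNS data); the second
# entry models the page's point that a hex-looking name resolves to loopback.
FAKE_DNS = {"example.com": "93.184.216.34", "0x00007f000001": "127.0.0.1"}
def fake_resolver(name: str, port) -> list:
    return [(socket.AF_INET, socket.SOCK_STREAM, 0, "", (FAKE_DNS[name], 0))]

def check(name: str) -> Tuple[bool, str]:
    try:
        return True, ",".join(safe_resolve(name, resolver=fake_resolver))
    except ValueError as exc:
        return False, str(exc)
```

In production, drop the `resolver=` override so `socket.getaddrinfo` is used, and run `is_public_address` again on the address actually connected to, since a DNS answer can change between resolution and connect.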
Affected products
Container containers/apache-pulsar:3.3:libuv1-1.44.2-150500.3.5.1
Container containers/open-webui:0:libuv1-1.44.2-150500.3.5.1
Container containers/pytorch:2-nvidia:libuv1-1.44.2-150500.3.5.1
Container containers/pytorch:2.5.0:libuv1-1.44.2-150500.3.5.1

References
Vulnerability SUSE-SU-2024:4109-1