Description
Security update for golang-github-prometheus-alertmanager
This update for golang-github-prometheus-alertmanager fixes the following issues:
- Security:
- CVE-2025-22870: Fix proxy bypassing using IPv6 zone IDs (bsc#1238686)
- CVE-2023-45288: Fix HTTP/2 CONTINUATION flood in net/http (bsc#1236516)
Package list
SUSE Linux Enterprise Module for Package Hub 15 SP6
SUSE Linux Enterprise Module for Package Hub 15 SP7
SUSE Manager Client Tools 15
SUSE Manager Proxy Module 4.3
openSUSE Leap 15.6
References
- Link for SUSE-SU-2025:01992-1
- E-Mail link for SUSE-SU-2025:01992-1
- SUSE Security Ratings
- SUSE Bug 1236516
- SUSE Bug 1238686
- SUSE CVE CVE-2023-45288 page
- SUSE CVE CVE-2025-22870 page
Description
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
Affected products
References
- CVE-2023-45288
- SUSE Bug 1221400
Description
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
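The matching flaw above, shown as an added Go example that is not part of this advisory or of the Go standard library's own net/http/httpproxy code. It uses a deliberately simplified NO_PROXY matcher (the function names bypassProxyNaive, bypassProxyFixed, hostOnly and matchesHostPattern are hypothetical, and the pattern list is constructed), so the real Go matcher differs in detail. The naive variant compares the raw host string against the pattern, so the zone ID ".example.com" of the IPv6 literal satisfies the "*.example.com" suffix and the proxy is skipped; the fixed variant drops the zone before matching and treats IP literals separately from hostnames, so only an exact IP or a CIDR entry can exempt an IP literal from proxying.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// noProxyPatterns stands in for NO_PROXY="*.example.com" as in the advisory.
// The value is constructed for this example.
var noProxyPatterns = []string{"*.example.com"}

// hostOnly extracts the host from a URL authority such as
// "[::1%25.example.com]:80", dropping the port and the IPv6 brackets.
func hostOnly(authority string) string {
	host, _, err := net.SplitHostPort(authority)
	if err != nil {
		host = authority // no port present
	}
	return strings.Trim(host, "[]")
}

// matchesHostPattern reports whether a hostname matches a NO_PROXY entry of
// the form "example.com" (exact) or "*.example.com" (any subdomain).
func matchesHostPattern(host, pattern string) bool {
	host = strings.ToLower(host)
	pattern = strings.ToLower(pattern)
	if strings.HasPrefix(pattern, "*.") {
		// "*.example.com" becomes ".example.com": a plain suffix check.
		return strings.HasSuffix(host, pattern[1:])
	}
	return host == pattern
}

// bypassProxyNaive reproduces the flawed logic the CVE describes: the host is
// matched as a plain string, so the zone ID of an IPv6 literal can satisfy
// a hostname suffix pattern and the request is wrongly exempted from the proxy.
func bypassProxyNaive(patterns []string, authority string) bool {
	host := hostOnly(authority)
	for _, p := range patterns {
		if matchesHostPattern(host, p) {
			return true
		}
	}
	return false
}

// bypassProxyFixed strips the zone ID from an IPv6 literal before matching and
// then handles IP literals separately from hostnames, so a zone ID can never
// satisfy a hostname pattern. An IP literal bypasses the proxy only when a
// NO_PROXY entry is that exact IP or a CIDR range containing it.
func bypassProxyFixed(patterns []string, authority string) bool {
	host := hostOnly(authority)
	if i := strings.IndexByte(host, '%'); i >= 0 {
		host = host[:i] // drop "%zone" (written as "%25..." inside a URL)
	}
	if ip := net.ParseIP(host); ip != nil {
		for _, p := range patterns {
			if _, cidr, err := net.ParseCIDR(p); err == nil && cidr.Contains(ip) {
				return true
			}
			if other := net.ParseIP(p); other != nil && other.Equal(ip) {
				return true
			}
		}
		return false
	}
	for _, p := range patterns {
		if matchesHostPattern(host, p) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed request authorities, including the advisory's example.
	for _, a := range []string{"api.example.com:443", "[::1%25.example.com]:80", "[::1]:80", "evil.com:80"} {
		fmt.Printf("%-26s naive=%-5v fixed=%v\n", a,
			bypassProxyNaive(noProxyPatterns, a), bypassProxyFixed(noProxyPatterns, a))
	}
}
```

Running it shows the advisory's case diverging between the two matchers: the naive matcher reports the bracketed IPv6 literal as a NO_PROXY hit, while the fixed matcher sends it through the proxy and still exempts a genuine subdomain such as api.example.com.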
Affected products
References
- CVE-2025-22870
- SUSE Bug 1238572
- SUSE Bug 1238611