Описание
Security update for etcd
This update for etcd fixes the following issues:
- Update to version 3.5.21:
- CVE-2025-30204: Fixed a bug that could allow excessive memory allocation during header parsing in jwt-go. (bsc#1240515)
Список пакетов
openSUSE Leap 15.6
etcd-3.5.21-150000.7.12.1
etcdctl-3.5.21-150000.7.12.1
Ссылки
- Link for SUSE-SU-2025:1285-1
- E-Mail link for SUSE-SU-2025:1285-1
- SUSE Security Ratings
- SUSE Bug 1240515
- SUSE CVE CVE-2025-30204 page
Описание
golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.
Затронутые продукты
openSUSE Leap 15.6:etcd-3.5.21-150000.7.12.1
openSUSE Leap 15.6:etcdctl-3.5.21-150000.7.12.1
Ссылки
- CVE-2025-30204
- SUSE Bug 1240442