Description
Security update for protobuf
This update for protobuf fixes the following issues:
- CVE-2026-0994: Fixed google.protobuf.Any recursion depth bypass in Python json_format.ParseDict (bsc#1257173).
Package list
SUSE Linux Enterprise Micro 5.3
libprotobuf-lite25_1_0-25.1-150400.9.19.1
SUSE Linux Enterprise Micro 5.4
libprotobuf-lite25_1_0-25.1-150400.9.19.1
SUSE Linux Enterprise Module for Public Cloud 15 SP4
python311-protobuf-4.25.1-150400.9.19.1
References
- Link for SUSE-SU-2026:0563-1
- E-Mail link for SUSE-SU-2026:0563-1
- SUSE Security Ratings
- SUSE Bug 1257173
- SUSE CVE CVE-2026-0994 page
Description
A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python's recursion stack and causing a RecursionError.
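A pre-parse guard that complements installing the update, as an added example (not code from this advisory or from protobuf): it measures the nesting of an already-decoded JSON value iteratively, so the check itself cannot exhaust the recursion stack, and rejects input before it reaches json_format.ParseDict(). The names measure_nesting, within_limit, nested_any and the limit of 100 are assumptions, and the sample input is constructed.

```python
# Added example: application-side depth guard, not part of protobuf.
MAX_DEPTH = 100          # assumed application limit, tune to your schema
ANY_TYPE_KEY = "@type"   # JSON key that marks a google.protobuf.Any object


def measure_nesting(obj, stop_after):
    """Return (container_depth, any_depth) for a decoded JSON value.

    Uses an explicit stack instead of recursion and stops early once
    container_depth exceeds stop_after.
    """
    max_depth = max_any = 0
    stack = [(obj, 0, 0)]
    while stack:
        node, depth, any_depth = stack.pop()
        if isinstance(node, dict):
            depth += 1
            if ANY_TYPE_KEY in node:
                any_depth += 1  # one more level of Any wrapping
            children = node.values()
        elif isinstance(node, list):
            depth += 1
            children = node
        else:
            continue  # scalars add no depth
        max_depth = max(max_depth, depth)
        max_any = max(max_any, any_depth)
        if max_depth > stop_after:
            break  # already over the limit, no need to walk further
        stack.extend((child, depth, any_depth) for child in children)
    return max_depth, max_any


def within_limit(obj, max_depth=MAX_DEPTH):
    """True if obj is shallow enough to hand to json_format.ParseDict()."""
    depth, _ = measure_nesting(obj, stop_after=max_depth)
    return depth <= max_depth


def nested_any(levels):
    """Constructed sample input: a Duration wrapped in `levels` Any objects."""
    payload = {"@type": "type.googleapis.com/google.protobuf.Duration",
               "value": "1s"}
    for _ in range(levels):
        payload = {"@type": "type.googleapis.com/google.protobuf.Any",
                   "value": payload}
    return payload
```

Call within_limit(data) on untrusted input and reject it when the result is False, before passing data to ParseDict().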
Affected products
SUSE Linux Enterprise Micro 5.3:libprotobuf-lite25_1_0-25.1-150400.9.19.1
SUSE Linux Enterprise Micro 5.4:libprotobuf-lite25_1_0-25.1-150400.9.19.1
SUSE Linux Enterprise Module for Public Cloud 15 SP4:python311-protobuf-4.25.1-150400.9.19.1
References
- CVE-2026-0994
- SUSE Bug 1257173