Описание
Security update for containerized-data-importer
This update for containerized-data-importer fixes the following issues:
- Security: re-vendor Go dependencies to address CVEs tracked against
containerized-data-importer (backport of upstream PR #4110, post-v1.65.0).
Fixed by this update:
- google.golang.org/grpc 1.65.0 -> 1.79.3: bsc#1260295 (CVE-2026-33186)
- golang.org/x/net 0.33.0 -> 0.48.0: bsc#1238699 (CVE-2025-22870), bsc#1241838 (CVE-2025-22872), bsc#1251495 (CVE-2025-47911), bsc#1251689 (CVE-2025-58190)
- golang.org/x/crypto 0.31.0 -> 0.46.0: CVE-2025-22869, CVE-2025-47913, CVE-2025-47914, CVE-2025-58181 (no separate CDI bug filed)
- go.opentelemetry.io/otel 1.28.0 -> 1.41.0: CVE-2026-29181 (otel is pulled in transitively at 1.39.0 by the grpc bump; pinned to 1.41.0 so the update does not introduce it)
- Record CVEs already fixed by the x/net release vendored in 1.64.0 (x/net 0.33.0), not previously noted in the changelog: bsc#1236523 (CVE-2023-45288), bsc#1230323 (CVE-2023-39325)
Список пакетов
SUSE Linux Enterprise Module for Containers 15 SP7
Ссылки
- Link for SUSE-SU-2026:2493-1
- E-Mail link for SUSE-SU-2026:2493-1
- SUSE Security Ratings
- SUSE Bug 1230323
- SUSE Bug 1236523
- SUSE Bug 1238699
- SUSE Bug 1241838
- SUSE Bug 1251495
- SUSE Bug 1251689
- SUSE Bug 1260295
- SUSE CVE CVE-2023-39325 page
- SUSE CVE CVE-2023-45288 page
- SUSE CVE CVE-2025-22869 page
- SUSE CVE CVE-2025-22870 page
- SUSE CVE CVE-2025-22872 page
- SUSE CVE CVE-2025-47911 page
- SUSE CVE CVE-2025-47913 page
- SUSE CVE CVE-2025-47914 page
- SUSE CVE CVE-2025-58181 page
- SUSE CVE CVE-2025-58190 page
Описание
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
Затронутые продукты
Ссылки
- CVE-2023-39325
- SUSE Bug 1216109
- SUSE Bug 1230323
Описание
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
Затронутые продукты
Ссылки
- CVE-2023-45288
- SUSE Bug 1221400
Описание
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
Затронутые продукты
Ссылки
- CVE-2025-22869
- SUSE Bug 1239322
Описание
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
Затронутые продукты
Ссылки
- CVE-2025-22870
- SUSE Bug 1238572
- SUSE Bug 1238611
Описание
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts).
Затронутые продукты
Ссылки
- CVE-2025-22872
- SUSE Bug 1241710
- SUSE Bug 1265255
- SUSE Bug 1265256
- SUSE Bug 1265259
Описание
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
Затронутые продукты
Ссылки
- CVE-2025-47911
- SUSE Bug 1251308
Описание
SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.
Затронутые продукты
Ссылки
- CVE-2025-47913
- SUSE Bug 1253506
Описание
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
Затронутые продукты
Ссылки
- CVE-2025-47914
- SUSE Bug 1253967
Описание
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
Затронутые продукты
Ссылки
- CVE-2025-58181
- SUSE Bug 1253784
Описание
The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
Затронутые продукты
Ссылки
- CVE-2025-58190
- SUSE Bug 1251309
Описание
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0.
Затронутые продукты
Ссылки
- CVE-2026-29181
Описание
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.
Затронутые продукты
Ссылки
- CVE-2026-33186
- SUSE Bug 1260085
- SUSE Bug 1268676