Security update for go1.21 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:1161-1 Final 1 1 2024-04-08T11:28:23Z current 2024-04-08T11:28:23Z 2024-04-08T11:28:23Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for go1.21 This update for go1.21 fixes the following issues: - CVE-2023-45288: Fixed denial of service via HTTP/2 continuation frames (bsc#1221400) Other changes: - go minor release upgrade to 1.21.9 (bsc#1212475) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-1161,SUSE-SLE-SDK-12-SP5-2024-1161 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20241161-1/ Link for SUSE-SU-2024:1161-1 https://lists.suse.com/pipermail/sle-updates/2024-April/034862.html E-Mail link for SUSE-SU-2024:1161-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1212475 SUSE Bug 1212475 https://bugzilla.suse.com/1221400 SUSE Bug 1221400 https://www.suse.com/security/cve/CVE-2023-45288/ SUSE CVE CVE-2023-45288 page SUSE Linux Enterprise Software Development Kit 12 SP5 go1.21-1.21.9-1.30.1 go1.21-doc-1.21.9-1.30.1 go1.21-1.21.9-1.30.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 go1.21-doc-1.21.9-1.30.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection. CVE-2023-45288 SUSE Linux Enterprise Software Development Kit 12 SP5:go1.21-1.21.9-1.30.1 SUSE Linux Enterprise Software Development Kit 12 SP5:go1.21-doc-1.21.9-1.30.1 moderate 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241161-1/ https://www.suse.com/security/cve/CVE-2023-45288.html CVE-2023-45288 https://bugzilla.suse.com/1221400 SUSE Bug 1221400