afterburn-5.0.0-6.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11751 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z afterburn-5.0.0-6.1 on GA media These are all security issues fixed in the afterburn-5.0.0-6.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11751 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11751 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2020-35905/ SUSE CVE CVE-2020-35905 page https://www.suse.com/security/cve/CVE-2020-36465/ SUSE CVE CVE-2020-36465 page https://www.suse.com/security/cve/CVE-2021-27378/ SUSE CVE CVE-2021-27378 page https://www.suse.com/security/cve/CVE-2021-32714/ SUSE CVE CVE-2021-32714 page https://www.suse.com/security/cve/CVE-2021-32715/ SUSE CVE CVE-2021-32715 page https://www.suse.com/security/cve/CVE-2021-38191/ SUSE CVE CVE-2021-38191 page https://www.suse.com/security/cve/CVE-2021-45710/ SUSE CVE CVE-2021-45710 page openSUSE Tumbleweed afterburn-5.0.0-6.1 afterburn-dracut-5.0.0-6.1 afterburn-5.0.0-6.1 as a component of openSUSE Tumbleweed afterburn-dracut-5.0.0-6.1 as a component of openSUSE Tumbleweed An issue was discovered in the futures-util crate before 0.3.7 for Rust. MutexGuard::map can cause a data race for certain closure situations (in safe code). CVE-2020-35905 openSUSE Tumbleweed:afterburn-5.0.0-6.1 openSUSE Tumbleweed:afterburn-dracut-5.0.0-6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-35905.html CVE-2020-35905 An issue was discovered in the generic-array crate before 0.13.3 for Rust. It violates soundness by using the arr! macro to extend lifetimes. CVE-2020-36465 openSUSE Tumbleweed:afterburn-5.0.0-6.1 openSUSE Tumbleweed:afterburn-dracut-5.0.0-6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-36465.html CVE-2020-36465 An issue was discovered in the rand_core crate before 0.6.2 for Rust. Because read_u32_into and read_u64_into mishandle certain buffer-length checks, a random number generator may be seeded with too little data. CVE-2021-27378 openSUSE Tumbleweed:afterburn-5.0.0-6.1 openSUSE Tumbleweed:afterburn-dracut-5.0.0-6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-27378.html CVE-2021-27378 https://bugzilla.suse.com/1182432 SUSE Bug 1182432 hyper is an HTTP library for Rust. In versions prior to 0.14.10, hyper's HTTP server and client code had a flaw that could trigger an integer overflow when decoding chunk sizes that are too big. This allows possible data loss, or if combined with an upstream HTTP proxy that allows chunk sizes larger than hyper does, can result in "request smuggling" or "desync attacks." The vulnerability is patched in version 0.14.10. Two possible workarounds exist. One may reject requests manually that contain a `Transfer-Encoding` header or ensure any upstream proxy rejects `Transfer-Encoding` chunk sizes greater than what fits in 64-bit unsigned integers. CVE-2021-32714 openSUSE Tumbleweed:afterburn-5.0.0-6.1 openSUSE Tumbleweed:afterburn-dracut-5.0.0-6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-32714.html CVE-2021-32714 https://bugzilla.suse.com/1188174 SUSE Bug 1188174 hyper is an HTTP library for rust. hyper's HTTP/1 server code had a flaw that incorrectly parses and accepts requests with a `Content-Length` header with a prefixed plus sign, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that doesn't parse such `Content-Length` headers, but forwards them, can result in "request smuggling" or "desync attacks". The flaw exists in all prior versions of hyper prior to 0.14.10, if built with `rustc` v1.5.0 or newer. The vulnerability is patched in hyper version 0.14.10. Two workarounds exist: One may reject requests manually that contain a plus sign prefix in the `Content-Length` header or ensure any upstream proxy handles `Content-Length` headers with a plus sign prefix. CVE-2021-32715 openSUSE Tumbleweed:afterburn-5.0.0-6.1 openSUSE Tumbleweed:afterburn-dracut-5.0.0-6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-32715.html CVE-2021-32715 https://bugzilla.suse.com/1188173 SUSE Bug 1188173 An issue was discovered in the tokio crate before 1.8.1 for Rust. Upon a JoinHandle::abort, a Task may be dropped in the wrong thread. CVE-2021-38191 openSUSE Tumbleweed:afterburn-5.0.0-6.1 openSUSE Tumbleweed:afterburn-dracut-5.0.0-6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-38191.html CVE-2021-38191 An issue was discovered in the tokio crate before 1.8.4, and 1.9.x through 1.13.x before 1.13.1, for Rust. In certain circumstances involving a closed oneshot channel, there is a data race and memory corruption. CVE-2021-45710 openSUSE Tumbleweed:afterburn-5.0.0-6.1 openSUSE Tumbleweed:afterburn-dracut-5.0.0-6.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-45710.html CVE-2021-45710 https://bugzilla.suse.com/1194119 SUSE Bug 1194119