traefik-2.10.1-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13007-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z traefik-2.10.1-1.1 on GA media These are all security issues fixed in the traefik-2.10.1-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13007 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2022-41724/ SUSE CVE CVE-2022-41724 page https://www.suse.com/security/cve/CVE-2023-24534/ SUSE CVE CVE-2023-24534 page https://www.suse.com/security/cve/CVE-2023-29013/ SUSE CVE CVE-2023-29013 page openSUSE Tumbleweed traefik-2.10.1-1.1 traefik-2.10.1-1.1 as a component of openSUSE Tumbleweed Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert). CVE-2022-41724 openSUSE Tumbleweed:traefik-2.10.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-41724.html CVE-2022-41724 https://bugzilla.suse.com/1208271 SUSE Bug 1208271 HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers. CVE-2023-24534 openSUSE Tumbleweed:traefik-2.10.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-24534.html CVE-2023-24534 https://bugzilla.suse.com/1210127 SUSE Bug 1210127 Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer for deploying microservices. There is a vulnerability in Go when parsing the HTTP headers, which impacts Traefik. HTTP header parsing could allocate substantially more memory than required to hold the parsed headers. This behavior could be exploited to cause a denial of service. This issue has been patched in versions 2.9.10 and 2.10.0-rc2. CVE-2023-29013 openSUSE Tumbleweed:traefik-2.10.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-29013.html CVE-2023-29013 https://bugzilla.suse.com/1210505 SUSE Bug 1210505