traefik-2.10.7-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13506 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z traefik-2.10.7-1.1 on GA media These are all security issues fixed in the traefik-2.10.7-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13506 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13506 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-39325/ SUSE CVE CVE-2023-39325 page https://www.suse.com/security/cve/CVE-2023-45283/ SUSE CVE CVE-2023-45283 page https://www.suse.com/security/cve/CVE-2023-45284/ SUSE CVE CVE-2023-45284 page https://www.suse.com/security/cve/CVE-2023-47106/ SUSE CVE CVE-2023-47106 page https://www.suse.com/security/cve/CVE-2023-47124/ SUSE CVE CVE-2023-47124 page https://www.suse.com/security/cve/CVE-2023-47633/ SUSE CVE CVE-2023-47633 page openSUSE Tumbleweed traefik-2.10.7-1.1 traefik-2.10.7-1.1 as a component of openSUSE Tumbleweed A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. CVE-2023-39325 openSUSE Tumbleweed:traefik-2.10.7-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-39325.html CVE-2023-39325 https://bugzilla.suse.com/1216109 SUSE Bug 1216109 The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example, the path \??\c:\x is equivalent to the more common path c:\x. Before fix, Clean could convert a rooted path such as \a\..\??\b into the root local device path \??\b. Clean will now convert this to .\??\b. Similarly, Join(\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \??\b. Join will now convert this to \.\??\b. In addition, with fix, IsAbs now correctly reports paths beginning with \??\ as absolute, and VolumeName correctly reports the \??\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \?, resulting in filepath.Clean(\?\c:) returning \?\c: rather than \?\c:\ (among other effects). The previous behavior has been restored. CVE-2023-45283 openSUSE Tumbleweed:traefik-2.10.7-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-45283.html CVE-2023-45283 https://bugzilla.suse.com/1216943 SUSE Bug 1216943 On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now correctly reports these names as non-local. CVE-2023-45284 openSUSE Tumbleweed:traefik-2.10.7-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-45284.html CVE-2023-45284 https://bugzilla.suse.com/1216944 SUSE Bug 1216944 Traefik is an open source HTTP reverse proxy and load balancer. When a request is sent to Traefik with a URL fragment, Traefik automatically URL encodes and forwards the fragment to the backend server. This violates RFC 7230 because in the origin-form the URL should only contain the absolute path and the query. When this is combined with another frontend proxy like Nginx, it can be used to bypass frontend proxy URI-based access control restrictions. This vulnerability has been addressed in versions 2.10.6 and 3.0.0-beta5. Users are advised to upgrade. There are no known workarounds for this vulnerability. CVE-2023-47106 openSUSE Tumbleweed:traefik-2.10.7-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-47106.html CVE-2023-47106 https://bugzilla.suse.com/1217804 SUSE Bug 1217804 ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2023-47124 openSUSE Tumbleweed:traefik-2.10.7-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-47124.html CVE-2023-47124 https://bugzilla.suse.com/1217806 SUSE Bug 1217806 Traefik is an open source HTTP reverse proxy and load balancer. The traefik docker container uses 100% CPU when it serves as its own backend, which is an automatically generated route resulting from the Docker integration in the default configuration. This issue has been addressed in versions 2.10.6 and 3.0.0-beta5. Users are advised to upgrade. There are no known workarounds for this vulnerability. CVE-2023-47633 openSUSE Tumbleweed:traefik-2.10.7-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-47633.html CVE-2023-47633 https://bugzilla.suse.com/1217807 SUSE Bug 1217807