teleport-15.2.4-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13903-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z teleport-15.2.4-1.1 on GA media These are all security issues fixed in the teleport-15.2.4-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13903 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-45288/ SUSE CVE CVE-2023-45288 page https://www.suse.com/security/cve/CVE-2024-29902/ SUSE CVE CVE-2024-29902 page https://www.suse.com/security/cve/CVE-2024-32650/ SUSE CVE CVE-2024-32650 page openSUSE Tumbleweed teleport-15.2.4-1.1 teleport-tbot-15.2.4-1.1 teleport-tctl-15.2.4-1.1 teleport-tsh-15.2.4-1.1 teleport-15.2.4-1.1 as a component of openSUSE Tumbleweed teleport-tbot-15.2.4-1.1 as a component of openSUSE Tumbleweed teleport-tctl-15.2.4-1.1 as a component of openSUSE Tumbleweed teleport-tsh-15.2.4-1.1 as a component of openSUSE Tumbleweed An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection. CVE-2023-45288 openSUSE Tumbleweed:teleport-15.2.4-1.1 openSUSE Tumbleweed:teleport-tbot-15.2.4-1.1 openSUSE Tumbleweed:teleport-tctl-15.2.4-1.1 openSUSE Tumbleweed:teleport-tsh-15.2.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-45288.html CVE-2023-45288 https://bugzilla.suse.com/1221400 SUSE Bug 1221400 Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, a remote image with a malicious attachment can cause denial of service of the host machine running Cosign. This can impact other services on the machine that rely on having memory available such as a Redis database which can result in data loss. It can also impact the availability of other services on the machine that will not be available for the duration of the machine denial. The root cause of this issue is that Cosign reads the attachment from a remote image entirely into memory without checking the size of the attachment first. As such, a large attachment can make Cosign read a large attachment into memory; If the attachments size is larger than the machine has memory available, the machine will be denied of service. The Go runtime will make a SigKill after a few seconds of system-wide denial. This issue can allow a supply-chain escalation from a compromised registry to the Cosign user: If an attacher has compromised a registry or the account of an image vendor, they can include a malicious attachment and hurt the image consumer. Version 2.2.4 contains a patch for the vulnerability. CVE-2024-29902 openSUSE Tumbleweed:teleport-15.2.4-1.1 openSUSE Tumbleweed:teleport-tbot-15.2.4-1.1 openSUSE Tumbleweed:teleport-tctl-15.2.4-1.1 openSUSE Tumbleweed:teleport-tsh-15.2.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-29902.html CVE-2024-29902 https://bugzilla.suse.com/1222835 SUSE Bug 1222835 Rustls is a modern TLS library written in Rust. `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input. When using a blocking rustls server, if a client send a `close_notify` message immediately after `client_hello`, the server's `complete_io` will get in an infinite loop. This vulnerability is fixed in 0.23.5, 0.22.4, and 0.21.11. CVE-2024-32650 openSUSE Tumbleweed:teleport-15.2.4-1.1 openSUSE Tumbleweed:teleport-tbot-15.2.4-1.1 openSUSE Tumbleweed:teleport-tctl-15.2.4-1.1 openSUSE Tumbleweed:teleport-tsh-15.2.4-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-32650.html CVE-2024-32650 https://bugzilla.suse.com/1223211 SUSE Bug 1223211