govulncheck-vulndb-0.0.20241218T202206-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:14603-1 Final 1 1 2024-12-19T00:00:00Z current 2024-12-19T00:00:00Z 2024-12-19T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z govulncheck-vulndb-0.0.20241218T202206-1.1 on GA media These are all security issues fixed in the govulncheck-vulndb-0.0.20241218T202206-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-14603 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GN5BTYONDVDULOG3YURKUJNL2YZ2LDHU/ E-Mail link for openSUSE-SU-2024:14603-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-12289/ SUSE CVE CVE-2024-12289 page https://www.suse.com/security/cve/CVE-2024-28053/ SUSE CVE CVE-2024-28053 page https://www.suse.com/security/cve/CVE-2024-45338/ SUSE CVE CVE-2024-45338 page https://www.suse.com/security/cve/CVE-2024-48872/ SUSE CVE CVE-2024-48872 page https://www.suse.com/security/cve/CVE-2024-54083/ SUSE CVE CVE-2024-54083 page https://www.suse.com/security/cve/CVE-2024-54682/ SUSE CVE CVE-2024-54682 page https://www.suse.com/security/cve/CVE-2024-55885/ SUSE CVE CVE-2024-55885 page https://www.suse.com/security/cve/CVE-2024-55949/ SUSE CVE CVE-2024-55949 page openSUSE Tumbleweed govulncheck-vulndb-0.0.20241218T202206-1.1 govulncheck-vulndb-0.0.20241218T202206-1.1 as a component of openSUSE Tumbleweed Boundary Community Edition and Boundary Enterprise ("Boundary") incorrectly handle HTTP requests during the initialization of the Boundary controller, which may cause the Boundary server to terminate prematurely. Boundary is only vulnerable to this flaw during the initialization of the Boundary controller, which on average is measured in milliseconds during the Boundary startup process. This vulnerability, CVE-2024-12289, is fixed in Boundary Community Edition and Boundary Enterprise 0.16.4, 0.17.3, 0.18.2. CVE-2024-12289 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241218T202206-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GN5BTYONDVDULOG3YURKUJNL2YZ2LDHU/ https://www.suse.com/security/cve/CVE-2024-12289.html CVE-2024-12289 Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed allowing an attacker to send a very large email payload and crash the server. CVE-2024-28053 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241218T202206-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GN5BTYONDVDULOG3YURKUJNL2YZ2LDHU/ https://www.suse.com/security/cve/CVE-2024-28053.html CVE-2024-28053 An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service. CVE-2024-45338 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241218T202206-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GN5BTYONDVDULOG3YURKUJNL2YZ2LDHU/ https://www.suse.com/security/cve/CVE-2024-45338.html CVE-2024-45338 https://bugzilla.suse.com/1234794 SUSE Bug 1234794 Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to prevent concurrently checking and updating the failed login attempts. which allows an attacker to bypass of "Max failed attempts" restriction and send a big number of login attempts before being blocked via simultaneously sending multiple login requests CVE-2024-48872 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241218T202206-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GN5BTYONDVDULOG3YURKUJNL2YZ2LDHU/ https://www.suse.com/security/cve/CVE-2024-48872.html CVE-2024-48872 Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps which allows a user to cause a client side (webapp and mobile) DoS to users of particular channels, by sending a specially crafted post. CVE-2024-54083 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241218T202206-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GN5BTYONDVDULOG3YURKUJNL2YZ2LDHU/ https://www.suse.com/security/cve/CVE-2024-54083.html CVE-2024-54083 Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for slack import file uploads which allows a user to cause a DoS via zip bomb by importing data in a team they are a team admin. CVE-2024-54682 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241218T202206-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GN5BTYONDVDULOG3YURKUJNL2YZ2LDHU/ https://www.suse.com/security/cve/CVE-2024-54682.html CVE-2024-54682 beego is an open-source web framework for the Go programming language. Versions of beego prior to 2.3.4 use MD5 as a hashing algorithm. MD5 is no longer considered secure against well-funded opponents due to its vulnerability to collision attacks. Version 2.3.4 replaces MD5 with SHA256. CVE-2024-55885 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241218T202206-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GN5BTYONDVDULOG3YURKUJNL2YZ2LDHU/ https://www.suse.com/security/cve/CVE-2024-55885.html CVE-2024-55885 MinIO is a high-performance, S3 compatible object store, open sourced under GNU AGPLv3 license. Minio is subject to a privilege escalation in IAM import API, all users are impacted since MinIO commit `580d9db85e04f1b63cc2909af50f0ed08afa965f`. This issue has been addressed in commit `f246c9053f9603e610d98439799bdd2a6b293427` which is included in RELEASE.2024-12-13T22-19-12Z. There are no workarounds possible, all users are advised to upgrade immediately. CVE-2024-55949 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241218T202206-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GN5BTYONDVDULOG3YURKUJNL2YZ2LDHU/ https://www.suse.com/security/cve/CVE-2024-55949.html CVE-2024-55949