Security update for etcd SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:1285-1 Final 1 1 2025-04-15T16:24:41Z current 2025-04-15T16:24:41Z 2025-04-15T16:24:41Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for etcd This update for etcd fixes the following issues: - Update to version 3.5.21: - CVE-2025-30204: Fixed a bug that could allow excessive memory allocation during header parsing in jwt-go. (bsc#1240515) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-1285,openSUSE-SLE-15.6-2025-1285 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20251285-1/ Link for SUSE-SU-2025:1285-1 https://lists.suse.com/pipermail/sle-updates/2025-April/039010.html E-Mail link for SUSE-SU-2025:1285-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1240515 SUSE Bug 1240515 https://www.suse.com/security/cve/CVE-2025-30204/ SUSE CVE CVE-2025-30204 page openSUSE Leap 15.6 etcd-3.5.21-150000.7.12.1 etcdctl-3.5.21-150000.7.12.1 etcdutl-3.5.21-150000.7.12.1 etcd-3.5.21-150000.7.12.1 as a component of openSUSE Leap 15.6 etcdctl-3.5.21-150000.7.12.1 as a component of openSUSE Leap 15.6 golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2. CVE-2025-30204 openSUSE Leap 15.6:etcd-3.5.21-150000.7.12.1 openSUSE Leap 15.6:etcdctl-3.5.21-150000.7.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251285-1/ https://www.suse.com/security/cve/CVE-2025-30204.html CVE-2025-30204 https://bugzilla.suse.com/1240442 SUSE Bug 1240442