git: ee448fc58af3 - main - security/vuxml: Document vulnerability in traefik before 2.9.9_1
Date: Mon, 10 Apr 2023 21:39:57 UTC
The branch main has been updated by riggs: URL: https://cgit.FreeBSD.org/ports/commit/?id=ee448fc58af3d8cf3d9c311b121b1d29b9598767 commit ee448fc58af3d8cf3d9c311b121b1d29b9598767 Author: Thomas Zander <riggs@FreeBSD.org> AuthorDate: 2023-04-10 21:38:32 +0000 Commit: Thomas Zander <riggs@FreeBSD.org> CommitDate: 2023-04-10 21:39:54 +0000 security/vuxml: Document vulnerability in traefik before 2.9.9_1 --- security/vuxml/vuln/2023.xml | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index f98e21ff05c2..8659898633ca 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml 
@@ -1,3 +1,41 @@ + <vuln vid="02e51cb3-d7e4-11ed-9f7a-5404a68ad561"> + <topic>traefik -- Use of vulnerable Go modules net/http, net/textproto</topic> + <affects> + <package> + <name>traefik</name> + <range><lt>2.9.9_1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Go project reports:</p> + <blockquote cite="https://pkg.go.dev/vuln/GO-2023-1704"> + <p>HTTP and MIME header parsing can allocate large amounts + of memory, even when parsing small inputs, potentially + leading to a denial of service. Certain unusual patterns + of input data can cause the common function used to parse + HTTP and MIME headers to allocate substantially more + memory than required to hold the parsed headers. An + attacker can exploit this behavior to cause an HTTP + server to allocate large amounts of memory from a small + request, potentially leading to memory exhaustion and a + denial of service. With fix, header parsing now correctly + allocates only the memory required to hold parsed headers.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2023-24534</cvename> + <url>https://www.cve.org/CVERecord?id=CVE-2023-24534</url> + <cvename>CVE-2023-29013</cvename> + <url>https://www.cve.org/CVERecord?id=CVE-2023-29013</url> + </references> + <dates> + <discovery>2023-03-10</discovery> + <entry>2023-04-07</entry> + </dates> + </vuln> + <vuln vid="f767d615-01db-47e9-b4ab-07bb8d3409fd"> <topic>py39-cinder -- insecure-credentials flaw</topic> <affects>
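Review bot: In the `<dates>` block, `<entry>2023-04-07</entry>` is three days earlier than this commit's CommitDate of 2023-04-10; if the entry date is meant to record when the entry was added to the file, it should read 2023-04-10. In `<references>`, two CVE names are listed, but the description quotes only the Go advisory GO-2023-1704, so a reader cannot tell from the entry how CVE-2023-29013 relates to the quoted text. A short sentence in the body attributing each CVE, and a `<url>` for the page already cited in the blockquote (https://pkg.go.dev/vuln/GO-2023-1704), would make the entry self-explanatory.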