Sign in Sign up
Explore Enterprise Education Gitee Premium Gitee AI
Scan WeChat QR to Pay
Cancel
Complete
Watch
Unwatch Watching Releases Only Ignoring
9 Star 1 Fork 22

src-openEuler / skopeo

Code Issues 4 Pull Requests 1 Wiki Insights Pipelines
Service
Issues
 / 详情

CVE-2022-41723

Done
CVE和安全问题
majun-bot
Opened this issue  
2024-02-01 08:50

一、漏洞信息
漏洞编号:CVE-2022-41723
漏洞归属组件:skopeo
漏洞归属的版本:1.1.0,1.5.2,1.8.0
CVSS V3.0分值:
BaseScore:7.5 High
Vector:CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
漏洞简述:
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
漏洞公开时间:2023-03-01 02:15:09
漏洞创建时间:2024-02-01 08:50:36
漏洞详情参考链接:
https://nvd.nist.gov/vuln/detail/CVE-2022-41723

更多参考(点击展开)
参考来源 参考链接 来源链接
security.golang.org https://go.dev/cl/468135
security.golang.org https://go.dev/cl/468295
security.golang.org https://go.dev/issue/57855
security.golang.org https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
security.golang.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/
security.golang.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/
security.golang.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/
security.golang.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT/
security.golang.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/
security.golang.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/
security.golang.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/
security.golang.org https://pkg.go.dev/vuln/GO-2023-1571
security.golang.org https://security.gentoo.org/glsa/202311-09
security.golang.org https://www.couchbase.com/alerts/
redhat_bugzilla https://go.dev/issue/57855 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://pkg.go.dev/vuln/GO-2023-1571 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:1326 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:1325 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:3167 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:3305 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:3304 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:3445 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:3447 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:3450 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:3455 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:3367 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:3495 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:3537 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:3610 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:3614 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:3742 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:3918 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:3943 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:4003 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:4112 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:4113 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:4090 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:4091 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:4225 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:4226 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:4293 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:4335 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:4456 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:4627 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:4603 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:4664 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:4731 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:5233 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:5314 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:5672 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:5006 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:5007 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:6235 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:6248 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:6251 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:6346 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:6363 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:6402 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:6473 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:6474 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:6832 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:6938 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:6939 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:7058 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:7823 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2024:0198 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2024:0485 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2023:7198 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
redhat_bugzilla https://access.redhat.com/errata/RHSA-2024:0948 https://bugzilla.redhat.com/show_bug.cgi?id=2178358
ubuntu https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41723 https://ubuntu.com/security/CVE-2022-41723
ubuntu https://nvd.nist.gov/vuln/detail/CVE-2022-41723 https://ubuntu.com/security/CVE-2022-41723
ubuntu https://launchpad.net/bugs/cve/CVE-2022-41723 https://ubuntu.com/security/CVE-2022-41723
ubuntu https://security-tracker.debian.org/tracker/CVE-2022-41723 https://ubuntu.com/security/CVE-2022-41723
debian https://security-tracker.debian.org/tracker/CVE-2022-41723
gentoo https://security.gentoo.org/glsa/202311-09
anolis https://anas.openanolis.cn/cves/detail/CVE-2022-41723
cve_search https://go.dev/cl/468135
cve_search https://go.dev/issue/57855
cve_search https://go.dev/cl/468295
cve_search https://pkg.go.dev/vuln/GO-2023-1571
cve_search https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
cve_search https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/
cve_search https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/
github_advisory https://nvd.nist.gov/vuln/detail/CVE-2022-41723 https://github.com/advisories/GHSA-vvpx-j8f3-3w6h
github_advisory https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/ https://github.com/advisories/GHSA-vvpx-j8f3-3w6h
github_advisory https://go.dev/issue/57855 https://github.com/advisories/GHSA-vvpx-j8f3-3w6h
github_advisory https://go.dev/cl/468135 https://github.com/advisories/GHSA-vvpx-j8f3-3w6h
github_advisory https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E https://github.com/advisories/GHSA-vvpx-j8f3-3w6h
github_advisory https://pkg.go.dev/vuln/GO-2023-1571 https://github.com/advisories/GHSA-vvpx-j8f3-3w6h
github_advisory https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/ https://github.com/advisories/GHSA-vvpx-j8f3-3w6h
github_advisory https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT/ https://github.com/advisories/GHSA-vvpx-j8f3-3w6h
github_advisory https://go.dev/cl/468295 https://github.com/advisories/GHSA-vvpx-j8f3-3w6h
github_advisory https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/ https://github.com/advisories/GHSA-vvpx-j8f3-3w6h
github_advisory https://vuln.go.dev/ID/GO-2023-1571.json https://github.com/advisories/GHSA-vvpx-j8f3-3w6h
mageia http://advisories.mageia.org/MGASA-2023-0109.html
go https://go.dev/issue/57855 https://github.com/golang/vulndb/blob/master/reports/GO-2023-1571.yaml
go https://go.dev/cl/468135 https://github.com/golang/vulndb/blob/master/reports/GO-2023-1571.yaml
go https://go.dev/cl/468295 https://github.com/golang/vulndb/blob/master/reports/GO-2023-1571.yaml
go https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E https://github.com/golang/vulndb/blob/master/reports/GO-2023-1571.yaml

漏洞分析指导链接:
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
漏洞数据来源:
其它
漏洞补丁信息:

详情(点击展开)
影响的包 修复版本 修复补丁 问题引入补丁 来源
https://go.dev/cl/468135 nvd
https://go.dev/cl/468295 nvd
https://go.dev/issue/57855 nvd
https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E nvd
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/ nvd
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT/ nvd
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/ nvd
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/ nvd
https://pkg.go.dev/vuln/GO-2023-1571 nvd

二、漏洞分析结构反馈
影响性分析说明:
恶意制作的 HTTP/2 数据流会导致 HPACK 解码器的 CPU 消耗过多,足以通过少量小请求造成拒绝服务。
openEuler评分:
7.5
Vector:CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
受影响版本排查(受影响/不受影响):
1.openEuler-22.03-LTS(1.5.2):受影响
2.openEuler-22.03-LTS-Next(1.8.0):受影响
3.openEuler-22.03-LTS-SP1(1.5.2):受影响
4.openEuler-22.03-LTS-SP2(1.5.2):受影响
5.openEuler-22.03-LTS-SP3(1.8.0):受影响
6.master(1.8.0):不受影响
7.openEuler-20.03-LTS-SP1(1.1.0):不受影响
8.openEuler-20.03-LTS-SP4(1.1.0):不受影响
9.openEuler-24.03-LTS:不受影响
10.openEuler-24.03-LTS-Next:不受影响

修复是否涉及abi变化(是/否):
1.master(1.8.0):否
2.openEuler-20.03-LTS-SP1(1.1.0):否
3.openEuler-20.03-LTS-SP4(1.1.0):否
4.openEuler-22.03-LTS(1.5.2):否
5.openEuler-22.03-LTS-Next(1.8.0):否
6.openEuler-22.03-LTS-SP1(1.5.2):否
7.openEuler-22.03-LTS-SP2(1.5.2):否
8.openEuler-22.03-LTS-SP3(1.8.0):否
9.openEuler-24.03-LTS:否

三、漏洞修复
安全公告链接:https://www.openeuler.org/zh/security/safety-bulletin/detail/?id=openEuler-SA-2024-1581

Comments (11)

majun-bot createdCVE和安全问题
majun-bot added
 
CVE/UNFIXED
label
Expand operation logs

@haomintsai ,@yangzhao_kl ,@biannm ,@pixiake ,@haozi007 ,@Jianmin ,@weibaohui ,@leon wang ,@lijian
issue处理注意事项:
1. 当前issue受影响的分支提交pr时, 须在pr描述中填写当前issue编号进行关联, 否则无法关闭当前issue;
2. 模板内容需要填写完整, 无论是受影响或者不受影响都需要填写完整内容,未引入的分支不需要填写, 否则无法关闭当前issue;
3. 以下为模板中需要填写完整的内容, 请复制到评论区回复, 注: 内容的标题名称(影响性分析说明, openEuler评分, 受影响版本排查(受影响/不受影响), 修复是否涉及abi变化(是/否))不能省略,省略后cve-manager将无法正常解析填写内容.

影响性分析说明:

openEuler评分: (评分和向量)

受影响版本排查(受影响/不受影响):
1.master(1.8.0):
2.openEuler-20.03-LTS-SP1(1.1.0):
3.openEuler-20.03-LTS-SP4:
4.openEuler-22.03-LTS(1.5.2):
5.openEuler-22.03-LTS-Next(1.5.2):
6.openEuler-22.03-LTS-SP1(1.5.2):
7.openEuler-22.03-LTS-SP2:
8.openEuler-22.03-LTS-SP3:

修复是否涉及abi变化(是/否):
1.master(1.8.0):
2.openEuler-20.03-LTS-SP1(1.1.0):
3.openEuler-20.03-LTS-SP4:
4.openEuler-22.03-LTS(1.5.2):
5.openEuler-22.03-LTS-Next(1.5.2):
6.openEuler-22.03-LTS-SP1(1.5.2):
7.openEuler-22.03-LTS-SP2:
8.openEuler-22.03-LTS-SP3:

issue处理具体操作请参考:
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
pr关联issue具体操作请参考:
https://gitee.com/help/articles/4142

Hi openMajun_admin, welcome to the openEuler Community.
I'm the Bot here serving you. You can find the instructions on how to interact with me at Here.
If you have any questions, please contact the SIG: sig-CloudNative, and any of the maintainers: @haomintsai , @yangzhao_kl , @biannm , @pixiake , @haozi007 , @Jianmin , @weibaohui , @leon wang , @lijian

5329419 openeuler ci bot 1632792936
openeuler-ci-bot added
 
sig/sig-CloudNative
label
参考网址 关联pr 状态 补丁链接
https://ubuntu.com/security/CVE-2022-41723 None None https://discourse.ubuntu.com/c/ubuntu-pro
https://github.com/golang/net/commit/8e2b117aee74f6b86c207a808b0255de45c0a18a

说明:补丁链接仅供初步排查参考,实际可用性请人工再次确认,补丁下载验证可使用CVE补丁工具
若补丁不准确,烦请在此issue下评论 '/report-patch 参考网址 补丁链接1,补丁链接2' 反馈正确信息,便于我们不断优化工具,不胜感激。
如 /report-patch https://security-tracker.debian.org/tracker/CVE-2021-3997 https://github.com/systemd/systemd/commit/5b1cf7a9be37e20133c0208005274ce4a5b5c6a1

5329419 openeuler ci bot 1632792936
openeuler-ci-bot changed description
5329419 openeuler ci bot 1632792936
openeuler-ci-bot set start time to 2024-02-01
5329419 openeuler ci bot 1632792936
openeuler-ci-bot set deadline to 2024-03-02
5329419 openeuler ci bot 1632792936
openeuler-ci-bot set priority to Main
5329419 openeuler ci bot 1632792936
openeuler-ci-bot changed start time from 2024-02-01 to 2024-02-02
5329419 openeuler ci bot 1632792936
openeuler-ci-bot changed deadline from 2024-03-02 to 2024-02-16
5329419 openeuler ci bot 1632792936
openeuler-ci-bot changed start time from 2024-02-02 to 2024-02-11
5329419 openeuler ci bot 1632792936
openeuler-ci-bot changed deadline from 2024-02-16 to 2024-02-25

该CVE漏洞受依赖项golang的影响,目前golang仓针对该CVE漏洞,仅对openEuler-20.03-LTS-SP1、openEuler-20.03-LTS-SP3、openEuler-22.03-LTS、openEuler-22.03-LTS-SP1分支进行了修复,其余受影响分支未修复

5329419 openeuler ci bot 1632792936
openeuler-ci-bot changed description
5329419 openeuler ci bot 1632792936
openeuler-ci-bot changed description
5329419 openeuler ci bot 1632792936
openeuler-ci-bot changed description
5329419 openeuler ci bot 1632792936
openeuler-ci-bot changed description
5329419 openeuler ci bot 1632792936
openeuler-ci-bot changed description
5329419 openeuler ci bot 1632792936
openeuler-ci-bot changed description
5329419 openeuler ci bot 1632792936
openeuler-ci-bot changed description

影响性分析说明:
恶意制作的 HTTP/2 数据流会导致 HPACK 解码器的 CPU 消耗过多,足以通过少量小请求造成拒绝服务。
openEuler评分:
7.5
Vector:CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
受影响版本排查(受影响/不受影响):
1.master(2.15.0):不受影响
2.openEuler-20.03-LTS-SP1:不受影响
3.openEuler-20.03-LTS-SP4:不受影响
4.openEuler-22.03-LTS(2.14.0):受影响
5.openEuler-22.03-LTS-Next(2.14.0):受影响
6.openEuler-22.03-LTS-SP1(2.14.0):受影响
7.openEuler-22.03-LTS-SP2(2.14.0):受影响
8.openEuler-22.03-LTS-SP3:受影响
9.openEuler-24.03-LTS:不受影响

修复是否涉及abi变化(是/否):
1.master(2.15.0):否
2.openEuler-20.03-LTS-SP1:否
3.openEuler-20.03-LTS-SP4:否
4.openEuler-22.03-LTS(2.14.0):否
5.openEuler-22.03-LTS-Next(2.14.0):否
6.openEuler-22.03-LTS-SP1(2.14.0):否
7.openEuler-22.03-LTS-SP2(2.14.0):否
8.openEuler-22.03-LTS-SP3:否
9.openEuler-24.03-LTS:否

5329419 openeuler ci bot 1632792936
openeuler-ci-bot changed description

@ 经过 cve-manager 解析, 已分析的内容如下表所示:

状态 需分析 内容
已分析 1.影响性分析说明 恶意制作的 HTTP/2 数据流会导致 HPACK 解码器的 CPU 消耗过多,足以通过少量小请求造成拒绝服务。
已分析 2.openEulerScore 7.5
已分析 3.openEulerVector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
已分析 4.受影响版本排查 openEuler-22.03-LTS:受影响,openEuler-22.03-LTS-Next:受影响,openEuler-22.03-LTS-SP1:受影响,openEuler-22.03-LTS-SP2:受影响,openEuler-22.03-LTS-SP3:受影响,master:不受影响,openEuler-20.03-LTS-SP1:不受影响,openEuler-20.03-LTS-SP4:不受影响,openEuler-24.03-LTS:不受影响
已分析 5.修复是否涉及abi变化 master:否,openEuler-20.03-LTS-SP1:否,openEuler-20.03-LTS-SP4:否,openEuler-22.03-LTS:否,openEuler-22.03-LTS-Next:否,openEuler-22.03-LTS-SP1:否,openEuler-22.03-LTS-SP2:否,openEuler-22.03-LTS-SP3:否,openEuler-24.03-LTS:否

请确认分析内容的准确性, 确认无误后, 您可以进行后续步骤, 否则您可以继续分析.

TD北岸花园 throughsrc-openeuler/skopeo Pull Request !71 changed issue state from 待办的 to 已完成
5329419 openeuler ci bot 1632792936
openeuler-ci-bot changed issue state from 已完成 to 待办的

@TD北岸花园 请确认分支: openEuler-24.03-LTS-Next 受影响/不受影响.
请确认分支信息是否填写完整,否则将无法关闭当前issue.

5329419 openeuler ci bot 1632792936
openeuler-ci-bot removed
 
CVE/UNFIXED
label
5329419 openeuler ci bot 1632792936
openeuler-ci-bot removed
 
sig/sig-CloudNative
label
5329419 openeuler ci bot 1632792936
openeuler-ci-bot added
 
CVE/UNFIXED
label
5329419 openeuler ci bot 1632792936
openeuler-ci-bot added
 
sig/sig-CloudNative
label
TD北岸花园 throughsrc-openeuler/skopeo Pull Request !76 changed issue state from 待办的 to 已完成
5329419 openeuler ci bot 1632792936
openeuler-ci-bot changed issue state from 已完成 to 待办的

@TD北岸花园 请确认分支: openEuler-24.03-LTS-Next 受影响/不受影响.
请确认分支信息是否填写完整,否则将无法关闭当前issue.

5329419 openeuler ci bot 1632792936
openeuler-ci-bot removed
 
CVE/UNFIXED
label
5329419 openeuler ci bot 1632792936
openeuler-ci-bot removed
 
sig/sig-CloudNative
label
5329419 openeuler ci bot 1632792936
openeuler-ci-bot added
 
CVE/UNFIXED
label
5329419 openeuler ci bot 1632792936
openeuler-ci-bot added
 
sig/sig-CloudNative
label

影响性分析说明:
恶意制作的 HTTP/2 数据流会导致 HPACK 解码器的 CPU 消耗过多,足以通过少量小请求造成拒绝服务。
openEuler评分:
7.5
Vector:CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
受影响版本排查(受影响/不受影响):
1.master(2.15.0):不受影响
2.openEuler-20.03-LTS-SP1:不受影响
3.openEuler-20.03-LTS-SP4:不受影响
4.openEuler-22.03-LTS(2.14.0):受影响
5.openEuler-22.03-LTS-Next(2.14.0):受影响
6.openEuler-22.03-LTS-SP1(2.14.0):受影响
7.openEuler-22.03-LTS-SP2(2.14.0):受影响
8.openEuler-22.03-LTS-SP3:受影响
9.openEuler-24.03-LTS:不受影响
10.openEuler-24.03-LTS-Next:不受影响

修复是否涉及abi变化(是/否):
1.master(2.15.0):否
2.openEuler-20.03-LTS-SP1:否
3.openEuler-20.03-LTS-SP4:否
4.openEuler-22.03-LTS(2.14.0):否
5.openEuler-22.03-LTS-Next(2.14.0):否
6.openEuler-22.03-LTS-SP1(2.14.0):否
7.openEuler-22.03-LTS-SP2(2.14.0):否
8.openEuler-22.03-LTS-SP3:否
9.openEuler-24.03-LTS:否

@ 经过 cve-manager 解析, 已分析的内容如下表所示:

状态 需分析 内容
已分析 1.影响性分析说明 恶意制作的 HTTP/2 数据流会导致 HPACK 解码器的 CPU 消耗过多,足以通过少量小请求造成拒绝服务。
已分析 2.openEulerScore 7.5
已分析 3.openEulerVector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
已分析 4.受影响版本排查 openEuler-22.03-LTS:受影响,openEuler-22.03-LTS-Next:受影响,openEuler-22.03-LTS-SP1:受影响,openEuler-22.03-LTS-SP2:受影响,openEuler-22.03-LTS-SP3:受影响,master:不受影响,openEuler-20.03-LTS-SP1:不受影响,openEuler-20.03-LTS-SP4:不受影响,openEuler-24.03-LTS:不受影响,openEuler-24.03-LTS-Next:不受影响
已分析 5.修复是否涉及abi变化 master:否,openEuler-20.03-LTS-SP1:否,openEuler-20.03-LTS-SP4:否,openEuler-22.03-LTS:否,openEuler-22.03-LTS-Next:否,openEuler-22.03-LTS-SP1:否,openEuler-22.03-LTS-SP2:否,openEuler-22.03-LTS-SP3:否,openEuler-24.03-LTS:否

请确认分析内容的准确性, 确认无误后, 您可以进行后续步骤, 否则您可以继续分析.

5329419 openeuler ci bot 1632792936
openeuler-ci-bot changed description
TD北岸花园 throughsrc-openeuler/skopeo Pull Request !75 changed issue state from 待办的 to 已完成

@haomintsai ,@lifeng_isula ,@haozi007 ,@LeonZhang ,@flyflyflypeng ,@TD北岸花园
关闭issue前,需要将受影响的分支在合并pr时关联上当前issue编号: #I90BQX:CVE-2022-41723
受影响分支: openEuler-22.03-LTS/openEuler-22.03-LTS-SP1
具体操作参考: https://gitee.com/help/articles/4142

5329419 openeuler ci bot 1632792936
openeuler-ci-bot changed issue state from 已完成 to 待办的
5329419 openeuler ci bot 1632792936
openeuler-ci-bot removed
 
CVE/UNFIXED
label
5329419 openeuler ci bot 1632792936
openeuler-ci-bot removed
 
sig/sig-CloudNative
label
5329419 openeuler ci bot 1632792936
openeuler-ci-bot added
 
CVE/UNFIXED
label
5329419 openeuler ci bot 1632792936
openeuler-ci-bot added
 
sig/sig-CloudNative
label
TD北岸花园 throughsrc-openeuler/skopeo Pull Request !74 changed issue state from 待办的 to 已完成
5329419 openeuler ci bot 1632792936
openeuler-ci-bot changed issue state from 已完成 to 待办的

@haomintsai ,@lifeng_isula ,@haozi007 ,@LeonZhang ,@flyflyflypeng ,@TD北岸花园
关闭issue前,需要将受影响的分支在合并pr时关联上当前issue编号: #I90BQX:CVE-2022-41723
受影响分支: openEuler-22.03-LTS-SP1
具体操作参考: https://gitee.com/help/articles/4142

5329419 openeuler ci bot 1632792936
openeuler-ci-bot removed
 
CVE/UNFIXED
label
5329419 openeuler ci bot 1632792936
openeuler-ci-bot removed
 
sig/sig-CloudNative
label
5329419 openeuler ci bot 1632792936
openeuler-ci-bot added
 
CVE/UNFIXED
label
5329419 openeuler ci bot 1632792936
openeuler-ci-bot added
 
sig/sig-CloudNative
label
5329419 openeuler ci bot 1632792936
openeuler-ci-bot changed description
5329419 openeuler ci bot 1632792936
openeuler-ci-bot changed start time from 2024-02-11 to 2024-04-12
5329419 openeuler ci bot 1632792936
openeuler-ci-bot changed deadline from 2024-02-25 to 2024-04-26
5329419 openeuler ci bot 1632792936
openeuler-ci-bot changed description
9955434 jianli 97 1670462542
lijian throughsrc-openeuler/skopeo Pull Request !79 changed issue state from 待办的 to 已完成
5329419 openeuler ci bot 1632792936
openeuler-ci-bot removed
 
CVE/UNFIXED
label
5329419 openeuler ci bot 1632792936
openeuler-ci-bot removed
 
sig/sig-CloudNative
label
5329419 openeuler ci bot 1632792936
openeuler-ci-bot added
 
CVE/FIXED
label
5329419 openeuler ci bot 1632792936
openeuler-ci-bot added
 
sig/sig-CloudNative
label
5329419 openeuler ci bot 1632792936
openeuler-ci-bot changed description

Sign in to comment

Status
Assignees
Labels
CVE/FIXED
sig/sig-CloudNative
Projects
Unprojected
Unprojected
Milestones
No related milestones
No related milestones
Pull Requests
None yet
None yet
Successfully merging a pull request will close this issue.
Branches
No related branch
Branches (24)
Tags (17)
master
openEuler-22.03-LTS
openEuler-22.03-LTS-Next
openEuler-22.03-LTS-SP4
openEuler-22.03-LTS-SP1
openEuler-22.03-LTS-SP2
openEuler-22.03-LTS-SP3
openEuler-24.03-LTS-Next
openEuler-24.03-LTS
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP4
openEuler-20.03-LTS-SP3
openEuler-23.09
openEuler-23.03
openEuler-22.09
openEuler-20.09
openEuler-21.03
openEuler-21.09
openEuler-20.03-LTS
openEuler-20.03-LTS-SP2
openEuler-20.03-LTS-Next
sync-pr16-master-to-openEuler-20.09
openEuler1.0
openEuler1.0-base
openEuler-22.03-LTS-SP3-release
openEuler-23.09-rc5
openEuler-22.03-LTS-SP1-release
openEuler-22.09-release
openEuler-22.09-rc5
openEuler-22.09-20220829
openEuler-22.03-LTS-20220331
openEuler-22.03-LTS-round5
openEuler-22.03-LTS-round3
openEuler-22.03-LTS-round2
openEuler-22.03-LTS-round1
openEuler-20.03-LTS-SP3-release
openEuler-20.03-LTS-SP2-20210624
openEuler-21.03-20210330
openEuler-20.09-20200929
openEuler-20.03-LTS-20200606
openEuler-20.03-LTS-tag
Planed to start   -   Planed to end
-
Top level
Not Top
Top Level: High
Top Level: Medium
Top Level: Low
Priority
Not specified
Serious
Main
Secondary
Unimportant
Duration (hours)
参与者(4)
5329419 openeuler ci bot 1632792936
1
https://gitee.com/src-openeuler/skopeo.git
git@gitee.com:src-openeuler/skopeo.git
src-openeuler
skopeo
skopeo
Going to Help Center

Search

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
Repository Report
Back to the top