{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"High" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"brotli security update", "category":"general", "title":"Synopsis" }, { "text":"An update for brotli is now available for openEuler-24.03-LTS-SP1", "category":"general", "title":"Summary" }, { "text":"Brotli is a generic-purpose lossless compression algorithm that compresses data using a combination of a modern variant of the LZ77 algorithm, Huffman coding and 2nd order context modeling, with a compression ratio comparable to the best currently available general-purpose compression methods. It is similar in speed with deflate but offers more dense compression.\n\nSecurity Fix(es):\n\nScrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression.(CVE-2025-6176)", "category":"general", "title":"Description" }, { "text":"An update for brotli is now available for openEuler-24.03-LTS-SP1.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"High", "category":"general", "title":"Severity" }, { "text":"brotli", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2025-2645", "category":"self", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2645" }, { "summary":"CVE-2025-6176", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-6176&packageName=brotli" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6176" }, { "summary":"openEuler-SA-2025-2645 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2025/csaf-openEuler-SA-2025-2645.json" } ], "title":"An update for brotli is now available for openEuler-24.03-LTS-SP1", "tracking":{ "initial_release_date":"2025-11-12T14:57:10+08:00", "revision_history":[ { "date":"2025-11-12T14:57:10+08:00", "summary":"Initial", "number":"1.0.0" } ], "generator":{ "date":"2025-11-12T14:57:10+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2025-11-12T14:57:10+08:00", "id":"openEuler-SA-2025-2645", "version":"1.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"openEuler-24.03-LTS-SP1", "name":"openEuler-24.03-LTS-SP1" }, "name":"openEuler-24.03-LTS-SP1", "category":"product_version" } ], "category":"product_name" }, { "name":"aarch64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"brotli-1.1.0-2.oe2403sp1.aarch64.rpm", "name":"brotli-1.1.0-2.oe2403sp1.aarch64.rpm" }, "name":"brotli-1.1.0-2.oe2403sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"brotli-debuginfo-1.1.0-2.oe2403sp1.aarch64.rpm", "name":"brotli-debuginfo-1.1.0-2.oe2403sp1.aarch64.rpm" }, "name":"brotli-debuginfo-1.1.0-2.oe2403sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"brotli-debugsource-1.1.0-2.oe2403sp1.aarch64.rpm", "name":"brotli-debugsource-1.1.0-2.oe2403sp1.aarch64.rpm" }, "name":"brotli-debugsource-1.1.0-2.oe2403sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"brotli-devel-1.1.0-2.oe2403sp1.aarch64.rpm", "name":"brotli-devel-1.1.0-2.oe2403sp1.aarch64.rpm" }, "name":"brotli-devel-1.1.0-2.oe2403sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"python3-brotli-1.1.0-2.oe2403sp1.aarch64.rpm", "name":"python3-brotli-1.1.0-2.oe2403sp1.aarch64.rpm" }, "name":"python3-brotli-1.1.0-2.oe2403sp1.aarch64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"brotli-1.1.0-2.oe2403sp1.src.rpm", "name":"brotli-1.1.0-2.oe2403sp1.src.rpm" }, "name":"brotli-1.1.0-2.oe2403sp1.src.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"x86_64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"brotli-1.1.0-2.oe2403sp1.x86_64.rpm", "name":"brotli-1.1.0-2.oe2403sp1.x86_64.rpm" }, "name":"brotli-1.1.0-2.oe2403sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"brotli-debuginfo-1.1.0-2.oe2403sp1.x86_64.rpm", "name":"brotli-debuginfo-1.1.0-2.oe2403sp1.x86_64.rpm" }, "name":"brotli-debuginfo-1.1.0-2.oe2403sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"brotli-debugsource-1.1.0-2.oe2403sp1.x86_64.rpm", "name":"brotli-debugsource-1.1.0-2.oe2403sp1.x86_64.rpm" }, "name":"brotli-debugsource-1.1.0-2.oe2403sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"brotli-devel-1.1.0-2.oe2403sp1.x86_64.rpm", "name":"brotli-devel-1.1.0-2.oe2403sp1.x86_64.rpm" }, "name":"brotli-devel-1.1.0-2.oe2403sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"python3-brotli-1.1.0-2.oe2403sp1.x86_64.rpm", "name":"python3-brotli-1.1.0-2.oe2403sp1.x86_64.rpm" }, "name":"python3-brotli-1.1.0-2.oe2403sp1.x86_64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"brotli-help-1.1.0-2.oe2403sp1.noarch.rpm", "name":"brotli-help-1.1.0-2.oe2403sp1.noarch.rpm" }, "name":"brotli-help-1.1.0-2.oe2403sp1.noarch.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"brotli-1.1.0-2.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:brotli-1.1.0-2.oe2403sp1.aarch64", "name":"brotli-1.1.0-2.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"brotli-debuginfo-1.1.0-2.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:brotli-debuginfo-1.1.0-2.oe2403sp1.aarch64", "name":"brotli-debuginfo-1.1.0-2.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"brotli-debugsource-1.1.0-2.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:brotli-debugsource-1.1.0-2.oe2403sp1.aarch64", "name":"brotli-debugsource-1.1.0-2.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"brotli-devel-1.1.0-2.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:brotli-devel-1.1.0-2.oe2403sp1.aarch64", "name":"brotli-devel-1.1.0-2.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"python3-brotli-1.1.0-2.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:python3-brotli-1.1.0-2.oe2403sp1.aarch64", "name":"python3-brotli-1.1.0-2.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"brotli-1.1.0-2.oe2403sp1.src.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:brotli-1.1.0-2.oe2403sp1.src", "name":"brotli-1.1.0-2.oe2403sp1.src as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"brotli-1.1.0-2.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:brotli-1.1.0-2.oe2403sp1.x86_64", "name":"brotli-1.1.0-2.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"brotli-debuginfo-1.1.0-2.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:brotli-debuginfo-1.1.0-2.oe2403sp1.x86_64", "name":"brotli-debuginfo-1.1.0-2.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"brotli-debugsource-1.1.0-2.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:brotli-debugsource-1.1.0-2.oe2403sp1.x86_64", "name":"brotli-debugsource-1.1.0-2.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"brotli-devel-1.1.0-2.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:brotli-devel-1.1.0-2.oe2403sp1.x86_64", "name":"brotli-devel-1.1.0-2.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"python3-brotli-1.1.0-2.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:python3-brotli-1.1.0-2.oe2403sp1.x86_64", "name":"python3-brotli-1.1.0-2.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"brotli-help-1.1.0-2.oe2403sp1.noarch.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:brotli-help-1.1.0-2.oe2403sp1.noarch", "name":"brotli-help-1.1.0-2.oe2403sp1.noarch as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2025-6176", "notes":[ { "text":"Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS-SP1:brotli-1.1.0-2.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:brotli-debuginfo-1.1.0-2.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:brotli-debugsource-1.1.0-2.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:brotli-devel-1.1.0-2.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:python3-brotli-1.1.0-2.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:brotli-1.1.0-2.oe2403sp1.src", "openEuler-24.03-LTS-SP1:brotli-1.1.0-2.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:brotli-debuginfo-1.1.0-2.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:brotli-debugsource-1.1.0-2.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:brotli-devel-1.1.0-2.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:python3-brotli-1.1.0-2.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:brotli-help-1.1.0-2.oe2403sp1.noarch" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS-SP1:brotli-1.1.0-2.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:brotli-debuginfo-1.1.0-2.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:brotli-debugsource-1.1.0-2.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:brotli-devel-1.1.0-2.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:python3-brotli-1.1.0-2.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:brotli-1.1.0-2.oe2403sp1.src", "openEuler-24.03-LTS-SP1:brotli-1.1.0-2.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:brotli-debuginfo-1.1.0-2.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:brotli-debugsource-1.1.0-2.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:brotli-devel-1.1.0-2.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:python3-brotli-1.1.0-2.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:brotli-help-1.1.0-2.oe2403sp1.noarch" ], "details":"brotli security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2645" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":7.5, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version":"3.1" }, "products":[ "openEuler-24.03-LTS-SP1:brotli-1.1.0-2.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:brotli-debuginfo-1.1.0-2.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:brotli-debugsource-1.1.0-2.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:brotli-devel-1.1.0-2.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:python3-brotli-1.1.0-2.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:brotli-1.1.0-2.oe2403sp1.src", "openEuler-24.03-LTS-SP1:brotli-1.1.0-2.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:brotli-debuginfo-1.1.0-2.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:brotli-debugsource-1.1.0-2.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:brotli-devel-1.1.0-2.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:python3-brotli-1.1.0-2.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:brotli-help-1.1.0-2.oe2403sp1.noarch" ] } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2025-6176" } ] }