An update for protobuf is now available for openEuler-24.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1144 Final 1.0 1.0 2025-02-21 Initial 2025-02-21 2025-02-21 openEuler SA Tool V1.0 2025-02-21 protobuf security update An update for protobuf is now available for openEuler-24.03-LTS Protocol Buffers (a.k.a., protobuf) are Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data. You can find protobuf's documentation on the Google Developers site. Security Fix(es): Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.(CVE-2024-7254) An update for protobuf is now available for openEuler-24.03-LTS. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High protobuf https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1144 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-7254 https://nvd.nist.gov/vuln/detail/CVE-2024-7254 openEuler-24.03-LTS protobuf-25.1-7.oe2403.src.rpm protobuf-25.1-7.oe2403.x86_64.rpm protobuf-compiler-25.1-7.oe2403.x86_64.rpm protobuf-debuginfo-25.1-7.oe2403.x86_64.rpm protobuf-debugsource-25.1-7.oe2403.x86_64.rpm protobuf-devel-25.1-7.oe2403.x86_64.rpm protobuf-lite-25.1-7.oe2403.x86_64.rpm protobuf-lite-devel-25.1-7.oe2403.x86_64.rpm protobuf-bom-25.1-7.oe2403.noarch.rpm protobuf-java-25.1-7.oe2403.noarch.rpm protobuf-java-util-25.1-7.oe2403.noarch.rpm protobuf-javadoc-25.1-7.oe2403.noarch.rpm protobuf-javalite-25.1-7.oe2403.noarch.rpm protobuf-parent-25.1-7.oe2403.noarch.rpm python3-protobuf-25.1-7.oe2403.noarch.rpm protobuf-25.1-7.oe2403.aarch64.rpm protobuf-compiler-25.1-7.oe2403.aarch64.rpm protobuf-debuginfo-25.1-7.oe2403.aarch64.rpm protobuf-debugsource-25.1-7.oe2403.aarch64.rpm protobuf-devel-25.1-7.oe2403.aarch64.rpm protobuf-lite-25.1-7.oe2403.aarch64.rpm protobuf-lite-devel-25.1-7.oe2403.aarch64.rpm Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker. 2025-02-21 CVE-2024-7254 openEuler-24.03-LTS High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H protobuf security update 2025-02-21 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1144