{"schema_version":"1.7.2","id":"OESA-2022-2012","modified":"2022-10-21T11:04:27Z","published":"2022-10-21T11:04:27Z","upstream":["CVE-2022-1941","CVE-2022-3171"],"summary":"protobuf security update","details":"\r\n\r\nSecurity Fix(es):\r\n\r\nA parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.(CVE-2022-1941)\r\n\r\nA parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. \nWe recommend updating to the versions mentioned above.(CVE-2022-3171)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS","name":"protobuf","purl":"pkg:rpm/openEuler/protobuf\u0026distro=openEuler-22.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.14.0-6.oe2203"}]}],"ecosystem_specific":{"aarch64":["protobuf-debugsource-3.14.0-6.oe2203.aarch64.rpm","protobuf-lite-3.14.0-6.oe2203.aarch64.rpm","protobuf-lite-devel-3.14.0-6.oe2203.aarch64.rpm","protobuf-debuginfo-3.14.0-6.oe2203.aarch64.rpm","protobuf-compiler-3.14.0-6.oe2203.aarch64.rpm","protobuf-3.14.0-6.oe2203.aarch64.rpm","protobuf-devel-3.14.0-6.oe2203.aarch64.rpm"],"noarch":["protobuf-java-3.14.0-6.oe2203.noarch.rpm","python3-protobuf-3.14.0-6.oe2203.noarch.rpm","protobuf-javalite-3.14.0-6.oe2203.noarch.rpm","protobuf-parent-3.14.0-6.oe2203.noarch.rpm","protobuf-java-util-3.14.0-6.oe2203.noarch.rpm","protobuf-javadoc-3.14.0-6.oe2203.noarch.rpm","protobuf-bom-3.14.0-6.oe2203.noarch.rpm"],"src":["protobuf-3.14.0-6.oe2203.src.rpm"],"x86_64":["protobuf-lite-devel-3.14.0-6.oe2203.x86_64.rpm","protobuf-debuginfo-3.14.0-6.oe2203.x86_64.rpm","protobuf-3.14.0-6.oe2203.x86_64.rpm","protobuf-lite-3.14.0-6.oe2203.x86_64.rpm","protobuf-compiler-3.14.0-6.oe2203.x86_64.rpm","protobuf-devel-3.14.0-6.oe2203.x86_64.rpm","protobuf-debugsource-3.14.0-6.oe2203.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2012"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-1941"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-3171"}],"database_specific":{"severity":"High"}}