Security update for envoy-proxy SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2022:0065-1 Final 1 1 2022-03-02T16:51:20Z current 2022-03-02T16:51:20Z 2022-03-02T16:51:20Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for envoy-proxy This update for envoy-proxy fixes the following issues: Update to 1.14.6: - CVE-2020-35471: Fixed a denial of service via dropped and truncated UDP datagrams (boo#1180121). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2022-65 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WUFXLLYPEPLGLE3CNOENBUDET76YJXPI/ E-Mail link for openSUSE-SU-2022:0065-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1167073 SUSE Bug 1167073 https://bugzilla.suse.com/1173559 SUSE Bug 1173559 https://bugzilla.suse.com/1180121 SUSE Bug 1180121 https://www.suse.com/security/cve/CVE-2020-12603/ SUSE CVE CVE-2020-12603 page https://www.suse.com/security/cve/CVE-2020-12604/ SUSE CVE CVE-2020-12604 page https://www.suse.com/security/cve/CVE-2020-12605/ SUSE CVE CVE-2020-12605 page https://www.suse.com/security/cve/CVE-2020-35471/ SUSE CVE CVE-2020-35471 page https://www.suse.com/security/cve/CVE-2020-8663/ SUSE CVE CVE-2020-8663 page SUSE Package Hub 15 SP3 openSUSE Leap 15.3 envoy-proxy-1.14.6-bp153.3.4.1 envoy-proxy-source-1.14.6-bp153.3.4.1 envoy-proxy-1.14.6-bp153.3.4.1 as a component of SUSE Package Hub 15 SP3 envoy-proxy-source-1.14.6-bp153.3.4.1 as a component of SUSE Package Hub 15 SP3 envoy-proxy-1.14.6-bp153.3.4.1 as a component of openSUSE Leap 15.3 envoy-proxy-source-1.14.6-bp153.3.4.1 as a component of openSUSE Leap 15.3 Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may consume excessive amounts of memory when proxying HTTP/2 requests or responses with many small (i.e. 1 byte) data frames. CVE-2020-12603 SUSE Package Hub 15 SP3:envoy-proxy-1.14.6-bp153.3.4.1 SUSE Package Hub 15 SP3:envoy-proxy-source-1.14.6-bp153.3.4.1 openSUSE Leap 15.3:envoy-proxy-1.14.6-bp153.3.4.1 openSUSE Leap 15.3:envoy-proxy-source-1.14.6-bp153.3.4.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WUFXLLYPEPLGLE3CNOENBUDET76YJXPI/ https://www.suse.com/security/cve/CVE-2020-12603.html CVE-2020-12603 https://bugzilla.suse.com/1173559 SUSE Bug 1173559 Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier is susceptible to increased memory usage in the case where an HTTP/2 client requests a large payload but does not send enough window updates to consume the entire stream and does not reset the stream. CVE-2020-12604 SUSE Package Hub 15 SP3:envoy-proxy-1.14.6-bp153.3.4.1 SUSE Package Hub 15 SP3:envoy-proxy-source-1.14.6-bp153.3.4.1 openSUSE Leap 15.3:envoy-proxy-1.14.6-bp153.3.4.1 openSUSE Leap 15.3:envoy-proxy-source-1.14.6-bp153.3.4.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WUFXLLYPEPLGLE3CNOENBUDET76YJXPI/ https://www.suse.com/security/cve/CVE-2020-12604.html CVE-2020-12604 https://bugzilla.suse.com/1173559 SUSE Bug 1173559 Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may consume excessive amounts of memory when processing HTTP/1.1 headers with long field names or requests with long URLs. CVE-2020-12605 SUSE Package Hub 15 SP3:envoy-proxy-1.14.6-bp153.3.4.1 SUSE Package Hub 15 SP3:envoy-proxy-source-1.14.6-bp153.3.4.1 openSUSE Leap 15.3:envoy-proxy-1.14.6-bp153.3.4.1 openSUSE Leap 15.3:envoy-proxy-source-1.14.6-bp153.3.4.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WUFXLLYPEPLGLE3CNOENBUDET76YJXPI/ https://www.suse.com/security/cve/CVE-2020-12605.html CVE-2020-12605 https://bugzilla.suse.com/1173559 SUSE Bug 1173559 Envoy before 1.16.1 mishandles dropped and truncated datagrams, as demonstrated by a segmentation fault for a UDP packet size larger than 1500. CVE-2020-35471 SUSE Package Hub 15 SP3:envoy-proxy-1.14.6-bp153.3.4.1 SUSE Package Hub 15 SP3:envoy-proxy-source-1.14.6-bp153.3.4.1 openSUSE Leap 15.3:envoy-proxy-1.14.6-bp153.3.4.1 openSUSE Leap 15.3:envoy-proxy-source-1.14.6-bp153.3.4.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WUFXLLYPEPLGLE3CNOENBUDET76YJXPI/ https://www.suse.com/security/cve/CVE-2020-35471.html CVE-2020-35471 https://bugzilla.suse.com/1180121 SUSE Bug 1180121 Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may exhaust file descriptors and/or memory when accepting too many connections. CVE-2020-8663 SUSE Package Hub 15 SP3:envoy-proxy-1.14.6-bp153.3.4.1 SUSE Package Hub 15 SP3:envoy-proxy-source-1.14.6-bp153.3.4.1 openSUSE Leap 15.3:envoy-proxy-1.14.6-bp153.3.4.1 openSUSE Leap 15.3:envoy-proxy-source-1.14.6-bp153.3.4.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WUFXLLYPEPLGLE3CNOENBUDET76YJXPI/ https://www.suse.com/security/cve/CVE-2020-8663.html CVE-2020-8663 https://bugzilla.suse.com/1173559 SUSE Bug 1173559