File _patchinfo of Package patchinfo.36071

<patchinfo incident="36071">
  <issue tracker="bnc" id="1095184">update etcd to version used in CaaSP</issue>
  <issue tracker="bnc" id="1118897">VUL-0: CVE-2018-16873: go: cmd/go: remote command execution</issue>
  <issue tracker="bnc" id="1118898">VUL-0: CVE-2018-16874: go: cmd/go: directory traversal</issue>
  <issue tracker="bnc" id="1118899">VUL-0: CVE-2018-16875: go: crypto/x509: CPU denial of service</issue>
  <issue tracker="bnc" id="1121850">VUL-0: CVE-2018-16886: etcd: Improper authentication issue when RBAC and client-cert-auth is enabled</issue>
  <issue tracker="bnc" id="1174951">VUL-0: CVE-2020-15106,CVE-2020-15112: etcd: a large slice causes panic in decodeRecord method and improper checks in entry index</issue>
  <issue tracker="bnc" id="1181400">AUDIT-TASK: Evaluate systemd hardenings and get more services to use them</issue>
  <issue tracker="bnc" id="1183703">etcd not starting via systemd</issue>
  <issue tracker="bnc" id="1199031">AUDIT-FIND: etcd: static tmp directory in openSUSE packaging helper</issue>
  <issue tracker="bnc" id="1208270">VUL-0: TRACKERBUG: CVE-2022-41723: go1.19,go1.20: net/http: avoid quadratic complexity in HPACK decoding</issue>
  <issue tracker="bnc" id="1208297">VUL-0: CVE-2022-41723: etcd: go1.19,go1.20: net/http: avoid quadratic complexity in HPACK decoding</issue>
  <issue tracker="bnc" id="1210138">VUL-0: CVE-2021-28235: etcd: Information disclosure via debug function</issue>
  <issue tracker="bnc" id="1213229">VUL-0: CVE-2023-29406: go1.19,go1.20: net/http: insufficient sanitization of Host header</issue>
  <issue tracker="bnc" id="1217070">VUL-0: CVE-2023-47108: TRACKERBUG: otelgrpc: DoS vulnerability in otelgrpc (uncontrolled resource consumption) due to unbound cardinality metrics</issue>
  <issue tracker="bnc" id="1217950">VUL-0: CVE-2023-48795: openssh: prefix truncation breaking ssh channel integrity aka Terrapin Attack</issue>
  <issue tracker="bnc" id="1218150">VUL-0: CVE-2023-48795: golang.org/x/crypto/ssh: prefix truncation breaking ssh channel integrity</issue>
  <issue tracker="cve" id="2018-16873"/>
  <issue tracker="cve" id="2018-16874"/>
  <issue tracker="cve" id="2018-16875"/>
  <issue tracker="cve" id="2018-16886"/>
  <issue tracker="cve" id="2020-15106"/>
  <issue tracker="cve" id="2020-15112"/>
  <issue tracker="cve" id="2021-28235"/>
  <issue tracker="cve" id="2022-41723"/>
  <issue tracker="cve" id="2023-29406"/>
  <issue tracker="cve" id="2023-47108"/>
  <issue tracker="cve" id="2023-48795"/>
  <packager>psaggu</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for etcd</summary>
  <description>This update for etcd fixes the following issues:

Update to version 3.5.12:

Security fixes:

- CVE-2018-16873: Fixed remote command execution in cmd/go (bsc#1118897)
- CVE-2018-16874: Fixed directory traversal in cmd/go (bsc#1118898)
- CVE-2018-16875: Fixed CPU denial of service in crypto/x509 (bsc#1118899)
- CVE-2018-16886: Fixed improper authentication issue when RBAC and client-cert-auth is enabled (bsc#1121850)
- CVE-2020-15106: Fixed panic in decodeRecord method (bsc#1174951)
- CVE-2020-15112: Fixed improper checks in entry index (bsc#1174951)
- CVE-2021-28235: Fixed information disclosure via debug function (bsc#1210138)
- CVE-2022-41723: Fixed quadratic complexity in HPACK decoding in net/http (bsc#1208270, bsc#1208297)
- CVE-2023-29406: Fixed insufficient sanitization of Host header in go net/http (bsc#1213229)
- CVE-2023-47108: Fixed DoS vulnerability in otelgrpc (bsc#1217070)
- CVE-2023-48795: Fixed prefix truncation breaking ssh channel integrity (aka Terrapin Attack) in crypto/ssh (bsc#1217950, bsc#1218150)

Other changes:

- Added hardening to systemd service(s) (bsc#1181400)
- Fixed static /tmp file issue (bsc#1199031)
- Fixed systemd service not starting (bsc#1183703)

Full changelog:

https://github.com/etcd-io/etcd/compare/v3.3.1...v3.5.12
</description>
</patchinfo>