rhsa-2025:7256
Vulnerability from csaf_redhat
Published
2025-05-13 08:49
Modified
2025-08-04 10:14
Summary
Red Hat Security Advisory: git-lfs security update
Notes
Topic
An update for git-lfs is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.
Security Fix(es):
* golang: crypto/tls: panic when processing post-handshake message on QUIC connections (CVE-2023-39321)
* golang: crypto/tls: lack of a limit on buffered post-handshake (CVE-2023-39322)
* golang: net: malformed DNS message can cause infinite loop (CVE-2024-24788)
* golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses (CVE-2024-24790)
* net/http: Denial of service due to improper 100-continue handling in net/http (CVE-2024-24791)
* golang-fips: Golang FIPS zeroed buffer (CVE-2024-9355)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 9 Release Notes linked from the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for git-lfs is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.\n\nSecurity Fix(es):\n\n* golang: crypto/tls: panic when processing post-handshake message on QUIC connections (CVE-2023-39321)\n\n* golang: crypto/tls: lack of a limit on buffered post-handshake (CVE-2023-39322)\n\n* golang: net: malformed DNS message can cause infinite loop (CVE-2024-24788)\n\n* golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses (CVE-2024-24790)\n\n* net/http: Denial of service due to improper 100-continue handling in net/http (CVE-2024-24791)\n\n* golang-fips: Golang FIPS zeroed buffer (CVE-2024-9355)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 9 Release Notes linked from the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:7256",
"url": "https://access.redhat.com/errata/RHSA-2025:7256"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/9.6_release_notes/index",
"url": "https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/9.6_release_notes/index"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2237777",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2237777"
},
{
"category": "external",
"summary": "2237778",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2237778"
},
{
"category": "external",
"summary": "2279814",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2279814"
},
{
"category": "external",
"summary": "2292787",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2292787"
},
{
"category": "external",
"summary": "2295310",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295310"
},
{
"category": "external",
"summary": "2315719",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_7256.json"
}
],
"title": "Red Hat Security Advisory: git-lfs security update",
"tracking": {
"current_release_date": "2025-08-04T10:14:34+00:00",
"generator": {
"date": "2025-08-04T10:14:34+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.6"
}
},
"id": "RHSA-2025:7256",
"initial_release_date": "2025-05-13T08:49:39+00:00",
"revision_history": [
{
"date": "2025-05-13T08:49:39+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-05-13T08:49:39+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-08-04T10:14:34+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.6.1-1.el9.src",
"product": {
"name": "git-lfs-0:3.6.1-1.el9.src",
"product_id": "git-lfs-0:3.6.1-1.el9.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.6.1-1.el9?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.6.1-1.el9.aarch64",
"product": {
"name": "git-lfs-0:3.6.1-1.el9.aarch64",
"product_id": "git-lfs-0:3.6.1-1.el9.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.6.1-1.el9?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debugsource-0:3.6.1-1.el9.aarch64",
"product": {
"name": "git-lfs-debugsource-0:3.6.1-1.el9.aarch64",
"product_id": "git-lfs-debugsource-0:3.6.1-1.el9.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debugsource@3.6.1-1.el9?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debuginfo-0:3.6.1-1.el9.aarch64",
"product": {
"name": "git-lfs-debuginfo-0:3.6.1-1.el9.aarch64",
"product_id": "git-lfs-debuginfo-0:3.6.1-1.el9.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@3.6.1-1.el9?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.6.1-1.el9.ppc64le",
"product": {
"name": "git-lfs-0:3.6.1-1.el9.ppc64le",
"product_id": "git-lfs-0:3.6.1-1.el9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.6.1-1.el9?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debugsource-0:3.6.1-1.el9.ppc64le",
"product": {
"name": "git-lfs-debugsource-0:3.6.1-1.el9.ppc64le",
"product_id": "git-lfs-debugsource-0:3.6.1-1.el9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debugsource@3.6.1-1.el9?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debuginfo-0:3.6.1-1.el9.ppc64le",
"product": {
"name": "git-lfs-debuginfo-0:3.6.1-1.el9.ppc64le",
"product_id": "git-lfs-debuginfo-0:3.6.1-1.el9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@3.6.1-1.el9?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.6.1-1.el9.x86_64",
"product": {
"name": "git-lfs-0:3.6.1-1.el9.x86_64",
"product_id": "git-lfs-0:3.6.1-1.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.6.1-1.el9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debugsource-0:3.6.1-1.el9.x86_64",
"product": {
"name": "git-lfs-debugsource-0:3.6.1-1.el9.x86_64",
"product_id": "git-lfs-debugsource-0:3.6.1-1.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debugsource@3.6.1-1.el9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debuginfo-0:3.6.1-1.el9.x86_64",
"product": {
"name": "git-lfs-debuginfo-0:3.6.1-1.el9.x86_64",
"product_id": "git-lfs-debuginfo-0:3.6.1-1.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@3.6.1-1.el9?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.6.1-1.el9.s390x",
"product": {
"name": "git-lfs-0:3.6.1-1.el9.s390x",
"product_id": "git-lfs-0:3.6.1-1.el9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.6.1-1.el9?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debugsource-0:3.6.1-1.el9.s390x",
"product": {
"name": "git-lfs-debugsource-0:3.6.1-1.el9.s390x",
"product_id": "git-lfs-debugsource-0:3.6.1-1.el9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debugsource@3.6.1-1.el9?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debuginfo-0:3.6.1-1.el9.s390x",
"product": {
"name": "git-lfs-debuginfo-0:3.6.1-1.el9.s390x",
"product_id": "git-lfs-debuginfo-0:3.6.1-1.el9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@3.6.1-1.el9?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.6.1-1.el9.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.aarch64"
},
"product_reference": "git-lfs-0:3.6.1-1.el9.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.6.1-1.el9.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.ppc64le"
},
"product_reference": "git-lfs-0:3.6.1-1.el9.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.6.1-1.el9.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.s390x"
},
"product_reference": "git-lfs-0:3.6.1-1.el9.s390x",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.6.1-1.el9.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.src"
},
"product_reference": "git-lfs-0:3.6.1-1.el9.src",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.6.1-1.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.x86_64"
},
"product_reference": "git-lfs-0:3.6.1-1.el9.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debuginfo-0:3.6.1-1.el9.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.aarch64"
},
"product_reference": "git-lfs-debuginfo-0:3.6.1-1.el9.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debuginfo-0:3.6.1-1.el9.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.ppc64le"
},
"product_reference": "git-lfs-debuginfo-0:3.6.1-1.el9.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debuginfo-0:3.6.1-1.el9.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.s390x"
},
"product_reference": "git-lfs-debuginfo-0:3.6.1-1.el9.s390x",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debuginfo-0:3.6.1-1.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.x86_64"
},
"product_reference": "git-lfs-debuginfo-0:3.6.1-1.el9.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debugsource-0:3.6.1-1.el9.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.aarch64"
},
"product_reference": "git-lfs-debugsource-0:3.6.1-1.el9.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debugsource-0:3.6.1-1.el9.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.ppc64le"
},
"product_reference": "git-lfs-debugsource-0:3.6.1-1.el9.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debugsource-0:3.6.1-1.el9.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.s390x"
},
"product_reference": "git-lfs-debugsource-0:3.6.1-1.el9.s390x",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debugsource-0:3.6.1-1.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.x86_64"
},
"product_reference": "git-lfs-debugsource-0:3.6.1-1.el9.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.GA"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Martin Seemann"
]
}
],
"cve": "CVE-2023-39321",
"discovery_date": "2023-09-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2237777"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Golang. Processing an incomplete post-handshake message for a QUIC connection caused a panic.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: crypto/tls: panic when processing post-handshake message on QUIC connections",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.src",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-39321"
},
{
"category": "external",
"summary": "RHBZ#2237777",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2237777"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-39321",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39321"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-39321",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39321"
},
{
"category": "external",
"summary": "https://go.dev/cl/523039",
"url": "https://go.dev/cl/523039"
},
{
"category": "external",
"summary": "https://go.dev/issue/62266",
"url": "https://go.dev/issue/62266"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ",
"url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ"
},
{
"category": "external",
"summary": "https://vuln.go.dev/ID/GO-2023-2044.json",
"url": "https://vuln.go.dev/ID/GO-2023-2044.json"
}
],
"release_date": "2023-09-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-05-13T08:49:39+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.src",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:7256"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.src",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: crypto/tls: panic when processing post-handshake message on QUIC connections"
},
{
"acknowledgments": [
{
"names": [
"Marten Seemann"
]
}
],
"cve": "CVE-2023-39322",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-09-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2237778"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Golang. QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With the fix, connections now consistently reject messages larger than 65KiB in size.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: crypto/tls: lack of a limit on buffered post-handshake",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.src",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-39322"
},
{
"category": "external",
"summary": "RHBZ#2237778",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2237778"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-39322",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39322"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-39322",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39322"
},
{
"category": "external",
"summary": "https://go.dev/cl/523039",
"url": "https://go.dev/cl/523039"
},
{
"category": "external",
"summary": "https://go.dev/issue/62266",
"url": "https://go.dev/issue/62266"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ",
"url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ"
},
{
"category": "external",
"summary": "https://vuln.go.dev/ID/GO-2023-2045.json",
"url": "https://vuln.go.dev/ID/GO-2023-2045.json"
}
],
"release_date": "2023-09-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-05-13T08:49:39+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.src",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:7256"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.src",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: crypto/tls: lack of a limit on buffered post-handshake"
},
{
"acknowledgments": [
{
"names": [
"David Benoit"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2024-9355",
"cwe": {
"id": "CWE-457",
"name": "Use of Uninitialized Variable"
},
"discovery_date": "2024-09-30T17:51:17.811000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2315719"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.\u00a0 It is also possible to force a derived key to be all zeros instead of an unpredictable value.\u00a0 This may have follow-on implications for the Go TLS stack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang-fips: Golang FIPS zeroed buffer",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue is specific to the Go language and only affects the test code in cri-o and conmon, not the production code. Since both projects use Go exclusively for testing purposes, this issue does not impact their production environment. Therefore, cri-o and conmon are not affected by this vulnerability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.src",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-9355"
},
{
"category": "external",
"summary": "RHBZ#2315719",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-9355",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-9355"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355"
}
],
"release_date": "2024-09-30T20:53:42.833000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-05-13T08:49:39+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.src",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:7256"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.src",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.src",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang-fips: Golang FIPS zeroed buffer"
},
{
"cve": "CVE-2024-24788",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2024-05-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2279814"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net package of the Go stdlib. When a malformed DNS message is received as a response to a query, the Lookup functions within the net package can get stuck in an infinite loop. This issue can lead to resource exhaustion and denial of service (DoS) conditions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net: malformed DNS message can cause infinite loop",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-835: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nThe platform enforces hardening guidelines to ensure the most restrictive setting needed for operational requirements. Event logs are collected and processed for centralization, correlation, analysis, monitoring, reporting, alerting, and retention. This process ensures that audit logs are generated for specific events involving sensitive information, enabling capabilities like excessive CPU usage, long execution times, or processes consuming abnormal amounts of memory. Static code analysis and peer code review techniques are used to execute robust input validation and error-handling mechanisms to ensure all user inputs are thoroughly validated, preventing infinite loops caused by malformed or unexpected input, such as unbounded user input or unexpected null values that cause loops to never terminate. In the event of successful exploitation, process isolation limits the effect of an infinite loop to a single process rather than allowing it to consume all system resources.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.src",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-24788"
},
{
"category": "external",
"summary": "RHBZ#2279814",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2279814"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-24788",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24788"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-24788",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24788"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2024-2824",
"url": "https://pkg.go.dev/vuln/GO-2024-2824"
}
],
"release_date": "2024-05-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-05-13T08:49:39+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.src",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:7256"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.src",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.src",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net: malformed DNS message can cause infinite loop"
},
{
"cve": "CVE-2024-24790",
"cwe": {
"id": "CWE-115",
"name": "Misinterpretation of Input"
},
"discovery_date": "2024-06-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2292787"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Go language standard library net/netip. The method Is*() (IsPrivate(), IsPublic(), etc) doesn\u0027t behave properly when working with IPv6 mapped to IPv4 addresses. The unexpected behavior can lead to integrity and confidentiality issues, specifically when these methods are used to control access to resources or data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This CVE has been marked as moderate as for our products a network-based attack vector is simply impossible when it comes to golang code,apart from that as per CVE flaw analysis reported by golang, this only affects integrity and confidentiality and has no effect on availability, hence CVSS has been marked as such.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-115: Misinterpretation of Input vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nControls such as input validation and error handling mitigate input misinterpretation risks by enforcing strict validation rules and secure error management. Error handling ensures inputs are validated against predefined formats, preventing malformed data from being misinterpreted. Techniques like strong typing, allow listing, and proper encoding reduce the likelihood of injection attacks and unintended code execution. Input validation also ensures that errors do not expose sensitive system details or cause unpredictable behavior. Secure error handling prevents information leakage through detailed error messages while preserving system stability under malformed input conditions. Together, these controls reduce the attack surface by maintaining consistent input processing and preventing exploitable system states, strengthening the overall security posture.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.src",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-24790"
},
{
"category": "external",
"summary": "RHBZ#2292787",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2292787"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-24790",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24790"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-24790",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24790"
}
],
"release_date": "2024-06-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-05-13T08:49:39+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.src",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:7256"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.src",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.src",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses"
},
{
"cve": "CVE-2024-24791",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2024-07-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2295310"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "net/http: Denial of service due to improper 100-continue handling in net/http",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "An attacker would need to control a malicious server and induce a client to connect to it, requiring some amount of preparation outside of the attacker\u0027s control. This reduces the severity score of this flaw to Moderate.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-20: Improper Input Validation vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nRed Hat enforces the principle of least functionality, ensuring that only essential features, services, and ports are enabled. This minimizes the number of components that could be affected by input validation vulnerabilities. Security testing and evaluation standards are implemented within the environment to rigorously test input validation mechanisms during the development lifecycle, while static code analysis identifies potential input validation vulnerabilities by default. Process isolation ensures that processes handling potentially malicious or unvalidated inputs run in isolated environments by separating execution domains for each process. Malicious code protections, such as IPS/IDS and antimalware solutions, help detect and mitigate malicious payloads stemming from input validation vulnerabilities. Finally, robust input validation and error-handling mechanisms ensure all user inputs are thoroughly validated, preventing improperly validated inputs from causing system instability, exposing sensitive data, or escalating risks further.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.src",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-24791"
},
{
"category": "external",
"summary": "RHBZ#2295310",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295310"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-24791",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24791"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-24791",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24791"
},
{
"category": "external",
"summary": "https://go.dev/cl/591255",
"url": "https://go.dev/cl/591255"
},
{
"category": "external",
"summary": "https://go.dev/issue/67555",
"url": "https://go.dev/issue/67555"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ",
"url": "https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ"
}
],
"release_date": "2024-07-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-05-13T08:49:39+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.src",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:7256"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.src",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.src",
"AppStream-9.6.0.GA:git-lfs-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debuginfo-0:3.6.1-1.el9.x86_64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.aarch64",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.ppc64le",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.s390x",
"AppStream-9.6.0.GA:git-lfs-debugsource-0:3.6.1-1.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "net/http: Denial of service due to improper 100-continue handling in net/http"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…