All errata/sisyphus/ALT-PU-2024-7595-2
ALT-PU-2024-7595-2

Package update traefik in branch sisyphus

Version2.11.2-alt1
Task#347710
Published2026-02-04
Max severityHIGH
Severity:

Closed issues (6)

BDU:2024-02688
MEDIUM5.3

Уязвимость библиотек net/http и net/http2 языка программирования Go, связана с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2024-04-06Modified: 2024-11-15
CVSS 3.xMEDIUM 5.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
References
BDU:2024-03542
HIGH7.5

Уязвимость обратного прокси сервера Containous Traefik, связанная с недостаточной обработкой исключительных состояний, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2024-05-07
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
CVE-2023-45288
HIGH7.5

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

Published: 2024-04-04Modified: 2026-04-15
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2024-28869
HIGH7.5

Traefik is an HTTP reverse proxy and load balancer. In affected versions sending a GET request to any Traefik endpoint with the "Content-length" request header results in an indefinite hang with the default configuration. This vulnerability can be exploited by attackers to induce a denial of service. This vulnerability has been addressed in version 2.11.2 and 3.0.0-rc5. Users are advised to upgrade. For affected versions, this vulnerability can be mitigated by configuring the readTimeout option.

Published: 2024-04-12Modified: 2025-11-26
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
GHSA-4v7x-pqxf-cx7m
MEDIUM5.3

net/http, x/net/http2: close connections when receiving too many headers

Published: 2024-04-05Modified: 2025-11-05
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References
GHSA-4vwx-54mw-vqfw
HIGH7.5

Traefik vulnerable to denial of service with Content-length header

Published: 2024-04-12Modified: 2024-04-15
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References