openEuler Security Advisory: openEuler-SA-2022-2012
Title: An update for protobuf is now available for openEuler-22.03-LTS
Publisher: openEuler security committee (openeuler-security@openeuler.org)
Status: Final
Version: 1.0
Revision history: 1.0 (2022-10-21), Initial
Initial release date: 2022-10-21
Current release date: 2022-10-21
Generator: openEuler SA Tool V1.0, 2022-10-21
Severity: High
Affected product: openEuler-22.03-LTS
Affected component: protobuf

Summary

protobuf security update. An update for protobuf is now available for openEuler-22.03-LTS.

Security Fix(es)

CVE-2022-1941 (openEuler-22.03-LTS, High, CVSS base score 7.5, vector AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, released 2022-10-21)
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python, can lead to out-of-memory failures. A specially crafted message with multiple key-value pairs per element creates parsing issues and can lead to a denial of service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions 3.16 and 3.17 are no longer updated.

CVE-2022-3171 (openEuler-22.03-LTS, High, CVSS base score 7.5, vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, released 2022-10-21)
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Severity statement

openEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Updated packages (openEuler-22.03-LTS)

aarch64:
protobuf-3.14.0-6.oe2203.aarch64.rpm
protobuf-compiler-3.14.0-6.oe2203.aarch64.rpm
protobuf-debuginfo-3.14.0-6.oe2203.aarch64.rpm
protobuf-debugsource-3.14.0-6.oe2203.aarch64.rpm
protobuf-devel-3.14.0-6.oe2203.aarch64.rpm
protobuf-lite-3.14.0-6.oe2203.aarch64.rpm
protobuf-lite-devel-3.14.0-6.oe2203.aarch64.rpm

noarch:
protobuf-bom-3.14.0-6.oe2203.noarch.rpm
protobuf-java-3.14.0-6.oe2203.noarch.rpm
protobuf-java-util-3.14.0-6.oe2203.noarch.rpm
protobuf-javadoc-3.14.0-6.oe2203.noarch.rpm
protobuf-javalite-3.14.0-6.oe2203.noarch.rpm
protobuf-parent-3.14.0-6.oe2203.noarch.rpm
python3-protobuf-3.14.0-6.oe2203.noarch.rpm

src:
protobuf-3.14.0-6.oe2203.src.rpm

x86_64:
protobuf-3.14.0-6.oe2203.x86_64.rpm
protobuf-compiler-3.14.0-6.oe2203.x86_64.rpm
protobuf-debuginfo-3.14.0-6.oe2203.x86_64.rpm
protobuf-debugsource-3.14.0-6.oe2203.x86_64.rpm
protobuf-devel-3.14.0-6.oe2203.x86_64.rpm
protobuf-lite-3.14.0-6.oe2203.x86_64.rpm
protobuf-lite-devel-3.14.0-6.oe2203.x86_64.rpm

References

https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2012
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-1941
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-3171
https://nvd.nist.gov/vuln/detail/CVE-2022-1941
https://nvd.nist.gov/vuln/detail/CVE-2022-3171
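The practical question this advisory raises for an administrator is whether the protobuf packages on a given openEuler-22.03-LTS host are at or above the fixed build 3.14.0-6.oe2203. The following script is an added example, not openEuler tooling: it takes the package list from this advisory, parses `rpm -qa`-style name-version-release.arch strings, and compares version and release with a simplified reimplementation of rpm's version ordering (digit runs compared numerically, alpha runs lexically, numeric newer than alpha; epoch, `~` and `^` are assumed absent, which holds for the packages listed here). The `rpm -qa` sample is constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Fixed build listed in openEuler-SA-2022-2012 for openEuler-22.03-LTS.
FIXED_VERSION = "3.14.0"
FIXED_RELEASE = "6.oe2203"
ADVISORY_PACKAGES = {
    "protobuf", "protobuf-devel", "protobuf-lite", "protobuf-lite-devel",
    "protobuf-compiler", "protobuf-debuginfo", "protobuf-debugsource",
    "protobuf-java", "protobuf-javalite", "protobuf-java-util",
    "protobuf-javadoc", "protobuf-parent", "protobuf-bom", "python3-protobuf",
}


def _segments(s: str) -> List[str]:
    """Split a version or release string into digit and alpha runs.
    Separators such as '.' and '_' only delimit segments, as in rpm."""
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm version ordering (assumption: no epoch, '~' or '^').
    Returns 1 if a is newer than b, -1 if older, 0 if equal."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)  # numeric compare ignores leading zeros
            c = (xi > yi) - (xi < yi)
        elif x.isdigit():
            return 1   # a numeric segment is newer than an alpha one
        elif y.isdigit():
            return -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_nvra(nvra: str) -> Tuple[str, str, str, str]:
    """Split 'name-version-release.arch' (rpm -qa default output) into parts.
    Splitting from the right keeps hyphens inside the package name intact."""
    base, arch = nvra.rsplit(".", 1)
    name, version, release = base.rsplit("-", 2)
    return name, version, release, arch


def audit(rpm_qa_output: str) -> Dict[str, str]:
    """Classify each installed advisory package as 'fixed' or 'needs update'.
    Packages not named in the advisory are ignored."""
    result: Dict[str, str] = {}
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version, release, _arch = parse_nvra(line)
        if name not in ADVISORY_PACKAGES:
            continue
        # Compare version first; only if equal does the release decide.
        c = rpmvercmp(version, FIXED_VERSION) or rpmvercmp(release, FIXED_RELEASE)
        result[name] = "fixed" if c >= 0 else "needs update"
    return result


# Constructed sample of `rpm -qa` output; not captured from a real host.
SAMPLE_RPM_QA = """\
protobuf-3.14.0-5.oe2203.x86_64
protobuf-lite-3.14.0-6.oe2203.x86_64
protobuf-java-3.14.0-4.oe2203.noarch
python3-protobuf-3.14.0-6.oe2203.noarch
bash-5.1.8-6.oe2203.x86_64
"""

if __name__ == "__main__":
    for pkg, status in sorted(audit(SAMPLE_RPM_QA).items()):
        print(f"{pkg:20} {status}")
```

On a real host, feed it `rpm -qa 'protobuf*' 'python3-protobuf'` instead of the sample; a package reported as "needs update" is still on a build older than the one this advisory ships and should be updated with the distribution's package manager.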