Debian Bug report logs -
#1059261
clickhouse: CVE-2023-48298 CVE-2023-47118 CVE-2022-44011 CVE-2022-44010
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Alexander GQ Gerasiov <gq@debian.org>
:
Bug#1059261
; Package src:clickhouse
.
(Fri, 22 Dec 2023 09:12:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Alexander GQ Gerasiov <gq@debian.org>
.
(Fri, 22 Dec 2023 09:12:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: clickhouse
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for clickhouse.
CVE-2023-48298[0]:
| ClickHouse® is an open-source column-oriented database management
| system that allows generating analytical data reports in real-time.
| This vulnerability is an integer underflow resulting in crash due to
| stack buffer overflow in decompression of FPC codec. It can be
| triggered and exploited by an unauthenticated attacker. The
| vulnerability is very similar to CVE-2023-47118 with how the
| vulnerable function can be exploited.
https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-qw9f-qv29-8938
https://github.com/ClickHouse/ClickHouse/pull/56795
CVE-2023-47118[1]:
| ClickHouse® is an open-source column-oriented database management
| system that allows generating analytical data reports in real-time.
| A heap buffer overflow issue was discovered in ClickHouse server. An
| attacker could send a specially crafted payload to the native
| interface exposed by default on port 9000/tcp, triggering a bug in
| the decompression logic of T64 codec that crashes the ClickHouse
| server process. This attack does not require authentication. Note
| that this exploit can also be triggered via HTTP protocol, however,
| the attacker will need a valid credential as the HTTP authentication
| take places first. This issue has been fixed in version
| 23.10.2.13-stable, 23.9.4.11-stable, 23.8.6.16-lts and
| 23.3.16.7-lts.
https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-g22g-p6q2-x39v
CVE-2022-44011[2]:
| An issue was discovered in ClickHouse before 22.9.1.2603. An
| authenticated user (with the ability to load data) could cause a
| heap buffer overflow and crash the server by inserting a malformed
| CapnProto object. The fixed versions are 22.9.1.2603, 22.8.2.11,
| 22.7.4.16, 22.6.6.16, and 22.3.12.19.
https://github.com/ClickHouse/ClickHouse/pull/40241
CVE-2022-44010[3]:
| An issue was discovered in ClickHouse before 22.9.1.2603. An
| attacker could send a crafted HTTP request to the HTTP Endpoint
| (usually listening on port 8123 by default), causing a heap-based
| buffer overflow that crashes the process. This does not require
| authentication. The fixed versions are 22.9.1.2603, 22.8.2.11,
| 22.7.4.16, 22.6.6.16, and 22.3.12.19.
https://github.com/ClickHouse/ClickHouse/pull/40292
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-48298
https://www.cve.org/CVERecord?id=CVE-2023-48298
[1] https://security-tracker.debian.org/tracker/CVE-2023-47118
https://www.cve.org/CVERecord?id=CVE-2023-47118
[2] https://security-tracker.debian.org/tracker/CVE-2022-44011
https://www.cve.org/CVERecord?id=CVE-2022-44011
[3] https://security-tracker.debian.org/tracker/CVE-2022-44010
https://www.cve.org/CVERecord?id=CVE-2022-44010
Please adjust the affected versions in the BTS as needed.
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Fri, 22 Dec 2023 20:09:18 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sat Dec 23 08:18:51 2023;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.