Hello community,
here is the log from the commit of package azure-storage-azcopy for
openSUSE:Factory checked in at 2026-05-24 19:35:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/azure-storage-azcopy (Old)
and /work/SRC/openSUSE:Factory/.azure-storage-azcopy.new.2084 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "azure-storage-azcopy"
Sun May 24 19:35:18 2026 rev:7 rq:1354944 version:10.32.2
Changes:
--------
---
/work/SRC/openSUSE:Factory/azure-storage-azcopy/azure-storage-azcopy.changes
2026-04-28 12:02:14.560143670 +0200
+++
/work/SRC/openSUSE:Factory/.azure-storage-azcopy.new.2084/azure-storage-azcopy.changes
2026-05-24 19:37:39.028186182 +0200
@@ -1,0 +2,6 @@
+Wed May 20 10:00:11 UTC 2026 - John Paul Adrian Glaubitz
<[email protected]>
+
+- Add CVE-2026-33814.patch to fix hanging Transport in http2 code
+ due to bad SETTINGS frame (bsc#1265841, CVE-2026-33814)
+
+-------------------------------------------------------------------
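Review bot: The changelog entry on the "+- Add CVE-2026-33814.patch" line does not say which component is patched. The spec applies this patch inside vendor/golang.org/x/net, so naming the vendored golang.org/x/net module in the entry would tell anyone tracking bsc#1265841 that the fix lives in bundled code and has to be re-checked whenever the vendor tree is refreshed.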
New:
----
CVE-2026-33814.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ azure-storage-azcopy.spec ++++++
--- /var/tmp/diff_new_pack.APxYQ8/_old 2026-05-24 19:37:39.604209797 +0200
+++ /var/tmp/diff_new_pack.APxYQ8/_new 2026-05-24 19:37:39.608209961 +0200
@@ -36,6 +36,8 @@
Patch1: CVE-2026-33186.patch
# PATCH-FIX-UPSTREAM - Fix crafted JWE input with a missing encrypted key can
lead to a denial of service
Patch2: CVE-2026-34986.patch
+# PATCH-FIX-UPSTREAM - net: http2: prevent hanging Transport due to bad
SETTINGS frame
+Patch3: CVE-2026-33814.patch
BuildRequires: golang-packaging
BuildRequires: go >= 1.24
# Building with -buildmode=pie is currently unsupported on armv7l, i586,
riscv64 and s390x
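Review bot: The PATCH-FIX-UPSTREAM comment above "Patch3: CVE-2026-33814.patch" carries no upstream reference. The patch header names https://go-review.googlesource.com/c/net/+/761640 and golang/go#78476; putting one of them in the comment makes it easy to decide when Patch3 can be dropped after a vendored x/net update.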
@@ -60,6 +62,9 @@
pushd vendor/github.com/go-jose/go-jose/v4
%patch -P2 -p1
popd
+pushd vendor/golang.org/x/net
+%patch -P3 -p1
+popd
%build
%goprep %{import_path}
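Review bot: Nothing in the added "pushd vendor/golang.org/x/net" / "%patch -P3 -p1" block ties the patch to the x/net revision that is actually vendored. The patch was cut against http2/transport.go at index ccb87e6 with hunks near line 2860, so on a different vendored revision it can apply with offsets or fuzz. Check the %prep output for a clean apply, and confirm afterwards that s.Valid() is called at the top of the ForeachSetting callback in the vendored file.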
++++++ CVE-2026-33814.patch ++++++
>From c41ab094fb2d1861c137572c9ef7a2a2f1de35bf Mon Sep 17 00:00:00 2001
From: "Nicholas S. Husin" <[email protected]>
Date: Tue, 31 Mar 2026 15:15:30 -0400
Subject: [PATCH] http2: prevent hanging Transport due to bad SETTINGS frame
This CL backports https://go.dev/cl/761581 to x/net.
Fixes golang/go#78476
Fixes CVE-2026-33814
Change-Id: Ied435a51fdd8664d41dae14d082c39c76a6a6964
Reviewed-on: https://go-review.googlesource.com/c/net/+/761640
LUCI-TryBot-Result: Go LUCI
<[email protected]>
Reviewed-by: Nicholas Husin <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
---
http2/transport.go | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/http2/transport.go b/http2/transport.go
index ccb87e6..305a032 100644
--- a/http2/transport.go
+++ b/http2/transport.go
@@ -2860,6 +2860,9 @@ func (rl *clientConnReadLoop) processSettingsNoWrite(f
*SettingsFrame) error {
var seenMaxConcurrentStreams bool
err := f.ForeachSetting(func(s Setting) error {
+ if err := s.Valid(); err != nil {
+ return err
+ }
switch s.ID {
case SettingMaxFrameSize:
cc.maxFrameSize = s.Val
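Review bot: The diffstat lists only http2/transport.go, so the s.Valid() check hoisted to the top of the ForeachSetting callback lands without a regression test. In the visible context the SettingMaxFrameSize case stores s.Val into cc.maxFrameSize with no check of its own, so the hoisted call is what now guards it. A transport test that feeds processSettingsNoWrite a SETTINGS frame holding a value Valid() rejects, and asserts that the error is returned, would pin the new behaviour.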
@@ -2891,9 +2894,6 @@ func (rl *clientConnReadLoop) processSettingsNoWrite(f
*SettingsFrame) error {
cc.henc.SetMaxDynamicTableSize(s.Val)
cc.peerMaxHeaderTableSize = s.Val
case SettingEnableConnectProtocol:
- if err := s.Valid(); err != nil {
- return err
- }
// If the peer wants to send us
SETTINGS_ENABLE_CONNECT_PROTOCOL,
// we require that it do so in the first SETTINGS frame.
//
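Review bot: With the local check removed from the SettingEnableConnectProtocol case, validation of that setting depends entirely on the s.Valid() call added before the switch, and nothing at either site says so. A one-line comment above the hoisted check stating that it covers every setting ID would keep a later edit from adding a case or an early return that bypasses it.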
--
2.54.0