Source: golang-opentelemetry-otel Version: 1.43.0-4 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for golang-opentelemetry-otel. CVE-2026-41178[0]: | OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions | 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` | to process arbitrarily large/invalid baggage headers and log errors, | enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix | the issue. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-41178 https://www.cve.org/CVERecord?id=CVE-2026-41178 [1] https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-5wrp-cwcj-q835 [2] https://github.com/open-telemetry/opentelemetry-go/pull/7880 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
