Source: golang-opentelemetry-otel Version: 1.43.0-4 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for golang-opentelemetry-otel. CVE-2026-45287[0]: | OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to | version 0.0.17, `go.opentelemetry.io/otel/schema/v1.0` and | `go.opentelemetry.io/otel/schema/v1.1` leaks one file descriptor on | each successful `ParseFile` call. `ParseFile` opens the schema file | and passes it to `Parse` without closing it; repeated parsing in a | long-running process can exhaust the process file descriptor limit | and cause denial of service. Exploitation depends on a consuming | application exposing repeated schema parsing to an attacker- | controlled path. Version 0.0.17 contains a patch for the issue. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-45287 https://www.cve.org/CVERecord?id=CVE-2026-45287 [1] https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-995v-fvrw-c78m [2] https://github.com/open-telemetry/opentelemetry-go/commit/f12d198f161b61735d65705248715aa97021ba8d Please adjust the affected versions in the BTS as needed. Regards, Salvatore
