Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package amazon-ecs-init for openSUSE:Factory
checked in at 2026-05-24 19:35:27
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/amazon-ecs-init (Old)
and /work/SRC/openSUSE:Factory/.amazon-ecs-init.new.2084 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "amazon-ecs-init"
Sun May 24 19:35:27 2026 rev:18 rq:1354949 version:1.103.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/amazon-ecs-init/amazon-ecs-init.changes
2026-04-29 19:21:59.043254869 +0200
+++
/work/SRC/openSUSE:Factory/.amazon-ecs-init.new.2084/amazon-ecs-init.changes
2026-05-24 19:37:49.496615350 +0200
@@ -1,0 +2,6 @@
+Wed May 20 15:15:05 UTC 2026 - John Paul Adrian Glaubitz
<[email protected]>
+
+- Add CVE-2026-33814.patch to fix hanging Transport in http2 code
+ due to bad SETTINGS frame (bsc#1265843, CVE-2026-33814)
+
+-------------------------------------------------------------------
New:
----
CVE-2026-33814.patch
----------(New B)----------
New:
- Add CVE-2026-33814.patch to fix hanging Transport in http2 code
due to bad SETTINGS frame (bsc#1265843, CVE-2026-33814)
----------(New E)----------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ amazon-ecs-init.spec ++++++
--- /var/tmp/diff_new_pack.nIkaVM/_old 2026-05-24 19:37:50.360650773 +0200
+++ /var/tmp/diff_new_pack.nIkaVM/_new 2026-05-24 19:37:50.360650773 +0200
@@ -28,6 +28,8 @@
Source1: %{short_name}.service
Source2: amazon-ecs-init.tmpfiles
Patch0: reproducible.patch
+# PATCH-FIX-UPSTREAM - net: http2: prevent hanging Transport due to bad
SETTINGS frame
+Patch1: CVE-2026-33814.patch
BuildRequires: go >= 1.25.9
BuildRequires: pkgconfig(systemd)
# We cannot handle cross module dependencies properly, i.e. one module can
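Review bot: the PATCH-FIX-UPSTREAM comment on Patch1 does not identify the upstream change it carries, so a later maintainer has to open the patch to learn its origin; openSUSE's convention is to put the CVE and bug reference on the comment line and name the upstream source, for example `# PATCH-FIX-UPSTREAM CVE-2026-33814 bsc#1265843 - net: http2: prevent hanging Transport due to bad SETTINGS frame (x/net commit 15dea01d, https://go.dev/cl/761581)`, using the identifiers already present in the changes entry and in the patch header.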
@@ -140,6 +142,11 @@
%prep
%setup -q -n amazon-ecs-agent-%{version}
%patch -P0 -p1
+# As ecs-init uses x/net/http2 via ecs-agent,
+# we have to patch the vulnerability there
+pushd ecs-agent/vendor/golang.org/x/net
+%patch -P1 -p1
+popd
%build
env
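Review bot: the pushd/popd applies Patch1 to exactly one vendored copy of golang.org/x/net (the one under ecs-agent/vendor), but nothing in %prep verifies that this is the only copy in the source tree, so a second vendored x/net (for instance one belonging to ecs-init itself) would keep the vulnerable processSettingsNoWrite and build without any error. Suggest adding a guard after the popd, e.g. `test "$(find . -path '*/vendor/golang.org/x/net/http2/transport.go' | wc -l)" -eq 1` (or a grep asserting that every such transport.go now contains the `s.Valid()` call before the `switch s.ID`), so the build fails loudly if the vendoring layout changes in a future version bump. Patching the vendored sources in place is otherwise fine for a vendored Go build, since the toolchain's vendor consistency check compares vendor/modules.txt against go.mod rather than file contents.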
++++++ CVE-2026-33814.patch ++++++
From 15dea01d3589107750483d0ebdd17d7594fc44f3 Mon Sep 17 00:00:00 2001
From: "Nicholas S. Husin" <[email protected]>
Date: Tue, 31 Mar 2026 15:15:30 -0400
Subject: [PATCH] http2: prevent hanging Transport due to bad SETTINGS frame
This CL backports https://go.dev/cl/761581 to x/net.
Fixes golang/go#78476
Fixes CVE-2026-33814
Change-Id: Ied435a51fdd8664d41dae14d082c39c76a6a6964
Reviewed-on: https://go-review.googlesource.com/c/net/+/761640
LUCI-TryBot-Result: Go LUCI
<[email protected]>
Reviewed-by: Nicholas Husin <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
---
http2/transport.go | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/http2/transport.go b/http2/transport.go
index ccb87e6..305a032 100644
--- a/http2/transport.go
+++ b/http2/transport.go
@@ -2860,6 +2860,9 @@ func (rl *clientConnReadLoop) processSettingsNoWrite(f
*SettingsFrame) error {
var seenMaxConcurrentStreams bool
err := f.ForeachSetting(func(s Setting) error {
+ if err := s.Valid(); err != nil {
+ return err
+ }
switch s.ID {
case SettingMaxFrameSize:
cc.maxFrameSize = s.Val
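Review bot: the diffstat lists only http2/transport.go, so no regression test accompanies the fix; the change is small enough that a test with a fake server sending a SETTINGS frame whose SETTINGS_MAX_FRAME_SIZE lies outside the range permitted by RFC 7540 section 6.5.2 (below 16384 or above 2^24-1), asserting that RoundTrip returns a protocol error instead of blocking, would document the hang being fixed and guard against the check being moved back. Functionally the hunk is right: calling s.Valid() at the top of the ForeachSetting callback means every setting is range-checked before its value is stored, which matters for the `cc.maxFrameSize = s.Val` assignment two lines below, where an unchecked value was previously accepted as-is; an invalid setting now makes the callback return the validation error and stop iterating.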
@@ -2891,9 +2894,6 @@ func (rl *clientConnReadLoop) processSettingsNoWrite(f
*SettingsFrame) error {
cc.henc.SetMaxDynamicTableSize(s.Val)
cc.peerMaxHeaderTableSize = s.Val
case SettingEnableConnectProtocol:
- if err := s.Valid(); err != nil {
- return err
- }
// If the peer wants to send us
SETTINGS_ENABLE_CONNECT_PROTOCOL,
// we require that it do so in the first SETTINGS frame.
//
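Review bot: removing the per-case s.Valid() under SettingEnableConnectProtocol is correct and not a behaviour change for that setting, since the previous hunk performs the same call before the switch for every setting ID; leaving both would only validate the value twice. Because only the client-side transport.go is touched, it is worth confirming in review that the server-side SETTINGS handler in the same vendored http2 package performs the equivalent s.Valid() check before acting on the value, so that both directions of the connection reject out-of-range settings.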
--
2.54.0