Source: clickhouse
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,

The following vulnerability was published for clickhouse.

CVE-2024-6873[0]:
| It is possible to crash or redirect the execution flow of the
| ClickHouse server process from an unauthenticated vector by sending
| a specially crafted request to the ClickHouse server native
| interface. This redirection is limited to what is available within a
| 256-byte range of memory at the time of execution, and no known
| remote code execution (RCE) code has been produced or exploited.
| Fixes have been merged to all currently supported versions of
| ClickHouse. If you are maintaining your own forked version of
| ClickHouse or using an older version and cannot upgrade, the fix for
| this vulnerability can be found in this commit:
| https://github.com/ClickHouse/ClickHouse/pull/64024

https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-432f-r822-j66f
https://github.com/ClickHouse/ClickHouse/pull/64024

If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-6873
    https://www.cve.org/CVERecord?id=CVE-2024-6873

Please adjust the affected versions in the BTS as needed.