GHSA-pxh5-6rrc-8rjv: OpenTofu: Excessive resource usage in "tofu init" when installing dependencies from attacker-controlled server

When installing provider or module packages from attacker-controlled servers, the server may cause tofu initto enter an infinite loop sending garbage data to that server.

Those who depend on modules or providers served from untrusted third-party servers may experience denial of service due to tofu init failing to complete successfully. Other processes running on the same computer as OpenTofu may also fail or have their performance degraded due to the depletion of shared system resources.

These vulnerabilities do not permit arbitrary code execution or allow disclosure of confidential information.