Bug 1147324 (CVE-2014-7189)

Summary: CVE-2014-7189 golang: TLS client authentication issue fixed in version 1.3.2
Product: Other (Security Response)
Reporter: Murray McAllister <mmcallis>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: admiller, golang-updates, lemenkov, lsm5, renich, s, vbatts
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: Go 1.3.2
Doc Type: Bug Fix
Last Closed: 2016-12-05 16:03:03 UTC
Bug Depends On: 1147325, 1147326, 1147327

Description Murray McAllister 2014-09-29 03:04:40 UTC
The Go 1.3.2 release fixes the following issue:

"The crypto/tls fix addresses a security bug that affects programs that use
crypto/tls to implement a TLS server from Go 1.1 onwards. If the server enables
TLS client authentication using certificates (this is rare) and explicitly sets
SessionTicketsDisabled to true in the tls.Config, then a malicious client can
falsely assert ownership of any client certificate it wishes."

Upstream fix:

https://code.google.com/p/go/source/detail?r=eae0457c101512f59296538f0162749eba325892&name=release-branch.go1.3

References:

http://seclists.org/oss-sec/2014/q3/749
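An added audit helper, not code from this bug report or from the Go project, that flags the two conditions the description names (certificate-based client authentication together with SessionTicketsDisabled explicitly set to true) and checks whether a Go release string falls in the affected range, Go 1.1 up to but not including the fixed release 1.3.2. The function names and the version parsing are assumptions of this example; the remedy remains upgrading to Go 1.3.2.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strconv"
	"strings"
)

// ConfigAffected reports whether cfg combines the two preconditions from the
// advisory: client authentication using certificates (any ClientAuth other
// than NoClientCert) and SessionTicketsDisabled explicitly set to true.
func ConfigAffected(cfg *tls.Config) bool {
	return cfg.ClientAuth != tls.NoClientCert && cfg.SessionTicketsDisabled
}

// GoVersionAffected parses a runtime.Version()-style string such as "go1.3.1"
// and reports whether it falls in the affected range, Go 1.1 up to but not
// including the fixed release 1.3.2. ok is false for strings that are not a
// plain release version (e.g. "devel +..."), which callers should treat as
// unknown rather than safe.
func GoVersionAffected(v string) (affected bool, ok bool) {
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return false, false
	}
	var n [3]int // a missing patch level ("go1.3") is treated as .0
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil {
			return false, false
		}
		n[i] = x
	}
	atLeast11 := n[0] > 1 || (n[0] == 1 && n[1] >= 1)
	below132 := n[0] < 1 || (n[0] == 1 && (n[1] < 3 || (n[1] == 3 && n[2] < 2)))
	return atLeast11 && below132, true
}

func main() {
	// Constructed configs for the audit; no certificates are needed to inspect them.
	weak := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, SessionTicketsDisabled: true}
	fixed := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert} // tickets left at default
	fmt.Println("weak affected:", ConfigAffected(weak), "fixed affected:", ConfigAffected(fixed))
	fmt.Println(GoVersionAffected("go1.3.1")) // true true
	fmt.Println(GoVersionAffected("go1.3.2")) // false true
}
```

A server is exposed only when both checks are positive: the config combination on a Go build in the affected range.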

Comment 1 Murray McAllister 2014-09-29 03:05:39 UTC
Created golang tracking bugs for this issue:

Affects: fedora-all [bug 1147325]
Affects: epel-6 [bug 1147326]
Affects: epel-7 [bug 1147327]

Comment 2 Vincent Batts 2014-09-29 13:00:41 UTC
More information: https://groups.google.com/forum/#!msg/golang-nuts/eeOHNw_shwU/OHALUmroA5kJ

I'll start the process for getting go1.3.2 out for these releases.

Comment 3 Fedora Update System 2014-10-11 06:59:53 UTC
golang-1.3.3-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2014-10-11 07:03:20 UTC
golang-1.3.3-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2014-10-17 17:38:22 UTC
golang-1.3.3-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2014-10-17 17:39:46 UTC
golang-1.3.3-1.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2014-11-10 06:42:12 UTC
golang-1.3.3-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.