Bug 1498867 (CVE-2017-15042)

Summary: CVE-2017-15042 golang: smtp.PlainAuth susceptible to man-in-the-middle password harvesting
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: admiller, amurdaca, apevec, bleanhar, ccoleman, chrisw, dedgar, dmcphers, jcajka, jgoulding, jjoyce, jkeck, jschluet, kbasil, lemenkov, lhh, lpeer, markmc, mburns, rbryant, renich, sclewis, slinaber, s, tdecacqu, ttomecek, vbatts
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: golang 1.8.4, golang 1.9.1
Doc Text:
It was found that the smtp.PlainAuth authentication scheme in Go did not verify the TLS requirement properly. A remote man-in-the-middle attacker could potentially use this flaw to sniff SMTP credentials sent by a Go application.
Last Closed: 2019-06-08 03:26:32 UTC
Bug Depends On: 1498872, 1498873, 1499160, 1500587, 1522596, 1565784    
Bug Blocks: 1498774, 1498876    

Description Adam Mariš 2017-10-05 13:01:04 UTC
It was found that the smtp.PlainAuth scheme was vulnerable to a man-in-the-middle attack. The smtp.PlainAuth implementation would send the username and password to a man-in-the-middle SMTP server that doesn’t advertise STARTTLS and does advertise that PLAIN auth is OK.

Upstream bug:

https://github.com/golang/go/issues/22134

Upstream patches:

Go 1.8: https://go-review.googlesource.com/c/go/+/68023
Go 1.9: https://go-review.googlesource.com/c/go/+/68210
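
The decision described above, contrasted with a strict client-side guard, as an added example that is not part of the bug report and is not Go's own source. `legacyAllows` is a model of the flawed check as the description states it; `tlsOnly`, `decide`, the host name and the credentials are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/smtp"
)

// legacyAllows models the pre-fix decision as the report describes it:
// credentials go out when TLS is active OR the server advertises PLAIN,
// so on a cleartext session the peer's own claim decides. (Model only.)
func legacyAllows(s *smtp.ServerInfo) bool {
	for _, m := range s.Auth {
		if m == "PLAIN" {
			return true
		}
	}
	return s.TLS
}

var errNoTLS = errors.New("refusing AUTH: connection is not TLS-protected")

// tlsOnly wraps any smtp.Auth and refuses to start on a cleartext session,
// regardless of which mechanisms the server advertises.
type tlsOnly struct{ inner smtp.Auth }

func (a tlsOnly) Start(s *smtp.ServerInfo) (string, []byte, error) {
	if !s.TLS {
		return "", nil, errNoTLS
	}
	return a.inner.Start(s)
}

func (a tlsOnly) Next(fromServer []byte, more bool) ([]byte, error) {
	return a.inner.Next(fromServer, more)
}

// decide evaluates both policies against a constructed server description.
func decide(tls bool, advertised []string) (legacy bool, strictErr error) {
	const host = "mail.example.test" // constructed host name
	s := &smtp.ServerInfo{Name: host, TLS: tls, Auth: advertised}
	auth := tlsOnly{inner: smtp.PlainAuth("", "user", "constructed-password", host)}
	_, _, strictErr = auth.Start(s)
	return legacyAllows(s), strictErr
}

func main() {
	// No STARTTLS offered, PLAIN advertised: the case from the description.
	legacy, err := decide(false, []string{"PLAIN"})
	fmt.Println("legacy model sends credentials:", legacy, "| tlsOnly:", err)
}
```

A wrapper like `tlsOnly` can be passed wherever an `smtp.Auth` is accepted, which keeps the TLS requirement in the application even when it is built with an unpatched toolchain.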

Comment 1 Adam Mariš 2017-10-05 13:09:28 UTC
Created golang tracking bugs for this issue:

Affects: epel-6 [bug 1498872]
Affects: fedora-all [bug 1498873]

Comment 2 Joshua Padman 2017-10-06 00:10:52 UTC
The GitHub issue was updated to include CVE-2017-15042.

Comment 5 errata-xmlrpc 2017-12-14 11:35:51 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2017:3463 https://access.redhat.com/errata/RHSA-2017:3463

Comment 6 errata-xmlrpc 2018-04-10 08:27:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0878 https://access.redhat.com/errata/RHSA-2018:0878