Bug 1804533 (CVE-2020-9283)
| Summary: | CVE-2020-9283 golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | abonas, adahiya, agarcial, alitke, amackenz, amasferr, aos-bugs, aos-storage-staff, asm, bbennett, bmontgom, bpeterse, chazlett, cnv-qe-bugs, deparker, dgoodwin, drieden, ecordell, eparis, fdeutsch, gbrown, hchiramm, hvyas, jburrell, jcantril, jesusr, jmulligan, jokerman, kconner, knewcome, madam, maszulik, mcooper, mfojtik, mkudlej, mpatel, nstielau, phoracek, puebele, rcernich, rhs-bugs, rphillips, sd-operator-metering, sfowler, sgott, shurley, sisharma, sponnaga, storage-qa-internal, sttts, tjelinek, tjochec, tsmetana, tstellar, vbellur |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | golang.org/x/crypto 0.0.0-20200220183623-bac4c82f6975 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A denial of service vulnerability was found in the SSH package of the golang.org/x/crypto library. An attacker could exploit this flaw by supplying crafted SSH ed25519 keys to cause a crash in applications that use this package as either an SSH client or server.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-07-07 01:27:37 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1806489, 1806494, 1808163, 1808164, 1808165, 1808166, 1808167, 1808168, 1808169, 1808170, 1808171, 1808172, 1808173, 1808174, 1808175, 1808176, 1808177, 1808178, 1808179, 1808180, 1808181, 1808182, 1808199, 1808200, 1808201, 1808202, 1808204, 1808205, 1808206, 1808207, 1808208, 1808209, 1808210, 1808211, 1808212, 1808213, 1808214, 1808215, 1808216, 1808217, 1808218, 1808219, 1808220, 1808221, 1808222, 1808223, 1808224, 1808225, 1808226, 1808227, 1808228, 1808229, 1808230, 1808231, 1808232, 1808233, 1808234, 1808243, 1808244, 1808246, 1808247, 1808248, 1808251, 1808252, 1821598, 1821623, 1837979, 1837987, 1843575, 1854385, 1857071, 1857612, 1857613, 1857614, 1857615, 1857616, 1857617, 1857618, 1857619, 1857620, 1857621, 1857622, 1857623, 1857624, 1857625, 1857626, 1857628, 1857629, 1857630, 1857631, 1857632, 1857633, 1857634, 1857635, 1857636, 1857637, 1857638, 1857639, 1857640, 1857641, 1857642, 1857643, 1857644, 1857645, 1857646, 1857647, 1857648 | ||
| Bug Blocks: | 1804534 | ||
|
Description
Sam Fowler
2020-02-19 04:20:25 UTC
External Reference: https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY Statement: OpenShift Container Platform uses the vulnerable library in a number of components but strictly as an SSH client. The severity of this vulnerability is reduced for clients as it requires connections to malicious SSH servers, with the maximum impact only a client crash. This vulnerability is rated Low for OpenShift Container Platform. This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2020:2790 https://access.redhat.com/errata/RHSA-2020:2790 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2020:2793 https://access.redhat.com/errata/RHSA-2020:2793 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2020:2789 https://access.redhat.com/errata/RHSA-2020:2789 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-9283 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2020:2412 https://access.redhat.com/errata/RHSA-2020:2412 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2020:2878 https://access.redhat.com/errata/RHSA-2020:2878 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2020:3078 https://access.redhat.com/errata/RHSA-2020:3078 This issue has been addressed in the following products: Jaeger-1.17 Via RHSA-2020:3370 https://access.redhat.com/errata/RHSA-2020:3370 This issue has been addressed in the following products: OpenShift Service Mesh 1.1 Openshift Service Mesh 1.1 Via RHSA-2020:3369 https://access.redhat.com/errata/RHSA-2020:3369 This issue has been addressed in the following products: OpenShift Service Mesh 1.0 Via RHSA-2020:3372 https://access.redhat.com/errata/RHSA-2020:3372 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2020:3414 https://access.redhat.com/errata/RHSA-2020:3414 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:3809 https://access.redhat.com/errata/RHSA-2020:3809 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:4264 https://access.redhat.com/errata/RHSA-2020:4264 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2020:4298 https://access.redhat.com/errata/RHSA-2020:4298 This issue has been addressed in the following products: RHEL-8-CNV-2.6 Via RHSA-2021:0799 https://access.redhat.com/errata/RHSA-2021:0799 This issue has been addressed in the following products: 3scale API Management Via RHSA-2021:1129 https://access.redhat.com/errata/RHSA-2021:1129 |