Bug 1808041 (CVE-2020-7919)
Summary: | CVE-2020-7919 golang: Integer overflow on 32bit architectures via crafted certificate allows for denial of service | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | admiller, amurdaca, asm, bmontgom, bodavis, deparker, emachado, eparis, fdeutsch, hchiramm, hvyas, jburrell, jcajka, jmulligan, jokerman, jpadman, kconner, law, lemenkov, madam, mnewsome, nstielau, puebele, rcernich, renich, rhs-bugs, sfowler, sisharma, sponnaga, storage-qa-internal, tstellar, vbatts, vbellur |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | go 1.14, go 1.13.7, golang.org/x/crypto/cryptobyte v0.0.0-20200124225646-8b5121be2f68 | Doc Type: | If docs needed, set a value |
Doc Text: | An integer overflow vulnerability was found in the Go crypto/x509 and golang.org/x/crypto/cryptobyte libraries on 32-bit architectures. A remote attacker could exploit this by supplying a crafted x.509 certificate, or other ASN.1 structure, as either a client or server to crash vulnerable Go applications. |
Last Closed: | 2020-03-17 04:31:42 UTC | Type: | --- |
Bug Depends On: | 1808042, 1808044 | ||
Bug Blocks: | 1808045 |
Description
Guilherme de Almeida Suckevicz
2020-02-27 16:52:00 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 1808042]
Affects: fedora-all [bug 1808044]

The current version of ServiceMesh only supports x86_64 architectures and hence is not affected by this flaw.

Reference:
https://docs.openshift.com/container-platform/4.3/service_mesh/servicemesh-release-notes.html#ossm-supported-configurations_ossm-release-notes

Upstream Fixes:
https://github.com/golang/go/commit/f938e06d0623d0e1de202575d16f1e126741f6e0 (1.13.7)
https://github.com/golang/go/commit/b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574 (1.14)

Statement:

Below products are only supported on 64bit architectures and are therefore not affected by this flaw:
* OpenShift Container Platform
* OpenShift Service Mesh
* Red Hat Ceph Storage
* Red Hat Gluster Storage
* Container-native Virtualization

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-7919