Bug 1995656 (CVE-2021-36221)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic | | |
| Product | [Other] Security Response | Reporter | Marian Rehak <mrehak> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | aadam, abishop, admiller, alitke, amctagga, amuller, amurdaca, anharris, anpicker, aos-bugs, asm, bbaude, bbennett, bdettelb, bmontgom, bniver, bodavis, caswilli, cnv-qe-bugs, dbecker, dbenoit, deparker, dornelas, dwalsh, dymurray, emachado, eparis, erooth, etamir, fcanogab, fdeutsch, fdupont, fjansen, flucifre, gmeno, godas, hchiramm, hvyas, ibolton, jakob, jarrpa, jburrell, jcajka, jcosta, jjoyce, jligon, jmatthew, jmontleo, jmulligan, jnakfour, jnovy, joelsmith, jokerman, jpadman, jschluet, jwendell, jwon, kaycoth, krathod, lball, lemenkov, lgamliel, lhh, lhinds, lmadsen, lmeyer, lpeer, lsm5, madam, maszulik, matzew, mbenjamin, mburns, mfilanov, mfojtik, mgarciac, mhackett, mheon, mmagr, mnewsome, mrunge, mrussell, mthoemme, mwringe, nalin, nbecker, nstielau, ocs-bugs, phoracek, pleimer, ploffay, pthomas, puebele, rcernich, rfreiman, rhcos-triage, rhs-bugs, rhuss, rphillips, rrajasek, rtalur, sabose, sbatsche, sclewis, sgott, slinaber, slucidi, sostapov, spasquie, sponnaga, sseago, stirabos, sttts, team-winc, tnielsen, tomckay, tstellar, tsweeney, twalsh, umohnani, vbatts, vereddy, xxia |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | go 1.16.7, go 1.15.15 | Doc Type | If docs needed, set a value |
| Doc Text | A race condition flaw was found in Go. The incoming request body was not closed after the handler panicked, and as a consequence this could crash ReverseProxy. The highest threat from this vulnerability is to availability. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2021-10-28 09:07:51 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1997190, 1997874, 1993407, 1995964, 1995965, 1995966, 1995967, 1995968, 1995969, 1995970, 1995971, 1995972, 1995973, 1995974, 1995975, 1995976, 1995977, 1995978, 1995979, 1995980, 1995981, 1995982, 1995983, 1995984, 1995985, 1995986, 1995987, 1995988, 1995989, 1995990, 1995991, 1995992, 1995993, 1995994, 1995995, 1995996, 1995997, 1995998, 1995999, 1996000, 1996001, 1996002, 1996003, 1996004, 1996005, 1996006, 1996007, 1996008, 1996009, 1996010, 1996761, 1996763, 1996769, 1996770, 1996771, 1996772, 1996810, 1997188, 1997191, 1997869, 1997870, 1997871, 1997872, 1997873, 1997875, 1997876, 1997877, 1998071, 1998072, 1998073, 1998074, 1998075, 1998076, 1998077, 1998078, 1998079, 1998080, 1998107, 1998108, 1998109, 1998110, 1998111, 1999010, 1999358, 1999415, 1999416, 2000977, 2000978, 2000989, 2000990, 2000991, 2000992, 2000993, 2000994, 2057167 | | |
| Bug Blocks | 1995693 | | |
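The Doc Text above describes the mechanism: the body of the incoming request was left open when the proxy handler panicked, so it could still be read by the connection-handling code after the handler had unwound. The Go 1.16.7 / 1.15.15 commits listed in this bug address that by deferring a Close on the body inside ReverseProxy.ServeHTTP. The following is an added illustration written for this page, not code from the Go project or from Red Hat: a hypothetical `closeBodyOnExit` middleware applies the same deferred-Close idea around any handler (an unpatched `*httputil.ReverseProxy` included), and a constructed `trackedBody` shows that the body is closed only when the wrapper is in place, even though the handler aborts with `http.ErrAbortHandler`. Because `http.Request.Clone` shares the `Body` between the incoming and outgoing request, closing it in the wrapper closes the same object the transport reads from.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// trackedBody is a constructed io.ReadCloser standing in for the incoming
// request body that net/http hands to a ReverseProxy; it records whether
// Close was ever called.
type trackedBody struct {
	io.Reader
	closed bool
}

func (b *trackedBody) Close() error {
	b.closed = true
	return nil
}

// closeBodyOnExit wraps a handler (for example an *httputil.ReverseProxy)
// so the incoming request body is closed when the handler returns or
// panics. http.Request.Clone shares the Body, so closing r.Body here also
// closes the body the proxy's Transport.RoundTrip goroutine reads from,
// and that goroutine can no longer keep reading a body whose handler has
// already unwound. Hypothetical wrapper written for this page, not code
// from the Go project.
func closeBodyOnExit(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Body != nil {
			defer r.Body.Close()
		}
		next.ServeHTTP(w, r)
	})
}

// abortingHandler simulates a proxy handler whose upstream exchange fails
// and aborts with http.ErrAbortHandler before the request body is consumed.
var abortingHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	panic(http.ErrAbortHandler)
})

// serveAndRecover runs h against req and reports whether it panicked,
// recovering the way net/http's connection loop does so that the caller
// can inspect the request body afterwards.
func serveAndRecover(h http.Handler, req *http.Request) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	h.ServeHTTP(httptest.NewRecorder(), req)
	return false
}

// bodyClosedAfterPanic drives abortingHandler, optionally behind
// closeBodyOnExit, and reports whether the incoming body was closed once
// the handler unwound.
func bodyClosedAfterPanic(wrapped bool) bool {
	payload := []byte("constructed request body")
	body := &trackedBody{Reader: bytes.NewReader(payload)}
	req := httptest.NewRequest(http.MethodPost, "http://proxy.example/", nil)
	req.Body = body
	req.ContentLength = int64(len(payload))
	var h http.Handler = abortingHandler
	if wrapped {
		h = closeBodyOnExit(abortingHandler)
	}
	serveAndRecover(h, req)
	return body.closed
}

func main() {
	fmt.Printf("plain handler:   body closed after panic = %v\n", bodyClosedAfterPanic(false))
	fmt.Printf("wrapped handler: body closed after panic = %v\n", bodyClosedAfterPanic(true))
}
```

The wrapper is a stop-gap for a service that cannot move to a fixed toolchain immediately; the durable fix is rebuilding with go 1.16.7 / 1.15.15 or later, where ReverseProxy itself defers the Close.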
Description
Marian Rehak
2021-08-19 15:04:23 UTC
Upstream Go PRs:
https://github.com/golang/go/commit/accf363d5da864521c90b152fb734f3f15e00521 for Go 1.16
https://github.com/golang/go/commit/ba93baa74a52d57ae79313313ea990cc791ef50e for Go 1.15

Created golang tracking bugs for this issue:
Affects: openstack-rdo [bug 1997874]

Created golang tracking bugs for this issue:
Affects: epel-all [bug 1999416]
Affects: fedora-all [bug 1999415]

FEDORA-2021-38b51d9fd3 has been pushed to the Fedora 33 stable repository. If the problem still persists, please make note of it in this bug report.

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:4156 https://access.redhat.com/errata/RHSA-2021:4156

This issue has been addressed in the following products:
Openshift Serverless 1 on RHEL 8
Via RHSA-2021:4765 https://access.redhat.com/errata/RHSA-2021:4765

This issue has been addressed in the following products:
Openshift Serverless 1.19
Via RHSA-2021:4766 https://access.redhat.com/errata/RHSA-2021:4766

This issue has been addressed in the following products:
Red Hat OpenShift distributed tracing 2.1
Via RHSA-2022:0318 https://access.redhat.com/errata/RHSA-2022:0318

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.9
Via RHSA-2022:0557 https://access.redhat.com/errata/RHSA-2022:0557

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.9
Via RHSA-2022:0561 https://access.redhat.com/errata/RHSA-2022:0561

This issue has been addressed in the following products:
OSE-OSC-1.2.0-RHEL-8
Via RHSA-2022:0855 https://access.redhat.com/errata/RHSA-2022:0855

This issue has been addressed in the following products:
RHEL-8-CNV-4.10
Via RHSA-2022:0947 https://access.redhat.com/errata/RHSA-2022:0947

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.10
Via RHSA-2022:0577 https://access.redhat.com/errata/RHSA-2022:0577

This issue has been addressed in the following products:
OpenShift Service Mesh 2.0
Via RHSA-2022:1276 https://access.redhat.com/errata/RHSA-2022:1276

This issue has been addressed in the following products:
RHODF-4.10-RHEL-8
Via RHSA-2022:1361 https://access.redhat.com/errata/RHSA-2022:1361

This issue has been addressed in the following products:
RHODF-4.10-RHEL-8
Via RHSA-2022:1372 https://access.redhat.com/errata/RHSA-2022:1372

This issue has been addressed in the following products:
Red Hat Migration Toolkit for Containers 1.5
Via RHSA-2022:1396 https://access.redhat.com/errata/RHSA-2022:1396

This issue has been addressed in the following products:
RHEL-8-CNV-4.10
Via RHSA-2022:4668 https://access.redhat.com/errata/RHSA-2022:4668

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2022:7457 https://access.redhat.com/errata/RHSA-2022:7457
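The errata above cover Red Hat-shipped builds, but any Go binary that embeds net/http/httputil.ReverseProxy (in-house proxies, sidecars, vendored tools) carries the flaw if it was compiled with a toolchain older than the "Fixed In Version" values, go 1.16.7 and go 1.15.15. The following added check, written for this page and not part of the bug or of any Red Hat tooling, decides affectedness from a Go toolchain version string and applies it to the unindented `<path>: <goversion>` lines that `go version -m <binaries...>` prints for each binary. Everything older than 1.15.15 is treated as affected, matching the CVE wording ("before 1.15.15 and 1.16.x before 1.16.7"); the `sampleOutput` lines and the example.com module paths in them are constructed, not real scan results.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// fixedPatch holds, per affected release branch, the first patch release
// carrying the fix, taken from the tracker's "Fixed In Version" field.
var fixedPatch = map[int]int{
	15: 15, // go1.15.15
	16: 7,  // go1.16.7
}

var goVersionRE = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?`)

// Affected reports whether a Go toolchain version string such as "go1.16.6"
// predates the CVE-2021-36221 fix. Everything older than 1.15.15 is treated
// as affected, matching the CVE wording; 1.17 and later shipped after the
// fix. A pre-release such as go1.16rc1 has no patch number and is treated
// as patch 0 of its branch.
func Affected(version string) (bool, error) {
	m := goVersionRE.FindStringSubmatch(strings.TrimSpace(version))
	if m == nil {
		return false, fmt.Errorf("unrecognised Go version %q", version)
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch := 0
	if m[3] != "" {
		patch, _ = strconv.Atoi(m[3])
	}
	switch {
	case major != 1:
		return false, nil
	case minor < 15:
		return true, nil
	case minor > 16:
		return false, nil
	}
	return patch < fixedPatch[minor], nil
}

// VulnerableBinaries parses the output of `go version -m <binaries...>`,
// whose unindented lines have the form "<path>: <goversion>" (the
// tab-indented lines list the main module and its dependencies), and
// returns the paths of binaries built with an affected toolchain.
func VulnerableBinaries(goVersionOutput string) ([]string, error) {
	var vulnerable []string
	sc := bufio.NewScanner(strings.NewReader(goVersionOutput))
	for sc.Scan() {
		line := sc.Text()
		if line == "" || strings.HasPrefix(line, "\t") {
			continue
		}
		idx := strings.LastIndex(line, ": ")
		if idx < 0 {
			return nil, fmt.Errorf("unexpected line %q", line)
		}
		path, ver := line[:idx], line[idx+2:]
		affected, err := Affected(ver)
		if err != nil {
			return nil, err
		}
		if affected {
			vulnerable = append(vulnerable, path)
		}
	}
	return vulnerable, sc.Err()
}

// sampleOutput is constructed for this example in the shape of
// `go version -m` output; it is not real scan output.
const sampleOutput = `/opt/edge/proxy-a: go1.16.6
	path	example.com/edge/proxy-a
	mod	example.com/edge/proxy-a	(devel)
	dep	golang.org/x/net	v0.0.0-20210614182718-04defd469f4e
/opt/edge/proxy-b: go1.16.7
	path	example.com/edge/proxy-b
	mod	example.com/edge/proxy-b	(devel)
/opt/edge/legacy-gw: go1.15.14
	path	example.com/edge/legacy-gw
/opt/edge/proxy-c: go1.17
	path	example.com/edge/proxy-c
`

func main() {
	vuln, err := VulnerableBinaries(sampleOutput)
	if err != nil {
		panic(err)
	}
	for _, p := range vuln {
		fmt.Println("rebuild with go >= 1.16.7 / 1.15.15:", p)
	}
}
```

In practice feed it the real output of `go version -m` over the binaries on a host; a toolchain version is only half the picture, since a binary built with a fixed toolchain but never redeployed is still the old binary, so check the running processes rather than the build farm.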