Bug 2196027 (CVE-2023-24540)
Summary: | CVE-2023-24540 golang: html/template: improper handling of JavaScript whitespace | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Anten Skrabec <askrabec> |
Component: | vulnerability | Assignee: | Nobody <nobody> |
Status: | NEW --- | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | abishop, adudiak, amasferr, amctagga, ansmith, aoconnor, asm, ataylor, bbaude, bbuckingham, bcourt, bdettelb, bniver, bodavis, chazlett, cwelton, davidn, dbenoit, debarshir, desktop-qa-list, dfreiber, dhellmann, dkenigsb, dperaza, dsimansk, dwalsh, dymurray, eglynn, ehelms, ellin, emachado, epacific, fdeutsch, flucifre, gmeno, gparvin, grafana-maint, ibolton, jburrell, jcammara, jcantril, jchui, jhardy, jjoyce, jkoehler, jkurik, jligon, jmatthew, jmontleo, jneedle, jnovy, jobarker, jross, jsherril, jwendell, kshier, lball, lhh, lsm5, lzap, mabashia, matzew, mbenjamin, mboddu, mburns, mgarciac, mhackett, mheon, mhulan, mkudlej, mwringe, myarboro, nathans, nbecker, nboldt, njean, nmontero, nmoumoul, orabin, oramraz, osbuilders, owatkins, pahickey, pcreech, pehunt, pjindal, pthomas, rcernich, rchan, rhcos-sst, rhos-maint, rhuss, rjohnson, rkieley, rogbas, saroy, scorneli, sgott, shbose, simaishi, sipoyare, slucidi, smcdonal, smullick, sostapov, spower, sseago, stcannon, teagle, tfister, tjochec, tkral, trathi, tstellar, tsweeney, twalsh, umohnani, vereddy, vkumar, whayutin, yguenane, zsadeh |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | golang 1.19.9, golang 1.20.4 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in the Go html/template package: not all valid JavaScript whitespace characters were treated as whitespace when tracking the JavaScript context. As a result, templates that contain whitespace characters outside the set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain template actions may not be properly sanitized when the template is executed.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | Type: | --- | |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2196629, 2196630, 2203101, 2203102, 2203103, 2203104, 2203105, 2203106, 2203107, 2203108, 2203109, 2203110, 2203111, 2203112, 2203113, 2203114, 2203116, 2203117, 2203118, 2203119, 2203120, 2203121, 2203122, 2203123, 2203126, 2203127, 2203128, 2203129, 2203130, 2203260, 2203261, 2204471, 2204472, 2204473, 2204474, 2204475, 2204476, 2204477, 2207502, 2207503, 2207504, 2207505, 2207506, 2207507, 2207508, 2207509, 2207510, 2207511, 2207512, 2207513, 2207514, 2207515, 2207518, 2207519, 2207520, 2207521, 2207522, 2207523, 2207525, 2207526, 2208521, 2208523, 2208525, 2208539, 2208549, 2209068, 2221850, 2293106 | ||
Bug Blocks: | 2193514 |
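The Doc Text above names the exact whitespace set the escaper recognised before the fix and the fixed-in versions (golang 1.19.9 and 1.20.4). The following Go program is an added example written for this page, not code from the Go project or from Red Hat: it scans template source for characters that JavaScript treats as whitespace (ECMAScript WhiteSpace and LineTerminator: TAB, VT, FF, SP, NBSP, ZWNBSP, any Unicode Zs character, LF, CR, LS, PS) but that fall outside that pre-fix set, reporting only `<script>` regions that also contain an action, and it compares a toolchain version string against the fixed-in versions. The `<script>`-region detection, the `Finding` type and the `VersionIsFixed` helper are assumptions made for the example; the sample template is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"runtime"
	"strconv"
	"strings"
	"unicode"
)

// goSafeWhitespace is the set html/template treated as JavaScript
// whitespace before the CVE-2023-24540 fix, as quoted in the Doc Text.
const goSafeWhitespace = "\t\n\f\r\u0020\u2028\u2029"

// isJSWhitespace reports whether r is JavaScript whitespace or a line
// terminator per ECMAScript: TAB, VT, FF, SP, NBSP, ZWNBSP, any Zs
// character, plus LF, CR, LS (U+2028) and PS (U+2029).
func isJSWhitespace(r rune) bool {
	switch r {
	case '\t', '\v', '\f', ' ', '\u00a0', '\ufeff', '\n', '\r', '\u2028', '\u2029':
		return true
	}
	return unicode.Is(unicode.Zs, r)
}

// Finding is one JavaScript whitespace character the pre-fix escaper did
// not recognise, located inside a <script> region with a template action.
type Finding struct {
	Offset int  // byte offset in the template source
	Rune   rune // the offending character
}

// scriptRe is a deliberate simplification: it only finds <script> element
// bodies, not event-handler attributes or javascript: URLs (assumption).
var scriptRe = regexp.MustCompile(`(?is)<script\b[^>]*>(.*?)</script`)

// ScanTemplate returns every JS whitespace character outside
// goSafeWhitespace that sits in a <script> body containing "{{", the
// combination the advisory text describes.
func ScanTemplate(src string) []Finding {
	var out []Finding
	for _, m := range scriptRe.FindAllStringSubmatchIndex(src, -1) {
		start, end := m[2], m[3]
		body := src[start:end]
		if !strings.Contains(body, "{{") {
			continue // no action in this script block: not the reported pattern
		}
		for i, r := range body {
			if isJSWhitespace(r) && !strings.ContainsRune(goSafeWhitespace, r) {
				out = append(out, Finding{Offset: start + i, Rune: r})
			}
		}
	}
	return out
}

// VersionIsFixed reports whether a toolchain version string such as
// runtime.Version() ("go1.20.3") is at or above the fixed-in versions
// 1.19.9 / 1.20.4 (or any later minor). Strings it cannot parse, such as
// "devel ..." or "go1.21rc1", are conservatively reported as not fixed.
func VersionIsFixed(v string) bool {
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 {
		return false
	}
	nums := make([]int, 3)
	for i := 0; i < len(parts) && i < 3; i++ {
		n, err := strconv.Atoi(parts[i])
		if err != nil {
			return false
		}
		nums[i] = n
	}
	major, minor, patch := nums[0], nums[1], nums[2]
	switch {
	case major > 1 || (major == 1 && minor >= 21):
		return true
	case major == 1 && minor == 20:
		return patch >= 4
	case major == 1 && minor == 19:
		return patch >= 9
	}
	return false
}

func main() {
	// Constructed sample: a vertical tab (U+000B) precedes the action. VT is
	// JavaScript whitespace but is not in goSafeWhitespace.
	const sample = "<html><body><script>var x = \v{{.}}; var y = 1 / 2;</script></body></html>"
	for _, f := range ScanTemplate(sample) {
		fmt.Printf("offset %d: U+%04X is JS whitespace the pre-fix escaper ignored\n", f.Offset, f.Rune)
	}
	fmt.Println("running toolchain includes the fix:", VersionIsFixed(runtime.Version()))
}
```

A hit from `ScanTemplate` is a reason to look at the template, not proof of exploitability: the safe course is simply to build with a fixed toolchain, which `VersionIsFixed(runtime.Version())` confirms for the binary you are running.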
Description
Anten Skrabec
2023-05-07 16:35:35 UTC
Created golang tracking bugs for this issue:
Affects: epel-all [bug 2196629]
Affects: fedora-all [bug 2196630]

Anten, is there a link to the upstream report? It's not clear from the description here in bugzilla how to reproduce the problem, so I can't tell if MicroShift is actually affected.

References:
https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
Go issue: https://go.dev/issue/59721
Commits:
https://github.com/golang/go/commit/a32232cb18ed07496ec77c1cf2dcefa1cb0ac057 [Master]
https://github.com/golang/go/commit/ce7bd33345416e6d8cac901792060591cafc2797 [release-branch.go1.19]
https://github.com/golang/go/commit/4a28cad66655ee01c6e944271e23c33cab021765 [release-branch.go1.20]

This issue has been addressed in the following products: Red Hat Enterprise Linux 9
Via RHSA-2023:3318 https://access.redhat.com/errata/RHSA-2023:3318

This issue has been addressed in the following products: Red Hat Enterprise Linux 8
Via RHSA-2023:3319 https://access.redhat.com/errata/RHSA-2023:3319

This issue has been addressed in the following products: Red Hat Developer Tools
Via RHSA-2023:3323 https://access.redhat.com/errata/RHSA-2023:3323

This issue has been addressed in the following products: RHACS-3.73-RHEL-8
Via RHSA-2023:3379 https://access.redhat.com/errata/RHSA-2023:3379

This issue has been addressed in the following products: RHACS-4.0-RHEL-8
Via RHSA-2023:3415 https://access.redhat.com/errata/RHSA-2023:3415

This issue has been addressed in the following products: RHACS-3.74-RHEL-8
Via RHSA-2023:3435 https://access.redhat.com/errata/RHSA-2023:3435

This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2
Via RHSA-2023:3445 https://access.redhat.com/errata/RHSA-2023:3445

This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13
Via RHSA-2023:3367 https://access.redhat.com/errata/RHSA-2023:3367

This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13
Via RHSA-2023:3366 https://access.redhat.com/errata/RHSA-2023:3366

This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12
Via RHSA-2023:3410 https://access.redhat.com/errata/RHSA-2023:3410

This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12
Via RHSA-2023:3409 https://access.redhat.com/errata/RHSA-2023:3409

This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12
Via RHSA-2023:3545 https://access.redhat.com/errata/RHSA-2023:3545

This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.7
Via RHSA-2023:3624 https://access.redhat.com/errata/RHSA-2023:3624

This issue has been addressed in the following products: Red Hat OpenShift Service Mesh 2.4 for RHEL 8
Via RHSA-2023:3644 https://access.redhat.com/errata/RHSA-2023:3644

This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13
Via RHSA-2023:3612 https://access.redhat.com/errata/RHSA-2023:3612

This issue has been addressed in the following products: NETWORK-OBSERVABILITY-1.3.0-RHEL-9
Via RHSA-2023:3905 https://access.redhat.com/errata/RHSA-2023:3905

This issue has been addressed in the following products: OADP-1.1-RHEL-8
Via RHSA-2023:3918 https://access.redhat.com/errata/RHSA-2023:3918

This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.11
Via RHSA-2023:3915 https://access.redhat.com/errata/RHSA-2023:3915

This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.10
Via RHSA-2023:3911 https://access.redhat.com/errata/RHSA-2023:3911

This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.11
Via RHSA-2023:3914 https://access.redhat.com/errata/RHSA-2023:3914

This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.10
Via RHSA-2023:3910 https://access.redhat.com/errata/RHSA-2023:3910

Were the bugs for this CVE created correctly? I got RHEL 8 bugs for toolbox for both the rolling (bug 2207514) and 4.0 (bug 2207509) module streams, but none for RHEL 9. In comparison, I found a RHEL 8 podman bug for the 4.0 module stream (bug 2207507) and one for RHEL 9 (bug 2207522). I also found a RHEL 9 bug for golang (bug 2204477). So it seems like RHEL 9 is affected, but then why is there no RHEL 9 toolbox bug? There's no difference in toolbox across RHEL 8 and 9 that could be relevant to this CVE.

@trathi: see comment #45 above about RHEL affects

This issue has been addressed in the following products: OADP-1.0-RHEL-8
Via RHSA-2023:4289 https://access.redhat.com/errata/RHSA-2023:4289

This issue has been addressed in the following products: RHEL-8-CNV-4.12, RHEL-7-CNV-4.12
Via RHSA-2023:4420 https://access.redhat.com/errata/RHSA-2023:4420

This issue has been addressed in the following products: RHEL-8-CNV-4.12
Via RHSA-2023:4421 https://access.redhat.com/errata/RHSA-2023:4421

This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.3 for RHEL 8
Via RHSA-2023:4470 https://access.redhat.com/errata/RHSA-2023:4470

This issue has been addressed in the following products: CERT-MANAGER-1.10-RHEL-9
Via RHSA-2023:4335 https://access.redhat.com/errata/RHSA-2023:4335

This issue has been addressed in the following products: MTA-6.2-RHEL-9, MTA-6.2-RHEL-8
Via RHSA-2023:4627 https://access.redhat.com/errata/RHSA-2023:4627

This issue has been addressed in the following products: RHEL-9-CNV-4.13
Via RHSA-2023:4664 https://access.redhat.com/errata/RHSA-2023:4664

This issue has been addressed in the following products: RHODF-4.13-RHEL-9
Via RHSA-2023:5376 https://access.redhat.com/errata/RHSA-2023:5376

This issue has been addressed in the following products: multicluster engine for Kubernetes 2.3 for RHEL 8
Via RHSA-2023:5421 https://access.redhat.com/errata/RHSA-2023:5421

This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.8 for RHEL 8
Via RHSA-2023:5442 https://access.redhat.com/errata/RHSA-2023:5442

This issue has been addressed in the following products: RODOO-1.0-RHEL-8
Via RHSA-2023:5947 https://access.redhat.com/errata/RHSA-2023:5947

This issue has been addressed in the following products: Red Hat Enterprise Linux 9
Via RHSA-2023:6346 https://access.redhat.com/errata/RHSA-2023:6346

This issue has been addressed in the following products: Red Hat Enterprise Linux 9
Via RHSA-2023:6363 https://access.redhat.com/errata/RHSA-2023:6363

This issue has been addressed in the following products: Red Hat Enterprise Linux 9
Via RHSA-2023:6402 https://access.redhat.com/errata/RHSA-2023:6402

This issue has been addressed in the following products: Red Hat Enterprise Linux 9
Via RHSA-2023:6473 https://access.redhat.com/errata/RHSA-2023:6473

This issue has been addressed in the following products: Red Hat Enterprise Linux 9
Via RHSA-2023:6474 https://access.redhat.com/errata/RHSA-2023:6474

This issue has been addressed in the following products: Red Hat Enterprise Linux 8
Via RHSA-2023:6938 https://access.redhat.com/errata/RHSA-2023:6938

This issue has been addressed in the following products: Red Hat Enterprise Linux 8
Via RHSA-2023:6939 https://access.redhat.com/errata/RHSA-2023:6939

This issue has been addressed in the following products: RHEL-8 based Middleware Containers
Via RHSA-2024:2944 https://access.redhat.com/errata/RHSA-2024:2944

This issue has been addressed in the following products: Red Hat Ceph Storage 5.3
Via RHSA-2024:4119 https://access.redhat.com/errata/RHSA-2024:4119