Bug 2237778 (CVE-2023-39322)
| Summary: | CVE-2023-39322 golang: crypto/tls: lack of a limit on buffered post-handshake | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Patrick Del Bello <pdelbell> |
| Component: | vulnerability | Assignee: | Sayan Biswas <sabiswas> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aazores, abishop, adudiak, aileenc, amasferr, amctagga, ansmith, aoconnor, apjagtap, asatyam, askrabec, aveerama, bbuckingham, bcourt, bdettelb, bniver, bodavis, chazlett, davidn, dbenoit, dcadzow, dfreiber, diagrawa, dkenigsb, dperaza, dsimansk, dymurray, eaguilar, ebaron, eglynn, ehelms, emachado, epacific, eric.wittmann, fdeutsch, flucifre, gmeno, gparvin, ibolton, jaharrin, janstey, jburrell, jcammara, jcantril, jchui, jeder, jhardy, jjoyce, jkang, jkoehler, jmatthew, jmontleo, jneedle, jobarker, jpallich, jschluet, jsherril, jwendell, kaycoth, kshier, lball, lhh, lmadsen, lzap, mabashia, matzew, mbenjamin, mburns, mcressma, mgarciac, mhackett, mhulan, mkudlej, mmagr, mnewsome, mrajanna, mrunge, mwringe, njean, nmoumoul, nobody, odf-bz-bot, orabin, oramraz, osapryki, owatkins, pahickey, pantinor, pcreech, peholase, periklis, pgrist, pjindal, rcernich, rchan, rhos-maint, rhuss, rjohnson, rogbas, saroy, sdawley, sfroberg, sgott, shbose, simaishi, sipoyare, skontopo, slucidi, smcdonal, smullick, sostapov, sseago, stcannon, teagle, tfister, tjochec, twalsh, ubhargav, vereddy, vkumar, whayutin, yguenane, zsadeh |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | golang 1.20.8, golang 1.21.1 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in Golang. QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With the fix, connections now consistently reject messages larger than 65KiB in size.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2238077, 2238078, 2238079, 2238080, 2238084, 2238085, 2238086, 2238064, 2238065, 2238066, 2238067, 2238068, 2238069, 2238070, 2238071, 2238072, 2238073, 2238074, 2238075, 2238076, 2238081, 2238082, 2238083, 2238088, 2238089, 2238090, 2238091, 2238092, 2238093, 2238094, 2238095, 2238811, 2238812, 2280689 | ||
| Bug Blocks: | 2237770 | ||
|
Description
Patrick Del Bello
2023-09-06 20:24:39 UTC
Created golang tracking bugs for this issue: Affects: epel-all [bug 2238811] Affects: fedora-all [bug 2238812] This issue has been addressed in the following products: NETWORK-OBSERVABILITY-1.4.0-RHEL-9 Via RHSA-2023:5974 https://access.redhat.com/errata/RHSA-2023:5974 This issue has been addressed in the following products: Cryostat 2 on RHEL 8 Via RHSA-2023:6031 https://access.redhat.com/errata/RHSA-2023:6031 This issue has been addressed in the following products: Red Hat Openshift distributed tracing 2.9 Via RHSA-2023:6085 https://access.redhat.com/errata/RHSA-2023:6085 This issue has been addressed in the following products: OADP-1.1-RHEL-8 Via RHSA-2023:6115 https://access.redhat.com/errata/RHSA-2023:6115 This issue has been addressed in the following products: multicluster engine for Kubernetes 2.3 for RHEL 8 Via RHSA-2023:6119 https://access.redhat.com/errata/RHSA-2023:6119 This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.8 for RHEL 8 Via RHSA-2023:6122 https://access.redhat.com/errata/RHSA-2023:6122 This issue has been addressed in the following products: RODOO-1.0-RHEL-8 Via RHSA-2023:5947 https://access.redhat.com/errata/RHSA-2023:5947 This issue has been addressed in the following products: multicluster engine for Kubernetes 2.2 for RHEL 8 Via RHSA-2023:6145 https://access.redhat.com/errata/RHSA-2023:6145 This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8 Via RHSA-2023:6148 https://access.redhat.com/errata/RHSA-2023:6148 This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.7 Via RHSA-2023:6161 https://access.redhat.com/errata/RHSA-2023:6161 This issue has been addressed in the following products: multicluster engine for Kubernetes 2.1 for RHEL 8 Via RHSA-2023:6200 https://access.redhat.com/errata/RHSA-2023:6200 This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8 Via RHSA-2023:6202 https://access.redhat.com/errata/RHSA-2023:6202 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2023:5009 https://access.redhat.com/errata/RHSA-2023:5009 This issue has been addressed in the following products: OSSO-1.2-RHEL-8 Via RHSA-2023:6154 https://access.redhat.com/errata/RHSA-2023:6154 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2023:6840 https://access.redhat.com/errata/RHSA-2023:6840 This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.4 for RHEL 8 Red Hat Ansible Automation Platform 2.4 for RHEL 9 Via RHSA-2023:7517 https://access.redhat.com/errata/RHSA-2023:7517 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:7762 https://access.redhat.com/errata/RHSA-2023:7762 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:7764 https://access.redhat.com/errata/RHSA-2023:7764 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:7765 https://access.redhat.com/errata/RHSA-2023:7765 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:7763 https://access.redhat.com/errata/RHSA-2023:7763 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:7766 https://access.redhat.com/errata/RHSA-2023:7766 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:0121 https://access.redhat.com/errata/RHSA-2024:0121 This issue has been addressed in the following products: Service Interconnect 1 for RHEL 9 Via RHSA-2024:1901 https://access.redhat.com/errata/RHSA-2024:1901 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:2988 https://access.redhat.com/errata/RHSA-2024:2988 This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2024:3352 https://access.redhat.com/errata/RHSA-2024:3352 This issue has been addressed in the following products: Red Hat OpenStack Platform 16.1 Via RHSA-2024:3467 https://access.redhat.com/errata/RHSA-2024:3467 |