Bug 2253323 (CVE-2023-45285)

Summary: CVE-2023-45285 golang: cmd/go: Protocol Fallback when fetching modules
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: bodavis, dbenoit, dfreiber, dkenigsb, drow, emachado, fdeutsch, ganandan, gsuckevi, jburrell, jwendell, mnewsome, oramraz, rcernich, sipoyare, smullick, twalsh, vkumar
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: golang 1.20.12, golang 1.21.0-0, golang 1.21.5
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Golang package cmd/go. This issue permits a fall back to the insecure "git://" protocol when fetching a module whose path ends in ".git" and which is not available over "https://" or "git+ssh://".
Bug Depends On: 2253324, 2253325, 2253326, 2253327, 2253347
Bug Blocks: 2253319

Description Patrick Del Bello 2023-12-06 20:25:43 UTC
Using go get to fetch a module with the ".git" suffix may unexpectedly fall back to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).

https://go.dev/cl/540257
https://go.dev/issue/63845
https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
https://pkg.go.dev/vuln/GO-2023-2383
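As an added example, not part of this bug record or of the Go project's code: a POSIX shell audit of the two preconditions the report names, an unfixed toolchain and module fetching that does not go through a proxy. The fixed releases come from the Fixed In Version field above; treating a bare GOPROXY=direct like the report's GOPROXY=off, and the verdict wording, are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the Bugzilla record or the Go project: audit a
# build host for the two preconditions the report names, an unfixed toolchain
# and non-proxied module fetching. Fixed releases per the bug: go1.20.12 and
# go1.21.5; everything earlier on those lines, and every earlier line, counts.

# Return 0 when the version is affected, 1 when fixed, 2 when unparseable.
# Accepts a full "go version" line or a bare token such as "go1.21.3".
go_version_affected() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*go\([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] || return 2
    major=${v%%.*}; rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0              # "go1" without a minor number
    minor=${rest%%.*}
    case "$rest" in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    patch=${patch%%.*}                        # drop anything after x.y.z
    [ -n "$minor" ] || minor=0; [ -n "$patch" ] || patch=0
    [ "$major" -eq 1 ] || return 1
    [ "$minor" -lt 20 ] && return 0
    [ "$minor" -eq 20 ] && [ "$patch" -lt 12 ] && return 0
    [ "$minor" -eq 21 ] && [ "$patch" -lt 5 ] && return 0
    return 1
}

# Return 0 when GOPROXY bypasses every module proxy so "go get" contacts the
# VCS itself. The report names "off"; a bare "direct" also skips the proxy.
# Proxy lists such as "https://proxy.golang.org,direct" count as proxied here.
goproxy_bypasses_proxy() {
    case "$1" in off|direct) return 0 ;; *) return 1 ;; esac
}

# Print a one-line verdict for a version string and a GOPROXY value.
# Exit status: 0 affected, 1 fixed or proxied, 2 unknown. Messages are ours.
cve_2023_45285_verdict() {
    rc=0
    go_version_affected "$1" || rc=$?
    case $rc in
        2) echo "UNKNOWN: cannot parse a Go version from '$1'"; return 2 ;;
        1) echo "NOT AFFECTED: toolchain already carries the fix"; return 1 ;;
    esac
    if goproxy_bypasses_proxy "$2"; then
        echo "AFFECTED: unfixed toolchain fetches modules directly (GOPROXY=$2)"
        return 0
    fi
    echo "AT RISK: unfixed toolchain, but fetches go through a proxy (GOPROXY=$2)"
    return 1
}

# On a build host:  cve_2023_45285_verdict "$(go version)" "$(go env GOPROXY)"
```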

Comment 1 Patrick Del Bello 2023-12-06 20:26:08 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2253324]
Affects: fedora-all [bug 2253325]

Comment 3 errata-xmlrpc 2024-02-20 12:30:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0887 https://access.redhat.com/errata/RHSA-2024:0887

Comment 4 errata-xmlrpc 2024-02-27 20:49:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7198 https://access.redhat.com/errata/RHSA-2023:7198

Comment 7 errata-xmlrpc 2024-02-29 09:03:54 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2024:1041 https://access.redhat.com/errata/RHSA-2024:1041

Comment 8 errata-xmlrpc 2024-03-05 18:11:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1131 https://access.redhat.com/errata/RHSA-2024:1131