Bug 2268017 (CVE-2023-45290)
| Summary: | CVE-2023-45290 golang: net/http: golang: mime/multipart: golang: net/textproto: memory exhaustion in Request.ParseMultipartForm | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Robb Gatica <rgatica> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aazores, abishop, adudiak, akostadi, amasferr, amctagga, anjoseph, ansmith, aoconnor, asatyam, bdettelb, bniver, bodavis, brking, cbartlet, chazlett, danken, dbenoit, dfreiber, dhanak, dholler, diagrawa, dkenigsb, dmayorov, doconnor, dperaza, drow, dsimansk, dymurray, eaguilar, ebaron, eglynn, emachado, epacific, fdeutsch, flucifre, ganandan, gkamathe, gmeno, gparvin, gsuckevi, haoli, hkataria, ibolton, jaharrin, jburrell, jcammara, jcantril, jchui, jeder, jhardy, jjoyce, jkang, jlledo, jmatthew, jmitchel, jmontleo, jneedle, jobarker, joelsmith, jpallich, jprabhak, jschluet, kaycoth, kholdawa, kingland, kshier, kverlaen, lbainbri, lchilton, lhh, lmadsen, lsvaty, mabashia, matzew, mbenjamin, mbocek, mburns, mgarciac, mhackett, mjaros, mkudlej, mmagr, mmakovy, mnewsome, mnovotny, mrajanna, mrunge, mwringe, njean, nobody, odf-bz-bot, omaciel, oramraz, owatkins, pahickey, pbraun, peholase, pgaikwad, pgrist, phoracek, pierdipi, pjindal, rguimara, rhaigner, rhos-maint, rhuss, rjohnson, sabiswas, sakbas, saroy, sdawley, sfeifer, sfroberg, shbose, sidakwo, simaishi, sipoyare, slucidi, smcdonal, smullick, sostapov, sseago, stcannon, stirabos, teagle, tfister, thavo, tjochec, vereddy, vimartin, vkumar, whayutin, wtam, yguenane, zsadeh |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | go 1.21.8, go 1.22.1 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was discovered in Go's net/http standard library package. When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2349082, 2268238, 2268239, 2268240, 2276382, 2276383, 2276384, 2276385, 2276386, 2276387, 2276388, 2276389, 2276390, 2276391, 2276392, 2276621, 2280889, 2292176, 2292177 | ||
| Bug Blocks: | 2268016 | ||
|
Description
Robb Gatica
2024-03-06 01:50:13 UTC
Created golang tracking bugs for this issue: Affects: epel-all [bug 2268239] Affects: fedora-all [bug 2268238] This issue has been addressed in the following products: Cryostat 2 on RHEL 8 Via RHSA-2024:2088 https://access.redhat.com/errata/RHSA-2024:2088 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2562 https://access.redhat.com/errata/RHSA-2024:2562 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2724 https://access.redhat.com/errata/RHSA-2024:2724 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:3259 https://access.redhat.com/errata/RHSA-2024:3259 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:3346 https://access.redhat.com/errata/RHSA-2024:3346 This issue has been addressed in the following products: Red Hat Openshift distributed tracing 3.2 Via RHSA-2024:3621 https://access.redhat.com/errata/RHSA-2024:3621 This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.4 for RHEL 9 Red Hat Ansible Automation Platform 2.4 for RHEL 8 Via RHSA-2024:3781 https://access.redhat.com/errata/RHSA-2024:3781 This issue has been addressed in the following products: OADP-1.3-RHEL-9 Via RHSA-2024:3790 https://access.redhat.com/errata/RHSA-2024:3790 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:3826 https://access.redhat.com/errata/RHSA-2024:3826 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:3827 https://access.redhat.com/errata/RHSA-2024:3827 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:3830 https://access.redhat.com/errata/RHSA-2024:3830 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:3831 https://access.redhat.com/errata/RHSA-2024:3831 This issue has been addressed in the following products: NETWORK-OBSERVABILITY-1.6.0-RHEL-9 Via RHSA-2024:3868 https://access.redhat.com/errata/RHSA-2024:3868 This issue has been addressed in the following products: Openshift Serverless 1 on RHEL 8 Via RHSA-2024:4023 https://access.redhat.com/errata/RHSA-2024:4023 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.16 Via RHSA-2024:0045 https://access.redhat.com/errata/RHSA-2024:0045 This issue has been addressed in the following products: RODOO-1.1-RHEL-9 Via RHSA-2024:1616 https://access.redhat.com/errata/RHSA-2024:1616 This issue has been addressed in the following products: OSSO-1.3-RHEL-9 Via RHSA-2024:3637 https://access.redhat.com/errata/RHSA-2024:3637 This issue has been addressed in the following products: KDO-5.0-RHEL-9 Via RHSA-2024:3617 https://access.redhat.com/errata/RHSA-2024:3617 This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.7 Via RHSA-2024:4520 https://access.redhat.com/errata/RHSA-2024:4520 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extended Lifecycle Support Via RHSA-2024:4893 https://access.redhat.com/errata/RHSA-2024:4893 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:5075 https://access.redhat.com/errata/RHSA-2024:5075 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:5077 https://access.redhat.com/errata/RHSA-2024:5077 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:5258 https://access.redhat.com/errata/RHSA-2024:5258 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2024:5202 https://access.redhat.com/errata/RHSA-2024:5202 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2024:5433 https://access.redhat.com/errata/RHSA-2024:5433 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.15 Via RHSA-2024:5439 https://access.redhat.com/errata/RHSA-2024:5439 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2024:5444 https://access.redhat.com/errata/RHSA-2024:5444 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2024:5436 https://access.redhat.com/errata/RHSA-2024:5436 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.15 Via RHSA-2024:5442 https://access.redhat.com/errata/RHSA-2024:5442 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Ironic content for Red Hat OpenShift Container Platform 4.13 Via RHSA-2024:5446 https://access.redhat.com/errata/RHSA-2024:5446 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2024:5808 https://access.redhat.com/errata/RHSA-2024:5808 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Ironic content for Red Hat OpenShift Container Platform 4.12 Via RHSA-2024:5810 https://access.redhat.com/errata/RHSA-2024:5810 This issue has been addressed in the following products: OPENSHIFT-BUILDS-1.1-RHEL-8 Via RHSA-2024:6221 https://access.redhat.com/errata/RHSA-2024:6221 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:6969 https://access.redhat.com/errata/RHSA-2024:6969 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.16 Via RHSA-2024:7174 https://access.redhat.com/errata/RHSA-2024:7174 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:8038 https://access.redhat.com/errata/RHSA-2024:8038 This issue has been addressed in the following products: RODOO-1.2-RHEL-9 Via RHSA-2024:7548 https://access.redhat.com/errata/RHSA-2024:7548 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.17 Via RHSA-2024:7922 https://access.redhat.com/errata/RHSA-2024:7922 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:9135 https://access.redhat.com/errata/RHSA-2024:9135 This issue has been addressed in the following products: Red Hat OpenStack Services on OpenShift PODIFIED 1.0 Via RHSA-2024:9485 https://access.redhat.com/errata/RHSA-2024:9485 |