Bug 2292787 (CVE-2024-24790)
| Summary: | CVE-2024-24790 golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marco Benatto <mbenatto> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aazores, abarbaro, abishop, adudiak, akostadi, alcohan, amasferr, amctagga, anjoseph, ansmith, anthomas, aoconnor, apevec, asatyam, bbuckingham, bniver, bodavis, brking, cbartlet, chazlett, chfoley, cmah, crizzo, danken, dbenoit, dfreiber, dhanak, dholler, diagrawa, dkenigsb, dmayorov, dnakabaa, dperaza, drosa, drow, dsimansk, dymurray, eaguilar, ebaron, eglynn, ehelms, emachado, epacific, fdeutsch, flucifre, ganandan, ggainey, gkamathe, gmeno, gparvin, haoli, hkataria, ibolton, jaharrin, jajackso, jburrell, jcammara, jcantril, jchui, jeder, jforrest, jhardy, jhe, jjoyce, jkang, jkoehler, jlledo, jmatthew, jmitchel, jmontleo, jneedle, jobarker, jolong, jpallich, jprabhak, jschluet, jscholz, juwatts, kaycoth, kegrant, kholdawa, kingland, koliveir, kshier, ktsao, kverlaen, lbainbri, lchilton, lcouzens, lgamliel, lhh, lphiri, lsvaty, mabashia, manissin, matzew, mbenjamin, mbocek, mburns, mgarciac, mhackett, mhulan, mmagr, mmakovy, mnewsome, mnovotny, mrajanna, mrunge, mskarbek, mwringe, nboldt, njean, nmoumoul, nobody, odf-bz-bot, omaciel, oramraz, osousa, owatkins, pahickey, pbraun, pcreech, peholase, pgaikwad, pgrist, phoracek, pierdipi, pjindal, psrna, rchan, rfreiman, rgarg, rguimara, rhaigner, rhos-maint, rhuss, rjohnson, rojacob, rtaniwa, sabiswas, sakbas, saroy, sausingh, sdawley, sfeifer, sfroberg, shvarugh, simaishi, sipoyare, slucidi, smallamp, smcdonal, smullick, sostapov, spandura, sseago, stcannon, stirabos, swoodman, teagle, tfister, thason, thavo, tjochec, tkral, tsweeney, vereddy, vimartin, vkumar, whayutin, wtam, yguenane, zsadeh |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | golang 1.22.4, golang 1.21.11 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in the Go standard library package net/netip. The Is*() methods of netip.Addr (IsPrivate(), IsLoopback(), etc.) did not behave as expected for IPv4-mapped IPv6 addresses (::ffff:a.b.c.d), returning false for addresses whose plain IPv4 form would return true. When these methods are used to control access to resources or data, for example to refuse requests aimed at loopback or private addresses, the unexpected result can lead to integrity and confidentiality issues. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2292918, 2292919, 2292929, 2292931, 2292932, 2292933, 2292934, 2292935, 2292936, 2292937, 2292938, 2292939, 2292940, 2292941, 2292960, 2292963, 2292964, 2292965, 2292966, 2292967, 2292969, 2295971, 2349925, 2351367, 2351368, 2351370, 2351371 | ||
| Bug Blocks: | 2292754 | ||
Description
Marco Benatto
2024-06-17 22:04:09 UTC
Created golang tracking bugs for this issue:
Affects: epel-all [bug 2292918]
Affects: fedora-all [bug 2292919]

This looks like it will be fixed in the next version of Golang 1.22 and 1.21. I believe that will be Go 1.22.5 and 1.21.12. Can someone from ProdSec or the Go team verify this, please, and add a "Fixed in Version" to this BZ?

This issue has been addressed in the following products:

- Red Hat Enterprise Linux 9 via RHSA-2024:4212 https://access.redhat.com/errata/RHSA-2024:4212
- Red Hat Enterprise Linux 8 via RHSA-2024:4237 https://access.redhat.com/errata/RHSA-2024:4237
- Cryostat 3 on RHEL 8 via RHSA-2024:4697 https://access.redhat.com/errata/RHSA-2024:4697
- Red Hat OpenShift Container Platform 4.16 via RHSA-2024:4613 https://access.redhat.com/errata/RHSA-2024:4613
- RHOSS-1.33-RHEL-8 via RHSA-2024:4872 https://access.redhat.com/errata/RHSA-2024:4872
- Red Hat Enterprise Linux 7 Extended Lifecycle Support via RHSA-2024:4893 https://access.redhat.com/errata/RHSA-2024:4893
- OADP-1.3-RHEL-9 via RHSA-2024:4982 https://access.redhat.com/errata/RHSA-2024:4982
- NETWORK-OBSERVABILITY-1.6.0-RHEL-9 via RHSA-2024:4785 https://access.redhat.com/errata/RHSA-2024:4785
- Red Hat Enterprise Linux 9.2 Extended Update Support via RHSA-2024:5075 https://access.redhat.com/errata/RHSA-2024:5075
- Red Hat Enterprise Linux 8.8 Extended Update Support via RHSA-2024:5077 https://access.redhat.com/errata/RHSA-2024:5077
- Red Hat Enterprise Linux 8 via RHSA-2024:5291 https://access.redhat.com/errata/RHSA-2024:5291
- Red Hat OpenShift Container Platform 4.12 via RHSA-2024:5202 https://access.redhat.com/errata/RHSA-2024:5202
- RHODF-4.16-RHEL-9 via RHSA-2024:5547 https://access.redhat.com/errata/RHSA-2024:5547
- Red Hat OpenShift Container Platform 4.14 via RHSA-2024:5433 https://access.redhat.com/errata/RHSA-2024:5433
- Red Hat OpenShift Container Platform 4.15 via RHSA-2024:5439 https://access.redhat.com/errata/RHSA-2024:5439
- Red Hat OpenShift Container Platform 4.13 via RHSA-2024:5444 https://access.redhat.com/errata/RHSA-2024:5444
- Red Hat OpenShift Container Platform 4.14 via RHSA-2024:5436 https://access.redhat.com/errata/RHSA-2024:5436
- Red Hat OpenShift Container Platform 4.15 via RHSA-2024:5442 https://access.redhat.com/errata/RHSA-2024:5442
- Red Hat OpenShift Container Platform 4.13 (Ironic content for Red Hat OpenShift Container Platform 4.13) via RHSA-2024:5446 https://access.redhat.com/errata/RHSA-2024:5446
- Red Hat OpenShift Container Platform 4.12 via RHSA-2024:5808 https://access.redhat.com/errata/RHSA-2024:5808
- Cost Management for RHEL 8 via RHSA-2024:6462 https://access.redhat.com/errata/RHSA-2024:6462
- Red Hat Ansible Automation Platform 2.4 for RHEL 9 and Red Hat Ansible Automation Platform 2.4 for RHEL 8 via RHSA-2024:6765 https://access.redhat.com/errata/RHSA-2024:6765
- Red Hat OpenShift Container Platform 4.16 via RHSA-2024:7174 https://access.redhat.com/errata/RHSA-2024:7174
- Red Hat Satellite 6.15 for RHEL 8 via RHSA-2024:7987 https://access.redhat.com/errata/RHSA-2024:7987
- KDO-5.1-RHEL-9 via RHSA-2024:6341 https://access.redhat.com/errata/RHSA-2024:6341
- Red Hat OpenShift Container Platform 4.16 via RHSA-2024:8418 https://access.redhat.com/errata/RHSA-2024:8418
- Red Hat Enterprise Linux 8 via RHSA-2024:8876 https://access.redhat.com/errata/RHSA-2024:8876
- Red Hat Enterprise Linux 9 via RHSA-2024:9115 https://access.redhat.com/errata/RHSA-2024:9115
- Red Hat Advanced Cluster Security 4.4 via RHSA-2024:9583 https://access.redhat.com/errata/RHSA-2024:9583
- Red Hat Advanced Cluster Security 4.5 via RHSA-2024:10186 https://access.redhat.com/errata/RHSA-2024:10186
- Red Hat Advanced Cluster Security 4.6 via RHSA-2024:10775 https://access.redhat.com/errata/RHSA-2024:10775
- Red Hat Migration Toolkit for Containers 1.8 via RHSA-2024:10906 https://access.redhat.com/errata/RHSA-2024:10906
- Red Hat Enterprise Linux 9 via RHSA-2025:7256 https://access.redhat.com/errata/RHSA-2025:7256
- Red Hat Ceph Storage 8.1 via RHSA-2025:9775 https://access.redhat.com/errata/RHSA-2025:9775
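The Doc Text above describes the failure mode abstractly: an access-control decision based on netip.Addr's Is*() methods that is silently wrong when the caller hands in the IPv4-mapped IPv6 form of an address. The Go program below is an added example written for this page, not code from the Go project or from any Red Hat product. It shows the hardening a practitioner should apply regardless of Go version: call Unmap() before classifying the address, so that both the Is*() methods and any netip.Prefix.Contains() comparison operate on the 4-byte address. The sample addresses, the internalPrefixes list and the function names (naiveIsInternal, hardenedIsInternal, inInternalPrefixes, CheckTarget) are constructed for illustration. Note that the Prefix.Contains() behaviour shown alongside is documented behaviour of net/netip on every Go version (an IPv4 prefix never matches a 16-byte IPv4-mapped address), not part of this CVE; it is included because the same Unmap() step fixes both.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Constructed sample inputs: hosts in the IPv4 form a deny rule is usually
// written for, and the same hosts as IPv4-mapped IPv6 addresses
// (::ffff:a.b.c.d), which is how a dual-stack listener or an
// attacker-controlled string may present them.
var sampleAddrs = []string{
	"10.1.2.3", "::ffff:10.1.2.3",
	"127.0.0.1", "::ffff:127.0.0.1",
	"169.254.169.254", "::ffff:169.254.169.254",
	"8.8.8.8", "::ffff:8.8.8.8",
}

// Hypothetical internal ranges an outbound-request (SSRF) filter protects.
// The IPv4 entries are written in IPv4 form, as operators normally do.
var internalPrefixes = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"),
	netip.MustParsePrefix("169.254.0.0/16"), // link-local, incl. cloud metadata endpoints
	netip.MustParsePrefix("fc00::/7"),
}

// inInternalPrefixes is a pure prefix check. netip.Prefix.Contains returns
// false whenever the prefix and the address have different bit lengths, so
// a 16-byte IPv4-mapped address never matches an IPv4 prefix (documented
// behaviour, on every Go version).
func inInternalPrefixes(addr netip.Addr) bool {
	for _, p := range internalPrefixes {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// naiveIsInternal classifies the address exactly as parsed. On Go before
// 1.22.4 / 1.21.11 the Is* methods returned false for the IPv4-mapped forms
// of loopback, private and link-local addresses (CVE-2024-24790), and the
// prefix check below misses them on every version.
func naiveIsInternal(addr netip.Addr) bool {
	if addr.IsLoopback() || addr.IsPrivate() || addr.IsLinkLocalUnicast() || addr.IsUnspecified() {
		return true
	}
	return inInternalPrefixes(addr)
}

// hardenedIsInternal strips the IPv4-mapped wrapper first. Unmap is a no-op
// for plain IPv4 and for non-mapped IPv6, so it is safe to apply
// unconditionally.
func hardenedIsInternal(addr netip.Addr) bool {
	return naiveIsInternal(addr.Unmap())
}

// CheckTarget parses an untrusted host string and reports whether the
// hardened check would refuse it. Unparsable input is an error, which a
// caller should treat as a refusal rather than a pass.
func CheckTarget(s string) (bool, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return false, err
	}
	return hardenedIsInternal(addr), nil
}

func main() {
	for _, s := range sampleAddrs {
		addr := netip.MustParseAddr(s)
		fmt.Printf("%-24s mapped=%-5v naive=%-5v hardened=%v\n",
			s, addr.Is4In6(), naiveIsInternal(addr), hardenedIsInternal(addr))
	}
}
```

Run it on an unpatched toolchain and the naive and hardened columns disagree for the ::ffff: rows; on a patched toolchain the Is*() results agree but the prefix-only path still needs the Unmap(). The practical rule is to normalise with Unmap() at the trust boundary, immediately after parsing, and to let every downstream check see the normalised value.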