Go before 1.13.15 and 1.14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.

References:
https://groups.google.com/forum/#!topic/golang-announce/_ulYYcIWg3Q
https://groups.google.com/forum/#!topic/golang-announce/NyPIaucMgXo
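As an added illustration of the defect described above (example code, not from the Go project or this bug report), the decoder below carries the pre-fix loop shape and the upstream cap side by side, driven by a constructed io.ByteReader that only ever emits continuation bytes; readUvarint, continuationStream and the capped flag are this example's own names.

```go
package main

import (
	"errors"
	"io"
)

// MaxVarintLen64 mirrors the encoding/binary constant: a uint64 fits in 10 varint bytes.
const MaxVarintLen64 = 10

var errOverflow = errors.New("varint overflows a 64-bit integer")

// readUvarint decodes an unsigned LEB128 varint. With capped=false it has the
// pre-fix loop shape: every byte with the continuation bit (0x80) set pulls in
// another byte, so a stream that never yields a terminator spins until the reader
// itself fails. With capped=true it applies the upstream fix: stop after
// MaxVarintLen64 bytes and report overflow instead.
func readUvarint(r io.ByteReader, capped bool) (uint64, error) {
	var x uint64
	var s uint
	for i := 0; !capped || i < MaxVarintLen64; i++ {
		b, err := r.ReadByte()
		if err != nil {
			return x, err
		}
		if b < 0x80 {
			// Terminating byte: a 10th byte above 1 would exceed 64 bits.
			if i > MaxVarintLen64-1 || i == MaxVarintLen64-1 && b > 1 {
				return x, errOverflow
			}
			return x | uint64(b)<<s, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
	return x, errOverflow
}

// continuationStream is a constructed io.ByteReader that answers every call
// with 0x80 ("more follows") and never a terminator. limit is a demo-only
// safety valve so the uncapped loop eventually stops; a real stream has none.
type continuationStream struct{ reads, limit int }

func (c *continuationStream) ReadByte() (byte, error) {
	if c.reads >= c.limit {
		return 0, io.ErrUnexpectedEOF
	}
	c.reads++
	return 0x80, nil
}
```

Against the same hostile stream the uncapped decoder consumes every byte the reader is willing to hand out, while the capped one returns errOverflow after exactly MaxVarintLen64 bytes and still decodes valid input normally.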
Created golang tracking bugs for this issue: Affects: epel-all [bug 1867100] Affects: fedora-all [bug 1867101]
External References: https://groups.google.com/g/golang-announce/c/NyPIaucMgXo
upstream patch: https://go.googlesource.com/go/+/027d7241ce050d197e7fabea3d541ffbe3487258%5E%21/
golang-github-ulikunitz-xz is also affected, and the fix is included in 0.5.8.
FEDORA-2020-e384830a0d has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2020-deff052e7a has been pushed to the Fedora 31 stable repository. If problem still persists, please make note of it in this bug report.
Statement: OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM), Red Hat OpenShift Jaeger (RHOSJ) and OpenShift Virtualization components are primarily written in Go, meaning that any component using the encoding/binary package includes the vulnerable code. The affected components are behind OpenShift OAuth authentication, therefore the impact is low. Red Hat Gluster Storage 3, Red Hat OpenShift Container Storage 4 and Red Hat Ceph Storage (3 and 4) components are built with the affected version of Go; however, the vulnerable functionality is currently not used by these products and hence this issue has been rated as having a security impact of Low.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:3665 https://access.redhat.com/errata/RHSA-2020:3665
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-16845
This issue has been addressed in the following products: RHEL-8-CNV-2.4 RHEL-7-CNV-2.4 Via RHSA-2020:4201 https://access.redhat.com/errata/RHSA-2020:4201
This issue has been addressed in the following products: Red Hat Developer Tools Via RHSA-2020:4214 https://access.redhat.com/errata/RHSA-2020:4214
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2020:4297 https://access.redhat.com/errata/RHSA-2020:4297
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2020:5119 https://access.redhat.com/errata/RHSA-2020:5119
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2020:5118 https://access.redhat.com/errata/RHSA-2020:5118
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2020:5159 https://access.redhat.com/errata/RHSA-2020:5159
This issue has been addressed in the following products: Red Hat OpenShift Container Storage 4.6.0 on RHEL-8 Via RHSA-2020:5606 https://access.redhat.com/errata/RHSA-2020:5606
This issue has been addressed in the following products: Red Hat OpenShift Container Storage 4.6.0 on RHEL-8 Via RHSA-2020:5605 https://access.redhat.com/errata/RHSA-2020:5605
This issue has been addressed in the following products: OpenShift Service Mesh 1.1 Via RHSA-2020:5649 https://access.redhat.com/errata/RHSA-2020:5649
This issue has been addressed in the following products: OpenShift Serverless 1.9.0 Via RHSA-2021:0072 https://access.redhat.com/errata/RHSA-2021:0072
Used fixcvenames for http://127.0.0.1:5600/static/#/tracker/jboss/TRACING-1415. It seems the new golang-builder that was released in Nov 2020 actually fixed this: penshift-golang-builder-container-v1.14.0-202011132014.el7. It's misleading and is actually 1.14.9-2.
This issue has been addressed in the following products: RHEL-8-CNV-2.6 Via RHSA-2021:0799 https://access.redhat.com/errata/RHSA-2021:0799
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2021:0713 https://access.redhat.com/errata/RHSA-2021:0713
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2021:0956 https://access.redhat.com/errata/RHSA-2021:0956
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2021:1016 https://access.redhat.com/errata/RHSA-2021:1016
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2021:1366 https://access.redhat.com/errata/RHSA-2021:1366
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2021:2122 https://access.redhat.com/errata/RHSA-2021:2122
This issue has been addressed in the following products: RHEL-7-CNV-4.9 RHEL-8-CNV-4.9 Via RHSA-2021:4103 https://access.redhat.com/errata/RHSA-2021:4103