archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename. Reference: https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw
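The check a consumer of untrusted archives would want around this bug, as an added example that is not code from the Go project or from this report: it builds a constructed in-memory archive with entry names such as `../evil.txt`, lists every entry whose name fails `fs.ValidPath` (the condition the fixed `Reader.Open` rejects), and wraps `Reader.Open` so that a panic, the Go 1.16.0 behaviour, surfaces as an error instead of crashing the process. The function names `sampleArchive`, `unsafeEntries` and `safeOpen` are this example's own.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io/fs"
	"strings"
)

// sampleArchive builds and opens an in-memory ZIP with the given entry names
// (constructed sample data); zip.Writer itself does not validate the names.
func sampleArchive(names []string) (*zip.Reader, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, n := range names {
		f, _ := w.Create(n); f.Write([]byte("content of " + n)) // in-memory, cannot fail
	}
	w.Close()
	r, err := zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
	if r == nil { // Go 1.20+ may pair ErrInsecurePath with a usable Reader
		return nil, err
	}
	return r, nil
}

// unsafeEntries lists entry names that are not valid io/fs paths ("../" prefix,
// absolute paths, "." or ".." elements): reject these before any Reader.Open.
func unsafeEntries(r *zip.Reader) (bad []string) {
	for _, f := range r.File {
		if !fs.ValidPath(strings.TrimSuffix(f.Name, "/")) {
			bad = append(bad, f.Name)
		}
	}
	return bad
}

// safeOpen refuses unsafe names up front and, as defence in depth, converts a
// panic inside Reader.Open (the Go 1.16.0 failure mode) into an error.
func safeOpen(r *zip.Reader, name string) (f fs.File, err error) {
	if !fs.ValidPath(name) {
		return nil, fmt.Errorf("refusing unsafe entry name %q", name)
	}
	defer func() {
		if p := recover(); p != nil {
			f, err = nil, fmt.Errorf("archive/zip panicked on %q: %v", name, p)
		}
	}()
	return r.Open(name)
}
```

On a patched Go, `r.Open("../evil.txt")` already returns an error; the recover only matters on the affected 1.16.0 release, while the `fs.ValidPath` scan is useful on every version for logging or rejecting hostile uploads.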
Created golang tracking bugs for this issue: Affects: epel-all [bug 1937910] Affects: fedora-all [bug 1937911]
The vulnerable function `Reader.Open` was only introduced in Go 1.16 [1]. Hence I suspect most RH products won't be affected. [1] - https://github.com/golang/go/issues/44916#issue-827996397
Indeed Reader.go:Open was added here https://github.com/golang/go/commit/1296ee6b4f9058be75c799513ccb488d2f2dd085#diff-0080ec4a6ff2467b5511020b725e4f633f08384e892e18103af78e4fe9912278 So that confirms that the vulnerable functions were only added in go 1.16.
Removed Jaeger from whiteboard as it does not include any references to the archive/zip stdlib.
External References: https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw
Upstream fix: https://github.com/golang/go/commit/634d28d78ccbeb6e86f8bfeba030ea8be518f8fa
For OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM) the components listed are what depend on the stdlib archive/zip. As they are compiled with an older version of golang (1.15 and earlier) they have been marked not affected.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-27919