1995656 – (CVE-2021-36221) CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic

Bug 1995656 (CVE-2021-36221) - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic

Summary: CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistCo...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2021-36221
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1993407 1995964 1995965 1995966 1995967 1995968 1995969 1995970 1995971 1995972 1995973 1995974 1995975 1995976 1995977 1995978 1995979 1995980 1995981 1995982 1995983 1995984 1995985 1995986 1995987 1995988 1995989 1995990 1995991 1995992 1995993 1995994 1995995 1995996 1995997 1995998 1995999 1996000 1996001 1996002 1996003 1996004 1996005 1996006 1996007 1996008 1996009 1996010 1996761 1996763 1996769 1996770 1996771 1996772 1996810 1997188 1997190 1997191 1997869 1997870 1997871 1997872 1997873 1997874 1997875 1997876 1997877 1998071 1998072 1998073 1998074 1998075 1998076 1998077 1998078 1998079 1998080 1998107 1998108 1998109 1998110 1998111 1999010 1999358 1999415 1999416 2000977 2000978 2000989 2000990 2000991 2000992 2000993 2000994 2057167
Blocks:	1995693
TreeView+	depends on / blocked

Reported:	2021-08-19 15:04 UTC by Marian Rehak
Modified:	2023-09-01 01:21 UTC (History)
CC List:	123 users (show)
Fixed In Version:	go 1.16.7, go 1.15.15
Clone Of:
Environment:
Last Closed:	2021-10-28 09:07:51 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2021:4156	None	None	None	2021-11-09 17:25:54 UTC
Red Hat Product Errata	RHSA-2021:4765	None	None	None	2021-11-23 08:43:14 UTC
Red Hat Product Errata	RHSA-2021:4766	None	None	None	2021-11-23 10:48:37 UTC
Red Hat Product Errata	RHSA-2022:0318	None	None	None	2022-01-27 16:56:53 UTC
Red Hat Product Errata	RHSA-2022:0557	None	None	None	2022-02-23 12:51:29 UTC
Red Hat Product Errata	RHSA-2022:0561	None	None	None	2022-02-23 13:56:15 UTC
Red Hat Product Errata	RHSA-2022:0577	None	None	None	2022-03-28 09:36:30 UTC
Red Hat Product Errata	RHSA-2022:0855	None	None	None	2022-03-14 10:24:27 UTC
Red Hat Product Errata	RHSA-2022:0947	None	None	None	2022-03-16 15:50:16 UTC
Red Hat Product Errata	RHSA-2022:1276	None	None	None	2022-04-07 17:58:55 UTC
Red Hat Product Errata	RHSA-2022:1361	None	None	None	2022-04-13 15:30:54 UTC
Red Hat Product Errata	RHSA-2022:1372	None	None	None	2022-04-13 18:49:18 UTC
Red Hat Product Errata	RHSA-2022:1396	None	None	None	2022-04-19 10:21:50 UTC
Red Hat Product Errata	RHSA-2022:4668	None	None	None	2022-05-18 20:26:49 UTC
Red Hat Product Errata	RHSA-2022:7457	None	None	None	2022-11-08 09:11:30 UTC

Description Marian Rehak 2021-08-19 15:04:23 UTC

A race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort.

Reference:

https://github.com/golang/go/issues/46866

Comment 3 Przemyslaw Roguski 2021-08-20 10:37:52 UTC

Upstream Go PRs:
https://github.com/golang/go/commit/accf363d5da864521c90b152fb734f3f15e00521 for Go 1.16
https://github.com/golang/go/commit/ba93baa74a52d57ae79313313ea990cc791ef50e for Go 1.15

Comment 11 Summer Long 2021-08-26 00:28:25 UTC

Created golang tracking bugs for this issue:

Affects: openstack-rdo [bug 1997874]

Comment 20 Marian Rehak 2021-08-31 07:12:28 UTC

Created golang tracking bugs for this issue:

Affects: epel-all [bug 1999416]
Affects: fedora-all [bug 1999415]

Comment 29 Fedora Update System 2021-09-15 18:19:51 UTC

FEDORA-2021-38b51d9fd3 has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 34 errata-xmlrpc 2021-11-09 17:25:49 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4156 https://access.redhat.com/errata/RHSA-2021:4156

Comment 35 errata-xmlrpc 2021-11-23 08:43:08 UTC

This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2021:4765 https://access.redhat.com/errata/RHSA-2021:4765

Comment 36 errata-xmlrpc 2021-11-23 10:48:32 UTC

This issue has been addressed in the following products:

  Openshift Serveless 1.19

Via RHSA-2021:4766 https://access.redhat.com/errata/RHSA-2021:4766

Comment 37 errata-xmlrpc 2022-01-27 16:56:48 UTC

This issue has been addressed in the following products:

  Red Hat Openshit distributed tracing 2.1

Via RHSA-2022:0318 https://access.redhat.com/errata/RHSA-2022:0318

Comment 39 errata-xmlrpc 2022-02-23 12:51:22 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:0557 https://access.redhat.com/errata/RHSA-2022:0557

Comment 40 errata-xmlrpc 2022-02-23 13:56:10 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:0561 https://access.redhat.com/errata/RHSA-2022:0561

Comment 41 errata-xmlrpc 2022-03-14 10:24:20 UTC

This issue has been addressed in the following products:

  OSE-OSC-1.2.0-RHEL-8

Via RHSA-2022:0855 https://access.redhat.com/errata/RHSA-2022:0855

Comment 42 errata-xmlrpc 2022-03-16 15:50:09 UTC

This issue has been addressed in the following products:

  RHEL-8-CNV-4.10

Via RHSA-2022:0947 https://access.redhat.com/errata/RHSA-2022:0947

Comment 43 errata-xmlrpc 2022-03-28 09:36:24 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:0577 https://access.redhat.com/errata/RHSA-2022:0577

Comment 44 errata-xmlrpc 2022-04-07 17:58:49 UTC

This issue has been addressed in the following products:

  OpenShift Service Mesh 2.0

Via RHSA-2022:1276 https://access.redhat.com/errata/RHSA-2022:1276

Comment 45 errata-xmlrpc 2022-04-13 15:30:47 UTC

This issue has been addressed in the following products:

  RHODF-4.10-RHEL-8

Via RHSA-2022:1361 https://access.redhat.com/errata/RHSA-2022:1361

Comment 46 errata-xmlrpc 2022-04-13 18:49:11 UTC

This issue has been addressed in the following products:

  RHODF-4.10-RHEL-8

Via RHSA-2022:1372 https://access.redhat.com/errata/RHSA-2022:1372

Comment 47 errata-xmlrpc 2022-04-19 10:21:44 UTC

This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.5

Via RHSA-2022:1396 https://access.redhat.com/errata/RHSA-2022:1396

Comment 49 errata-xmlrpc 2022-05-18 20:26:43 UTC

This issue has been addressed in the following products:

  RHEL-8-CNV-4.10

Via RHSA-2022:4668 https://access.redhat.com/errata/RHSA-2022:4668

Comment 50 errata-xmlrpc 2022-11-08 09:11:26 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7457 https://access.redhat.com/errata/RHSA-2022:7457

Note You need to log in before you can comment on or make changes to this bug.

aadam
abishop
admiller
alitke
amctagga
amuller
amurdaca
anharris
anpicker
aos-bugs
asm
bbaude
bbennett
bdettelb
bmontgom
bniver
bodavis
caswilli
cnv-qe-bugs
dbecker
dbenoit
deparker
dornelas
dwalsh
dymurray
emachado
eparis
erooth
etamir
fcanogab
fdeutsch
fdupont
fjansen
flucifre
gmeno
godas
hchiramm
hvyas
ibolton
jakob
jarrpa
jburrell
jcajka
jcosta
jjoyce
jligon
jmatthew
jmontleo
jmulligan
jnakfour
jnovy
joelsmith
jokerman
jpadman
jschluet
jwendell
jwon
kaycoth
krathod
lball
lemenkov
lgamliel
lhh
lhinds
lmadsen
lmeyer
lpeer
lsm5
madam
maszulik
matzew
mbenjamin
mburns
mfilanov
mfojtik
mgarciac
mhackett
mheon
mmagr
mnewsome
mrunge
mrussell
mthoemme
mwringe
nalin
nbecker
nstielau
ocs-bugs
phoracek
pleimer
ploffay
pthomas
puebele
rcernich
rfreiman
rhcos-triage
rhs-bugs
rhuss
rphillips
rrajasek
rtalur
sabose
sbatsche
sclewis
sgott
slinaber
slucidi
sostapov
spasquie
sponnaga
sseago
stirabos
sttts
team-winc
tnielsen
tomckay
tstellar
tsweeney
twalsh
umohnani
vbatts
vereddy
xxia