Bug 2092793 (CVE-2022-30629) - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
Summary: CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-30629
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2102700 2102701 2102702 2102704 2096696 2096697 2096698 2096699 2096700 2096701 2096702 2096704 2096705 2096706 2096707 2096708 2096709 2096710 2096711 2096712 2096713 2096714 2096715 2096716 2096717 2096718 2096719 2096720 2096721 2096722 2096723 2096724 2096725 2096726 2096727 2096728 2096729 2096730 2096731 2096732 2096733 2096734 2096735 2096736 2096737 2096738 2096739 2096740 2096741 2096742 2096743 2096744 2096745 2096746 2096747 2096748 2096749 2096750 2096751 2096752 2096753 2096754 2096755 2096756 2096757 2096759 2096760 2096761 2096762 2096763 2096764 2096765 2096766 2096767 2096768 2096769 2096770 2096771 2096772 2096773 2096774 2096775 2102703 2102958 2102959 2102963 2102964 2102965 2102966 2102967 2102968 2102969 2102970 2102971 2102972 2102973 2102974 2102975 2102976 2102977 2102978 2102979 2102980 2102981 2102982 2102983 2102984 2102985 2102986 2102987 2102988 2102989 2102990 2102991 2102992 2102993 2102994 2102995 2102996 2102997 2103001 2103002 2103003 2103255 2108767 2108768 2108769 2108770 2108771 2108772 2108773 2108774 2108775 2108776 2108777 2108778 2108779 2108780 2108781 2108782 2108783 2108784 2108785 2108786 2108787 2108788 2108789 2108790 2108791 2108792 2108793 2108794 2108795 2108796 2108797 2108798 2108799 2108800 2108801 2108802 2108806 2108807 2108808 2108809 2108810 2108811 2108812 2108813 2108814 2108815 2108816 2108817 2108819 2108820 2108821 2108822 2108823 2108824 2108825 2108826 2108827 2108828 2108829 2108831 2108832 2108833 2108834 2108835 2108836 2108837 2108838 2108839 2108840 2108841 2108842 2108843 2108844 2108845 2108846 2108847 2108848 2108849 2108850 2108851 2108852 2109278 2109279 2109306 2109307 2109308 2168805
Blocks: 2092875
TreeView+ depends on / blocked
 
Reported: 2022-06-02 09:22 UTC by TEJ RATHI
Modified: 2025-05-12 14:14 UTC (History)
232 users (show)

Fixed In Version: go 1.18.3, go 1.17.11
Clone Of:
Environment:
Last Closed: 2023-05-16 17:41:40 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:6040 0 None None None 2022-08-10 13:15:55 UTC
Red Hat Product Errata RHSA-2022:6042 0 None None None 2022-08-10 11:36:58 UTC
Red Hat Product Errata RHSA-2022:6102 0 None None None 2022-08-23 14:44:43 UTC
Red Hat Product Errata RHSA-2022:6103 0 None None None 2022-08-23 15:08:04 UTC
Red Hat Product Errata RHSA-2022:6152 0 None None None 2022-09-01 05:40:53 UTC
Red Hat Product Errata RHSA-2022:6277 0 None None None 2022-08-31 16:56:32 UTC
Red Hat Product Errata RHSA-2022:6290 0 None None None 2022-09-01 01:25:08 UTC
Red Hat Product Errata RHSA-2022:6345 0 None None None 2022-09-06 14:33:24 UTC
Red Hat Product Errata RHSA-2022:6346 0 None None None 2022-09-06 13:02:34 UTC
Red Hat Product Errata RHSA-2022:6347 0 None None None 2022-09-06 12:58:25 UTC
Red Hat Product Errata RHSA-2022:6348 0 None None None 2022-09-06 13:42:55 UTC
Red Hat Product Errata RHSA-2022:6370 0 None None None 2022-09-06 22:29:31 UTC
Red Hat Product Errata RHSA-2022:6430 0 None None None 2022-09-13 02:10:00 UTC
Red Hat Product Errata RHSA-2022:6535 0 None None None 2022-09-20 16:20:49 UTC
Red Hat Product Errata RHSA-2022:6696 0 None None None 2022-09-26 14:52:23 UTC
Red Hat Product Errata RHSA-2022:8750 0 None None None 2022-12-01 21:10:12 UTC
Red Hat Product Errata RHSA-2022:9047 0 None None None 2022-12-15 01:57:45 UTC
Red Hat Product Errata RHSA-2023:0407 0 None None None 2023-01-24 12:49:07 UTC
Red Hat Product Errata RHSA-2023:0408 0 None None None 2023-01-24 13:34:52 UTC
Red Hat Product Errata RHSA-2023:0630 0 None None None 2023-02-07 18:37:00 UTC
Red Hat Product Errata RHSA-2023:1275 0 None None None 2023-03-15 19:55:25 UTC
Red Hat Product Errata RHSA-2023:1529 0 None None None 2023-03-30 00:43:12 UTC
Red Hat Product Errata RHSA-2023:2253 0 None None None 2023-05-09 07:22:39 UTC
Red Hat Product Errata RHSA-2023:2282 0 None None None 2023-05-09 07:24:40 UTC
Red Hat Product Errata RHSA-2023:2283 0 None None None 2023-05-09 07:25:01 UTC
Red Hat Product Errata RHSA-2023:2367 0 None None None 2023-05-09 07:36:11 UTC
Red Hat Product Errata RHSA-2023:2758 0 None None None 2023-05-16 08:08:33 UTC
Red Hat Product Errata RHSA-2023:3642 0 None None None 2023-06-15 16:00:19 UTC
Red Hat Product Errata RHSA-2023:3914 0 None None None 2023-07-06 02:44:35 UTC
Red Hat Product Errata RHSA-2023:4488 0 None None None 2023-08-07 00:27:47 UTC

Description TEJ RATHI 2022-06-02 09:22:04 UTC 
We have just released Go versions 1.18.3 and 1.17.11, minor point releases.

* crypto/tls: session tickets lack random ticket_age_add

Session tickets generated by crypto/tls did not contain a randomly generated ticket_age_add. This allows an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.

References:
https://go.dev/issue/52814
https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg

Upstream Commits:
Master : https://github.com/golang/go/commit/fe4de36198794c447fbd9d7cc2d7199a506c76a5
Branch.go1.17 : https://github.com/golang/go/commit/c15a8e2dbb5ac376a6ed890735341b812d6b965c
Branch.go1.18 : https://github.com/golang/go/commit/c838098c327a1b6d63446f4722e943b02d235d78
Comment 7 TEJ RATHI 2022-07-01 06:47:45 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2102959]
Affects: fedora-all [bug 2102958]
Comment 10 Sage McTaggart 2022-07-01 20:05:31 UTC 
Created golang tracking bugs for this issue:

Affects: fedora-all [bug 2103255]
Comment 23 errata-xmlrpc 2022-08-10 11:36:49 UTC 
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:6042 https://access.redhat.com/errata/RHSA-2022:6042
Comment 24 errata-xmlrpc 2022-08-10 13:15:45 UTC 
This issue has been addressed in the following products:

  Openshift Serveless 1.24

Via RHSA-2022:6040 https://access.redhat.com/errata/RHSA-2022:6040
Comment 36 errata-xmlrpc 2022-08-23 14:44:33 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:6102 https://access.redhat.com/errata/RHSA-2022:6102
Comment 37 errata-xmlrpc 2022-08-23 15:07:55 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:6103 https://access.redhat.com/errata/RHSA-2022:6103
Comment 38 errata-xmlrpc 2022-08-31 16:56:22 UTC 
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.1

Via RHSA-2022:6277 https://access.redhat.com/errata/RHSA-2022:6277
Comment 39 errata-xmlrpc 2022-09-01 01:24:58 UTC 
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2022:6290 https://access.redhat.com/errata/RHSA-2022:6290
Comment 40 errata-xmlrpc 2022-09-01 05:40:46 UTC 
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2022:6152 https://access.redhat.com/errata/RHSA-2022:6152
Comment 41 errata-xmlrpc 2022-09-06 12:58:18 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6347 https://access.redhat.com/errata/RHSA-2022:6347
Comment 42 errata-xmlrpc 2022-09-06 13:02:24 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6346 https://access.redhat.com/errata/RHSA-2022:6346
Comment 43 errata-xmlrpc 2022-09-06 13:42:46 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:6348 https://access.redhat.com/errata/RHSA-2022:6348
Comment 44 errata-xmlrpc 2022-09-06 14:33:17 UTC 
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.1 for RHEL 8

Via RHSA-2022:6345 https://access.redhat.com/errata/RHSA-2022:6345
Comment 45 errata-xmlrpc 2022-09-06 22:29:21 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6370 https://access.redhat.com/errata/RHSA-2022:6370
Comment 46 errata-xmlrpc 2022-09-13 02:09:52 UTC 
This issue has been addressed in the following products:

  OADP-1.0-RHEL-8

Via RHSA-2022:6430 https://access.redhat.com/errata/RHSA-2022:6430
Comment 47 errata-xmlrpc 2022-09-20 16:20:42 UTC 
This issue has been addressed in the following products:

  Ironic content for Red Hat OpenShift Container Platform 4.11
  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:6535 https://access.redhat.com/errata/RHSA-2022:6535
Comment 49 errata-xmlrpc 2022-09-26 14:52:13 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:6696 https://access.redhat.com/errata/RHSA-2022:6696
Comment 57 errata-xmlrpc 2022-12-01 21:10:06 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.11

Via RHSA-2022:8750 https://access.redhat.com/errata/RHSA-2022:8750
Comment 58 errata-xmlrpc 2022-12-15 01:57:37 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:9047 https://access.redhat.com/errata/RHSA-2022:9047
Comment 74 errata-xmlrpc 2023-01-24 12:48:58 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12
  RHEL-7-CNV-4.12

Via RHSA-2023:0407 https://access.redhat.com/errata/RHSA-2023:0407
Comment 75 errata-xmlrpc 2023-01-24 13:34:42 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12

Via RHSA-2023:0408 https://access.redhat.com/errata/RHSA-2023:0408
Comment 83 errata-xmlrpc 2023-02-07 18:36:52 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8

Via RHSA-2023:0630 https://access.redhat.com/errata/RHSA-2023:0630
Comment 85 errata-xmlrpc 2023-03-15 19:55:19 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1
  Red Hat OpenStack Platform 16.2

Via RHSA-2023:1275 https://access.redhat.com/errata/RHSA-2023:1275
Comment 87 errata-xmlrpc 2023-03-30 00:43:05 UTC 
This issue has been addressed in the following products:

  STF-1.5-RHEL-8

Via RHSA-2023:1529 https://access.redhat.com/errata/RHSA-2023:1529
Comment 89 errata-xmlrpc 2023-05-09 07:22:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2253 https://access.redhat.com/errata/RHSA-2023:2253
Comment 90 errata-xmlrpc 2023-05-09 07:24:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2282 https://access.redhat.com/errata/RHSA-2023:2282
Comment 91 errata-xmlrpc 2023-05-09 07:24:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2283 https://access.redhat.com/errata/RHSA-2023:2283
Comment 92 errata-xmlrpc 2023-05-09 07:36:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2367 https://access.redhat.com/errata/RHSA-2023:2367
Comment 94 errata-xmlrpc 2023-05-16 08:08:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2758 https://access.redhat.com/errata/RHSA-2023:2758
Comment 95 Product Security DevOps Team 2023-05-16 17:41:30 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-30629
Comment 96 errata-xmlrpc 2023-06-15 16:00:08 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642
Comment 97 errata-xmlrpc 2023-07-06 02:44:27 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:3914 https://access.redhat.com/errata/RHSA-2023:3914
Comment 100 errata-xmlrpc 2023-08-07 00:27:38 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:4488 https://access.redhat.com/errata/RHSA-2023:4488
Note You need to log in before you can comment on or make changes to this bug.