Bug 2134010 (CVE-2022-32149) - CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags
Summary: CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-32149
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2134335 2134336 2134926 2134927 2134928 2134929 2134930 2134933 2134934 2135218 2135219 2135220 2135221 2135222 2135223 2149958 2217701 2217702
Blocks: 2134011
Reported: 2022-10-12 06:41 UTC by TEJ RATHI
Modified: 2024-03-27 21:23 UTC (History)

Fixed In Version: golang.org/x/text 0.3.8
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the golang.org/x/text/language package. An attacker can craft an Accept-Language header which ParseAcceptLanguage will take significant time to parse. This issue leads to a denial of service, and can impact availability.
Clone Of:
Environment:
Last Closed: 2023-03-06 22:24:43 UTC
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:6882 0 None None None 2022-11-09 16:44:10 UTC
Red Hat Product Errata RHSA-2022:7407 0 None None None 2022-11-03 13:32:50 UTC
Red Hat Product Errata RHSA-2022:7434 0 None None None 2022-11-10 03:50:36 UTC
Red Hat Product Errata RHSA-2022:7435 0 None None None 2022-11-16 12:14:14 UTC
Red Hat Product Errata RHSA-2023:0481 0 None None None 2023-01-26 21:23:53 UTC
Red Hat Product Errata RHSA-2023:0692 0 None None None 2023-02-09 01:07:32 UTC
Red Hat Product Errata RHSA-2023:0693 0 None None None 2023-02-09 02:17:41 UTC
Red Hat Product Errata RHSA-2023:0795 0 None None None 2023-02-15 21:47:22 UTC
Red Hat Product Errata RHSA-2023:1042 0 None None None 2023-03-06 18:41:01 UTC
Red Hat Product Errata RHSA-2023:3204 0 None None None 2023-05-18 00:36:39 UTC
Red Hat Product Errata RHSA-2023:3205 0 None None None 2023-05-18 02:55:36 UTC
Red Hat Product Errata RHSA-2023:3613 0 None None None 2023-06-26 01:16:09 UTC

Description TEJ RATHI 2022-10-12 06:41:02 UTC
A vulnerability was found in the golang.org/x/text/language package which could cause a denial of service. An attacker can craft an Accept-Language header which ParseAcceptLanguage will take significant time to parse.
Version v0.3.8 of golang.org/x/text fixes a vulnerability.

References:
https://groups.google.com/g/golang-dev/c/qfPIly0X7aU
https://go.dev/issue/56152

Upstream Commit:
https://github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c

Comment 6 errata-xmlrpc 2022-11-03 13:32:46 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.9

Via RHSA-2022:7407 https://access.redhat.com/errata/RHSA-2022:7407

Comment 7 errata-xmlrpc 2022-11-09 16:44:07 UTC
This issue has been addressed in the following products:

  OpenShift Logging 5.3

Via RHSA-2022:6882 https://access.redhat.com/errata/RHSA-2022:6882

Comment 8 errata-xmlrpc 2022-11-10 03:50:31 UTC
This issue has been addressed in the following products:

  RHOL-5.5-RHEL-8

Via RHSA-2022:7434 https://access.redhat.com/errata/RHSA-2022:7434

Comment 9 errata-xmlrpc 2022-11-16 12:14:11 UTC
This issue has been addressed in the following products:

  Logging subsystem for Red Hat OpenShift 5.4

Via RHSA-2022:7435 https://access.redhat.com/errata/RHSA-2022:7435

Comment 21 errata-xmlrpc 2023-01-26 21:23:50 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2023:0481 https://access.redhat.com/errata/RHSA-2023:0481

Comment 27 errata-xmlrpc 2023-02-09 01:07:29 UTC
This issue has been addressed in the following products:

  OADP-1.0-RHEL-8

Via RHSA-2023:0692 https://access.redhat.com/errata/RHSA-2023:0692

Comment 28 errata-xmlrpc 2023-02-09 02:17:38 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:0693 https://access.redhat.com/errata/RHSA-2023:0693

Comment 29 errata-xmlrpc 2023-02-15 21:47:18 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2023:0795 https://access.redhat.com/errata/RHSA-2023:0795

Comment 31 errata-xmlrpc 2023-03-06 18:40:57 UTC
This issue has been addressed in the following products:

  OpenShift Custom Metrics Autoscaler 2

Via RHSA-2023:1042 https://access.redhat.com/errata/RHSA-2023:1042

Comment 32 Product Security DevOps Team 2023-03-06 22:24:38 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-32149

Comment 34 errata-xmlrpc 2023-05-18 00:36:35 UTC
This issue has been addressed in the following products:

  RHEL-9-CNV-4.13
  RHEL-7-CNV-4.13
  RHEL-8-CNV-4.13

Via RHSA-2023:3204 https://access.redhat.com/errata/RHSA-2023:3204

Comment 35 errata-xmlrpc 2023-05-18 02:55:33 UTC
This issue has been addressed in the following products:

  RHEL-9-CNV-4.13

Via RHSA-2023:3205 https://access.redhat.com/errata/RHSA-2023:3205

Comment 36 errata-xmlrpc 2023-06-26 01:16:06 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:3613 https://access.redhat.com/errata/RHSA-2023:3613

Comment 37 Dhananjay Arunesh 2023-06-26 23:22:51 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2217701]
Affects: fedora-all [bug 2217702]
