Bug 2184483 (CVE-2023-24534) - CVE-2023-24534 golang: net/http, net/textproto: denial of service from excessive memory allocation
Summary: CVE-2023-24534 golang: net/http, net/textproto: denial of service from excess...
Keywords:
Status: NEW
Alias: CVE-2023-24534
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2186209 2186210 2187359 2187360 2187361 2187362 2187363 2187364 2187365 2187366 2187367 2187368 2187375 2187376 2187383 2187384 2187385 2187400 2189057 2189058 2189062 2189065 2189068 2189071 2189073 2189075 2186211 2187354 2187355 2187356 2187357 2187358 2187372 2187373 2187374 2187377 2187378 2187381 2187382 2187386 2187397 2187398 2187399 2187401 2189059 2189060 2189061 2189063 2189064 2189066 2189067 2189069 2189070 2189072 2189074
Blocks: 2184485
TreeView+ depends on / blocked
 
Reported: 2023-04-04 20:24 UTC by Pedro Sampaio
Modified: 2023-08-16 14:09 UTC (History)
146 users (show)

Fixed In Version: golang 1.20.3, golang 1.19.8
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by memory exhaustion in the common function in HTTP and MIME header parsing. By sending a specially crafted request, a remote attacker can cause a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:3167 0 None None None 2023-05-18 11:34:30 UTC
Red Hat Product Errata RHSA-2023:3367 0 None None None 2023-06-07 01:50:48 UTC
Red Hat Product Errata RHSA-2023:3445 0 None None None 2023-06-05 14:08:19 UTC
Red Hat Product Errata RHSA-2023:3450 0 None None None 2023-06-05 16:44:33 UTC
Red Hat Product Errata RHSA-2023:3455 0 None None None 2023-06-05 23:43:08 UTC
Red Hat Product Errata RHSA-2023:3540 0 None None None 2023-06-13 15:32:37 UTC
Red Hat Product Errata RHSA-2023:3612 0 None None None 2023-06-23 04:39:58 UTC
Red Hat Product Errata RHSA-2023:3624 0 None None None 2023-06-15 09:48:17 UTC
Red Hat Product Errata RHSA-2023:3918 0 None None None 2023-06-29 00:59:14 UTC
Red Hat Product Errata RHSA-2023:3943 0 None None None 2023-06-29 14:32:41 UTC
Red Hat Product Errata RHSA-2023:4003 0 None None None 2023-07-10 08:51:35 UTC
Red Hat Product Errata RHSA-2023:4093 0 None None None 2023-07-20 17:28:59 UTC
Red Hat Product Errata RHSA-2023:4335 0 None None None 2023-08-08 00:36:31 UTC
Red Hat Product Errata RHSA-2023:4470 0 None None None 2023-08-03 14:12:55 UTC
Red Hat Product Errata RHSA-2023:4627 0 None None None 2023-08-14 01:02:51 UTC
Red Hat Product Errata RHSA-2023:4664 0 None None None 2023-08-16 14:09:40 UTC

Description Pedro Sampaio 2023-04-04 20:24:47 UTC 
HTTP and MIME header parsing could allocate large amounts of memory, even when parsing small inputs.

References:

https://github.com/golang/go/issues/58975
https://github.com/golang/go/issues/59268
Comment 10 Avinash Hanwate 2023-04-24 05:27:18 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2189059]
Affects: fedora-all [bug 2189060]
Comment 17 errata-xmlrpc 2023-05-18 11:34:25 UTC 
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2023:3167 https://access.redhat.com/errata/RHSA-2023:3167
Comment 19 errata-xmlrpc 2023-06-05 14:08:11 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:3445 https://access.redhat.com/errata/RHSA-2023:3445
Comment 20 errata-xmlrpc 2023-06-05 16:44:27 UTC 
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2023:3450 https://access.redhat.com/errata/RHSA-2023:3450
Comment 21 errata-xmlrpc 2023-06-05 23:43:00 UTC 
This issue has been addressed in the following products:

  RHOSS-1.29-RHEL-8

Via RHSA-2023:3455 https://access.redhat.com/errata/RHSA-2023:3455
Comment 22 errata-xmlrpc 2023-06-07 01:50:41 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3367 https://access.redhat.com/errata/RHSA-2023:3367
Comment 23 errata-xmlrpc 2023-06-13 15:32:31 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3540 https://access.redhat.com/errata/RHSA-2023:3540
Comment 26 errata-xmlrpc 2023-06-15 09:48:11 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:3624 https://access.redhat.com/errata/RHSA-2023:3624
Comment 27 errata-xmlrpc 2023-06-23 04:39:53 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3612 https://access.redhat.com/errata/RHSA-2023:3612
Comment 28 errata-xmlrpc 2023-06-29 00:59:08 UTC 
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2023:3918 https://access.redhat.com/errata/RHSA-2023:3918
Comment 29 errata-xmlrpc 2023-06-29 14:32:33 UTC 
This issue has been addressed in the following products:

  RHACS-4.1-RHEL-8

Via RHSA-2023:3943 https://access.redhat.com/errata/RHSA-2023:3943
Comment 31 errata-xmlrpc 2023-07-10 08:51:29 UTC 
This issue has been addressed in the following products:

  Service Interconnect 1 for RHEL 8
  Service Interconnect 1 for RHEL 9

Via RHSA-2023:4003 https://access.redhat.com/errata/RHSA-2023:4003
Comment 34 errata-xmlrpc 2023-07-20 17:28:52 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13
  Ironic content for Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:4093 https://access.redhat.com/errata/RHSA-2023:4093
Comment 36 errata-xmlrpc 2023-08-03 14:12:49 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.3 for RHEL 8

Via RHSA-2023:4470 https://access.redhat.com/errata/RHSA-2023:4470
Comment 37 errata-xmlrpc 2023-08-08 00:36:24 UTC 
This issue has been addressed in the following products:

  CERT-MANAGER-1.10-RHEL-9

Via RHSA-2023:4335 https://access.redhat.com/errata/RHSA-2023:4335
Comment 38 errata-xmlrpc 2023-08-14 01:02:44 UTC 
This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2023:4627 https://access.redhat.com/errata/RHSA-2023:4627
Comment 39 errata-xmlrpc 2023-08-16 14:09:32 UTC 
This issue has been addressed in the following products:

  RHEL-9-CNV-4.13

Via RHSA-2023:4664 https://access.redhat.com/errata/RHSA-2023:4664
Note You need to log in before you can comment on or make changes to this bug.