Bug 2184483 (CVE-2023-24534) - CVE-2023-24534 golang: net/http, net/textproto: denial of service from excessive memory allocation
Summary: CVE-2023-24534 golang: net/http, net/textproto: denial of service from excess...
Keywords:
Status: NEW
Alias: CVE-2023-24534
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2186209 2186210 2186211 2187354 2187355 2187356 2187357 2187358 2187359 2187360 2187361 2187362 2187363 2187364 2187365 2187366 2187367 2187368 2187372 2187373 2187374 2187375 2187376 2187377 2187378 2187381 2187382 2187383 2187384 2187385 2187386 2187397 2187398 2187399 2187400 2187401 2189057 2189058 2189059 2189060 2189061 2189062 2189063 2189064 2189065 2189066 2189067 2189068 2189069 2189070 2189071 2189072 2189073 2189074 2189075
Blocks: 2184485
Reported: 2023-04-04 20:24 UTC by Pedro Sampaio
Modified: 2023-11-15 13:45 UTC (History)

Fixed In Version: golang 1.20.3, golang 1.19.8
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Go's net/http and net/textproto packages. The header-parsing function shared by HTTP and MIME header parsing can allocate large amounts of memory even for small inputs, making the parser vulnerable to a denial of service through memory exhaustion. By sending a specially crafted request, a remote attacker can cause a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:6108 0 None None None 2023-10-25 12:15:38 UTC
Red Hat Product Errata RHSA-2023:3167 0 None None None 2023-05-18 11:34:30 UTC
Red Hat Product Errata RHSA-2023:3367 0 None None None 2023-06-07 01:50:48 UTC
Red Hat Product Errata RHSA-2023:3445 0 None None None 2023-06-05 14:08:19 UTC
Red Hat Product Errata RHSA-2023:3450 0 None None None 2023-06-05 16:44:33 UTC
Red Hat Product Errata RHSA-2023:3455 0 None None None 2023-06-05 23:43:08 UTC
Red Hat Product Errata RHSA-2023:3540 0 None None None 2023-06-13 15:32:37 UTC
Red Hat Product Errata RHSA-2023:3612 0 None None None 2023-06-23 04:39:58 UTC
Red Hat Product Errata RHSA-2023:3624 0 None None None 2023-06-15 09:48:17 UTC
Red Hat Product Errata RHSA-2023:3918 0 None None None 2023-06-29 00:59:14 UTC
Red Hat Product Errata RHSA-2023:3943 0 None None None 2023-06-29 14:32:41 UTC
Red Hat Product Errata RHSA-2023:4003 0 None None None 2023-07-10 08:51:35 UTC
Red Hat Product Errata RHSA-2023:4093 0 None None None 2023-07-20 17:28:59 UTC
Red Hat Product Errata RHSA-2023:4335 0 None None None 2023-08-08 00:36:31 UTC
Red Hat Product Errata RHSA-2023:4470 0 None None None 2023-08-03 14:12:55 UTC
Red Hat Product Errata RHSA-2023:4627 0 None None None 2023-08-14 01:02:51 UTC
Red Hat Product Errata RHSA-2023:4657 0 None None None 2023-08-23 00:18:03 UTC
Red Hat Product Errata RHSA-2023:4664 0 None None None 2023-08-16 14:09:40 UTC
Red Hat Product Errata RHSA-2023:4986 0 None None None 2023-09-06 07:56:25 UTC
Red Hat Product Errata RHSA-2023:5964 0 None None None 2023-10-20 14:57:19 UTC
Red Hat Product Errata RHSA-2023:5976 0 None None None 2023-10-20 17:18:42 UTC
Red Hat Product Errata RHSA-2023:6346 0 None None None 2023-11-07 08:13:31 UTC
Red Hat Product Errata RHSA-2023:6363 0 None None None 2023-11-07 08:14:08 UTC
Red Hat Product Errata RHSA-2023:6402 0 None None None 2023-11-07 08:15:54 UTC
Red Hat Product Errata RHSA-2023:6420 0 None None None 2023-11-07 08:16:30 UTC
Red Hat Product Errata RHSA-2023:6473 0 None None None 2023-11-07 08:17:15 UTC
Red Hat Product Errata RHSA-2023:6474 0 None None None 2023-11-07 08:17:42 UTC
Red Hat Product Errata RHSA-2023:6832 0 None None None 2023-11-08 18:49:30 UTC
Red Hat Product Errata RHSA-2023:6938 0 None None None 2023-11-14 15:16:39 UTC
Red Hat Product Errata RHSA-2023:6939 0 None None None 2023-11-14 15:17:20 UTC

Description Pedro Sampaio 2023-04-04 20:24:47 UTC
HTTP and MIME header parsing could allocate large amounts of memory, even when parsing small inputs.

References:

https://github.com/golang/go/issues/58975
https://github.com/golang/go/issues/59268

Comment 10 Avinash Hanwate 2023-04-24 05:27:18 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2189059]
Affects: fedora-all [bug 2189060]

Comment 17 errata-xmlrpc 2023-05-18 11:34:25 UTC
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2023:3167 https://access.redhat.com/errata/RHSA-2023:3167

Comment 19 errata-xmlrpc 2023-06-05 14:08:11 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:3445 https://access.redhat.com/errata/RHSA-2023:3445

Comment 20 errata-xmlrpc 2023-06-05 16:44:27 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2023:3450 https://access.redhat.com/errata/RHSA-2023:3450

Comment 21 errata-xmlrpc 2023-06-05 23:43:00 UTC
This issue has been addressed in the following products:

  RHOSS-1.29-RHEL-8

Via RHSA-2023:3455 https://access.redhat.com/errata/RHSA-2023:3455

Comment 22 errata-xmlrpc 2023-06-07 01:50:41 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3367 https://access.redhat.com/errata/RHSA-2023:3367

Comment 23 errata-xmlrpc 2023-06-13 15:32:31 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3540 https://access.redhat.com/errata/RHSA-2023:3540

Comment 26 errata-xmlrpc 2023-06-15 09:48:11 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:3624 https://access.redhat.com/errata/RHSA-2023:3624

Comment 27 errata-xmlrpc 2023-06-23 04:39:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3612 https://access.redhat.com/errata/RHSA-2023:3612

Comment 28 errata-xmlrpc 2023-06-29 00:59:08 UTC
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2023:3918 https://access.redhat.com/errata/RHSA-2023:3918

Comment 29 errata-xmlrpc 2023-06-29 14:32:33 UTC
This issue has been addressed in the following products:

  RHACS-4.1-RHEL-8

Via RHSA-2023:3943 https://access.redhat.com/errata/RHSA-2023:3943

Comment 31 errata-xmlrpc 2023-07-10 08:51:29 UTC
This issue has been addressed in the following products:

  Service Interconnect 1 for RHEL 8
  Service Interconnect 1 for RHEL 9

Via RHSA-2023:4003 https://access.redhat.com/errata/RHSA-2023:4003

Comment 34 errata-xmlrpc 2023-07-20 17:28:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13
  Ironic content for Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:4093 https://access.redhat.com/errata/RHSA-2023:4093

Comment 36 errata-xmlrpc 2023-08-03 14:12:49 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.3 for RHEL 8

Via RHSA-2023:4470 https://access.redhat.com/errata/RHSA-2023:4470

Comment 37 errata-xmlrpc 2023-08-08 00:36:24 UTC
This issue has been addressed in the following products:

  CERT-MANAGER-1.10-RHEL-9

Via RHSA-2023:4335 https://access.redhat.com/errata/RHSA-2023:4335

Comment 38 errata-xmlrpc 2023-08-14 01:02:44 UTC
This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2023:4627 https://access.redhat.com/errata/RHSA-2023:4627

Comment 39 errata-xmlrpc 2023-08-16 14:09:32 UTC
This issue has been addressed in the following products:

  RHEL-9-CNV-4.13

Via RHSA-2023:4664 https://access.redhat.com/errata/RHSA-2023:4664

Comment 40 errata-xmlrpc 2023-08-23 00:17:57 UTC
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2023:4657 https://access.redhat.com/errata/RHSA-2023:4657

Comment 41 errata-xmlrpc 2023-09-06 07:56:18 UTC
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 2.9

Via RHSA-2023:4986 https://access.redhat.com/errata/RHSA-2023:4986

Comment 42 errata-xmlrpc 2023-10-20 14:57:13 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:5964 https://access.redhat.com/errata/RHSA-2023:5964

Comment 43 errata-xmlrpc 2023-10-20 17:18:35 UTC
This issue has been addressed in the following products:

  STF-1.5-RHEL-8

Via RHSA-2023:5976 https://access.redhat.com/errata/RHSA-2023:5976

Comment 44 errata-xmlrpc 2023-11-07 08:13:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6346 https://access.redhat.com/errata/RHSA-2023:6346

Comment 45 errata-xmlrpc 2023-11-07 08:13:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6363 https://access.redhat.com/errata/RHSA-2023:6363

Comment 46 errata-xmlrpc 2023-11-07 08:15:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6402 https://access.redhat.com/errata/RHSA-2023:6402

Comment 47 errata-xmlrpc 2023-11-07 08:16:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6420 https://access.redhat.com/errata/RHSA-2023:6420

Comment 48 errata-xmlrpc 2023-11-07 08:17:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6473 https://access.redhat.com/errata/RHSA-2023:6473

Comment 49 errata-xmlrpc 2023-11-07 08:17:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6474 https://access.redhat.com/errata/RHSA-2023:6474

Comment 50 errata-xmlrpc 2023-11-08 18:49:23 UTC
This issue has been addressed in the following products:

  RHODF-4.14-RHEL-9

Via RHSA-2023:6832 https://access.redhat.com/errata/RHSA-2023:6832

Comment 51 errata-xmlrpc 2023-11-14 15:16:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6938 https://access.redhat.com/errata/RHSA-2023:6938

Comment 52 errata-xmlrpc 2023-11-14 15:17:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6939 https://access.redhat.com/errata/RHSA-2023:6939

