Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With the fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.

https://go.dev/cl/515257
https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI/m/Efv5DbZ9AwAJ
https://pkg.go.dev/vuln/GO-2023-1987
https://go.dev/issue/61460
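The fix described above rejects oversized RSA keys before any expensive signature verification happens. The following is an added illustration, not code from the Go project or from this bug, of the same check applied to a DER-encoded chain as it arrives on the wire; the function names, the 8192-bit constant and the constructed self-signed test certificate are all this example's own assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// MaxRSABits is the ceiling the crypto/tls fix enforces on handshake RSA keys.
const MaxRSABits = 8192

// CheckChainKeySizes walks a DER-encoded chain as presented on the wire and
// rejects it, before any signature is verified, if an RSA key is wider than
// maxBits. Parsing is cheap; signature verification under a huge key is not.
func CheckChainKeySizes(rawCerts [][]byte, maxBits int) error {
	for i, raw := range rawCerts {
		cert, err := x509.ParseCertificate(raw)
		if err != nil {
			return fmt.Errorf("certificate %d: %w", i, err)
		}
		if k, ok := cert.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() > maxBits {
			return fmt.Errorf("certificate %d: %d-bit RSA key exceeds %d-bit limit",
				i, k.N.BitLen(), maxBits)
		}
	}
	return nil
}

// SelfSignedRSA builds a constructed self-signed certificate with an RSA key of the given width.
func SelfSignedRSA(bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	der, err := SelfSignedRSA(2048)
	if err != nil {
		panic(err)
	}
	fmt.Println(CheckChainKeySizes([][]byte{der}, MaxRSABits)) // passes: <nil>
	fmt.Println(CheckChainKeySizes([][]byte{der}, 1024))       // rejected: exceeds limit
}
```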
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2229620]
Affects: fedora-all [bug 2229621]
Were the bugs for this CVE created correctly?

I got RHEL 8 bugs for toolbox for both the rolling (bug 2229077) and 4.0 (bug 2229071) module streams, but none for RHEL 9. In comparison, I found RHEL 9 bugs for podman (bug 2229091) and golang (bug 2229065).

So, it seems like RHEL 9 is affected, but then why is there no RHEL 9 toolbox bug? There's no difference in toolbox across RHEL 8 and 9 that could be relevant to this CVE.

I have seen this happen a few times recently:
https://bugzilla.redhat.com/show_bug.cgi?id=2196026#c33
https://bugzilla.redhat.com/show_bug.cgi?id=2196027#c45

... and it makes me wonder if there's something wrong with the process that's used to file these bugs.
In reply to comment #7:
> Were the bugs for this CVE created correctly?
>
> I got bugs RHEL 8 bugs for toolbox for both the rolling (bug 2229077) and
> 4.0 (bug 2229071) module streams, but none for RHEL 9. In comparison, I
> found RHEL 9 bugs for podman (bug 2229091) and golang (bug 2229065).
>
> So, it seems like RHEL 9 is affected, but then why is there no RHEL 9
> toolbox bug? There's no difference in toolbox across RHEL 8 and 9 that
> could be relevant to this CVE.
>
> I have seen this happen a few times recently:
> https://bugzilla.redhat.com/show_bug.cgi?id=2196026#c33
> https://bugzilla.redhat.com/show_bug.cgi?id=2196027#c45
>
> ... and it makes me wonder if there's something wrong with the process
> that's used to file these bugs.

Hi @debarshi, we are working on fixing this issue. I have filed a tracker for rhel-9/toolbox.
(In reply to Avinash Hanwate from comment #9)
> ... we are working on fixing this issue. I have filed a tracker
> for rhel-9/toolbox.

That's fantastic, thanks!