On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic. The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Reference: https://github.com/golang/go/issues/36837
Created golang tracking bugs for this issue: Affects: epel-all [bug 1808042] Affects: fedora-all [bug 1808044]
The current version of ServiceMesh only supports x86_64 architectures and hence is not affected by this flaw. Reference: https://docs.openshift.com/container-platform/4.3/service_mesh/servicemesh-release-notes.html#ossm-supported-configurations_ossm-release-notes
Upstream Fixes: https://github.com/golang/go/commit/f938e06d0623d0e1de202575d16f1e126741f6e0 (1.13.7) https://github.com/golang/go/commit/b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574 (1.14)
Statement: Below products are only supported on 64bit architectures and are therefore not affected by this flaw: * OpenShift Container Platform * OpenShift Service Mesh * Red Hat Ceph Storage * Red Hat Gluster Storage * Container-native Virtualization
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-7919