Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With the fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable. https://go.dev/cl/515257 https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI/m/Efv5DbZ9AwAJ https://pkg.go.dev/vuln/GO-2023-1987 https://go.dev/issue/61460
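The check below is an added example, not the upstream patch: it applies the same 8192-bit limit on RSA keys in a peer's chain, but does so before chain verification runs, which is where the CPU cost of an oversized key is paid. Function names are my own, and it assumes only the Go standard library (crypto/x509, crypto/rsa).

```go
package main

import (
	"crypto/rsa"
	"crypto/x509"
	"fmt"
)

// maxRSAKeyBits is the limit the upstream fix enforces on keys seen in handshakes.
const maxRSAKeyBits = 8192

// checkChainKeySizes rejects a chain if any certificate carries an RSA key larger
// than maxRSAKeyBits; it reads parsed keys only, far cheaper than a signature check.
func checkChainKeySizes(certs []*x509.Certificate) error {
	for i, c := range certs {
		k, isRSA := c.PublicKey.(*rsa.PublicKey) // ECDSA/Ed25519 keys are not subject to the limit
		if isRSA && k.N.BitLen() > maxRSAKeyBits {
			return fmt.Errorf("certificate %d (%q): RSA key is %d bits, limit is %d",
				i, c.Subject.CommonName, k.N.BitLen(), maxRSAKeyBits)
		}
	}
	return nil
}

// verifyPeer parses the raw chain a peer presented, applies the size limit, and
// only then runs the expensive chain verification. rawCerts is what
// tls.Config.VerifyPeerCertificate hands a callback, so a client that sets
// InsecureSkipVerify plus that callback can use this as its verification step.
func verifyPeer(rawCerts [][]byte, roots *x509.CertPool, serverName string) error {
	if len(rawCerts) == 0 {
		return fmt.Errorf("peer presented no certificates")
	}
	var certs []*x509.Certificate
	for i, raw := range rawCerts {
		c, err := x509.ParseCertificate(raw)
		if err != nil {
			return fmt.Errorf("certificate %d: %w", i, err)
		}
		certs = append(certs, c)
	}
	if err := checkChainKeySizes(certs); err != nil {
		return err // rejected before any signature by an oversized key is checked
	}
	opts := x509.VerifyOptions{Roots: roots, DNSName: serverName, Intermediates: x509.NewCertPool()}
	for _, c := range certs[1:] {
		opts.Intermediates.AddCert(c)
	}
	_, err := certs[0].Verify(opts)
	return err
}
```

On a Go release that already carries the fix, crypto/tls enforces the limit itself before any such callback runs, so this is a stopgap for older toolchains and upgrading Go remains the actual remediation.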
Created golang tracking bugs for this issue: Affects: epel-all [bug 2229620] Affects: fedora-all [bug 2229621]
Were the bugs for this CVE created correctly? I got RHEL 8 bugs for toolbox for both the rolling (bug 2229077) and 4.0 (bug 2229071) module streams, but none for RHEL 9. In comparison, I found RHEL 9 bugs for podman (bug 2229091) and golang (bug 2229065). So, it seems like RHEL 9 is affected, but then why is there no RHEL 9 toolbox bug? There's no difference in toolbox across RHEL 8 and 9 that could be relevant to this CVE. I have seen this happen a few times recently: https://bugzilla.redhat.com/show_bug.cgi?id=2196026#c33 https://bugzilla.redhat.com/show_bug.cgi?id=2196027#c45 ... and it makes me wonder if there's something wrong with the process that's used to file these bugs.
In reply to comment #7: > Were the bugs for this CVE created correctly? > > I got RHEL 8 bugs for toolbox for both the rolling (bug 2229077) and > 4.0 (bug 2229071) module streams, but none for RHEL 9. In comparison, I > found RHEL 9 bugs for podman (bug 2229091) and golang (bug 2229065). > > So, it seems like RHEL 9 is affected, but then why is there no RHEL 9 > toolbox bug? There's no difference in toolbox across RHEL 8 and 9 that > could be relevant to this CVE. > > I have seen this happen a few times recently: > https://bugzilla.redhat.com/show_bug.cgi?id=2196026#c33 > https://bugzilla.redhat.com/show_bug.cgi?id=2196027#c45 > > ... and it makes me wonder if there's something wrong with the process > that's used to file these bugs. Hi @debarshi, we are working on fixing this issue. I have filed a tracker for rhel-9/toolbox.
(In reply to Avinash Hanwate from comment #9) > ... we are working on fixing this issue. I have filed a tracker > for rhel-9/toolbox. That's fantastic, thanks!
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:5738 https://access.redhat.com/errata/RHSA-2023:5738
This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.4 for RHEL 8 Red Hat Ansible Automation Platform 2.4 for RHEL 9 Via RHSA-2023:5805 https://access.redhat.com/errata/RHSA-2023:5805
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2023:5935 https://access.redhat.com/errata/RHSA-2023:5935
This issue has been addressed in the following products: RHOL-5.6-RHEL-8 Via RHSA-2023:5541 https://access.redhat.com/errata/RHSA-2023:5541
This issue has been addressed in the following products: RHOL-5.7-RHEL-8 Via RHSA-2023:5530 https://access.redhat.com/errata/RHSA-2023:5530
This issue has been addressed in the following products: Red Hat OpenStack Platform 17.1 Via RHSA-2023:5969 https://access.redhat.com/errata/RHSA-2023:5969
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2023:5965 https://access.redhat.com/errata/RHSA-2023:5965
This issue has been addressed in the following products: Red Hat OpenStack Platform 17.1 Via RHSA-2023:5971 https://access.redhat.com/errata/RHSA-2023:5971
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2023:5964 https://access.redhat.com/errata/RHSA-2023:5964
This issue has been addressed in the following products: NETWORK-OBSERVABILITY-1.4.0-RHEL-9 Via RHSA-2023:5974 https://access.redhat.com/errata/RHSA-2023:5974
This issue has been addressed in the following products: STF-1.5-RHEL-8 Via RHSA-2023:5976 https://access.redhat.com/errata/RHSA-2023:5976
This issue has been addressed in the following products: Cryostat 2 on RHEL 8 Via RHSA-2023:6031 https://access.redhat.com/errata/RHSA-2023:6031
This issue has been addressed in the following products: Red Hat Openshift distributed tracing 2.9 Via RHSA-2023:6085 https://access.redhat.com/errata/RHSA-2023:6085
This issue has been addressed in the following products: OADP-1.1-RHEL-8 Via RHSA-2023:6115 https://access.redhat.com/errata/RHSA-2023:6115
This issue has been addressed in the following products: RODOO-1.0-RHEL-8 Via RHSA-2023:5947 https://access.redhat.com/errata/RHSA-2023:5947
This issue has been addressed in the following products: OSSO-1.1-RHEL-8 Via RHSA-2023:5933 https://access.redhat.com/errata/RHSA-2023:5933
This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.7 Via RHSA-2023:6161 https://access.redhat.com/errata/RHSA-2023:6161
This issue has been addressed in the following products: Red Hat OpenShift Serverless 1.30 Via RHSA-2023:6296 https://access.redhat.com/errata/RHSA-2023:6296
This issue has been addressed in the following products: Openshift Serverless 1 on RHEL 8 Via RHSA-2023:6298 https://access.redhat.com/errata/RHSA-2023:6298
This issue has been addressed in the following products: CERT-MANAGER-1.11-RHEL-9 Via RHSA-2023:6279 https://access.redhat.com/errata/RHSA-2023:6279
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2023:6840 https://access.redhat.com/errata/RHSA-2023:6840
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:7762 https://access.redhat.com/errata/RHSA-2023:7762
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:7763 https://access.redhat.com/errata/RHSA-2023:7763
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:7764 https://access.redhat.com/errata/RHSA-2023:7764
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:7766 https://access.redhat.com/errata/RHSA-2023:7766
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:7765 https://access.redhat.com/errata/RHSA-2023:7765
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:0121 https://access.redhat.com/errata/RHSA-2024:0121
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2024:0293 https://access.redhat.com/errata/RHSA-2024:0293
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2024:0292 https://access.redhat.com/errata/RHSA-2024:0292
This issue has been addressed in the following products: MTA-6.2-RHEL-9 MTA-6.2-RHEL-8 Via RHSA-2024:1027 https://access.redhat.com/errata/RHSA-2024:1027