Before Go 1.20, the RSA-based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular, it appears that the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant-time RSA implementation, which we do not believe exhibits any timing side channels.
https://go.dev/cl/326012/26
https://go.dev/issue/20654
https://groups.google.com/g/golang-announce/c/QMK8IQALDvA
https://people.redhat.com/~hkario/marvin/
https://pkg.go.dev/vuln/GO-2023-2375
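The description above identifies two things a defender can act on: the affected code path is the RSA key exchange (the TLS_RSA_WITH_* suites, where the server decrypts the client's premaster secret and strips PKCS#1 padding), and the fix lands in the Go 1.20 runtime. The added example below is not code from this bug report or from the Go project; it shows how a service could refuse to negotiate any RSA key exchange suite through crypto/tls, and how to check whether the Go release a binary was built with is 1.20 or newer. The helper names (usesRSAKeyExchange, safeCipherSuites, hardenedConfig, runtimeHasConstantTimeRSA) are hypothetical; the crypto/tls and runtime calls are the standard-library ones.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"runtime"
	"strings"
)

// usesRSAKeyExchange reports whether a cipher suite ID transports the
// premaster secret with RSA encryption (the TLS_RSA_WITH_* suites). Only these
// suites go through the RSA decryption and PKCS#1 padding removal the bug
// describes; ECDHE suites that use RSA only for signatures are not affected.
func usesRSAKeyExchange(id uint16) bool {
	return strings.HasPrefix(tls.CipherSuiteName(id), "TLS_RSA_WITH_")
}

// safeCipherSuites returns the IDs of the suites Go itself lists as not
// insecure, with every RSA key exchange suite removed. The result can be
// assigned to tls.Config.CipherSuites (TLS 1.3 suite IDs in the list are
// ignored by crypto/tls, which is harmless).
func safeCipherSuites() []uint16 {
	var out []uint16
	for _, cs := range tls.CipherSuites() {
		if !usesRSAKeyExchange(cs.ID) {
			out = append(out, cs.ID)
		}
	}
	return out
}

// hardenedConfig builds a tls.Config that never negotiates an RSA key
// exchange, which sidesteps the affected code path even on an older runtime.
func hardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: safeCipherSuites(),
	}
}

// leadingInt parses the decimal digits at the start of s ("20rc1" -> 20).
func leadingInt(s string) (int, bool) {
	n, i := 0, 0
	for ; i < len(s) && s[i] >= '0' && s[i] <= '9'; i++ {
		n = n*10 + int(s[i]-'0')
	}
	return n, i > 0
}

// runtimeHasConstantTimeRSA reports whether a version string in the form
// returned by runtime.Version() ("go1.21.5", "go1.20rc1") is Go 1.20 or newer.
// Unparseable strings (e.g. "devel ..." builds) are conservatively reported
// as not fixed, so the caller treats them as needing manual verification.
func runtimeHasConstantTimeRSA(v string) bool {
	v = strings.TrimPrefix(v, "go")
	parts := strings.SplitN(v, ".", 3)
	if len(parts) < 2 {
		return false
	}
	major, ok1 := leadingInt(parts[0])
	minor, ok2 := leadingInt(parts[1])
	if !ok1 || !ok2 {
		return false
	}
	return major > 1 || (major == 1 && minor >= 20)
}

func main() {
	v := runtime.Version()
	fmt.Printf("built with %s; constant-time RSA in crypto/tls: %v\n",
		v, runtimeHasConstantTimeRSA(v))
	cfg := hardenedConfig()
	fmt.Printf("%d cipher suites allowed, none with RSA key exchange:\n", len(cfg.CipherSuites))
	for _, id := range cfg.CipherSuites {
		fmt.Println("  ", tls.CipherSuiteName(id))
	}
}
```

Dropping the RSA key exchange suites is a mitigation for binaries that cannot yet be rebuilt with Go 1.20 or later; the real fix remains rebuilding with the patched toolchain, which is what the advisories listed below deliver. The version check is a build-time or startup-time sanity check, not a substitute for the errata.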
Created golang tracking bugs for this issue: Affects: epel-all [bug 2253194] Affects: fedora-all [bug 2253195]
I see that there are bugs created for toolbox in RHEL 8, but not RHEL 9. Why is that? The code is exactly the same in both.
Thanks for highlighting that, debarshir. Allow me to check internally.
Is there any advisory which shows in which exact golang version this CVE is fixed?
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:0748 https://access.redhat.com/errata/RHSA-2024:0748
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.15 Via RHSA-2023:7201 https://access.redhat.com/errata/RHSA-2023:7201
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.15 Via RHSA-2023:7200 https://access.redhat.com/errata/RHSA-2023:7200
This issue has been addressed in the following products: RODOO-1.1-RHEL-9 Via RHSA-2024:0269 https://access.redhat.com/errata/RHSA-2024:0269
This issue has been addressed in the following products: STF-1.5-RHEL-8 Via RHSA-2024:1078 https://access.redhat.com/errata/RHSA-2024:1078
This issue has been addressed in the following products: OSSO-1.2-RHEL-9 Via RHSA-2024:0281 https://access.redhat.com/errata/RHSA-2024:0281
This issue has been addressed in the following products: OADP-1.3-RHEL-9 Via RHSA-2024:1859 https://access.redhat.com/errata/RHSA-2024:1859
This issue has been addressed in the following products: Service Interconnect 1 for RHEL 9 Via RHSA-2024:1901 https://access.redhat.com/errata/RHSA-2024:1901
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2180 https://access.redhat.com/errata/RHSA-2024:2180
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2193 https://access.redhat.com/errata/RHSA-2024:2193
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2239 https://access.redhat.com/errata/RHSA-2024:2239
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2245 https://access.redhat.com/errata/RHSA-2024:2245
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2272 https://access.redhat.com/errata/RHSA-2024:2272
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:2988 https://access.redhat.com/errata/RHSA-2024:2988
This issue has been addressed in the following products: Red Hat OpenStack Platform 17.1 for RHEL 8 Via RHSA-2024:2767 https://access.redhat.com/errata/RHSA-2024:2767
This issue has been addressed in the following products: Red Hat OpenStack Platform 17.1 for RHEL 9 Via RHSA-2024:2729 https://access.redhat.com/errata/RHSA-2024:2729
This issue has been addressed in the following products: Red Hat OpenStack Platform 17.1 for RHEL 9 Via RHSA-2024:2730 https://access.redhat.com/errata/RHSA-2024:2730
This issue has been addressed in the following products: MTA-7.0-RHEL-9 MTA-7.0-RHEL-8 Via RHSA-2024:3316 https://access.redhat.com/errata/RHSA-2024:3316
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:4429 https://access.redhat.com/errata/RHSA-2024:4429