Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 802054 (CVE-2021-34558) - <dev-lang/go-{1.15.14,1.16.6}: Denial of service in crypto/tls (CVE-2021-34558)
Summary: <dev-lang/go-{1.15.14,1.16.6}: Denial of service in crypto/tls (CVE-2021-34558)
Status: RESOLVED FIXED
Alias: CVE-2021-34558
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-07-13 20:18 UTC by Sam James
Modified: 2022-08-04 14:13 UTC (History)
1 user (show)

See Also:
Package list:
dev-lang/go-1.15.14 dev-lang/go-1.16.6
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-13 20:18:58 UTC
Description:
"crypto/tls clients can panic when provided a certificate of the wrong type for the negotiated parameters.
net/http clients performing HTTPS requests are also affected. The panic can be triggered by an attacker
in a privileged network position without access to the server certificate's private key, as long as a trusted
ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with
Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher
suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.

This is issue #47143 and CVE-2021-34558. Thanks to Imre Rad for reporting this issue."

Please bump to 1.15.14, 1.16.6.
Comment 1 Larry the Git Cow gentoo-dev 2021-07-15 18:29:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be5ded95d291316974a51edb76f2bfa42a642b55

commit be5ded95d291316974a51edb76f2bfa42a642b55
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-07-15 18:26:00 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-07-15 18:29:47 +0000

    dev-lang/go: 1.15.14 and 1.16.6 security bump
    
    Tests passed on amd64, so I'm stabilizing.
    
    Bug: https://bugs.gentoo.org/802054
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest          |   2 +
 dev-lang/go/go-1.15.14.ebuild | 189 ++++++++++++++++++++++++++++++++++++++++++
 dev-lang/go/go-1.16.6.ebuild  | 189 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 380 insertions(+)
Comment 2 William Hubbs gentoo-dev 2021-07-15 18:31:18 UTC
Please go ahead with stabilization.
Tests passed here so I stabilized on amd64.

Thanks,

William
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-15 18:54:23 UTC
Thanks!
Comment 4 Agostino Sarubbo gentoo-dev 2021-07-16 06:51:55 UTC
x86 stable
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-17 03:58:34 UTC
arm done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-17 04:59:43 UTC
arm64 done
Comment 7 Georgy Yakovlev archtester gentoo-dev 2021-07-25 22:10:33 UTC
ppc64 done
last arch, please cleanup
Comment 8 Larry the Git Cow gentoo-dev 2021-07-26 02:42:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4eae5881b582037bef7f6fcb52295f67b0fcf3c

commit b4eae5881b582037bef7f6fcb52295f67b0fcf3c
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-07-26 02:38:44 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-07-26 02:41:55 +0000

    dev-lang/go: Remove 1.15.13 and 1.16.5
    
    Bug: https://bugs.gentoo.org/802054
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest          |   2 -
 dev-lang/go/go-1.15.13.ebuild | 189 ------------------------------------------
 dev-lang/go/go-1.16.5.ebuild  | 189 ------------------------------------------
 3 files changed, 380 deletions(-)
Comment 9 NATTkA bot gentoo-dev 2021-08-20 19:00:27 UTC
Unable to check for sanity:

> no match for package: dev-lang/go-1.15.14
Comment 10 William Hubbs gentoo-dev 2021-12-15 18:33:08 UTC
The oldest version of go in the tree is 1.17.5.
Comment 11 Larry the Git Cow gentoo-dev 2022-08-04 14:02:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3cb3a96a3023359a20f60ec1f45f10c1fc4012ca

commit 3cb3a96a3023359a20f60ec1f45f10c1fc4012ca
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-04 13:53:02 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-04 13:59:34 +0000

    [ GLSA 202208-02 ] Go: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/754210
    Bug: https://bugs.gentoo.org/766216
    Bug: https://bugs.gentoo.org/775326
    Bug: https://bugs.gentoo.org/788640
    Bug: https://bugs.gentoo.org/794784
    Bug: https://bugs.gentoo.org/802054
    Bug: https://bugs.gentoo.org/806659
    Bug: https://bugs.gentoo.org/807049
    Bug: https://bugs.gentoo.org/816912
    Bug: https://bugs.gentoo.org/821859
    Bug: https://bugs.gentoo.org/828655
    Bug: https://bugs.gentoo.org/833156
    Bug: https://bugs.gentoo.org/834635
    Bug: https://bugs.gentoo.org/838130
    Bug: https://bugs.gentoo.org/843644
    Bug: https://bugs.gentoo.org/849290
    Bug: https://bugs.gentoo.org/857822
    Bug: https://bugs.gentoo.org/862822
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-02.xml | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-04 14:13:04 UTC
GLSA released, all done!