Bug 802054 (CVE-2021-34558)

Summary:	<dev-lang/go-{1.15.14,1.16.6}: Denial of service in crypto/tls (CVE-2021-34558)
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	williamh
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B3 [glsa+]
Package list:	dev-lang/go-1.15.14 dev-lang/go-1.16.6	Runtime testing required:	---

Description Sam James archtester

2021-07-13 20:18:58 UTC

Description:
"crypto/tls clients can panic when provided a certificate of the wrong type for the negotiated parameters.
net/http clients performing HTTPS requests are also affected. The panic can be triggered by an attacker
in a privileged network position without access to the server certificate's private key, as long as a trusted
ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with
Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher
suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.

This is issue #47143 and CVE-2021-34558. Thanks to Imre Rad for reporting this issue."

Please bump to 1.15.14, 1.16.6.

Comment 1 Larry the Git Cow gentoo-dev

2021-07-15 18:29:52 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be5ded95d291316974a51edb76f2bfa42a642b55

commit be5ded95d291316974a51edb76f2bfa42a642b55
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-07-15 18:26:00 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-07-15 18:29:47 +0000

    dev-lang/go: 1.15.14 and 1.16.6 security bump
    
    Tests passed on amd64, so I'm stabilizing.
    
    Bug: https://bugs.gentoo.org/802054
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest          |   2 +
 dev-lang/go/go-1.15.14.ebuild | 189 ++++++++++++++++++++++++++++++++++++++++++
 dev-lang/go/go-1.16.6.ebuild  | 189 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 380 insertions(+)

Comment 2 William Hubbs gentoo-dev

2021-07-15 18:31:18 UTC

Please go ahead with stabilization.
Tests passed here so I stabilized on amd64.

Thanks,

William

Comment 3 John Helmert III archtester

2021-07-15 18:54:23 UTC

Thanks!

Comment 4 Agostino Sarubbo gentoo-dev

2021-07-16 06:51:55 UTC

x86 stable

Comment 5 Sam James archtester

2021-07-17 03:58:34 UTC

arm done

Comment 6 Sam James archtester

2021-07-17 04:59:43 UTC

arm64 done

Comment 7 Georgy Yakovlev archtester

2021-07-25 22:10:33 UTC

ppc64 done
last arch, please cleanup

Comment 8 Larry the Git Cow gentoo-dev

2021-07-26 02:42:04 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4eae5881b582037bef7f6fcb52295f67b0fcf3c

commit b4eae5881b582037bef7f6fcb52295f67b0fcf3c
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-07-26 02:38:44 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-07-26 02:41:55 +0000

    dev-lang/go: Remove 1.15.13 and 1.16.5
    
    Bug: https://bugs.gentoo.org/802054
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest          |   2 -
 dev-lang/go/go-1.15.13.ebuild | 189 ------------------------------------------
 dev-lang/go/go-1.16.5.ebuild  | 189 ------------------------------------------
 3 files changed, 380 deletions(-)

Comment 9 NATTkA bot gentoo-dev

2021-08-20 19:00:27 UTC

Unable to check for sanity:

> no match for package: dev-lang/go-1.15.14

Comment 10 William Hubbs gentoo-dev

2021-12-15 18:33:08 UTC

The oldest version of go in the tree is 1.17.5.

Comment 11 Larry the Git Cow gentoo-dev

2022-08-04 14:02:23 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3cb3a96a3023359a20f60ec1f45f10c1fc4012ca

commit 3cb3a96a3023359a20f60ec1f45f10c1fc4012ca
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-04 13:53:02 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-04 13:59:34 +0000

    [ GLSA 202208-02 ] Go: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/754210
    Bug: https://bugs.gentoo.org/766216
    Bug: https://bugs.gentoo.org/775326
    Bug: https://bugs.gentoo.org/788640
    Bug: https://bugs.gentoo.org/794784
    Bug: https://bugs.gentoo.org/802054
    Bug: https://bugs.gentoo.org/806659
    Bug: https://bugs.gentoo.org/807049
    Bug: https://bugs.gentoo.org/816912
    Bug: https://bugs.gentoo.org/821859
    Bug: https://bugs.gentoo.org/828655
    Bug: https://bugs.gentoo.org/833156
    Bug: https://bugs.gentoo.org/834635
    Bug: https://bugs.gentoo.org/838130
    Bug: https://bugs.gentoo.org/843644
    Bug: https://bugs.gentoo.org/849290
    Bug: https://bugs.gentoo.org/857822
    Bug: https://bugs.gentoo.org/862822
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-02.xml | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)

Comment 12 John Helmert III archtester

2022-08-04 14:13:04 UTC

GLSA released, all done!