update: go #1149

dongsupark · 2023-08-03T08:21:01Z

Name: go
CVEs: CVE-2023-29409
CVSSs: n/a
Action Needed: update to >= 1.20.7 or >= 1.19.12

Summary: Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.

See also https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI.

refmap.gentoo: TBD

dongsupark added security security concerns advisory security advisory labels Aug 3, 2023

dongsupark added this to Flatcar tactical, release planning, and roadmap Aug 3, 2023

github-project-automation bot moved this to 📝 Needs Triage in Flatcar tactical, release planning, and roadmap Aug 3, 2023

dongsupark mentioned this issue Aug 2, 2023

Upgrade Go from 1.19.11 and 1.20.6 to 1.19.12 and 1.20.7 flatcar/scripts#1041

Merged

dongsupark closed this as completed in flatcar/scripts#1041 Aug 3, 2023

github-project-automation bot moved this from 📝 Needs Triage to Implemented in Flatcar tactical, release planning, and roadmap Aug 3, 2023

github-actions bot mentioned this issue Nov 10, 2023

Monthly contributions report 2023-07-22 - 2023-08-21 #1246

Closed

dongsupark removed this from Flatcar tactical, release planning, and roadmap Nov 28, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

update: go #1149

update: go #1149

dongsupark commented Aug 3, 2023

update: go #1149

update: go #1149

Comments

dongsupark commented Aug 3, 2023