[GO-2023-1570] Panic on large handshake records in crypto/tls
Severity
High
Affected Packages
2
Fixed Packages
2
CVEs
1
Large handshake records may cause panics in crypto/tls.
Both clients and servers may send large TLS handshake records which cause
servers and clients, respectively, to panic when attempting to construct
responses.
This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable
session resumption (by setting Config.ClientSessionCache to a non-nil value),
and TLS 1.3 servers which request client certificates (by setting
Config.ClientAuth >= RequestClientCert).
Package | Affected Version |
---|---|
pkg:golang/crypto/tls | >= 1.20.0, < 1.19.6 |
pkg:golang/crypto/tls | >= 1.20.0, < 1.20.1 |
Package | Fixed Version |
---|---|
pkg:golang/crypto/tls | = 1.19.6 |
pkg:golang/crypto/tls | = 1.20.1 |
- ID
- GO-2023-1570
- Severity
- high
- Severity from
- CVE-2022-41724
- URL
- https://pkg.go.dev/vuln/GO-2023-1570
- Published
-
2023-02-16T21:12:45
(19 months ago) - Modified
-
2024-07-17T19:54:18
(2 months ago) - Other Advisories
-
- ALAS-2023-1731
- ALAS-2023-1848
- ALAS2-2023-2015
- ALAS2-2023-2163
- ALPINE:CVE-2022-41724
- ALSA-2023:3083
- ALSA-2023:6363
- ALSA-2023:6380
- ALSA-2023:6402
- ALSA-2023:6473
- ALSA-2023:6474
- ALSA-2023:6938
- ALSA-2023:6939
- ELSA-2023-3083
- ELSA-2023-6363
- ELSA-2023-6380
- ELSA-2023-6402
- ELSA-2023-6473
- ELSA-2023-6474
- ELSA-2023-6938
- ELSA-2023-6939
- FREEBSD:3D73E384-AD1F-11ED-983C-83FE35862E3A
- GLSA-202311-09
- RHBA-2023:2181
- RHSA-2023:3083
- RHSA-2023:6363
- RHSA-2023:6380
- RHSA-2023:6402
- RHSA-2023:6473
- RHSA-2023:6474
- RHSA-2023:6938
- RHSA-2023:6939
- SUSE-SU-2023:0733-1
- SUSE-SU-2023:0735-1
- SUSE-SU-2023:0869-1
- SUSE-SU-2023:0871-1
- SUSE-SU-2023:2312-1
- USN-6140-1
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Fixed | pkg:golang/crypto/tls | crypto | tls | = 1.19.6 | |||
Affected | pkg:golang/crypto/tls | crypto | tls | >= 1.20.0 < 1.19.6 | |||
Fixed | pkg:golang/crypto/tls | crypto | tls | = 1.20.1 | |||
Affected | pkg:golang/crypto/tls | crypto | tls | >= 1.20.0 < 1.20.1 |
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
---|---|---|---|---|---|---|---|---|---|---|---|
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |