Bug 2092918 (CVE-2022-30321)

Summary: CVE-2022-30321 go-getter: unsafe download (issue 1 of 3)
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: amctagga, bdettelb, bmontgom, eclipseo, eglynn, eparis, go-sig, gparvin, gsuckevi, hfukumot, jburrell, jjoyce, jokerman, jramanat, lhh, mburns, njean, nstielau, pahickey, rdey, rhos-maint, rpittau, security-response-team, sponnaga, spower, stcannon, tsedovic, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: github.com/hashicorp/go-getter 1.6.1, github.com/hashicorp/go-getter 2.1.0 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in go-getter. Several vulnerabilities were identified in the way go-getter processes HTTP responses, response headers, and password-protected ZIP files. This flaw allows an attacker to bypass certain configuration settings and may lead to a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-12-07 13:32:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2092922, 2100980, 2100981, 2100982, 2100983, 2100984, 2100985, 2100986, 2100987, 2100988, 2100989, 2100990, 2100991, 2100992, 2100993, 2100994, 2100995, 2100996, 2100997, 2100998, 2100999, 2101000, 2101001, 2101002, 2101003, 2101004, 2101005, 2101006, 2101007, 2101008, 2101009, 2101010, 2101011, 2101012, 2101013, 2101014, 2101015, 2101016, 2101017, 2101018, 2101026, 2101027, 2101028    
Bug Blocks: 2092556    

Description Guilherme de Almeida Suckevicz 2022-06-02 14:25:44 UTC 
HashiCorp go-getter through 2.0.2 does not safely perform downloads (issue 1 of 3).

References:
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
https://github.com/hashicorp/go-getter/releases
Comment 1 Guilherme de Almeida Suckevicz 2022-06-02 14:30:37 UTC 
Created golang-github-yujunz-getter tracking bugs for this issue:

Affects: fedora-all [bug 2092922]
Comment 5 Maxwell G 2022-06-27 18:10:34 UTC 
What's the point of the three duplicate issues[1]? Is there something that I'm missing here?

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=2092918 https://bugzilla.redhat.com/show_bug.cgi?id=2092923 https://bugzilla.redhat.com/show_bug.cgi?id=2092925
Comment 6 Maxwell G 2022-06-27 18:12:42 UTC 
(In reply to Maxwell G from comment #5)
> What's the point of the three duplicate issues[1]? Is there something that
> I'm missing here?
> 
> [1]: https://bugzilla.redhat.com/show_bug.cgi?id=2092918
> https://bugzilla.redhat.com/show_bug.cgi?id=2092923
> https://bugzilla.redhat.com/show_bug.cgi?id=2092925

Ah, I guess there are three different CVEs surrounding unsafe downloads. I did not look closely at the CVE numbers. Feel free to disregard this.
Comment 7 errata-xmlrpc 2022-07-20 15:48:38 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:5673 https://access.redhat.com/errata/RHSA-2022:5673
Comment 9 errata-xmlrpc 2022-08-10 10:35:11 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:5069 https://access.redhat.com/errata/RHSA-2022:5069
Comment 10 errata-xmlrpc 2022-08-31 12:33:12 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:6133 https://access.redhat.com/errata/RHSA-2022:6133
Comment 11 errata-xmlrpc 2022-08-31 16:39:32 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:6147 https://access.redhat.com/errata/RHSA-2022:6147
Comment 12 errata-xmlrpc 2022-09-08 05:40:44 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:6258 https://access.redhat.com/errata/RHSA-2022:6258
Comment 13 Maxwell G 2022-09-08 14:43:39 UTC 
I am removing myself from this issue. Please see https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/ETPDV57SDTABYN6P6MGRZWRRCXVFLPZD/ for a discussion on how prodsec can properly deal with Fedora vulnerabilities.
Comment 14 errata-xmlrpc 2022-09-14 20:38:32 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2022:6308 https://access.redhat.com/errata/RHSA-2022:6308
Comment 15 errata-xmlrpc 2022-10-12 08:14:19 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:6805 https://access.redhat.com/errata/RHSA-2022:6805
Comment 16 errata-xmlrpc 2022-10-13 07:45:09 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2022:6801 https://access.redhat.com/errata/RHSA-2022:6801
Comment 17 errata-xmlrpc 2022-10-19 19:50:42 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:6905 https://access.redhat.com/errata/RHSA-2022:6905
Comment 19 errata-xmlrpc 2022-11-02 06:27:04 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:7201 https://access.redhat.com/errata/RHSA-2022:7201
Comment 20 errata-xmlrpc 2022-11-02 07:25:04 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:7211 https://access.redhat.com/errata/RHSA-2022:7211
Comment 21 errata-xmlrpc 2022-11-03 05:56:01 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:7216 https://access.redhat.com/errata/RHSA-2022:7216
Comment 22 errata-xmlrpc 2022-11-18 05:14:53 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2022:7874 https://access.redhat.com/errata/RHSA-2022:7874
Comment 24 Product Security DevOps Team 2022-12-07 13:32:49 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-30321
Comment 26 errata-xmlrpc 2023-01-06 10:37:53 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:9111 https://access.redhat.com/errata/RHSA-2022:9111