Bug 2222167 (CVE-2023-29406)
| Summary: | CVE-2023-29406 golang: net/http: insufficient sanitization of Host header | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Avinash Hanwate <ahanwate> |
| Component: | vulnerability | Assignee: | Nobody <nobody> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aazores, abenaiss, abishop, adudiak, aileenc, amasferr, amctagga, ansmith, aoconnor, asm, bbaude, bbuckingham, bcl, bcourt, bniver, bodavis, chazlett, davidn, dbenoit, dcadzow, debarshir, desktop-qa-list, dfreiber, dhellmann, dhughes, dkenigsb, dperaza, dsimansk, dwalsh, dymurray, eaguilar, ebaron, eglynn, ehelms, ellin, emachado, epacific, eric.wittmann, fdeutsch, flucifre, gmeno, gparvin, grafana-maint, ibolton, jaharrin, janstey, jburrell, jcammara, jcantril, jchui, jeder, jhardy, jjoyce, jkang, jkoehler, jkurik, jligon, jmatthew, jmontleo, jneedle, jnovy, jobarker, jpallich, jsherril, jwendell, kshier, lball, lhh, lmadsen, lsm5, lzap, mabashia, matzew, mbenjamin, mboddu, mburns, mcressma, mgarciac, mhackett, mheon, mhulan, mkudlej, mmagr, mnewsome, mrunge, mwringe, myarboro, nathans, nbecker, nboldt, njean, nmontero, nmoumoul, nobody, opohorel, orabin, oramraz, osbuilders, owatkins, pahickey, pantinor, pcreech, peholase, pehunt, pgrist, pjindal, pthomas, rcernich, rchan, rhcos-sst, rhos-maint, rhuss, rjohnson, rogbas, saroy, scorneli, sfroberg, sgott, shbose, simaishi, sipoyare, slucidi, smcdonal, smullick, sostapov, sseago, stcannon, teagle, tfister, tjochec, tstellar, tsweeney, twalsh, umohnani, vereddy, vkumar, whayutin, yguenane, zsadeh |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | golang 1.19.11, golang 1.20.6 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in Golang, where it is vulnerable to HTTP header injection caused by improper content validation of the Host header by the HTTP/1 client. A remote attacker can inject arbitrary HTTP headers by persuading a victim to visit a specially crafted Web page. This flaw allows the attacker to conduct various attacks against the vulnerable system, including Cross-site scripting, cache poisoning, or session hijacking.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2222291, 2222293, 2222294, 2222295, 2222296, 2222297, 2222298, 2222299, 2222301, 2222302, 2222303, 2222304, 2222305, 2222306, 2222307, 2222308, 2222310, 2222312, 2222313, 2222314, 2222315, 2222316, 2222317, 2222318, 2222319, 2222320, 2222321, 2222322, 2222323, 2222324, 2222325, 2222326, 2222327, 2222328, 2222329, 2222330, 2222331, 2222332, 2222333, 2222334, 2222335, 2222336, 2222337, 2222338, 2222339, 2222340, 2222341, 2222342, 2222343, 2224490, 2224491, 2236647, 2236831 | ||
| Bug Blocks: | 2222178 | ||
|
Description
Avinash Hanwate
2023-07-12 06:04:15 UTC
Created golang tracking bugs for this issue: Affects: epel-all [bug 2224490] Affects: fedora-all [bug 2224491] I see that there are toolbox bugs for RHEL 8 (bug 2222320 and bug 2222325), but not for RHEL 9. Is that intentional? There's no real difference between the Toolbx code we ship across RHEL 8 and 9. We have been missing RHEL 9 CVE bugs for toolbox in recent times. So I wonder if a bug has crept into some script. This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2023:5935 https://access.redhat.com/errata/RHSA-2023:5935 This issue has been addressed in the following products: RHOL-5.6-RHEL-8 Via RHSA-2023:5541 https://access.redhat.com/errata/RHSA-2023:5541 This issue has been addressed in the following products: RHOL-5.7-RHEL-8 Via RHSA-2023:5530 https://access.redhat.com/errata/RHSA-2023:5530 This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2023:5965 https://access.redhat.com/errata/RHSA-2023:5965 This issue has been addressed in the following products: NETWORK-OBSERVABILITY-1.4.0-RHEL-9 Via RHSA-2023:5974 https://access.redhat.com/errata/RHSA-2023:5974 This issue has been addressed in the following products: STF-1.5-RHEL-8 Via RHSA-2023:5976 https://access.redhat.com/errata/RHSA-2023:5976 This issue has been addressed in the following products: Cryostat 2 on RHEL 8 Via RHSA-2023:6031 https://access.redhat.com/errata/RHSA-2023:6031 This issue has been addressed in the following products: Red Hat Openshift distributed tracing 2.9 Via RHSA-2023:6085 https://access.redhat.com/errata/RHSA-2023:6085 This issue has been addressed in the following products: OADP-1.1-RHEL-8 Via RHSA-2023:6115 https://access.redhat.com/errata/RHSA-2023:6115 This issue has been addressed in the following products: RODOO-1.0-RHEL-8 Via RHSA-2023:5947 https://access.redhat.com/errata/RHSA-2023:5947 This issue has been addressed in the following products: OSSO-1.1-RHEL-8 Via RHSA-2023:5933 https://access.redhat.com/errata/RHSA-2023:5933 This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.7 Via RHSA-2023:6161 https://access.redhat.com/errata/RHSA-2023:6161 This issue has been addressed in the following products: Red Hat OpenShift Serverless 1.30 Via RHSA-2023:6296 https://access.redhat.com/errata/RHSA-2023:6296 This issue has been addressed in the following products: Openshift Serverless 1 on RHEL 8 Via RHSA-2023:6298 https://access.redhat.com/errata/RHSA-2023:6298 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:6346 https://access.redhat.com/errata/RHSA-2023:6346 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:6363 https://access.redhat.com/errata/RHSA-2023:6363 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:6402 https://access.redhat.com/errata/RHSA-2023:6402 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:6473 https://access.redhat.com/errata/RHSA-2023:6473 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:6474 https://access.redhat.com/errata/RHSA-2023:6474 This issue has been addressed in the following products: Red Hat Satellite 6.14 for RHEL 8 Via RHSA-2023:6818 https://access.redhat.com/errata/RHSA-2023:6818 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:6938 https://access.redhat.com/errata/RHSA-2023:6938 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:6939 https://access.redhat.com/errata/RHSA-2023:6939 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:7202 https://access.redhat.com/errata/RHSA-2023:7202 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2023:6840 https://access.redhat.com/errata/RHSA-2023:6840 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2024:0293 https://access.redhat.com/errata/RHSA-2024:0293 This issue has been addressed in the following products: MTA-6.2-RHEL-9 MTA-6.2-RHEL-8 Via RHSA-2024:1027 https://access.redhat.com/errata/RHSA-2024:1027 This issue has been addressed in the following products: Red Hat Advanced Cluster Security 4.4 Via RHSA-2024:1570 https://access.redhat.com/errata/RHSA-2024:1570 |