Bugzilla – Full Text Bug Listing |
Summary: | VUL-0: CVE-2019-6486: go: DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves | ||
---|---|---|---|
Product: | [Novell Products] SUSE Security Incidents | Reporter: | Karol Babioch <karol> |
Component: | Incidents | Assignee: | Containers Team <containers-bugowner> |
Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
Severity: | Minor | ||
Priority: | P3 - Medium | CC: | abergmann, asarai, containers-bugowner, fbergmann, fcastelli, jkowalczyk, jmassaguerpla, kkaempf, meissner, smash_bz |
Version: | unspecified | ||
Target Milestone: | --- | ||
Hardware: | Other | ||
OS: | Other | ||
URL: | https://smash.suse.de/issue/223658/ | ||
Whiteboard: | CVSSv3:SUSE:CVE-2019-6486:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) | ||
Found By: | Security Response Team | Services Priority: | |
Business Priority: | Blocker: | --- | |
Marketing QA Status: | --- | IT Deployment: | --- |
Description
Karol Babioch
2019-01-24 10:16:36 UTC
Assigning to containers team so the bug squad leader can plan for this one. @Florian, is there anything we need to do to have this in our backlog?

Scanning Factory for packages that import this Go package yielded the following result:

- caasp-dex is importing crypto/elliptic
- chartmuseum is importing crypto/elliptic
- coredns is importing crypto/elliptic
- dex-oidc is importing crypto/elliptic
- etcd is importing crypto/elliptic
- golang-org-x-crypto is importing crypto/elliptic
- heapster is importing crypto/elliptic
- helm is importing crypto/elliptic
- kbfs is importing crypto/elliptic
- kubernetes-dashboard is importing crypto/elliptic
- kubernetes is importing crypto/elliptic
- kured is importing crypto/elliptic
- sonobuoy is importing crypto/elliptic
- syncthing is importing crypto/elliptic

We should at least fix/rebuild those packages that are also used in our SLE products.

Adding Jeff to CC, he's the maintainer of Go at SUSE.

We can take care of the packages related to CaaSP, but not the others (for example syncthing).

- Announcement: https://groups.google.com/forum/m/#!topic/golang-announce/mVeX35iXuSw
- Upstream issue: https://golang.org/issue/29903
- Upstream fix: https://github.com/golang/go/commit/42b42f71

This is an autogenerated message for OBS integration: This bug (1123013) was mentioned in https://build.opensuse.org/request/show/679777 Factory / go1.11

SUSE-SU-2019:0651-1: An update that fixes one vulnerability is now available.

- Category: security (moderate)
- Bug References: 1123013
- CVE References: CVE-2019-6486
- Sources used:
  - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): go1.11-1.11.5-1.9.1

This is an autogenerated message for OBS integration: This bug (1123013) was mentioned in https://build.opensuse.org/request/show/688187 Factory / go1.12

openSUSE-SU-2019:1164-1: An update that fixes one vulnerability is now available.

- Category: security (moderate)
- Bug References: 1123013
- CVE References: CVE-2019-6486
- Sources used:
  - openSUSE Leap 15.0 (src): go1.11-1.11.5-lp150.6.4

*** NOTE: This information is not intended to be used for external communication, because this may only be a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2019:1234-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.

- Category: security (important)
- Bug References: 1114209,1114832,1118897,1118898,1118899,1121397,1121967,1123013,1128376,1128746,1134068
- CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736,CVE-2019-6486
- Sources used:
  - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): containerd-1.2.5-5.13.1, docker-18.09.6_ce-6.17.1, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-6.18.1, go-1.12-3.10.1, go1.11-1.11.9-1.12.1, go1.12-1.12.4-1.9.1, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-4.12.1
  - SUSE Linux Enterprise Module for Containers 15 (src): containerd-1.2.5-5.13.1, docker-18.09.6_ce-6.17.1, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-6.18.1, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-4.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2019:1264-1: An update that solves four vulnerabilities and has 6 fixes is now available.

- Category: security (important)
- Bug References: 1114209,1114832,1118897,1118898,1118899,1121397,1123013,1128376,1128746,1134068
- CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-6486
- Sources used:
  - SUSE Linux Enterprise Module for Containers 12 (src): containerd-1.2.5-16.17.2, docker-18.09.6_ce-98.37.1, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-1.23.1, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-19.1
  - SUSE CaaS Platform 3.0 (src): containerd-kubic-1.2.5-16.17.2, docker-kubic-18.09.6_ce-98.37.1, docker-runc-kubic-1.0.0rc6+gitr3804_2b18fe1d885e-1.23.1, golang-github-docker-libnetwork-kubic-0.7.0.1+gitr2726_872f0a83c98a-19.1
  - OpenStack Cloud Magnum Orchestration 7 (src): containerd-1.2.5-16.17.2, docker-18.09.6_ce-98.37.1, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-1.23.1, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2019:1499-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.

- Category: security (important)
- Bug References: 1114209,1114832,1118897,1118898,1118899,1121397,1121967,1123013,1128376,1128746,1134068
- CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736,CVE-2019-6486
- Sources used:
  - openSUSE Leap 15.0 (src): containerd-1.2.5-lp150.4.14.3, docker-18.09.6_ce-lp150.5.17.2, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp150.5.21.2, go-1.12-lp150.2.11.1, go1.11-1.11.9-lp150.9.3, go1.12-1.12.4-lp150.2.2, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp150.3.14.1

SUSE-SU-2019:1234-2: An update that solves 5 vulnerabilities and has 6 fixes is now available.

- Category: security (important)
- Bug References: 1114209,1114832,1118897,1118898,1118899,1121397,1121967,1123013,1128376,1128746,1134068
- CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736,CVE-2019-6486
- Sources used:
  - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): containerd-1.2.5-5.13.1, docker-18.09.6_ce-6.17.1, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-6.18.1, go-1.12-3.10.1, go1.11-1.11.9-1.12.1, go1.12-1.12.4-1.9.1, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-4.12.1
  - SUSE Linux Enterprise Module for Containers 15-SP1 (src): containerd-1.2.5-5.13.1, docker-18.09.6_ce-6.17.1, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-6.18.1, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-4.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

I think this can be now closed as fixed.

closed

This is an autogenerated message for OBS integration: This bug (1123013) was mentioned in https://build.opensuse.org/request/show/874754 Factory / go