Bug 1215087 (CVE-2023-39321, CVE-2023-39322)

Summary: VUL-0: CVE-2023-39321: CVE-2023-39322: go1.21: crypto/tls: panic when processing post-handshake message on QUIC connections
Product: [Novell Products] SUSE Security Incidents Reporter: Jeff Kowalczyk <jkowalczyk>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: andreas.taschner, meissner
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/377582/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-39321:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2023-39322:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Jeff Kowalczyk 2023-09-06 23:25:04 UTC 
Processing an incomplete post-handshake message for a QUIC connection caused a panic.

Thanks to Marten Seemann for reporting this issue.

This is CVE-2023-39321 and CVE-2023-39322 and Go issue https://go.dev/issue/62266.
Comment 2 Maintenance Automation 2023-09-20 12:30:44 UTC 
SUSE-SU-2023:3701-1: An update that solves five vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1212475, 1215084, 1215085, 1215086, 1215087, 1215090
CVE References: CVE-2023-39318, CVE-2023-39319, CVE-2023-39320, CVE-2023-39321, CVE-2023-39322
Sources used:
Development Tools Module 15-SP5 (src): go1.21-1.21.1-150000.1.6.1
openSUSE Leap 15.4 (src): go1.21-1.21.1-150000.1.6.1
openSUSE Leap 15.5 (src): go1.21-1.21.1-150000.1.6.1
Development Tools Module 15-SP4 (src): go1.21-1.21.1-150000.1.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 3 OBSbugzilla Bot 2023-10-31 15:35:21 UTC 
This is an autogenerated message for OBS integration:
This bug (1215087) was mentioned in
https://build.opensuse.org/request/show/1121461 Backports:SLE-12 / go1.21
Comment 6 Marcus Meissner 2023-11-09 14:05:18 UTC 
openSUSE-SU-2023:0360-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1212475,1212667,1212669,1215084,1215085,1215086,1215087,1215090,1215985,1216109
CVE References: CVE-2023-39318,CVE-2023-39319,CVE-2023-39320,CVE-2023-39321,CVE-2023-39322,CVE-2023-39323,CVE-2023-39325,CVE-2023-44487
JIRA References: 
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    go-1.21-41.1, go1.21-1.21.3-2.1
Comment 8 Maintenance Automation 2023-11-16 20:30:11 UTC 
SUSE-SU-2023:4469-1: An update that solves 10 vulnerabilities, contains one feature and has two security fixes can now be installed.

Category: security (moderate)
Bug References: 1212475, 1212667, 1212669, 1215084, 1215085, 1215086, 1215087, 1215090, 1215985, 1216109, 1216943, 1216944
CVE References: CVE-2023-39318, CVE-2023-39319, CVE-2023-39320, CVE-2023-39321, CVE-2023-39322, CVE-2023-39323, CVE-2023-39325, CVE-2023-44487, CVE-2023-45283, CVE-2023-45284
Jira References: SLE-18320
Sources used:
openSUSE Leap 15.4 (src): go1.21-openssl-1.21.4.1-150000.1.5.1
openSUSE Leap 15.5 (src): go1.21-openssl-1.21.4.1-150000.1.5.1
Development Tools Module 15-SP4 (src): go1.21-openssl-1.21.4.1-150000.1.5.1
Development Tools Module 15-SP5 (src): go1.21-openssl-1.21.4.1-150000.1.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.