Bugzilla – Bug 1040618
VUL-0: CVE-2017-8932: go: Elliptic curves carry propagation issue in x86-64 P-256
Last modified: 2019-05-07 10:55:21 UTC
https://github.com/golang/go/issues/20040

Cloudflare reported a carry bug in the P-256 implementation that they submitted for x86-64 in 7bacfc6. I can reproduce this via random testing against BoringSSL and, after applying the patch that they provided, can no longer do so, even after ~2^31 iterations. This issue is not obviously exploitable, although we cannot rule out the possibility of someone managing to squeeze something through this hole. (It would be a cool paper.) Thus this should be treated as something to fix, but not something on fire, based on what we currently know.

https://github.com/golang/go/commit/9294fa2749ffee7edbbb817a0ef9fe633136fa9c
https://golang.org/cl/41070
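The comment above describes finding the bug by random differential testing of Go's P-256 against BoringSSL. The program below is an added example, not code from the bug report, from Go or from Cloudflare: it performs the same kind of check entirely in Go, using a textbook affine math/big implementation as the independent reference oracle instead of BoringSSL, and compares it with crypto/elliptic's P-256 on seeded random scalars and points plus the scalars around 1 and around the group order. The constants p, N and G are read from crypto/elliptic; the field arithmetic, the iteration count and the seed are this example's own choices.

```go
package main

import (
	"crypto/elliptic"
	"fmt"
	"math/big"
	"math/rand"
)

// affine is a P-256 point in affine coordinates; a nil x marks the point at infinity.
type affine struct{ x, y *big.Int }

var (
	p256   = elliptic.P256() // implementation under test (assembly on amd64)
	params = p256.Params()   // only the constants p, N, Gx, Gy are taken from here
	three  = big.NewInt(3)
)

// refAdd is the independent reference oracle: textbook chord-and-tangent
// affine addition over GF(p) for y^2 = x^3 - 3x + b, using only math/big.
// It is slow and not constant-time, which is fine for a test oracle.
func refAdd(a, b affine) affine {
	if a.x == nil {
		return b
	}
	if b.x == nil {
		return a
	}
	p := params.P
	var num, den *big.Int
	if a.x.Cmp(b.x) == 0 {
		if a.y.Cmp(b.y) != 0 || a.y.Sign() == 0 {
			return affine{} // P + (-P) = O
		}
		// Doubling: lambda = (3x^2 - 3) / (2y), because a = -3 for P-256.
		num = new(big.Int).Mul(a.x, a.x)
		num.Mul(num, three).Sub(num, three)
		den = new(big.Int).Lsh(a.y, 1)
	} else {
		// Addition: lambda = (y2 - y1) / (x2 - x1).
		num = new(big.Int).Sub(b.y, a.y)
		den = new(big.Int).Sub(b.x, a.x)
	}
	den.Mod(den, p)
	lambda := new(big.Int).Mul(num, new(big.Int).ModInverse(den, p))
	lambda.Mod(lambda, p)
	x3 := new(big.Int).Mul(lambda, lambda)
	x3.Sub(x3, a.x).Sub(x3, b.x).Mod(x3, p)
	y3 := new(big.Int).Sub(a.x, x3)
	y3.Mul(y3, lambda).Sub(y3, a.y).Mod(y3, p)
	return affine{x3, y3}
}

// refScalarMult computes k*pt by plain left-to-right double-and-add.
func refScalarMult(pt affine, k *big.Int) affine {
	acc := affine{}
	for i := k.BitLen() - 1; i >= 0; i-- {
		acc = refAdd(acc, acc)
		if k.Bit(i) == 1 {
			acc = refAdd(acc, pt)
		}
	}
	return acc
}

// agree reports whether crypto/elliptic and the reference give the same k*pt.
func agree(pt affine, k *big.Int) bool {
	gotX, gotY := p256.ScalarMult(pt.x, pt.y, k.Bytes())
	want := refScalarMult(pt, k)
	return want.x != nil && gotX.Cmp(want.x) == 0 && gotY.Cmp(want.y) == 0
}

// differentialTest feeds n seeded random (point, scalar) pairs to both
// implementations and returns how many results disagree. The random point
// is derived by the reference, so the implementation under test never
// feeds its own input.
func differentialTest(seed int64, n int) int {
	rng := rand.New(rand.NewSource(seed))
	g := affine{params.Gx, params.Gy}
	nMinus1 := new(big.Int).Sub(params.N, big.NewInt(1))
	randScalar := func() *big.Int { // uniform in [1, N-1]
		return new(big.Int).Add(new(big.Int).Rand(rng, nMinus1), big.NewInt(1))
	}
	bad := 0
	for i := 0; i < n; i++ {
		pt := refScalarMult(g, randScalar())
		if !p256.IsOnCurve(pt.x, pt.y) || !agree(pt, randScalar()) {
			bad++
		}
	}
	return bad
}

// edgeScalarTest checks the scalars 1, 2, N-2 and N-1 against G, where the
// double-and-add chain is shortest and longest; returns the mismatch count.
func edgeScalarTest() int {
	g := affine{params.Gx, params.Gy}
	one, two := big.NewInt(1), big.NewInt(2)
	bad := 0
	for _, k := range []*big.Int{one, two,
		new(big.Int).Sub(params.N, two), new(big.Int).Sub(params.N, one)} {
		if !agree(g, k) {
			bad++
		}
	}
	return bad
}

func main() {
	const iterations = 200 // raise this (and run on amd64) when hunting rare carry bugs
	fmt.Printf("P-256 differential test: %d random + %d edge mismatches\n",
		differentialTest(1, iterations), edgeScalarTest())
}
```

A mismatch count above zero means the two implementations disagree on some input, which is exactly the symptom the carry bug produced; with the fix applied, a fixed-seed run reports none, and a real hunt would use many more iterations (the comment above mentions ~2^31) and a source of fresh randomness rather than a fixed seed.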
Which Go-compiled tools speak SSL/HTTPS?
(In reply to Marcus Meissner from comment #1)
> which go compiled tools speak SSL/HTTPS ?

I can think of:
* etcd
* kubernetes apiserver
* docker

Right now the most vulnerable parts are etcd and the kubernetes api-server, because they listen for incoming connections. This does not apply to our docker deployments.

I'm going to assign the bug to Thomas Hipp, who is following go packaging. I think upstream will publish patch releases of Go. We should update our packages to include the fix.

Adding Jordi too, given he's involved with the release of quite a few go-based packages.
Upstream has released version 1.8.2 which includes a patch for this issue.
All relevant go packages in IBS and OBS have been updated and include the upstream patch.
This is an autogenerated message for OBS integration: This bug (1040618) was mentioned in https://build.opensuse.org/request/show/499627 42.2+Backports:SLE-12+Backports:SLE-12-SP1 / go
openSUSE-SU-2017:1649-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1040618
CVE References: CVE-2017-8932
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src): go-1.7.0-12.1, go-1.7.0-5.2
openSUSE-SU-2017:1650-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1040618
CVE References: CVE-2017-8932
Sources used:
openSUSE Leap 42.2 (src): go-1.6.2-23.3.3
SUSE-RU-2017:1965-1: An update that solves one vulnerability and has 17 fixes is now available.

Category: recommended (moderate)
Bug References: 1026827,1028113,1028638,1028639,1030702,1032287,1032644,1032769,1034053,1034063,1037436,1037607,1038476,1038493,1040618,953182,964546,996303
CVE References: CVE-2017-8932
Sources used:
SUSE OpenStack Cloud 6 (src): containerd-0.2.5+gitr639_422e31c-20.2, docker-17.04.0_ce-98.2, golang-github-docker-libnetwork-0.0.0+git20170119.7b2b1fe-4.1, runc-0.1.1+gitr2947_9c2d8d1-20.3
SUSE Linux Enterprise Module for Containers 12 (src): containerd-0.2.5+gitr639_422e31c-20.2, docker-17.04.0_ce-98.2, docker-distribution-2.6.1-15.2, golang-github-docker-libnetwork-0.0.0+git20170119.7b2b1fe-4.1, runc-0.1.1+gitr2947_9c2d8d1-20.3
OpenStack Cloud Magnum Orchestration 7 (src): containerd-0.2.5+gitr639_422e31c-20.2, docker-17.04.0_ce-98.2, golang-github-docker-libnetwork-0.0.0+git20170119.7b2b1fe-4.1, runc-0.1.1+gitr2947_9c2d8d1-20.3
closing as this has been released
This is an autogenerated message for OBS integration: This bug (1040618) was mentioned in https://build.opensuse.org/request/show/610123 Factory / go1.10
This is an autogenerated message for OBS integration: This bug (1040618) was mentioned in
https://build.opensuse.org/request/show/658307 Factory / go1.10
https://build.opensuse.org/request/show/658308 Factory / go1.11
This is an autogenerated message for OBS integration: This bug (1040618) was mentioned in https://build.opensuse.org/request/show/658934 15.0+42.3 / go1.11
This is an autogenerated message for OBS integration: This bug (1040618) was mentioned in https://build.opensuse.org/request/show/679777 Factory / go1.11
This is an autogenerated message for OBS integration: This bug (1040618) was mentioned in https://build.opensuse.org/request/show/688187 Factory / go1.12