Bugzilla – Bug 1189162
VUL-0: CVE-2021-36221: go1.16,go1.15: go: net/http: panic due to racy read of persistConn after handler panic
Last modified: 2021-09-10 13:14:47 UTC
A net/http/httputil ReverseProxy can panic due to a race condition if its Handler aborts with ErrAbortHandler, for example due to an error in copying the response body. An attacker might be able to force the conditions leading to the race condition. This is issue https://golang.org/issue/46866 and CVE-2021-36221. Thanks to Andrew Crump (VMware) for reporting this issue.
This is an autogenerated message for OBS integration: This bug (1189162) was mentioned in https://build.opensuse.org/request/show/910390 Factory / go1.15 https://build.opensuse.org/request/show/910391 Factory / go1.16
Thanks Jeff for having reported this issue, could you please also backport the patch to SUSE:SLE-15:Update/go1.15 [0] and SUSE:SLE-15:Update/go1.16 [1]. Thanks [0] https://github.com/golang/go/commit/ba93baa74a52d57ae79313313ea990cc791ef50e [1] https://github.com/golang/go/commit/accf363d5da864521c90b152fb734f3f15e00521
(In reply to Gianluca Gabrielli from comment #2) > Thanks Jeff for having reported this issue, could you please also backport > the patch to SUSE:SLE-15:Update/go1.15 [0] and SUSE:SLE-15:Update/go1.16 > [1]. Thanks These are in now. I submit go releases as MRs to SLE-15:Update and SLE-12:Update ASAP once SRs are accepted to openSUSE:Factory staging.
# maintenance_jira_update_notice
SUSE-SU-2021:2788-1: An update that solves one vulnerability and has one errata is now available.
Category: security (moderate)
Bug References: 1182345,1189162
CVE References: CVE-2021-36221
JIRA References:
Sources used:
  SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): go1.16-1.16.7-1.23.1
  SUSE Linux Enterprise Module for Development Tools 15-SP2 (src): go1.16-1.16.7-1.23.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
# maintenance_jira_update_notice
openSUSE-SU-2021:2788-1: An update that solves one vulnerability and has one errata is now available.
Category: security (moderate)
Bug References: 1182345,1189162
CVE References: CVE-2021-36221
JIRA References:
Sources used:
  openSUSE Leap 15.3 (src): go1.16-1.16.7-1.23.1
# maintenance_jira_update_notice
SUSE-SU-2021:2787-1: An update that solves one vulnerability and has two fixes is now available.
Category: security (moderate)
Bug References: 1175132,1188906,1189162
CVE References: CVE-2021-36221
JIRA References:
Sources used:
  SUSE Manager Server 4.0 (src): go1.15-1.15.15-1.39.1
  SUSE Manager Retail Branch Server 4.0 (src): go1.15-1.15.15-1.39.1
  SUSE Manager Proxy 4.0 (src): go1.15-1.15.15-1.39.1
  SUSE Linux Enterprise Server for SAP 15-SP1 (src): go1.15-1.15.15-1.39.1
  SUSE Linux Enterprise Server 15-SP1-LTSS (src): go1.15-1.15.15-1.39.1
  SUSE Linux Enterprise Server 15-SP1-BCL (src): go1.15-1.15.15-1.39.1
  SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): go1.15-1.15.15-1.39.1
  SUSE Linux Enterprise Module for Development Tools 15-SP2 (src): go1.15-1.15.15-1.39.1
  SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): go1.15-1.15.15-1.39.1
  SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): go1.15-1.15.15-1.39.1
  SUSE Enterprise Storage 6 (src): go1.15-1.15.15-1.39.1
  SUSE CaaS Platform 4.0 (src): go1.15-1.15.15-1.39.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
# maintenance_jira_update_notice
openSUSE-SU-2021:2787-1: An update that solves one vulnerability and has two fixes is now available.
Category: security (moderate)
Bug References: 1175132,1188906,1189162
CVE References: CVE-2021-36221
JIRA References:
Sources used:
  openSUSE Leap 15.3 (src): go1.15-1.15.15-1.39.1
# maintenance_jira_update_notice
openSUSE-SU-2021:1199-1: An update that solves one vulnerability and has one errata is now available.
Category: security (moderate)
Bug References: 1182345,1189162
CVE References: CVE-2021-36221
JIRA References:
Sources used:
  openSUSE Leap 15.2 (src): go1.16-1.16.7-lp152.8.1
# maintenance_jira_update_notice
openSUSE-SU-2021:1207-1: An update that solves one vulnerability and has two fixes is now available.
Category: security (moderate)
Bug References: 1175132,1188906,1189162
CVE References: CVE-2021-36221
JIRA References:
Sources used:
  openSUSE Leap 15.2 (src): go1.15-1.15.15-lp152.26.1
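The description at the top of this bug names the affected package (net/http/httputil ReverseProxy) and the update notices above name the upstream releases that carry the fix (go1.15.15 and go1.16.7). What an operator usually needs next is a quick way to tell whether a given Go toolchain or a binary's embedded toolchain version is still on the vulnerable side of that line. The following is an added example written for this page, not code from Go, SUSE or the bug reporters. It assumes the fixed-version line implied by the notices (everything older than 1.15.15, and 1.16.x older than 1.16.7, is affected), treats pre-release and development toolchains as "flag for manual review", and takes the version string in the `runtime.Version()` / `go version` format (e.g. `go1.16.5`).

```go
package main

import (
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// Fixed upstream patch releases taken from the SUSE update notices on
// this bug: go1.15-1.15.15 and go1.16-1.16.7. Minors not in this map
// (1.14 and earlier) never received a fixed release and are treated as
// affected; 1.17 and later shipped after the fix (assumption).
var fixedPatch = map[int]int{15: 15, 16: 7}

// parseGoVersion turns "go1.16.5", "go1.16" or "go1.17rc1" into
// (minor, patch, prerelease, ok). "go1.16" is treated as go1.16.0;
// a trailing suffix such as "rc1" or "beta2" sets prerelease.
// Anything not starting with "go1." (e.g. "devel +abc123") is not ok.
func parseGoVersion(v string) (minor, patch int, prerelease, ok bool) {
	if !strings.HasPrefix(v, "go1.") {
		return 0, 0, false, false
	}
	rest := strings.TrimPrefix(v, "go1.")
	for i, r := range rest {
		if (r < '0' || r > '9') && r != '.' {
			prerelease = true
			rest = rest[:i]
			break
		}
	}
	parts := strings.Split(rest, ".")
	var err error
	if minor, err = strconv.Atoi(parts[0]); err != nil {
		return 0, 0, false, false
	}
	if len(parts) > 1 && parts[1] != "" {
		if patch, err = strconv.Atoi(parts[1]); err != nil {
			return 0, 0, false, false
		}
	}
	return minor, patch, prerelease, true
}

// AffectedByCVE202136221 reports whether a toolchain version string is
// older than the fixed releases named on this bug. Unparseable,
// development and pre-release versions return true so that a fleet
// scan errs on the side of flagging them for a manual look.
func AffectedByCVE202136221(v string) bool {
	minor, patch, prerelease, ok := parseGoVersion(v)
	if !ok || prerelease {
		return true
	}
	if minor >= 17 {
		return false // assumption: 1.17.0 and later include the fix
	}
	fixed, tracked := fixedPatch[minor]
	if !tracked {
		return true // 1.14 and earlier: no patched release exists
	}
	return patch < fixed
}

func main() {
	// Check the toolchain this program was built with, then a few
	// constructed sample strings as they would appear in `go version`.
	v := runtime.Version()
	fmt.Printf("%-10s affected: %v\n", v, AffectedByCVE202136221(v))
	for _, s := range []string{"go1.15.14", "go1.15.15", "go1.16.6", "go1.16.7", "go1.14.15", "go1.17"} {
		fmt.Printf("%-10s affected: %v\n", s, AffectedByCVE202136221(s))
	}
}
```

For binaries rather than toolchains, the same check applies to the version string `go version <binary>` prints for a Go executable, which is the toolchain that compiled it; a proxy built with an affected toolchain keeps the bug until it is rebuilt, regardless of which toolchain is now installed on the host.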
released