Bugzilla – Bug 1213880
VUL-0: CVE-2023-29409: go1.19,go1.20: crypto/tls: restrict RSA keys in certificates to <= 8192 bits
Last modified: 2024-05-14 12:02:48 UTC
Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. Limit this by restricting the size of RSA keys transmitted during handshakes to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable. Thanks to Mateusz Poliwczak for reporting this issue. This is CVE-2023-29409 and Go issue https://go.dev/issue/61460.
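As an added example (not code from the Go project or from the SUSE packages listed here), this Go program applies the same "more than 8192 bits" rule the fix enforces to a certificate chain, so an operator can audit a private PKI for RSA keys that the patched crypto/tls will start rejecting. The function names, the constructed `fakeRSACert` moduli and the `VerifyPeerCertificate` wrapper are this example's own; the wrapper runs after standard chain verification, so it enforces the policy on unpatched Go but does not remove the CPU cost the CVE describes.

```go
package main

import (
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
)

// maxRSAKeyBits is the limit the patched crypto/tls (Go 1.19.12 / 1.20.7 in the
// updates on this bug) applies to RSA keys received during a handshake.
const maxRSAKeyBits = 8192

// oversizedRSACerts returns every certificate whose RSA public key is larger than
// maxBits. Only *rsa.PublicKey is inspected; ECDSA and Ed25519 certs are never flagged.
func oversizedRSACerts(certs []*x509.Certificate, maxBits int) []*x509.Certificate {
	var bad []*x509.Certificate
	for _, c := range certs {
		if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() > maxBits {
			bad = append(bad, c)
		}
	}
	return bad
}

// verifyPeerRSASize is a tls.Config.VerifyPeerCertificate hook enforcing the same
// limit on unpatched Go. It runs after normal chain verification, so it is a policy
// backstop only; avoiding the signature-verification cost needs the patched crypto/tls.
func verifyPeerRSASize(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	certs := make([]*x509.Certificate, 0, len(rawCerts))
	for _, raw := range rawCerts {
		c, err := x509.ParseCertificate(raw)
		if err != nil {
			return err
		}
		certs = append(certs, c)
	}
	if bad := oversizedRSACerts(certs, maxRSAKeyBits); len(bad) > 0 {
		return fmt.Errorf("tls: peer certificate %q has RSA key larger than %d bits",
			bad[0].Subject.CommonName, maxRSAKeyBits)
	}
	return nil
}

// fakeRSACert builds a certificate struct whose RSA modulus is exactly `bits` long.
// The modulus 2^(bits-1) is constructed test data, not a real key: the size check only
// needs its bit length, and generating real keys above 8192 bits takes minutes.
func fakeRSACert(cn string, bits int) *x509.Certificate {
	n := new(big.Int).Lsh(big.NewInt(1), uint(bits-1))
	return &x509.Certificate{
		Subject:   pkix.Name{CommonName: cn},
		PublicKey: &rsa.PublicKey{N: n, E: 65537},
	}
}

func main() {
	// Constructed inventory: the 16384-bit CA is the kind of private-PKI key the report warns about.
	certs := []*x509.Certificate{fakeRSACert("leaf", 2048), fakeRSACert("root", 8192), fakeRSACert("legacy-ca", 16384)}
	for _, c := range oversizedRSACerts(certs, maxRSAKeyBits) {
		fmt.Printf("%s: %d-bit RSA key, patched crypto/tls will reject it\n", c.Subject.CommonName, c.PublicKey.(*rsa.PublicKey).N.BitLen())
	}
	_ = &tls.Config{VerifyPeerCertificate: verifyPeerRSASize} // how the hook is wired into a client or server config
}
```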
This is an autogenerated message for OBS integration: This bug (1213880) was mentioned in https://build.opensuse.org/request/show/1101872 Factory / go1.19 https://build.opensuse.org/request/show/1101873 Factory / go1.20
Hi Jeff, could you please also submit (and always submit in the future) to SUSE:ALP:Source:Standard:1.0/go1.19 and SUSE:ALP:Source:Standard:1.0/go1.20? Thank you
SUSE-SU-2023:3181-1: An update that solves one vulnerability and has one fix can now be installed. Category: security (important) Bug References: 1206346, 1213880 CVE References: CVE-2023-29409 Sources used: openSUSE Leap 15.5 (src): go1.20-1.20.7-150000.1.20.1 Development Tools Module 15-SP4 (src): go1.20-1.20.7-150000.1.20.1 Development Tools Module 15-SP5 (src): go1.20-1.20.7-150000.1.20.1 openSUSE Leap 15.4 (src): go1.20-1.20.7-150000.1.20.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3263-1: An update that solves one vulnerability and has one fix can now be installed. Category: security (important) Bug References: 1200441, 1213880 CVE References: CVE-2023-29409 Sources used: openSUSE Leap 15.5 (src): go1.19-1.19.12-150000.1.40.1 Development Tools Module 15-SP4 (src): go1.19-1.19.12-150000.1.40.1 Development Tools Module 15-SP5 (src): go1.19-1.19.12-150000.1.40.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): go1.19-1.19.12-150000.1.40.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): go1.19-1.19.12-150000.1.40.1 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): go1.19-1.19.12-150000.1.40.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): go1.19-1.19.12-150000.1.40.1 SUSE Enterprise Storage 7.1 (src): go1.19-1.19.12-150000.1.40.1 openSUSE Leap 15.4 (src): go1.19-1.19.12-150000.1.40.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3475-1: An update that solves one vulnerability, contains one feature and has 19 fixes can now be installed. Category: security (important) Bug References: 1175823, 1208528, 1208577, 1209156, 1210103, 1210994, 1211100, 1211469, 1211650, 1211884, 1212032, 1212106, 1212416, 1212507, 1212589, 1212700, 1212943, 1213880, 1214187, 1214333 CVE References: CVE-2023-29409 Jira References: MSQA-698 Sources used: NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
I think ALP:Source:Standard:1.0/go1.20 is still missing, could you have a look? Thanks :)
SUSE-SU-2023:3841-1: An update that solves two vulnerabilities and has two security fixes can now be installed. Category: security (important) Bug References: 1200441, 1213229, 1213880, 1215090 CVE References: CVE-2023-29406, CVE-2023-29409 Sources used: openSUSE Leap 15.4 (src): go1.19-openssl-1.19.13.1-150000.1.8.1 openSUSE Leap 15.5 (src): go1.19-openssl-1.19.13.1-150000.1.8.1 Development Tools Module 15-SP4 (src): go1.19-openssl-1.19.13.1-150000.1.8.1 Development Tools Module 15-SP5 (src): go1.19-openssl-1.19.13.1-150000.1.8.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3840-1: An update that solves three vulnerabilities and has two security fixes can now be installed. Category: security (important) Bug References: 1206346, 1213880, 1215084, 1215085, 1215090 CVE References: CVE-2023-29409, CVE-2023-39318, CVE-2023-39319 Sources used: openSUSE Leap 15.4 (src): go1.20-openssl-1.20.8.1-150000.1.11.1 openSUSE Leap 15.5 (src): go1.20-openssl-1.20.8.1-150000.1.11.1 Development Tools Module 15-SP4 (src): go1.20-openssl-1.20.8.1-150000.1.11.1 Development Tools Module 15-SP5 (src): go1.20-openssl-1.20.8.1-150000.1.11.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3886-1: An update that solves one vulnerability can now be installed. Category: security (important) Bug References: 1213880 CVE References: CVE-2023-29409 Sources used: openSUSE Leap 15.4 (src): grafana-9.5.5-150200.3.47.1 openSUSE Leap 15.5 (src): grafana-9.5.5-150200.3.47.1 SUSE Package Hub 15 15-SP4 (src): grafana-9.5.5-150200.3.47.1 SUSE Package Hub 15 15-SP5 (src): grafana-9.5.5-150200.3.47.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3885-1: An update that solves six vulnerabilities, contains seven features and has 74 security fixes can now be installed. Category: security (important) Bug References: 1193948, 1193948, 1207330, 1207330, 1208692, 1208692, 1208692, 1210935, 1210935, 1211525, 1211525, 1211525, 1211874, 1211874, 1211884, 1211884, 1212246, 1212246, 1212730, 1212730, 1212814, 1212814, 1212827, 1212827, 1212856, 1212856, 1212856, 1212943, 1212943, 1212943, 1213009, 1213009, 1213077, 1213077, 1213288, 1213288, 1213441, 1213441, 1213445, 1213445, 1213445, 1213469, 1213469, 1213675, 1213675, 1213675, 1213716, 1213716, 1213880, 1213880, 1214002, 1214002, 1214121, 1214121, 1214124, 1214124, 1214187, 1214187, 1214266, 1214266, 1214280, 1214280, 1214796, 1214796, 1214797, 1214797, 1214889, 1214889, 1214982, 1214982, 1215352, 1215352, 1215362, 1215362, 1215413, 1215413, 1215497, 1215497, 1215756, 1215756 CVE References: CVE-2023-20897, CVE-2023-20897, CVE-2023-20898, CVE-2023-20898, CVE-2023-29409, CVE-2023-29409 Jira References: MSQA-699, MSQA-699, MSQA-699, SUMA-158, SUMA-158, SUMA-280, SUMA-280 Sources used: openSUSE Leap 15.4 (src): release-notes-susemanager-proxy-4.3.8-150400.3.61.2, release-notes-susemanager-4.3.8-150400.3.77.1 SUSE Manager Proxy 4.3 (src): release-notes-susemanager-proxy-4.3.8-150400.3.61.2 SUSE Manager Retail Branch Server 4.3 (src): release-notes-susemanager-proxy-4.3.8-150400.3.61.2 SUSE Manager Server 4.3 (src): release-notes-susemanager-4.3.8-150400.3.77.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3875-1: An update that solves four vulnerabilities, contains four features and has one security fix can now be installed. Category: security (important) Bug References: 1204501, 1208046, 1208270, 1213691, 1213880 CVE References: CVE-2022-32149, CVE-2022-41723, CVE-2022-46146, CVE-2023-29409 Jira References: ECO-3319, MSQA-699, PED-5405, SLE-24791 Sources used: SUSE Manager Client Tools for RHEL, Liberty and Clones 9 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-1.6.1, prometheus-postgres_exporter-0.10.1-1.9.2, golang-github-lusitaniae-apache_exporter-1.0.0-1.8.1, golang-github-prometheus-node_exporter-1.5.0-1.9.2, spacecmd-4.3.23-1.18.2, scap-security-guide-0.1.69-1.12.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-202306:15231-1: An update that solves one vulnerability, contains one feature and has one security fix can now be installed. Category: security (important) Bug References: 1208612, 1213880 CVE References: CVE-2023-29409 Jira References: MSQA-679 Sources used: NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-202309:15230-1: An update that solves three vulnerabilities, contains two features and has 11 security fixes can now be installed. Category: security (moderate) Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213691, 1213880, 1213960, 1214796, 1214797, 1215489 CVE References: CVE-2023-20897, CVE-2023-20898, CVE-2023-29409 Jira References: ECO-3319, MSQA-699 Sources used: NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3868-1: An update that solves four vulnerabilities, contains three features and has three security fixes can now be installed. Category: security (important) Bug References: 1204501, 1208046, 1208270, 1208298, 1208692, 1211525, 1213880 CVE References: CVE-2022-32149, CVE-2022-41723, CVE-2022-46146, CVE-2023-29409 Jira References: MSQA-699, PED-5405, PED-5406 Sources used: openSUSE Leap 15.4 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.18.3, golang-github-lusitaniae-apache_exporter-1.0.0-150000.1.17.2, prometheus-postgres_exporter-0.10.1-150000.1.14.3, spacecmd-4.3.23-150000.3.104.2, prometheus-blackbox_exporter-0.24.0-150000.1.23.3, supportutils-plugin-susemanager-client-4.3.3-150000.3.21.2 openSUSE Leap 15.5 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.18.3, golang-github-lusitaniae-apache_exporter-1.0.0-150000.1.17.2, prometheus-postgres_exporter-0.10.1-150000.1.14.3, spacecmd-4.3.23-150000.3.104.2, prometheus-blackbox_exporter-0.24.0-150000.1.23.3, supportutils-plugin-susemanager-client-4.3.3-150000.3.21.2 SUSE Manager Client Tools for SLE 15 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.18.3, golang-github-lusitaniae-apache_exporter-1.0.0-150000.1.17.2, prometheus-postgres_exporter-0.10.1-150000.1.14.3, spacecmd-4.3.23-150000.3.104.2, python-pyvmomi-6.7.3-150000.1.6.2, supportutils-plugin-susemanager-client-4.3.3-150000.3.21.2, grafana-9.5.5-150000.1.54.3, golang-github-prometheus-prometheus-2.45.0-150000.3.50.3, prometheus-blackbox_exporter-0.24.0-150000.1.23.3, uyuni-common-libs-4.3.9-150000.1.36.2 SUSE Manager Client Tools for SLE Micro 5 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.18.3, prometheus-blackbox_exporter-0.24.0-150000.1.23.3 SUSE Manager Proxy 4.2 Module 4.2 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.18.3, golang-github-lusitaniae-apache_exporter-1.0.0-150000.1.17.2, prometheus-blackbox_exporter-0.24.0-150000.1.23.3 SUSE Manager Proxy 4.3 Module 4.3 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.18.3, golang-github-lusitaniae-apache_exporter-1.0.0-150000.1.17.2, prometheus-blackbox_exporter-0.24.0-150000.1.23.3 SUSE Manager Server 4.2 Module 4.2 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.18.3, golang-github-lusitaniae-apache_exporter-1.0.0-150000.1.17.2, prometheus-postgres_exporter-0.10.1-150000.1.14.3 SUSE Manager Server 4.3 Module 4.3 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.18.3, golang-github-lusitaniae-apache_exporter-1.0.0-150000.1.17.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3867-1: An update that solves four vulnerabilities, contains three features and has three security fixes can now be installed. Category: security (important) Bug References: 1204501, 1208046, 1208270, 1208298, 1208692, 1211525, 1213880 CVE References: CVE-2022-32149, CVE-2022-41723, CVE-2022-46146, CVE-2023-29409 Jira References: MSQA-699, PED-5405, PED-5406 Sources used: SUSE Manager Client Tools for SLE 12 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-1.12.2, uyuni-common-libs-4.3.9-1.36.3, golang-github-prometheus-alertmanager-0.23.0-1.21.2, golang-github-prometheus-node_exporter-1.5.0-1.27.2, prometheus-postgres_exporter-0.10.1-1.14.3, supportutils-plugin-susemanager-client-4.3.3-6.27.2, spacecmd-4.3.23-38.127.3, golang-github-prometheus-prometheus-2.45.0-1.47.3, golang-github-lusitaniae-apache_exporter-1.0.0-1.18.2, prometheus-blackbox_exporter-0.24.0-1.23.2, grafana-9.5.5-1.54.3 SUSE Linux Enterprise High Performance Computing 12 SP5 (src): golang-github-prometheus-node_exporter-1.5.0-1.27.2 SUSE Linux Enterprise Server 12 SP5 (src): golang-github-prometheus-node_exporter-1.5.0-1.27.2 SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): golang-github-prometheus-node_exporter-1.5.0-1.27.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3861-1: An update that solves two vulnerabilities, contains seven features and has 70 security fixes can now be installed. Category: security (important) Bug References: 1207330, 1207330, 1208692, 1208692, 1208692, 1210935, 1210935, 1211525, 1211525, 1211525, 1211874, 1211874, 1211884, 1211884, 1212246, 1212246, 1212730, 1212730, 1212814, 1212814, 1212827, 1212827, 1212856, 1212856, 1212856, 1212943, 1212943, 1212943, 1213009, 1213009, 1213077, 1213077, 1213288, 1213288, 1213445, 1213445, 1213445, 1213675, 1213675, 1213675, 1213716, 1213716, 1213880, 1213880, 1214002, 1214002, 1214121, 1214121, 1214124, 1214124, 1214187, 1214187, 1214266, 1214266, 1214280, 1214280, 1214889, 1214889, 1214982, 1214982, 1215352, 1215352, 1215362, 1215362, 1215373, 1215373, 1215413, 1215413, 1215497, 1215497, 1215756, 1215756 CVE References: CVE-2023-29409, CVE-2023-29409 Jira References: MSQA-699, MSQA-699, MSQA-699, SUMA-158, SUMA-158, SUMA-280, SUMA-280 Sources used: SUSE Manager Proxy 4.3 Module 4.3 (src): spacecmd-4.3.23-150400.3.24.13, spacewalk-certs-tools-4.3.19-150400.3.18.13, uyuni-common-libs-4.3.9-150400.3.15.13, spacewalk-web-4.3.33-150400.3.27.16, supportutils-plugin-susemanager-proxy-4.3.3-150400.3.3.13, supportutils-plugin-susemanager-client-4.3.3-150400.3.3.13, spacewalk-backend-4.3.23-150400.3.27.19 SUSE Manager Server 4.3 Module 4.3 (src): susemanager-schema-4.3.20-150400.3.24.17, spacewalk-config-4.3.11-150400.3.9.13, prometheus-exporters-formula-1.3.0-150400.3.3.13, inter-server-sync-0.3.0-150400.3.21.15, image-sync-formula-0.1.1692188980.9aa0455-150400.3.15.13, spacewalk-admin-4.3.13-150400.3.12.13, billing-data-service-0.3-150400.10.6.13, spacewalk-java-4.3.66-150400.3.60.1, hub-xmlrpc-api-0.7-150400.5.9.15, spacewalk-backend-4.3.23-150400.3.27.19, spacecmd-4.3.23-150400.3.24.13, spacewalk-certs-tools-4.3.19-150400.3.18.13, susemanager-4.3.31-150400.3.36.12, supportutils-plugin-susemanager-4.3.9-150400.3.15.13, spacewalk-setup-4.3.18-150400.3.27.13, susemanager-docs_en-4.3-150400.9.38.2, uyuni-common-libs-4.3.9-150400.3.15.13, susemanager-sls-4.3.35-150400.3.31.12, grafana-formula-0.9.0-150400.3.12.1, saltboot-formula-0.1.1692188980.9aa0455-150400.3.12.13, cobbler-3.3.3-150400.5.33.13, spacewalk-web-4.3.33-150400.3.27.16, prometheus-postgres_exporter-0.10.1-150400.3.6.17 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3888-1: An update that solves one vulnerability can now be installed. Category: security (important) Bug References: 1213880 CVE References: CVE-2023-29409 Sources used: openSUSE Leap 15.4 (src): golang-github-prometheus-alertmanager-0.23.0-150100.4.16.2, golang-github-prometheus-node_exporter-1.5.0-150100.3.26.2 openSUSE Leap 15.5 (src): golang-github-prometheus-alertmanager-0.23.0-150100.4.16.2, golang-github-prometheus-node_exporter-1.5.0-150100.3.26.2 SUSE Manager Client Tools for SLE 15 (src): golang-github-prometheus-alertmanager-0.23.0-150100.4.16.2 SUSE Manager Client Tools for SLE Micro 5 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.26.2 Basesystem Module 15-SP4 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.26.2 Basesystem Module 15-SP5 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.26.2 SUSE Package Hub 15 15-SP5 (src): golang-github-prometheus-alertmanager-0.23.0-150100.4.16.2 SUSE Manager Proxy 4.2 Module 4.2 (src): golang-github-prometheus-alertmanager-0.23.0-150100.4.16.2 SUSE Manager Proxy 4.3 Module 4.3 (src): golang-github-prometheus-alertmanager-0.23.0-150100.4.16.2 SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.26.2 SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.26.2 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.26.2 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.26.2 SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.26.2 SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.26.2 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.26.2 SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.26.2 SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.26.2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.26.2 SUSE Manager Proxy 4.2 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.26.2 SUSE Manager Retail Branch Server 4.2 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.26.2 SUSE Manager Server 4.2 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.26.2 SUSE Enterprise Storage 7.1 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.26.2 SUSE CaaS Platform 4.0 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.26.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3474-1: An update that solves one vulnerability, contains one feature and has 19 security fixes can now be installed. Category: security (important) Bug References: 1175823, 1208528, 1208577, 1209156, 1210103, 1210994, 1211100, 1211469, 1211650, 1211884, 1212032, 1212106, 1212416, 1212507, 1212589, 1212700, 1212943, 1213880, 1214187, 1214333 CVE References: CVE-2023-29409 Jira References: MSQA-698 Sources used: SUSE Manager Proxy 4.2 Module 4.2 (src): spacewalk-backend-4.2.29-150300.4.44.5, spacewalk-web-4.2.36-150300.3.47.5, spacecmd-4.2.24-150300.4.42.3 SUSE Manager Server 4.2 Module 4.2 (src): spacewalk-setup-4.2.13-150300.3.21.3, spacewalk-web-4.2.36-150300.3.47.5, spacecmd-4.2.24-150300.4.42.3, hub-xmlrpc-api-0.7-150300.3.14.2, spacewalk-java-4.2.55-150300.3.73.2, spacewalk-reports-4.2.8-150300.3.12.3, susemanager-4.2.44-150300.3.59.1, susemanager-schema-4.2.29-150300.3.41.5, inter-server-sync-0.3.0-150300.8.36.1, susemanager-doc-indexes-4.2-150300.12.48.5, spacewalk-utils-4.2.20-150300.3.27.3, spacewalk-backend-4.2.29-150300.4.44.5, susemanager-sls-4.2.35-150300.3.54.3, susemanager-docs_en-4.2-150300.12.48.3 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done