Bug 1215087 (CVE-2023-39321, CVE-2023-39322) - VUL-0: CVE-2023-39321: CVE-2023-39322: go1.21: crypto/tls: panic when processing post-handshake message on QUIC connections
Summary: VUL-0: CVE-2023-39321: CVE-2023-39322: go1.21: crypto/tls: panic when process...
Status: NEW
Alias: CVE-2023-39321, CVE-2023-39322
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/377582/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-39321:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-09-06 23:25 UTC by Jeff Kowalczyk
Modified: 2024-04-19 10:05 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jeff Kowalczyk 2023-09-06 23:25:04 UTC 
Processing an incomplete post-handshake message for a QUIC connection caused a panic.

Thanks to Marten Seemann for reporting this issue.

This is CVE-2023-39321 and CVE-2023-39322 and Go issue https://go.dev/issue/62266.
Comment 2 Maintenance Automation 2023-09-20 12:30:44 UTC 
SUSE-SU-2023:3701-1: An update that solves five vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1212475, 1215084, 1215085, 1215086, 1215087, 1215090
CVE References: CVE-2023-39318, CVE-2023-39319, CVE-2023-39320, CVE-2023-39321, CVE-2023-39322
Sources used:
Development Tools Module 15-SP5 (src): go1.21-1.21.1-150000.1.6.1
openSUSE Leap 15.4 (src): go1.21-1.21.1-150000.1.6.1
openSUSE Leap 15.5 (src): go1.21-1.21.1-150000.1.6.1
Development Tools Module 15-SP4 (src): go1.21-1.21.1-150000.1.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 3 OBSbugzilla Bot 2023-10-31 15:35:21 UTC 
This is an autogenerated message for OBS integration:
This bug (1215087) was mentioned in
https://build.opensuse.org/request/show/1121461 Backports:SLE-12 / go1.21
Comment 6 Marcus Meissner 2023-11-09 14:05:18 UTC 
openSUSE-SU-2023:0360-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1212475,1212667,1212669,1215084,1215085,1215086,1215087,1215090,1215985,1216109
CVE References: CVE-2023-39318,CVE-2023-39319,CVE-2023-39320,CVE-2023-39321,CVE-2023-39322,CVE-2023-39323,CVE-2023-39325,CVE-2023-44487
JIRA References: 
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    go-1.21-41.1, go1.21-1.21.3-2.1
Comment 8 Maintenance Automation 2023-11-16 20:30:11 UTC 
SUSE-SU-2023:4469-1: An update that solves 10 vulnerabilities, contains one feature and has two security fixes can now be installed.

Category: security (moderate)
Bug References: 1212475, 1212667, 1212669, 1215084, 1215085, 1215086, 1215087, 1215090, 1215985, 1216109, 1216943, 1216944
CVE References: CVE-2023-39318, CVE-2023-39319, CVE-2023-39320, CVE-2023-39321, CVE-2023-39322, CVE-2023-39323, CVE-2023-39325, CVE-2023-44487, CVE-2023-45283, CVE-2023-45284
Jira References: SLE-18320
Sources used:
openSUSE Leap 15.4 (src): go1.21-openssl-1.21.4.1-150000.1.5.1
openSUSE Leap 15.5 (src): go1.21-openssl-1.21.4.1-150000.1.5.1
Development Tools Module 15-SP4 (src): go1.21-openssl-1.21.4.1-150000.1.5.1
Development Tools Module 15-SP5 (src): go1.21-openssl-1.21.4.1-150000.1.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.