Bug 1062087 - (CVE-2017-15042) VUL-0: CVE-2017-15042: go: smtp.PlainAuth susceptible to man-in-the-middle password harvesting
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium; Severity: Minor
Assigned To: Thomas Hipp
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/192887/
Whiteboard: CVSSv2:NVD:CVE-2017-15042:4.3:(AV:N/A...
Reported: 2017-10-06 15:00 UTC by Alexander Bergmann
Modified: 2022-02-15 21:55 UTC

Found By: Security Response Team
Description Alexander Bergmann 2017-10-06 15:00:25 UTC
rh#1498867

An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1.
RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on
network connections secured with TLS. The original implementation of
smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do
so. In 2013, upstream issue #5184, this was changed so that the server may
decide whether PLAIN is acceptable. The result is that if you set up a
man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise
that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and
password.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1498867
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15042
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15042.html
http://www.cvedetails.com/cve/CVE-2017-15042/
https://golang.org/cl/68210
https://golang.org/cl/68023
https://github.com/golang/go/issues/22134
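
Added example (not from the bug report or the Go project): a client-side guard that enforces the RFC 4954 rule from the description above, whatever Go version the binary is built with. `strictPlainAuth` and `NewStrictPlainAuth` are hypothetical names, and the host, user and password are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"net/smtp"
)

// strictPlainAuth is a hypothetical wrapper (not part of net/smtp) that
// applies the RFC 4954 rule itself, independent of the Go version in use.
type strictPlainAuth struct {
	host  string
	inner smtp.Auth
}

// NewStrictPlainAuth wraps smtp.PlainAuth for the given host.
func NewStrictPlainAuth(identity, user, pass, host string) smtp.Auth {
	return &strictPlainAuth{host: host, inner: smtp.PlainAuth(identity, user, pass, host)}
}

// Start refuses to produce the PLAIN response unless the session is under TLS.
// Without TLS nothing in ServerInfo is trustworthy, including the advertised
// AUTH mechanisms, so server.Auth is deliberately not consulted.
func (a *strictPlainAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {
	if !server.TLS {
		return "", nil, errors.New("refusing PLAIN auth: connection is not TLS")
	}
	if server.Name != a.host {
		return "", nil, errors.New("refusing PLAIN auth: unexpected server name")
	}
	return a.inner.Start(server)
}

// Next delegates any server challenge to the wrapped PlainAuth.
func (a *strictPlainAuth) Next(fromServer []byte, more bool) ([]byte, error) {
	return a.inner.Next(fromServer, more)
}

func main() {
	auth := NewStrictPlainAuth("", "user", "constructed-password", "mail.example.com")
	// Constructed ServerInfo values standing in for what smtp.Client passes to Start.
	noTLS := &smtp.ServerInfo{Name: "mail.example.com", TLS: false, Auth: []string{"PLAIN"}}
	withTLS := &smtp.ServerInfo{Name: "mail.example.com", TLS: true, Auth: []string{"PLAIN"}}
	_, _, err := auth.Start(noTLS)
	fmt.Println("no TLS:", err)
	mech, resp, err := auth.Start(withTLS)
	fmt.Printf("TLS: %s %q %v\n", mech, resp, err)
}
```

Unlike `smtp.PlainAuth`, this wrapper makes no exception for localhost, so it also rejects unencrypted local relays.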
Comment 1 Flavio Castelli 2017-10-06 15:03:07 UTC
Reassigning to Thomas who is in charge of go packages.
Comment 2 Thomas Hipp 2017-10-11 15:13:01 UTC
All Go versions in IBS and OBS have been patched.
Comment 4 Swamp Workflow Management 2018-05-17 17:00:39 UTC
This is an autogenerated message for OBS integration:
This bug (1062087) was mentioned in
https://build.opensuse.org/request/show/610123 Factory / go1.10
Comment 12 Swamp Workflow Management 2018-12-15 08:40:46 UTC
This is an autogenerated message for OBS integration:
This bug (1062087) was mentioned in
https://build.opensuse.org/request/show/658307 Factory / go1.10
https://build.opensuse.org/request/show/658308 Factory / go1.11
Comment 14 Swamp Workflow Management 2018-12-17 15:41:07 UTC
This is an autogenerated message for OBS integration:
This bug (1062087) was mentioned in
https://build.opensuse.org/request/show/658934 15.0+42.3 / go1.11
Comment 15 Swamp Workflow Management 2019-02-27 11:00:45 UTC
This is an autogenerated message for OBS integration:
This bug (1062087) was mentioned in
https://build.opensuse.org/request/show/679777 Factory / go1.11
Comment 16 Swamp Workflow Management 2019-03-25 11:10:38 UTC
This is an autogenerated message for OBS integration:
This bug (1062087) was mentioned in
https://build.opensuse.org/request/show/688187 Factory / go1.12