RHCOS 4 : OpenShift Container Platform 4.6.42 (RHSA-2021:3009)

The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:3009 advisory. - golang: net: lookup functions may return invalid host names CVE-2021-33195 - golang: net/http/httputil: ReverseProxy forwards...

RHCOS 4 : OpenShift Container Platform 4.6.23 (RHSA-2021:0956)

The remote Red Hat Enterprise Linux CoreOS 4 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:0956 advisory. - golang: data race in certain net/http servers including ReverseProxy can lead to DoS CVE-2020-15586 - golang: ReadUvarint and...

RHCOS 4 / 8 : OpenShift Container Platform 4.11.0 (RHSA-2022:5068)

The remote Red Hat Enterprise Linux CoreOS 4 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:5068 advisory. - golang.org/x/crypto: empty plaintext packet causes panic CVE-2021-43565 - golang: net/http: improper sanitization of...

Astra Linux - уязвимость в golang-1.15

In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method...

Linux Distros Unpatched Vulnerability : CVE-2022-23772

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption. CVE-2022-23772 Note th...

In Go before 1.15.13 and 1.16.x before 1.16.5 there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.

...

RHEL 8 : faq (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - golang: crypto/elliptic: IsOnCurve returns true for invalid field elements CVE-2022-23806 - Go before...

Oracle Linux 9 : skopeo (ELSA-2024-2239)

The remote Oracle Linux 9 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2024-2239 advisory. - rebuild for following CVEs: CVE-2022-41724 CVE-2022-41725 CVE-2023-24537 CVE-2023-24538 CVE-2023-24534 CVE-2023-24536 CVE-2022-41723 CVE-2023-24539...

RHEL 9 : containernetworking-plugins (RHSA-2024:2272)

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2024:2272 advisory. The Container Network Interface CNI project consists of a specification and libraries for writing plug- ins for configuring network interfac...

RHEL 7 / 8 / 9 : OpenShift Virtualization 4.13.0 RPMs (RHSA-2023:3204)

The remote Redhat Enterprise Linux 7 / 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3204 advisory. OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory...

RHEL 8 : Red Hat OpenShift Data Foundation 4.11.0 (RHSA-2022:6155)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:6155 advisory. Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Re...

RHEL 8 : Release of OpenShift Serverless Client kn 1.22.1 (Moderate) (RHSA-2022:4860)

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2022:4860 advisory. The Red Hat OpenShift Serverless Client kn 1.22.1 provides a CLI to interact with Red Hat OpenShift Serverless 1.22.1. The kn CLI is deliver...

BIT-GOLANG-2022-23772

Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption...

BIT-GOLANG-2022-32189 Panic when decoding Float and Rat types in math/big

A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service...

BIT-GOLANG-2023-45287 Before Go 1.20, the RSA based key exchange methods in crypto/tls may exhibit a timing side channel

Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS1 padding may leak timing...

RHEL 8 / 9 : OpenShift Container Platform 4.15.0 (RHSA-2023:7201)

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:7201 advisory. Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or...

Design/Logic Flaw

Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS1 padding may leak timing...

CVE-2023-45287

Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS1 padding may leak timing...

CVE-2023-45287

Summary of CVE-2023-45287 (Go): Before Go 1.20, RSA-based TLS key exchanges used math/big (not constant time). RSA blinding was applied but may not fully prevent timing leaks after removal of PKCS#1 padding, potentially enabling recovery of session key bits. Go 1.20+ switched crypto/tls to a full...

PT-2023-29487

Name of the Vulnerable Software and Affected Versions Go versions prior to 1.20 Description The issue concerns the RSA-based TLS key exchanges in Go, which used the math/big library that is not constant time. Although RSA blinding was applied to prevent timing attacks, analysis suggests this may...