Skip to content

Commit

Permalink
data/reports: update GO-2024-3167
Browse files Browse the repository at this point in the history
  - data/reports/GO-2024-3167.yaml

Updates #3167
Fixes #3229

Change-Id: I289eb4e5b94c275a3157e6c580b0ea649ac50914
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/623935
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
  • Loading branch information
tatianab authored and gopherbot committed Nov 5, 2024
1 parent c65acd9 commit b05c7fc
Show file tree
Hide file tree
Showing 2 changed files with 18 additions and 45 deletions.
39 changes: 5 additions & 34 deletions data/osv/GO-2024-3167.json
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
"GHSA-3h3x-2hwv-hr52"
],
"summary": "Golang FIPS OpenSSL has a Use of Uninitialized Variable vulnerability in github.com/golang-fips/openssl",
"details": "Golang FIPS OpenSSL has a Use of Uninitialized Variable vulnerability in github.com/golang-fips/openssl",
"details": "A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.",
"affected": [
{
"package": {
Expand All @@ -26,23 +26,6 @@
}
],
"ecosystem_specific": {}
},
{
"package": {
"name": "github.com/golang-fips/openssl/v2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {}
}
],
"references": [
Expand All @@ -51,28 +34,16 @@
"url": "https://github.com/advisories/GHSA-3h3x-2hwv-hr52"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:7502"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:7550"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-9355"
"type": "FIX",
"url": "https://github.com/golang-fips/openssl/pull/198"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
"url": "https://github.com/github/advisory-database/pull/4950"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3167",
"review_status": "UNREVIEWED"
"review_status": "REVIEWED"
}
}
24 changes: 13 additions & 11 deletions data/reports/GO-2024-3167.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -2,23 +2,25 @@ id: GO-2024-3167
modules:
- module: github.com/golang-fips/openssl
vulnerable_at: 0.0.0-20230605154532-724e32b0f4b8
- module: github.com/golang-fips/openssl/v2
unsupported_versions:
- last_affected: 2.0.3
vulnerable_at: 2.0.3
summary: Golang FIPS OpenSSL has a Use of Uninitialized Variable vulnerability in github.com/golang-fips/openssl
description: |-
A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious
user to randomly cause an uninitialized buffer length variable with a zeroed
buffer to be returned in FIPS mode. It may also be possible to force a false
positive match between non-equal hashes when comparing a trusted computed hmac
sum to an untrusted input sum if an attacker can send a zeroed buffer in place
of a pre-computed sum. It is also possible to force a derived key to be all
zeros instead of an unpredictable value. This may have follow-on implications
for the Go TLS stack.
cves:
- CVE-2024-9355
ghsas:
- GHSA-3h3x-2hwv-hr52
references:
- advisory: https://github.com/advisories/GHSA-3h3x-2hwv-hr52
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-9355
- web: https://access.redhat.com/errata/RHSA-2024:7502
- web: https://access.redhat.com/errata/RHSA-2024:7550
- web: https://access.redhat.com/security/cve/CVE-2024-9355
- web: https://bugzilla.redhat.com/show_bug.cgi?id=2315719
- fix: https://github.com/golang-fips/openssl/pull/198
- web: https://github.com/github/advisory-database/pull/4950
source:
id: GHSA-3h3x-2hwv-hr52
created: 2024-10-08T10:58:05.90723-04:00
review_status: UNREVIEWED
created: 2024-10-31T09:56:02.572206-04:00
review_status: REVIEWED

0 comments on commit b05c7fc

Please sign in to comment.