Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2022-41724

Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).

Related bugs and status

CVE-2022-41724 (Candidate) is related to these bugs:

Bug #2007220: Sync golang-1.19 1.19.6-1 (main) from Debian unstable (main)

Summary				In	Importance	Status
	2007220	Sync golang-1.19 1.19.6-1 (main) from Debian unstable (main)		golang-1.19 (Ubuntu)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

References

MISC: https://go.dev/cl/468125
MISC: https://go.dev/issue/5...
MISC: https://groups.google....
MISC: https://pkg.go.dev/vul...
GENTOO: GLSA-202311-09