CVE-2022-41724

Name: CVE-2022-41724
Description: Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
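The description above names three affected configurations. The following Go program is an added example, not code from the Debian tracker or from the Go project: it classifies a crypto/tls Config against those three cases so an operator can see which of their TLS endpoints are in scope before upgrading. The function name AffectedByCVE202241724 and the sample configurations are constructed for this example; the only real remediation is moving to a fixed Go toolchain (1.19.6 or 1.20.1, matching the fixed Debian package versions listed below).

```go
// Added example (not part of the Debian tracker page or the Go project):
// classify a tls.Config against the configurations the advisory lists as
// affected by CVE-2022-41724. This only scopes the exposure; the fix is a
// toolchain upgrade.
package main

import (
	"crypto/tls"
	"fmt"
)

// versionEnabled reports whether cfg would allow protocol version v.
// A zero MinVersion/MaxVersion means "use the crypto/tls default", which
// includes both TLS 1.2 and TLS 1.3 in every Go release this advisory covers.
func versionEnabled(cfg *tls.Config, v uint16) bool {
	if cfg.MinVersion != 0 && v < cfg.MinVersion {
		return false
	}
	if cfg.MaxVersion != 0 && v > cfg.MaxVersion {
		return false
	}
	return true
}

// AffectedByCVE202241724 returns whether cfg, used in the given role, matches
// one of the three affected configurations from the advisory, and which one.
// (Hypothetical helper name; not a crypto/tls API.)
func AffectedByCVE202241724(cfg *tls.Config, isServer bool) (bool, string) {
	if cfg == nil {
		cfg = &tls.Config{} // a nil config behaves like the defaults
	}
	tls13 := versionEnabled(cfg, tls.VersionTLS13)
	tls12 := versionEnabled(cfg, tls.VersionTLS12)

	if isServer {
		// Servers are affected only when they speak TLS 1.3 and ask the
		// client for a certificate (ClientAuth >= RequestClientCert).
		if tls13 && cfg.ClientAuth >= tls.RequestClientCert {
			return true, "TLS 1.3 server requesting client certificates"
		}
		return false, ""
	}

	// Every client that can negotiate TLS 1.3 is affected.
	if tls13 {
		return true, "TLS 1.3 client"
	}
	// A TLS 1.2 client is affected only if session resumption is enabled.
	if tls12 && cfg.ClientSessionCache != nil {
		return true, "TLS 1.2 client with ClientSessionCache set"
	}
	return false, ""
}

func main() {
	// Constructed sample configurations: one per affected case plus three
	// that fall outside the affected set.
	samples := []struct {
		name   string
		cfg    *tls.Config
		server bool
	}{
		{"default client", &tls.Config{}, false},
		{"TLS 1.2-only client, no resumption", &tls.Config{MaxVersion: tls.VersionTLS12}, false},
		{"TLS 1.2-only client with session cache", &tls.Config{MaxVersion: tls.VersionTLS12, ClientSessionCache: tls.NewLRUClientSessionCache(32)}, false},
		{"default server, no client auth", &tls.Config{}, true},
		{"default server, mutual TLS", &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert}, true},
		{"TLS 1.2-only server, mutual TLS", &tls.Config{MaxVersion: tls.VersionTLS12, ClientAuth: tls.RequireAndVerifyClientCert}, true},
	}
	for _, s := range samples {
		affected, why := AffectedByCVE202241724(s.cfg, s.server)
		fmt.Printf("%-42s affected=%-5v %s\n", s.name, affected, why)
	}
}
```

Capping MaxVersion at TLS 1.2 or dropping session resumption moves a config out of the affected set, but at the cost of TLS 1.3 and resumption; treat the classifier as an inventory aid for prioritising the toolchain upgrade rather than as a workaround.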

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package      Release             Version              Status
golang-1.11 (PTS)   buster              1.11.6-1+deb10u4     fixed
                    buster (security)   1.11.6-1+deb10u7     fixed
golang-1.15 (PTS)   bullseye            1.15.15-1~deb11u4    vulnerable
golang-1.19 (PTS)   bookworm            1.19.8-2             fixed

The information below is based on the following data on fixed versions.

Package       Type     Release        Fixed Version     Urgency   Origin   Debian Bugs
golang-1.11   source   (unstable)     (not affected)
golang-1.15   source   (unstable)     (unfixed)
golang-1.19   source   experimental   1.19.6-1
golang-1.19   source   (unstable)     1.19.6-2
golang-1.20   source   (unstable)     1.20.1-1

Notes

[bullseye] - golang-1.15 <no-dsa> (Minor issue)
- golang-1.11 <not-affected> (Vulnerable code introduced later)
https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
https://go.dev/issue/58001
https://github.com/golang/go/commit/66c58b946beaa38de35241c3f64ec358f5ad03f1 (master)
Introduced by: https://github.com/golang/go/commit/4c8b09e9183390d6ab80d3f53a9fe5f6ace92f06 (go1.12beta1)
Introduced by: https://github.com/golang/go/commit/6435d0cfbf72f405f31430e60766add6d6762fe1 (go1.12beta1)
