New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto/tls: randomly generate ticket_age_add [1.17 backport] #52832
Labels
Milestone
Comments
gopherbot
added
the
CherryPickCandidate
Used during the release process for point releases
label
May 10, 2022
dmitshur
changed the title
crypto/tls: randomly generate ticket_age_add [freeze exception] [1.17 backport]
crypto/tls: randomly generate ticket_age_add [1.17 backport]
May 17, 2022
toothrot
added
the
CherryPickApproved
Used during the release process for point releases
label
May 25, 2022
Approved. This is a serious issue with no workaround. |
gopherbot
removed
the
CherryPickCandidate
Used during the release process for point releases
label
May 25, 2022
Change https://go.dev/cl/408574 mentions this issue: |
Closed by merging c15a8e2 to release-branch.go1.17. |
gopherbot
pushed a commit
that referenced
this issue
May 27, 2022
As required by RFC 8446, section 4.6.1, ticket_age_add now holds a random 32-bit value. Before this change, this value was always set to 0. This change also documents the reasoning for always setting ticket_nonce to 0. The value ticket_nonce must be unique per connection, but we only ever send one ticket per connection. Updates #52814 Fixes #52832 Fixes CVE-2022-30629 Change-Id: I6c2fc6ca0376b7b968abd59d6d3d3854c1ab68bb Reviewed-on: https://go-review.googlesource.com/c/go/+/405994 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> Run-TryBot: Tatiana Bradley <tatiana@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> (cherry picked from commit fe4de36) Reviewed-on: https://go-review.googlesource.com/c/go/+/408574 Run-TryBot: Roland Shoemaker <roland@golang.org>
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 9, 2022
As required by RFC 8446, section 4.6.1, ticket_age_add now holds a random 32-bit value. Before this change, this value was always set to 0. This change also documents the reasoning for always setting ticket_nonce to 0. The value ticket_nonce must be unique per connection, but we only ever send one ticket per connection. Updates golang#52814 Fixes golang#52832 Fixes CVE-2022-30629 Change-Id: I6c2fc6ca0376b7b968abd59d6d3d3854c1ab68bb Reviewed-on: https://go-review.googlesource.com/c/go/+/405994 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> Run-TryBot: Tatiana Bradley <tatiana@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> (cherry picked from commit fe4de36) Reviewed-on: https://go-review.googlesource.com/c/go/+/408574 Run-TryBot: Roland Shoemaker <roland@golang.org>
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 14, 2022
As required by RFC 8446, section 4.6.1, ticket_age_add now holds a random 32-bit value. Before this change, this value was always set to 0. This change also documents the reasoning for always setting ticket_nonce to 0. The value ticket_nonce must be unique per connection, but we only ever send one ticket per connection. Updates golang#52814 Fixes golang#52832 Fixes CVE-2022-30629 Change-Id: I6c2fc6ca0376b7b968abd59d6d3d3854c1ab68bb Reviewed-on: https://go-review.googlesource.com/c/go/+/405994 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> Run-TryBot: Tatiana Bradley <tatiana@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> (cherry picked from commit fe4de36) Reviewed-on: https://go-review.googlesource.com/c/go/+/408574 Run-TryBot: Roland Shoemaker <roland@golang.org>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 5, 2022
# AWS EKS Backported To: go-1.15.15-eks Backported On: Thu, 22 Sept 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@e25bfe0 Upstream Source Commit: golang@c15a8e2 # Original Information As required by RFC 8446, section 4.6.1, ticket_age_add now holds a random 32-bit value. Before this change, this value was always set to 0. This change also documents the reasoning for always setting ticket_nonce to 0. The value ticket_nonce must be unique per connection, but we only ever send one ticket per connection. Updates golang#52814 Fixes golang#52832 Fixes CVE-2022-30629 Change-Id: I6c2fc6ca0376b7b968abd59d6d3d3854c1ab68bb Reviewed-on: https://go-review.googlesource.com/c/go/+/405994 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> Run-TryBot: Tatiana Bradley <tatiana@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> (cherry picked from commit fe4de36) Reviewed-on: https://go-review.googlesource.com/c/go/+/408574 Run-TryBot: Roland Shoemaker <roland@golang.org>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 12, 2022
# AWS EKS Backported To: go-1.15.15-eks Backported On: Thu, 22 Sept 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@e25bfe0 Upstream Source Commit: golang@c15a8e2 # Original Information As required by RFC 8446, section 4.6.1, ticket_age_add now holds a random 32-bit value. Before this change, this value was always set to 0. This change also documents the reasoning for always setting ticket_nonce to 0. The value ticket_nonce must be unique per connection, but we only ever send one ticket per connection. Updates golang#52814 Fixes golang#52832 Fixes CVE-2022-30629 Change-Id: I6c2fc6ca0376b7b968abd59d6d3d3854c1ab68bb Reviewed-on: https://go-review.googlesource.com/c/go/+/405994 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> Run-TryBot: Tatiana Bradley <tatiana@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> (cherry picked from commit fe4de36) Reviewed-on: https://go-review.googlesource.com/c/go/+/408574 Run-TryBot: Roland Shoemaker <roland@golang.org>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 12, 2022
# AWS EKS Backported To: go-1.16.15-eks Backported On: Tue, 04 Oct 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@3beb7c1 Upstream Source Commit: golang@c15a8e2 # Original Information As required by RFC 8446, section 4.6.1, ticket_age_add now holds a random 32-bit value. Before this change, this value was always set to 0. This change also documents the reasoning for always setting ticket_nonce to 0. The value ticket_nonce must be unique per connection, but we only ever send one ticket per connection. Updates golang#52814 Fixes golang#52832 Fixes CVE-2022-30629 Change-Id: I6c2fc6ca0376b7b968abd59d6d3d3854c1ab68bb Reviewed-on: https://go-review.googlesource.com/c/go/+/405994 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> Run-TryBot: Tatiana Bradley <tatiana@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> (cherry picked from commit fe4de36) Reviewed-on: https://go-review.googlesource.com/c/go/+/408574 Run-TryBot: Roland Shoemaker <roland@golang.org>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
@rolandshoemaker requested issue #52814 to be considered for backport to the next 1.17 minor release.
The text was updated successfully, but these errors were encountered: