crypto/tls: randomly generate ticket_age_add [1.17 backport] #52832
Labels
Milestone
Comments
gopherbot
added
the
CherryPickCandidate
dmitshur
changed the title
toothrot
added
the
CherryPickApproved
|
Approved. This is a serious issue with no workaround. |
gopherbot
removed
the
CherryPickCandidate
|
Change https://go.dev/cl/408574 mentions this issue: |
|
Closed by merging c15a8e2 to release-branch.go1.17. |
gopherbot
pushed a commit
that referenced
this issue
May 27, 2022
As required by RFC 8446, section 4.6.1, ticket_age_add now holds a random 32-bit value. Before this change, this value was always set to 0. This change also documents the reasoning for always setting ticket_nonce to 0. The value ticket_nonce must be unique per connection, but we only ever send one ticket per connection. Updates #52814 Fixes #52832 Fixes CVE-2022-30629 Change-Id: I6c2fc6ca0376b7b968abd59d6d3d3854c1ab68bb Reviewed-on: https://go-review.googlesource.com/c/go/+/405994 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> Run-TryBot: Tatiana Bradley <tatiana@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> (cherry picked from commit fe4de36) Reviewed-on: https://go-review.googlesource.com/c/go/+/408574 Run-TryBot: Roland Shoemaker <roland@golang.org>
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 9, 2022
As required by RFC 8446, section 4.6.1, ticket_age_add now holds a random 32-bit value. Before this change, this value was always set to 0. This change also documents the reasoning for always setting ticket_nonce to 0. The value ticket_nonce must be unique per connection, but we only ever send one ticket per connection. Updates golang#52814 Fixes golang#52832 Fixes CVE-2022-30629 Change-Id: I6c2fc6ca0376b7b968abd59d6d3d3854c1ab68bb Reviewed-on: https://go-review.googlesource.com/c/go/+/405994 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> Run-TryBot: Tatiana Bradley <tatiana@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> (cherry picked from commit fe4de36) Reviewed-on: https://go-review.googlesource.com/c/go/+/408574 Run-TryBot: Roland Shoemaker <roland@golang.org>
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 14, 2022
As required by RFC 8446, section 4.6.1, ticket_age_add now holds a random 32-bit value. Before this change, this value was always set to 0. This change also documents the reasoning for always setting ticket_nonce to 0. The value ticket_nonce must be unique per connection, but we only ever send one ticket per connection. Updates golang#52814 Fixes golang#52832 Fixes CVE-2022-30629 Change-Id: I6c2fc6ca0376b7b968abd59d6d3d3854c1ab68bb Reviewed-on: https://go-review.googlesource.com/c/go/+/405994 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> Run-TryBot: Tatiana Bradley <tatiana@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> (cherry picked from commit fe4de36) Reviewed-on: https://go-review.googlesource.com/c/go/+/408574 Run-TryBot: Roland Shoemaker <roland@golang.org>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 5, 2022
# AWS EKS Backported To: go-1.15.15-eks Backported On: Thu, 22 Sept 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@e25bfe0 Upstream Source Commit: golang@c15a8e2 # Original Information As required by RFC 8446, section 4.6.1, ticket_age_add now holds a random 32-bit value. Before this change, this value was always set to 0. This change also documents the reasoning for always setting ticket_nonce to 0. The value ticket_nonce must be unique per connection, but we only ever send one ticket per connection. Updates golang#52814 Fixes golang#52832 Fixes CVE-2022-30629 Change-Id: I6c2fc6ca0376b7b968abd59d6d3d3854c1ab68bb Reviewed-on: https://go-review.googlesource.com/c/go/+/405994 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> Run-TryBot: Tatiana Bradley <tatiana@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> (cherry picked from commit fe4de36) Reviewed-on: https://go-review.googlesource.com/c/go/+/408574 Run-TryBot: Roland Shoemaker <roland@golang.org>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 12, 2022
# AWS EKS Backported To: go-1.15.15-eks Backported On: Thu, 22 Sept 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@e25bfe0 Upstream Source Commit: golang@c15a8e2 # Original Information As required by RFC 8446, section 4.6.1, ticket_age_add now holds a random 32-bit value. Before this change, this value was always set to 0. This change also documents the reasoning for always setting ticket_nonce to 0. The value ticket_nonce must be unique per connection, but we only ever send one ticket per connection. Updates golang#52814 Fixes golang#52832 Fixes CVE-2022-30629 Change-Id: I6c2fc6ca0376b7b968abd59d6d3d3854c1ab68bb Reviewed-on: https://go-review.googlesource.com/c/go/+/405994 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> Run-TryBot: Tatiana Bradley <tatiana@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> (cherry picked from commit fe4de36) Reviewed-on: https://go-review.googlesource.com/c/go/+/408574 Run-TryBot: Roland Shoemaker <roland@golang.org>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 12, 2022
# AWS EKS Backported To: go-1.16.15-eks Backported On: Tue, 04 Oct 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@3beb7c1 Upstream Source Commit: golang@c15a8e2 # Original Information As required by RFC 8446, section 4.6.1, ticket_age_add now holds a random 32-bit value. Before this change, this value was always set to 0. This change also documents the reasoning for always setting ticket_nonce to 0. The value ticket_nonce must be unique per connection, but we only ever send one ticket per connection. Updates golang#52814 Fixes golang#52832 Fixes CVE-2022-30629 Change-Id: I6c2fc6ca0376b7b968abd59d6d3d3854c1ab68bb Reviewed-on: https://go-review.googlesource.com/c/go/+/405994 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> Run-TryBot: Tatiana Bradley <tatiana@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> (cherry picked from commit fe4de36) Reviewed-on: https://go-review.googlesource.com/c/go/+/408574 Run-TryBot: Roland Shoemaker <roland@golang.org>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
@rolandshoemaker requested issue #52814 to be considered for backport to the next 1.17 minor release.
The text was updated successfully, but these errors were encountered: