diff options
| author | Soumya Sambu <soumya.sambu@windriver.com> | 2024-02-08 06:51:50 +0000 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2024-02-15 03:51:56 -1000 |
| commit | 74f2c36c4df18e874422387f2e805a0c13e8448e (patch) | |
| tree | ac4828570ed6050878dd32b794a94f4c622531e6 /scripts/lib/checklayer/context.py | |
| parent | 555dadb56e20c4f38a8b06eeb05b6a0a65bebd46 (diff) | |
| download | poky-74f2c36c4df18e874422387f2e805a0c13e8448e.tar.gz | |
go: Fix CVE-2023-45285 and CVE-2023-45287
CVE-2023-45285:
Using go get to fetch a module with the ".git" suffix may unexpectedly
fallback to the insecure "git://" protocol if the module is unavailable
via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE
is not set for said module. This only affects users who are not using
the module proxy and are fetching modules directly (i.e. GOPROXY=off).
CVE-2023-45287:
Before Go 1.20, the RSA based TLS key exchanges used the math/big
library, which is not constant time. RSA blinding was applied to prevent
timing attacks, but analysis shows this may not have been fully effective.
In particular it appears as if the removal of PKCS#1 padding may leak
timing information, which in turn could be used to recover session key
bits. In Go 1.20, the crypto/tls library switched to a fully constant
time RSA implementation, which we do not believe exhibits any timing
side channels.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-45285
https://nvd.nist.gov/vuln/detail/CVE-2023-45287
https://security-tracker.debian.org/tracker/CVE-2023-45285
https://security-tracker.debian.org/tracker/CVE-2023-45287
(From OE-Core rev: 616857b9918e8d2e576239b3db2f9f077d1a7222)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'scripts/lib/checklayer/context.py')
0 files changed, 0 insertions, 0 deletions