Bug 1203185 (CVE-2022-27664) - VUL-0: CVE-2022-27664: go1.18,go1.19: net/http: handle server errors after sending GOAWAY
Status: RESOLVED FIXED
Duplicates: 1203293
Alias: CVE-2022-27664
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/341666/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-27664:7.5:(AV:...
Keywords:
Depends on:
Blocks:
Reported: 2022-09-06 23:23 UTC by Jeff Kowalczyk
Modified: 2024-03-27 14:40 UTC
See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Jeff Kowalczyk 2022-09-06 23:23:03 UTC
A closing HTTP/2 server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. This failure mode could be exploited to cause a denial of service.

Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu for reporting this.

This is CVE-2022-27664 and Go issue https://go.dev/issue/54658.
Comment 1 OBSbugzilla Bot 2022-09-07 01:50:05 UTC
This is an autogenerated message for OBS integration:
This bug (1203185) was mentioned in
https://build.opensuse.org/request/show/1001533 Factory / go1.18
https://build.opensuse.org/request/show/1001534 Factory / go1.19
Comment 3 Ismael Luceno 2022-09-19 15:14:55 UTC
*** Bug 1203293 has been marked as a duplicate of this bug. ***
Comment 4 Swamp Workflow Management 2022-09-21 16:20:57 UTC
SUSE-SU-2022:3325-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1193742,1203185
CVE References: CVE-2022-27664
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    go1.18-1.18.6-150000.1.31.1
openSUSE Leap 15.3 (src):    go1.18-1.18.6-150000.1.31.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    go1.18-1.18.6-150000.1.31.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    go1.18-1.18.6-150000.1.31.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2022-09-21 16:24:53 UTC
SUSE-SU-2022:3326-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1200441,1203185,1203186
CVE References: CVE-2022-27664,CVE-2022-32190
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    go1.19-1.19.1-150000.1.9.1
openSUSE Leap 15.3 (src):    go1.19-1.19.1-150000.1.9.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    go1.19-1.19.1-150000.1.9.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    go1.19-1.19.1-150000.1.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Marcus Meissner 2022-12-05 14:19:56 UTC
done
Comment 7 Maintenance Automation 2023-05-11 20:30:03 UTC
SUSE-SU-2023:2187-1: An update that solves three vulnerabilities, contains one feature and has one fix can now be installed.

Category: security (moderate)
Bug References: 1197284, 1203185, 1208051, 1208064
CVE References: CVE-2022-27191, CVE-2022-27664, CVE-2022-46146
Jira References: PED-3578
Sources used:
openSUSE Leap 15.4 (src): golang-github-prometheus-alertmanager-0.23.0-150100.4.13.2, golang-github-prometheus-node_exporter-1.5.0-150100.3.23.2
SUSE Manager Client Tools for SLE 15 (src): golang-github-prometheus-alertmanager-0.23.0-150100.4.13.2
SUSE Manager Client Tools for SLE Micro 5 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.23.2
Basesystem Module 15-SP4 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.23.2
SUSE Manager Proxy 4.2 Module 4.2 (src): golang-github-prometheus-alertmanager-0.23.0-150100.4.13.2
SUSE Manager Proxy 4.3 Module 4.3 (src): golang-github-prometheus-alertmanager-0.23.0-150100.4.13.2
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.23.2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.23.2
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.23.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.23.2
SUSE Linux Enterprise Real Time 15 SP3 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.23.2
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.23.2
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.23.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.23.2
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.23.2
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.23.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.23.2
SUSE Manager Proxy 4.2 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.23.2
SUSE Manager Retail Branch Server 4.2 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.23.2
SUSE Manager Server 4.2 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.23.2
SUSE Enterprise Storage 7.1 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.23.2
SUSE Enterprise Storage 7 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.23.2
SUSE CaaS Platform 4.0 (src): golang-github-prometheus-node_exporter-1.5.0-150100.3.23.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Maintenance Automation 2023-05-11 20:30:06 UTC
SUSE-SU-2023:2185-1: An update that solves three vulnerabilities, contains two features and has three fixes can now be installed.

Category: security (important)
Bug References: 1181400, 1197284, 1203185, 1208060, 1208064, 1208965
CVE References: CVE-2022-27191, CVE-2022-27664, CVE-2022-46146
Jira References: MSQA-663, MSQA-665
Sources used:
SUSE Manager Client Tools for RHEL, Liberty and Clones 9 (src): prometheus-postgres_exporter-0.10.1-1.6.2, golang-github-prometheus-node_exporter-1.5.0-1.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Maintenance Automation 2023-05-11 20:30:10 UTC
SUSE-SU-2023:2183-1: An update that solves four vulnerabilities, contains four features and has eight fixes can now be installed.

Category: security (important)
Bug References: 1047218, 1197284, 1203185, 1203599, 1204023, 1208049, 1208051, 1208060, 1208062, 1208064, 1208965, 1209113
CVE References: CVE-2022-27191, CVE-2022-27664, CVE-2022-41715, CVE-2022-46146
Jira References: MSQA-663, MSQA-665, PED-3576, PED-3578
Sources used:
SUSE OpenStack Cloud 9 (src): golang-github-prometheus-node_exporter-1.5.0-1.24.4
SUSE OpenStack Cloud Crowbar 9 (src): golang-github-prometheus-node_exporter-1.5.0-1.24.4
SUSE Manager Client Tools for SLE 12 (src): golang-github-prometheus-node_exporter-1.5.0-1.24.4, golang-github-prometheus-prometheus-2.37.6-1.44.3, prometheus-postgres_exporter-0.10.1-1.11.5, golang-github-prometheus-promu-0.14.0-1.12.1, golang-github-prometheus-alertmanager-0.23.0-1.18.3, prometheus-blackbox_exporter-0.19.0-1.17.1
SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): golang-github-prometheus-node_exporter-1.5.0-1.24.4
SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (src): golang-github-prometheus-node_exporter-1.5.0-1.24.4
SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (src): golang-github-prometheus-node_exporter-1.5.0-1.24.4
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): golang-github-prometheus-node_exporter-1.5.0-1.24.4
SUSE Linux Enterprise Server 12 SP5 (src): golang-github-prometheus-node_exporter-1.5.0-1.24.4
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): golang-github-prometheus-node_exporter-1.5.0-1.24.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2023-05-30 08:30:07 UTC
SUSE-SU-2023:2312-1: An update that solves 28 vulnerabilities, contains one feature and has three fixes can now be installed.

Category: security (important)
Bug References: 1183043, 1193742, 1198423, 1198424, 1198427, 1199413, 1200134, 1200135, 1200136, 1200137, 1201434, 1201436, 1201437, 1201440, 1201443, 1201444, 1201445, 1201447, 1201448, 1202035, 1203185, 1204023, 1204024, 1204025, 1204941, 1206134, 1206135, 1208270, 1208271, 1208272, 1208491
CVE References: CVE-2022-1705, CVE-2022-1962, CVE-2022-24675, CVE-2022-27536, CVE-2022-27664, CVE-2022-28131, CVE-2022-28327, CVE-2022-2879, CVE-2022-2880, CVE-2022-29526, CVE-2022-29804, CVE-2022-30580, CVE-2022-30629, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632, CVE-2022-30633, CVE-2022-30634, CVE-2022-30635, CVE-2022-32148, CVE-2022-32189, CVE-2022-41715, CVE-2022-41716, CVE-2022-41717, CVE-2022-41720, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725
Jira References: PED-1962
Sources used:
openSUSE Leap 15.4 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
openSUSE Leap 15.5 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
Development Tools Module 15-SP4 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise Real Time 15 SP3 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1 (src): go1.18-openssl-1.18.10.1-150000.1.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Maintenance Automation 2023-06-21 12:30:43 UTC
SUSE-SU-2023:2579-1: An update that solves 16 vulnerabilities, contains four features and has one fix can now be installed.

Category: security (moderate)
Bug References: 1047218, 1192154, 1192696, 1200480, 1201535, 1201539, 1203185, 1203596, 1203597, 1203599, 1204501, 1207830, 1208719, 1208965, 1209645, 1210458, 1210907
CVE References: CVE-2020-7753, CVE-2021-3807, CVE-2021-3918, CVE-2021-43138, CVE-2022-0155, CVE-2022-27191, CVE-2022-27664, CVE-2022-31097, CVE-2022-31107, CVE-2022-32149, CVE-2022-35957, CVE-2022-36062, CVE-2022-41715, CVE-2022-46146, CVE-2023-1387, CVE-2023-1410
Jira References: MSQA-666, PED-3576, PED-3578, PED-3694
Sources used:
SUSE Manager Client Tools for SLE 12 (src): mgr-daemon-4.3.7-1.41.1, uyuni-common-libs-4.3.8-1.33.1, zypp-plugin-spacewalk-1.0.14-30.42.1, spacecmd-4.3.21-38.121.1, grafana-9.5.1-1.48.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Maintenance Automation 2023-06-21 12:30:53 UTC
SUSE-SU-2023:2578-1: An update that solves 15 vulnerabilities, contains three features and has one fix can now be installed.

Category: security (important)
Bug References: 1192154, 1192696, 1200480, 1201535, 1201539, 1203185, 1203596, 1203597, 1203599, 1204501, 1207830, 1208719, 1209645, 1210458, 1210640, 1210907
CVE References: CVE-2020-7753, CVE-2021-3807, CVE-2021-3918, CVE-2021-43138, CVE-2022-0155, CVE-2022-27664, CVE-2022-31097, CVE-2022-31107, CVE-2022-32149, CVE-2022-35957, CVE-2022-36062, CVE-2022-41715, CVE-2022-46146, CVE-2023-1387, CVE-2023-1410
Jira References: MSQA-666, PED-3576, PED-3694
Sources used:
openSUSE Leap 15.4 (src): bind-9.16.6-150000.12.65.1, wire-0.5.0-150000.1.12.3, dracut-saltboot-0.1.1681904360.84ef141-150000.1.50.1, spacecmd-4.3.21-150000.3.98.1
openSUSE Leap 15.5 (src): wire-0.5.0-150000.1.12.3, dracut-saltboot-0.1.1681904360.84ef141-150000.1.50.1, spacecmd-4.3.21-150000.3.98.1
SUSE Manager Client Tools for SLE 15 (src): grafana-9.5.1-150000.1.48.5, spacecmd-4.3.21-150000.3.98.1, zypp-plugin-spacewalk-1.0.14-150000.3.35.1, uyuni-common-libs-4.3.8-150000.1.33.1, dracut-saltboot-0.1.1681904360.84ef141-150000.1.50.1, mgr-daemon-4.3.7-150000.1.41.1
SUSE Manager Client Tools for SLE Micro 5 (src): bind-9.16.6-150000.12.65.1, dracut-saltboot-0.1.1681904360.84ef141-150000.1.50.1
SUSE Manager Proxy 4.2 Module 4.2 (src): zypp-plugin-spacewalk-1.0.14-150000.3.35.1
SUSE Manager Proxy 4.3 Module 4.3 (src): zypp-plugin-spacewalk-1.0.14-150000.3.35.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): bind-9.16.6-150000.12.65.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): bind-9.16.6-150000.12.65.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): bind-9.16.6-150000.12.65.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): bind-9.16.6-150000.12.65.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): bind-9.16.6-150000.12.65.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): bind-9.16.6-150000.12.65.1
SUSE Enterprise Storage 7 (src): bind-9.16.6-150000.12.65.1
SUSE CaaS Platform 4.0 (src): bind-9.16.6-150000.12.65.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Maintenance Automation 2023-06-21 12:31:05 UTC
SUSE-SU-2023:2575-1: An update that solves 13 vulnerabilities and contains two features can now be installed.

Category: security (important)
Bug References: 1192154, 1192696, 1200480, 1201535, 1201539, 1203185, 1203596, 1203597, 1204501, 1209645, 1210907
CVE References: CVE-2020-7753, CVE-2021-3807, CVE-2021-3918, CVE-2021-43138, CVE-2022-0155, CVE-2022-27664, CVE-2022-31097, CVE-2022-31107, CVE-2022-32149, CVE-2022-35957, CVE-2022-36062, CVE-2023-1387, CVE-2023-1410
Jira References: MSQA-666, PED-3694
Sources used:
SUSE Package Hub 15 15-SP4 (src): grafana-9.5.1-150200.3.41.3
SUSE Package Hub 15 15-SP5 (src): grafana-9.5.1-150200.3.41.3
openSUSE Leap 15.4 (src): grafana-9.5.1-150200.3.41.3
openSUSE Leap 15.5 (src): grafana-9.5.1-150200.3.41.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.