Описание
Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| golang-1.18 | fixed | 1.18.3-1 | package | |
| golang-1.17 | fixed | 1.17.11-1 | package | |
| golang-1.15 | removed | package | ||
| golang-1.15 | no-dsa | bullseye | package | |
| golang-1.11 | removed | package | ||
| golang-1.11 | postponed | buster | package | |
| golang-1.8 | removed | package | ||
| golang-1.8 | not-affected | stretch | package | |
| golang-1.7 | removed | package | ||
| golang-1.7 | not-affected | stretch | package |
Примечания
https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg
https://go.dev/issue/52814
https://github.com/golang/go/commit/c838098c327a1b6d63446f4722e943b02d235d78 (go1.18.3)
https://github.com/golang/go/commit/c15a8e2dbb5ac376a6ed890735341b812d6b965c (go1.17.11)
Связанные уязвимости
Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.
Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.
Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.
Session tickets lack random ticket_age_add in crypto/tls
Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.