Candidate: CVE-2021-29923
PublicDate: 2021-08-07 17:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29923
 https://github.com/golang/go/issues/30999
 https://github.com/golang/go/issues/43389
 https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md
 https://go-review.googlesource.com/c/go/+/325829/
 https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis
 https://golang.org/pkg/net/#ParseCIDR
Description:
 Go before 1.17 does not properly consider extraneous zero characters at
 the beginning of an IP address octet, which (in some situations) allows
 attackers to bypass access control that is based on IP addresses, because
 of unexpected octal interpretation. This affects net.ParseIP and
 net.ParseCIDR.
Ubuntu-Description:
Notes:
 mdeslaur> Packages built using golang need to be rebuilt once the
 mdeslaur> vulnerability has been fixed. This CVE entry does not
 mdeslaur> list packages that need rebuilding outside of the main
 mdeslaur> repository or the Ubuntu variants with PPA overlays.
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]

Patches_golang:
upstream_golang: needs-triage
trusty_golang: ignored (out of standard support)
trusty/esm_golang: DNE
xenial_golang: DNE
bionic_golang: DNE
focal_golang: DNE
hirsute_golang: DNE
impish_golang: DNE
jammy_golang: DNE
devel_golang: DNE

Patches_golang-1.6:
upstream_golang-1.6: needs-triage
trusty_golang-1.6: ignored (out of standard support)
trusty/esm_golang-1.6: DNE
xenial_golang-1.6: ignored (end of standard support, was needs-triage)
esm-infra/xenial_golang-1.6: needs-triage
bionic_golang-1.6: DNE
focal_golang-1.6: DNE
hirsute_golang-1.6: DNE
impish_golang-1.6: DNE
jammy_golang-1.6: DNE
devel_golang-1.6: DNE

Patches_golang-1.8:
upstream_golang-1.8: needs-triage
trusty_golang-1.8: DNE
trusty/esm_golang-1.8: DNE
xenial_golang-1.8: DNE
bionic_golang-1.8: needs-triage
focal_golang-1.8: DNE
hirsute_golang-1.8: DNE
impish_golang-1.8: DNE
jammy_golang-1.8: DNE
devel_golang-1.8: DNE

Patches_golang-1.9:
upstream_golang-1.9: needs-triage
trusty_golang-1.9: DNE
trusty/esm_golang-1.9: DNE
xenial_golang-1.9: DNE
bionic_golang-1.9: needs-triage
focal_golang-1.9: DNE
hirsute_golang-1.9: DNE
impish_golang-1.9: DNE
jammy_golang-1.9: DNE
devel_golang-1.9: DNE

Patches_golang-1.10:
upstream_golang-1.10: needs-triage
trusty_golang-1.10: ignored (out of standard support)
trusty/esm_golang-1.10: needs-triage
xenial_golang-1.10: ignored (end of standard support, was needs-triage)
esm-infra/xenial_golang-1.10: needs-triage
bionic_golang-1.10: needs-triage
focal_golang-1.10: DNE
hirsute_golang-1.10: DNE
impish_golang-1.10: DNE
jammy_golang-1.10: DNE
devel_golang-1.10: DNE

Patches_golang-1.13:
upstream_golang-1.13: needs-triage
trusty_golang-1.13: DNE
trusty/esm_golang-1.13: DNE
xenial_golang-1.13: ignored (end of standard support, was needs-triage)
bionic_golang-1.13: needs-triage
focal_golang-1.13: needs-triage
hirsute_golang-1.13: ignored (reached end-of-life)
impish_golang-1.13: needs-triage
jammy_golang-1.13: needs-triage
devel_golang-1.13: needs-triage

Patches_golang-1.14:
upstream_golang-1.14: needs-triage
trusty_golang-1.14: DNE
trusty/esm_golang-1.14: DNE
xenial_golang-1.14: DNE
bionic_golang-1.14: DNE
focal_golang-1.14: needs-triage
hirsute_golang-1.14: ignored (reached end-of-life)
impish_golang-1.14: DNE
jammy_golang-1.14: DNE
devel_golang-1.14: DNE

Patches_golang-1.15:
upstream_golang-1.15: needs-triage
trusty_golang-1.15: DNE
trusty/esm_golang-1.15: DNE
xenial_golang-1.15: DNE
bionic_golang-1.15: DNE
focal_golang-1.15: DNE
hirsute_golang-1.15: ignored (reached end-of-life)
impish_golang-1.15: needs-triage

Patches_golang-1.16:
upstream_golang-1.16: needs-triage
trusty_golang-1.16: ignored (out of standard support)
trusty/esm_golang-1.16: DNE
xenial_golang-1.16: ignored (out of standard support)
bionic_golang-1.16: DNE
focal_golang-1.16: needs-triage
hirsute_golang-1.16: ignored (reached end-of-life)
impish_golang-1.16: needs-triage
jammy_golang-1.16: DNE
devel_golang-1.16: DNE
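The Description above is terse about the mechanism, so the following is an added example (not code from the Go project, the sickcodes advisory, or the Ubuntu tracker) that models the three readings of an octet with a leading zero. Go before 1.17 read "010" as decimal 10; components following the BSD inet_aton convention (libc resolvers, many other language runtimes, network equipment) read it as octal 8; Go 1.17 rejects it. The parsers here are simplified stand-ins written for this example, not the standard library's code, and they model only the four-part dotted form. The 10.0.0.0/8 allowlist is a constructed policy to show the bypass: a check done with pre-1.17 semantics accepts the string, while the component that actually opens the connection reaches a host outside the allowlist.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// parseOctets splits s into four octets and converts each one with conv.
// Simplified model for this example: shorter forms that inet_aton also
// accepts ("127.1", "2130706433") are deliberately out of scope.
func parseOctets(s string, conv func(string) (uint64, error)) (net.IP, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil, errors.New("expected four dotted octets")
	}
	ip := make(net.IP, net.IPv4len)
	for i, p := range parts {
		v, err := conv(p)
		if err != nil {
			return nil, fmt.Errorf("octet %q: %w", p, err)
		}
		ip[i] = byte(v)
	}
	return ip, nil
}

// ParseLenient models net.ParseIP before Go 1.17: every octet is decimal and
// leading zeros are ignored, so "010" is 10. bitSize 8 rejects values > 255.
func ParseLenient(s string) (net.IP, error) {
	return parseOctets(s, func(p string) (uint64, error) {
		return strconv.ParseUint(p, 10, 8)
	})
}

// ParseInetAton models the BSD/glibc inet_aton convention used by many
// non-Go consumers: "0x" prefix is hex, a leading '0' is octal, otherwise
// decimal. "010" is therefore 8 and "0177" is 127.
func ParseInetAton(s string) (net.IP, error) {
	return parseOctets(s, func(p string) (uint64, error) {
		switch {
		case strings.HasPrefix(p, "0x"), strings.HasPrefix(p, "0X"):
			return strconv.ParseUint(p[2:], 16, 8)
		case len(p) > 1 && p[0] == '0':
			return strconv.ParseUint(p[1:], 8, 8)
		default:
			return strconv.ParseUint(p, 10, 8)
		}
	})
}

// ParseStrict models the Go 1.17 behaviour: an octet with a leading zero is
// rejected, so the string has exactly one interpretation or none.
func ParseStrict(s string) (net.IP, error) {
	return parseOctets(s, func(p string) (uint64, error) {
		if len(p) > 1 && p[0] == '0' {
			return 0, errors.New("leading zero in octet")
		}
		return strconv.ParseUint(p, 10, 8)
	})
}

// internalNet is a constructed allowlist: 10.0.0.0/8 is treated as trusted.
var _, internalNet, _ = net.ParseCIDR("10.0.0.0/8")

// str renders a parse result, "" when the parser rejected the input.
func str(ip net.IP, err error) string {
	if err != nil {
		return ""
	}
	return ip.String()
}

// Interpretations returns how each of the three parsers reads s.
func Interpretations(s string) (lenient, aton, strict string) {
	return str(ParseLenient(s)), str(ParseInetAton(s)), str(ParseStrict(s))
}

// AllowlistBypass reports whether s passes an allowlist check performed with
// pre-1.17 semantics while an inet_aton-style consumer would connect to an
// address outside the allowlist.
func AllowlistBypass(s string) bool {
	checked, err := ParseLenient(s)
	if err != nil || !internalNet.Contains(checked) {
		return false
	}
	reached, err := ParseInetAton(s)
	return err == nil && !internalNet.Contains(reached)
}

func main() {
	for _, s := range []string{"10.1.2.3", "010.1.2.3", "0177.0.0.1", "0x0a.1.2.3"} {
		l, a, st := Interpretations(s)
		fmt.Printf("%-12s lenient=%-12q inet_aton=%-12q strict=%-12q bypass=%v\n",
			s, l, a, st, AllowlistBypass(s))
	}
}
```

The same ambiguity works in the other direction for a blocklist: "0177.0.0.1" parses as 177.0.0.1 under the lenient rules, so a check that refuses loopback would let it through, while an inet_aton-style consumer connects to 127.0.0.1. Rejecting leading zeros at the parser, as Go 1.17 does, is the fix; rebuilding every Go binary that embeds the old net package, as the note above says, is how the fix actually reaches deployed systems.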