Bug 2268019 (CVE-2024-24783)
Summary: | CVE-2024-24783 golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Robb Gatica <rgatica> |
Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
Status: | NEW --- | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | ||
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | go 1.21.8, go 1.22.1 | ||
Doc Text: |
A flaw was found in Go's crypto/x509 standard library package. Verifying a certificate chain that contains a certificate with an unknown public key algorithm causes Certificate.Verify to panic. This issue affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert.
|
Bug Depends On: | 2268246, 2268247, 2268248, 2276443, 2276444, 2276445, 2276446, 2276447, 2276448, 2276449, 2276450, 2276451, 2276452, 2276453, 2276454, 2276455, 2276456, 2276621, 2276457, 2276458 | ||
Bug Blocks: | 2268016 |
Description
Robb Gatica
2024-03-06 01:57:37 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2268247]
Affects: fedora-all [bug 2268246]

This issue has been addressed in the following products:

Cryostat 2 on RHEL 8

Via RHSA-2024:2088 https://access.redhat.com/errata/RHSA-2024:2088

This issue has been addressed in the following products:

Red Hat Enterprise Linux 9

Via RHSA-2024:2562 https://access.redhat.com/errata/RHSA-2024:2562

This issue has been addressed in the following products:

Red Hat Enterprise Linux 9

Via RHSA-2024:2724 https://access.redhat.com/errata/RHSA-2024:2724
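A triage check for the condition in the Doc Text, as an added example that is not part of this bug report or of Go itself: it compares a toolchain version string against the Fixed In Version values (go 1.21.8, go 1.22.1) and checks whether a tls.Config verifies peer-supplied chains. The function names are hypothetical; treating release lines older than 1.21 as unfixed and lines newer than 1.22 as fixed is an assumption.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"regexp"
	"runtime"
	"strconv"
)

// Matches release strings such as "go1.21.7" or "go1.22rc1"; "devel ..." builds do not match.
var goVer = regexp.MustCompile(`^go1\.(\d+)(?:\.(\d+))?`)

// fixedToolchain reports whether version is at or above the fixed releases
// listed on this page. Assumption: lines < 1.21 are unfixed, lines > 1.22 are fixed.
func fixedToolchain(version string) (fixed, known bool) {
	m := goVer.FindStringSubmatch(version)
	if m == nil {
		return false, false // unrecognised build string: needs manual review
	}
	minor, _ := strconv.Atoi(m[1])
	patch, _ := strconv.Atoi(m[2]) // empty patch (e.g. "go1.22rc1") counts as 0
	switch {
	case minor > 22:
		return true, true
	case minor == 22:
		return patch >= 1, true
	case minor == 21:
		return patch >= 8, true
	}
	return false, true
}

// verifiesPeerChain follows the Doc Text: every client is in scope, and a
// server is in scope only in the two ClientAuth modes it names.
func verifiesPeerChain(cfg *tls.Config, isServer bool) bool {
	return !isServer || cfg.ClientAuth == tls.VerifyClientCertIfGiven ||
		cfg.ClientAuth == tls.RequireAndVerifyClientCert
}

// exposed is true when the endpoint verifies peer chains on a build that is
// not known to be fixed (unrecognised builds are flagged conservatively).
func exposed(version string, cfg *tls.Config, isServer bool) bool {
	fixed, _ := fixedToolchain(version)
	return verifiesPeerChain(cfg, isServer) && !fixed
}

func main() {
	srv := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert} // constructed sample config
	fmt.Printf("%s mTLS server exposed: %v\n", runtime.Version(), exposed(runtime.Version(), srv, true))
}
```
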