Bug 2341750 (CVE-2024-45341)

Summary: CVE-2024-45341 golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aazores, abrianik, adistefa, akostadi, alcohan, amasferr, amctagga, anjoseph, anpicker, ansmith, aoconnor, apjagtap, asatyam, bdettelb, bkabrda, bniver, bparees, brking, cbartlet, chazlett, ckandaga, cmah, danken, dhanak, diagrawa, dmayorov, doconnor, dsimansk, dymurray, eaguilar, ebaron, eglynn, ehelms, fdeutsch, flucifre, ggainey, gkamathe, gmeno, gparvin, haoli, hasun, hkataria, ibolton, jaharrin, jajackso, jburrell, jcammara, jcantril, jeder, jforrest, jfula, jjoyce, jkoehler, jlledo, jmatthew, jmitchel, jmontleo, jneedle, jolong, jowilson, jprabhak, jschluet, juwatts, jwendell, kegrant, kingland, koliveir, kshier, kverlaen, lball, lchilton, lgamliel, lhh, lphiri, lsvaty, mabashia, matzew, mbenjamin, mbocek, mburns, mgarciac, mhackett, mhulan, mkudlej, mmagr, mmakovy, mnovotny, mrunge, mwringe, ngough, njean, nmoumoul, nobody, nyancey, ometelka, oramraz, owatkins, pahickey, parichar, pbraun, pcreech, peholase, pgaikwad, pgrist, pierdipi, pjindal, ptisnovs, pvasanth, rcernich, rchan, rfreiman, rguimara, rhaigner, rhos-maint, rhuss, rjohnson, rojacob, sabiswas, sakbas, saroy, sdawley, sfeifer, sfroberg, shvarugh, simaishi, slucidi, smallamp, smcdonal, smullick, sostapov, sseago, stcannon, stirabos, syedriko, tasato, teagle, tfister, thason, thavo, tjochec, vereddy, veshanka, vimartin, whayutin, wtam, xdharmai, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the crypto/x509 package of the Golang standard library. A certificate with a URI, which has a IPv6 address with a zone ID, may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI; this issue only affects users of private PKIs that make use of URIs.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-01-23 13:08:24 UTC 
A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain.

Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
Comment 4 errata-xmlrpc 2025-04-10 00:22:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:3772 https://access.redhat.com/errata/RHSA-2025:3772
Comment 9 errata-xmlrpc 2025-05-13 15:56:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:7466 https://access.redhat.com/errata/RHSA-2025:7466