2268019 – (CVE-2024-24783) CVE-2024-24783 golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm

Bug 2268019 (CVE-2024-24783) - CVE-2024-24783 golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm

Summary: CVE-2024-24783 golang: crypto/x509: Verify panics on certificates with an unk...

Keywords:
Status:	NEW
Alias:	CVE-2024-24783
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2268246 2268247 2268248 2276443 2276444 2276445 2276446 2276447 2276448 2276449 2276450 2276451 2276452 2276453 2276454 2276455 2276456 2276457 2276458 2276621
Blocks:	2268016
TreeView+	depends on / blocked

Reported:	2024-03-06 01:57 UTC by Robb Gatica
Modified:	2024-04-30 14:39 UTC (History)
CC List:	113 users (show)
Fixed In Version:	go 1.21.8, go 1.22.1
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Go's crypto/x509 standard library package. Verifying a certificate chain that contains a certificate with an unknown public key algorithm will cause a Certificate.Verify to panic. This issue affects all crypto/tls clients and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:2088	0	None	None	None	2024-04-29 02:27:07 UTC
Red Hat Product Errata	RHSA-2024:2562	0	None	None	None	2024-04-30 14:39:50 UTC

Description Robb Gatica 2024-03-06 01:57:37 UTC

Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic.

This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.

https://github.com/golang/go/issues/65390

Comment 4 Robb Gatica 2024-03-06 19:22:56 UTC

Created golang tracking bugs for this issue:

Affects: epel-all [bug 2268247]
Affects: fedora-all [bug 2268246]

Comment 18 errata-xmlrpc 2024-04-29 02:27:00 UTC

This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2024:2088 https://access.redhat.com/errata/RHSA-2024:2088

Comment 19 errata-xmlrpc 2024-04-30 14:39:45 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2562 https://access.redhat.com/errata/RHSA-2024:2562

Note You need to log in before you can comment on or make changes to this bug.

aazores
abishop
adudiak
amasferr
amctagga
ansmith
aoconnor
apjagtap
asatyam
aveerama
bdettelb
bniver
bodavis
chazlett
davidn
dbenoit
dhanak
diagrawa
dkenigsb
dperaza
dsimansk
dymurray
eaguilar
ebaron
eglynn
emachado
epacific
fdeutsch
flucifre
ganandan
gmeno
gparvin
ibolton
jaharrin
jburrell
jcammara
jcantril
jchui
jeder
jhardy
jjoyce
jkang
jmatthew
jmontleo
jneedle
jobarker
joelsmith
jpallich
jschluet
kaycoth
kingland
kshier
kverlaen
lbainbri
lhh
lmadsen
lsvaty
mabashia
matzew
mbenjamin
mbocek
mburns
mgarciac
mhackett
mkudlej
mmagr
mnewsome
mnovotny
mrajanna
mrunge
mwringe
njean
nobody
odf-bz-bot
omaciel
oramraz
osapryki
owatkins
pahickey
peholase
periklis
pgrist
pierdipi
pjindal
rgarg
rguimara
rhaigner
rhos-maint
rhuss
rjohnson
sabiswas
saroy
sdawley
sfroberg
shbose
simaishi
sipoyare
skontopo
slucidi
smcdonal
smullick
sostapov
spandura
sseago
stcannon
teagle
tjochec
ubhargav
vereddy
vkareh
whayutin
yguenane
zsadeh