Bug 1404636 (CVE-2017-1000097) - CVE-2017-1000097 golang: User's trust preferences for root certificates were not honored
Status: CLOSED ERRATA
Alias: CVE-2017-1000097
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1404638 1404639 1418029 1418030 1470269 1470270 1470271 1470272
Blocks: 1404641
 
Reported: 2016-12-14 10:16 UTC by Adam Mariš
Modified: 2021-10-21 11:49 UTC (History)

Fixed In Version: golang 1.6.4, golang 1.7.4
Last Closed: 2021-10-21 11:49:17 UTC

Description Adam Mariš 2016-12-14 10:16:08 UTC
It was found that user's trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a connection using that root certificate.

Upstream bug:

https://github.com/golang/go/issues/18141

Upstream patch:

https://go-review.googlesource.com/#/c/33721/

External Reference:

https://groups.google.com/forum/#!msg/golang-dev/4NdLzS8sls8/uIz8QlnIBQAJ

Comment 1 Adam Mariš 2016-12-14 10:17:42 UTC
Created golang tracking bugs for this issue:

Affects: fedora-all [bug 1404638]
Affects: epel-all [bug 1404639]

