Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2024-24783

Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.

Related bugs and status

CVE-2024-24783 (Candidate) is related to these bugs:

Bug #2056309: Sync golang-1.21 1.21.8-1 (main) from Debian unstable (main)

Summary				In	Importance	Status
	2056309	Sync golang-1.21 1.21.8-1 (main) from Debian unstable (main)		golang-1.21 (Ubuntu)	Wishlist	Fix Released

Bug #2056310: Sync golang-1.22 1.22.1-1 (main) from Debian unstable (main)

Summary				In	Importance	Status
	2056310	Sync golang-1.22 1.22.1-1 (main) from Debian unstable (main)		golang-1.22 (Ubuntu)	Wishlist	Fix Released

See the

CVE page on Mitre.org for more details.

References

MISC: https://go.dev/cl/569339
MISC: https://go.dev/issue/6...
MISC: https://groups.google....
MISC: https://pkg.go.dev/vul...
CONFIRM: https://security.netap...
MLIST: [oss-security] 2024030...