A flaw was found in Go’s crypto/x509 standard library package. Verifying a certificate chain that contains a certificate with an unknown public key algorithm causes Certificate.Verify to panic. This issue affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert.
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
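The following is an added example, not code from the Go project or from this advisory: a defensive wrapper for applications that call Certificate.Verify themselves. It rejects presented certificates whose public key algorithm is unknown before verification and converts a panic during verification into an error. The names GuardedVerify, SelfSigned and ErrUnknownKeyAlg are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrUnknownKeyAlg, GuardedVerify and SelfSigned are names chosen for this example.
var ErrUnknownKeyAlg = errors.New("certificate has an unknown public key algorithm")

// GuardedVerify rejects a leaf or intermediate whose key algorithm crypto/x509
// did not recognise, and turns a panic during Verify into an ordinary error.
func GuardedVerify(opts x509.VerifyOptions, leaf *x509.Certificate, rest ...*x509.Certificate) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("certificate verification panicked: %v", r)
		}
	}()
	for i, c := range append([]*x509.Certificate{leaf}, rest...) {
		if c.PublicKeyAlgorithm == x509.UnknownPublicKeyAlgorithm || c.PublicKey == nil {
			return fmt.Errorf("presented certificate %d: %w", i, ErrUnknownKeyAlg)
		}
	}
	_, err = leaf.Verify(opts)
	return err
}

// SelfSigned returns a constructed Ed25519 certificate used as sample input.
func SelfSigned() (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	fmt.Println(GuardedVerify(x509.VerifyOptions{}, &x509.Certificate{})) // constructed zero-value cert
}
```

The wrapper only covers verification that the application performs itself; it does not alter the chain verification that crypto/tls runs internally during a handshake.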
www.openwall.com/lists/oss-security/2024/03/08/4
bugzilla.redhat.com/show_bug.cgi?id=2268019
github.com/advisories/GHSA-3q2c-pvp5-3cqp
go.dev/cl/569339
go.dev/issue/65390
groups.google.com/g/golang-announce/c/5pwGVUPoMbg
nvd.nist.gov/vuln/detail/CVE-2024-24783
pkg.go.dev/vuln/GO-2024-2598
security.netapp.com/advisory/ntap-20240329-0005
www.cve.org/CVERecord?id=CVE-2024-24783