Verifying a certificate chain which contains a certificate with an unknown
public key algorithm will cause Certificate.Verify to panic. This affects
all crypto/tls clients, and servers that set Config.ClientAuth to
VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior
is for TLS servers to not verify client certificates.
Author | Note |
---|---|
mdeslaur | Packages built using golang need to be rebuilt once the vulnerability has been fixed. This CVE entry does not list packages that need rebuilding outside of the main repository or the Ubuntu variants with PPA overlays. Warning: do not include nullboot in the list of no-change rebuilds after fixing an issue in golang. |
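
To act on the rebuild note above, the following added example (not part of the advisory or of the Go project's code) reads the Go toolchain version embedded in each binary named on the command line and classifies it against the fixed releases listed in the references, go1.21.8 and go1.22.1. The names `classify`, `Fixed`, `Rebuild` and `Unknown` are illustrative. The check knows only those upstream releases, so a binary built with a distribution-patched older toolchain is still reported as `rebuild`.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Verdicts returned by classify (names are illustrative, not from the advisory).
const Fixed, Rebuild, Unknown = "fixed", "rebuild", "unknown"

// classify compares a Go toolchain version such as "go1.21.7" against the
// fixed releases named in the advisory references: go1.21.8 and go1.22.1.
func classify(goVersion string) string {
	// Keep only the numeric version; experiment tags follow a space.
	v, _, _ := strings.Cut(strings.TrimPrefix(goVersion, "go"), " ")
	parts := strings.Split(v, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return Unknown
	}
	var n [3]int // major, minor, patch (patch defaults to 0)
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil {
			return Unknown // pre-release or development build, e.g. "go1.22rc1"
		}
		n[i] = x
	}
	switch {
	case n[0] != 1:
		return Unknown
	case n[1] >= 23, n[1] == 22 && n[2] >= 1, n[1] == 21 && n[2] >= 8:
		return Fixed // release lines after 1.22 were cut after the fix landed
	}
	return Rebuild
}

func main() {
	for _, path := range os.Args[1:] {
		info, err := buildinfo.ReadFile(path) // version recorded in the binary
		if err != nil {
			fmt.Printf("%s: not a readable Go binary (%v)\n", path, err)
			continue
		}
		fmt.Printf("%s: %s %s\n", path, info.GoVersion, classify(info.GoVersion))
	}
}
```
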
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | golang-1.10 | < any | UNKNOWN |
ubuntu | 14.04 | noarch | golang-1.10 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | golang-1.10 | < any | UNKNOWN |
ubuntu | 18.04 | noarch | golang-1.13 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | golang-1.13 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | golang-1.13 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | golang-1.13 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | golang-1.14 | < any | UNKNOWN |
ubuntu | 18.04 | noarch | golang-1.16 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | golang-1.16 | < any | UNKNOWN |
github.com/golang/go/commit/337b8e9cbfa749d9d5c899e0dc358e2208d5e54f (go1.22.1)
github.com/golang/go/commit/be5b52bea674190ef7de272664be6c7ae93ec5a0 (go1.21.8)
github.com/golang/go/issues/65390
go.dev/cl/569339
go.dev/issue/65390
groups.google.com/g/golang-announce/c/5pwGVUPoMbg
launchpad.net/bugs/cve/CVE-2024-24783
nvd.nist.gov/vuln/detail/CVE-2024-24783
pkg.go.dev/vuln/GO-2024-2598
security-tracker.debian.org/tracker/CVE-2024-24783
ubuntu.com/security/notices/USN-6886-1
www.cve.org/CVERecord?id=CVE-2024-24783