https://bugzilla.redhat.com/show_bug.cgi?id=1147324
Bug ID: 1147324
Summary: CVE-2014-7189 golang: TLS client authentication issue fixed in version 1.3.2
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: mmcallis@redhat.com
CC: admiller@redhat.com, golang@lists.fedoraproject.org, lemenkov@gmail.com, lsm5@fedoraproject.org, renich@woralelandia.com, s@shk.io, vbatts@redhat.com
The Go 1.3.2 release fixes the following issue:
"The crypto/tls fix addresses a security bug that affects programs that use crypto/tls to implement a TLS server from Go 1.1 onwards. If the server enables TLS client authentication using certificates (this is rare) and explicitly sets SessionTicketsDisabled to true in the tls.Config, then a malicious client can falsely assert ownership of any client certificate it wishes."
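An added example (not from the bug report or the Go project) that audits a server tls.Config for the two preconditions the advisory names: certificate-based client authentication and SessionTicketsDisabled set to true. The check is deliberately conservative and treats any ClientAuth mode other than NoClientCert as "client authentication enabled"; it does not replace upgrading to Go 1.3.2.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// requiresClientCert reports whether the server config enables TLS client
// authentication using certificates (any mode other than NoClientCert).
// This is the first precondition stated in the advisory.
func requiresClientCert(cfg *tls.Config) bool {
	switch cfg.ClientAuth {
	case tls.RequestClientCert, tls.RequireAnyClientCert,
		tls.VerifyClientCertIfGiven, tls.RequireAndVerifyClientCert:
		return true
	}
	return false
}

// matchesAdvisory reports whether a server tls.Config has both properties
// CVE-2014-7189 requires: client-certificate authentication and
// SessionTicketsDisabled explicitly set to true. A true result on a binary
// built with Go 1.1 through 1.3.1 means the 1.3.2 fix is needed.
func matchesAdvisory(cfg *tls.Config) bool {
	return requiresClientCert(cfg) && cfg.SessionTicketsDisabled
}

func main() {
	// Constructed sample: the affected shape described in the advisory.
	affected := &tls.Config{
		ClientAuth:             tls.RequireAndVerifyClientCert,
		SessionTicketsDisabled: true,
	}
	// Same server with session tickets left at their default (enabled):
	// outside the advisory's preconditions, though upgrading remains the fix.
	ticketsEnabled := &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert,
	}
	fmt.Println(matchesAdvisory(affected), matchesAdvisory(ticketsEnabled)) // true false
}
```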
Upstream fix:
https://code.google.com/p/go/source/detail?r=eae0457c101512f59296538f0162749...
References:
http://seclists.org/oss-sec/2014/q3/749