)]}'
{
  "commit": "953bc8f391a63adf00bac2515dba62abe8a1e2c2",
  "tree": "49be0108054034a92c417ee51ca22aa3a6260391",
  "parents": [
    "ace25f82df0a27eb26a518e1883eb56c1bec6c5e"
  ],
  "author": {
    "name": "Filippo Valsorda",
    "email": "filippo@golang.org",
    "time": "Tue Jan 21 14:45:15 2020 -0500"
  },
  "committer": {
    "name": "Filippo Valsorda",
    "email": "filippo@golang.org",
    "time": "Thu Jan 23 22:31:25 2020 +0000"
  },
  "message": "crypto/x509: mitigate CVE-2020-0601 verification bypass on Windows\n\nAn attacker can trick the Windows system verifier to use a poisoned set\nof elliptic curve parameters for a trusted root, allowing it to generate\nspoofed signatures. When this happens, the returned chain will present\nthe unmodified original root, so the actual signatures won\u0027t verify (as\nthey are invalid for the correct parameters). Simply double check them\nas a safety measure and mitigation.\n\nWindows users should still install the system security patch ASAP.\n\nThis is the same mitigation adopted by Chromium:\n\nhttps://chromium-review.googlesource.com/c/chromium/src/+/1994434\n\nChange-Id: I2c734f6fb2cb51d906c7fd77034318ffeeb3e146\nReviewed-on: https://go-review.googlesource.com/c/go/+/215905\nRun-TryBot: Filippo Valsorda \u003cfilippo@golang.org\u003e\nTryBot-Result: Gobot Gobot \u003cgobot@golang.org\u003e\nReviewed-by: Ryan Sleevi \u003csleevi@google.com\u003e\nReviewed-by: Katie Hockman \u003ckatie@golang.org\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "54ab1dcf9c27226f497acd17c1f8fc792b758fe8",
      "old_mode": 33188,
      "old_path": "src/crypto/x509/root_windows.go",
      "new_id": "34d585318d480f83096203807c556cbea565ae87",
      "new_mode": 33188,
      "new_path": "src/crypto/x509/root_windows.go"
    }
  ]
}
