data/reports/GO-2021-0154.yaml - vulndb - Git at Google

 modules:
   - module: std
     versions:
       - introduced: 1.1.0
         fixed: 1.3.2
     packages:
       - package: crypto/tls
         symbols:
           - checkForResumption
           - decryptTicket
         skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
 description: |
     When SessionTicketsDisabled is enabled, crypto/tls allowed man-in-the-middle
     attackers to spoof clients via unspecified vectors.

     If the server enables TLS client authentication using certificates (this is
     rare) and explicitly sets SessionTicketsDisabled to true in the tls.Config,
     then a malicious client can falsely assert ownership of any client
     certificate it wishes.
 published: 2022-05-25T21:11:41Z
 cves:
   - CVE-2014-7189
 credit: Go Team
 references:
   - fix: https://go.dev/cl/148080043
   - fix: https://go.googlesource.com/go/+/commit/64df53ed7f
   - report: https://go.dev/issue/53085
   - web: https://groups.google.com/g/golang-nuts/c/eeOHNw_shwU/m/OHALUmroA5kJ
	modules:
	- module: std
	versions:
	- introduced: 1.1.0
	fixed: 1.3.2
	packages:
	- package: crypto/tls
	symbols:
	- checkForResumption
	- decryptTicket
	skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
	description: \|
	When SessionTicketsDisabled is enabled, crypto/tls allowed man-in-the-middle
	attackers to spoof clients via unspecified vectors.

	If the server enables TLS client authentication using certificates (this is
	rare) and explicitly sets SessionTicketsDisabled to true in the tls.Config,
	then a malicious client can falsely assert ownership of any client
	certificate it wishes.
	published: 2022-05-25T21:11:41Z
	cves:
	- CVE-2014-7189
	credit: Go Team
	references:
	- fix: https://go.dev/cl/148080043
	- fix: https://go.googlesource.com/go/+/commit/64df53ed7f
	- report: https://go.dev/issue/53085
	- web: https://groups.google.com/g/golang-nuts/c/eeOHNw_shwU/m/OHALUmroA5kJ