data/reports/GO-2021-0243.yaml - vulndb - Git at Google

 modules:
   - module: std
     versions:
       - fixed: 1.15.14
       - introduced: 1.16.0
         fixed: 1.16.6
     vulnerable_at: 1.16.5
     packages:
       - package: crypto/tls
         symbols:
           - rsaKeyAgreement.generateClientKeyExchange
         skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)'
 description: |
     crypto/tls clients can panic when provided a certificate of the
     wrong type for the negotiated parameters. net/http clients
     performing HTTPS requests are also affected.
 published: 2022-02-17T17:32:57Z
 cves:
   - CVE-2021-34558
 credit: Imre Rad
 references:
   - fix: https://go.dev/cl/334031
   - fix: https://go.googlesource.com/go/+/a98589711da5e9d935e8d690cfca92892e86d557
   - web: https://groups.google.com/g/golang-announce/c/n9FxMelZGAQ
   - report: https://go.dev/issue/47143
	modules:
	- module: std
	versions:
	- fixed: 1.15.14
	- introduced: 1.16.0
	fixed: 1.16.6
	vulnerable_at: 1.16.5
	packages:
	- package: crypto/tls
	symbols:
	- rsaKeyAgreement.generateClientKeyExchange
	skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)'
	description: \|
	crypto/tls clients can panic when provided a certificate of the
	wrong type for the negotiated parameters. net/http clients
	performing HTTPS requests are also affected.
	published: 2022-02-17T17:32:57Z
	cves:
	- CVE-2021-34558
	credit: Imre Rad
	references:
	- fix: https://go.dev/cl/334031
	- fix: https://go.googlesource.com/go/+/a98589711da5e9d935e8d690cfca92892e86d557
	- web: https://groups.google.com/g/golang-announce/c/n9FxMelZGAQ
	- report: https://go.dev/issue/47143