data/reports/GO-2022-0535.yaml - vulndb - Git at Google

 modules:
   - module: std
     versions:
       - fixed: 1.12.16
       - introduced: 1.13.0
         fixed: 1.13.7
     vulnerable_at: 1.13.6
     packages:
       - package: crypto/x509
         goos:
           - windows
         symbols:
           - Certificate.systemVerify
 description: |
     A Windows vulnerability allows attackers to spoof valid certificate chains
     when the system root store is in use.

     A workaround is present in Go 1.12.6+ and Go 1.13.7+, but affected
     users should additionally install the Windows security update to protect
     their system.

     See
     https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0601
     for details on the Windows vulnerability.
 published: 2022-08-01T22:21:17Z
 cves:
   - CVE-2020-0601
 references:
   - fix: https://go.dev/cl/215905
   - fix: https://go.googlesource.com/go/+/953bc8f391a63adf00bac2515dba62abe8a1e2c2
   - report: https://go.dev/issue/36834
   - web: https://groups.google.com/g/golang-announce/c/Hsw4mHYc470/m/WJeW5wguEgAJ
	modules:
	- module: std
	versions:
	- fixed: 1.12.16
	- introduced: 1.13.0
	fixed: 1.13.7
	vulnerable_at: 1.13.6
	packages:
	- package: crypto/x509
	goos:
	- windows
	symbols:
	- Certificate.systemVerify
	description: \|
	A Windows vulnerability allows attackers to spoof valid certificate chains
	when the system root store is in use.

	A workaround is present in Go 1.12.6+ and Go 1.13.7+, but affected
	users should additionally install the Windows security update to protect
	their system.

	See
	https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0601
	for details on the Windows vulnerability.
	published: 2022-08-01T22:21:17Z
	cves:
	- CVE-2020-0601
	references:
	- fix: https://go.dev/cl/215905
	- fix: https://go.googlesource.com/go/+/953bc8f391a63adf00bac2515dba62abe8a1e2c2
	- report: https://go.dev/issue/36834
	- web: https://groups.google.com/g/golang-announce/c/Hsw4mHYc470/m/WJeW5wguEgAJ