data/reports/GO-2022-0171.yaml - vulndb - Git at Google

 modules:
   - module: std
     versions:
       - fixed: 1.6.4
       - introduced: 1.7.0
         fixed: 1.7.4
     vulnerable_at: 1.7.3
     packages:
       - package: crypto/x509
         goos:
           - darwin
         symbols:
           - FetchPEMRoots
           - execSecurityRoots
         skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)'
 description: |
     On Darwin, user's trust preferences for root certificates were not honored.
     If the user had a root certificate loaded in their Keychain that was
     explicitly not trusted, a Go program would still verify a connection using
     that root certificate.
 published: 2022-05-24T20:17:59Z
 cves:
   - CVE-2017-1000097
 credit: Xy Ziemba
 references:
   - fix: https://go.dev/cl/33721
   - fix: https://go.googlesource.com/go/+/7e5b2e0ec144d5f5b2923a7d5db0b9143f79a35a
   - report: https://go.dev/issue/18141
   - web: https://groups.google.com/g/golang-dev/c/4NdLzS8sls8/m/uIz8QlnIBQAJ
	modules:
	- module: std
	versions:
	- fixed: 1.6.4
	- introduced: 1.7.0
	fixed: 1.7.4
	vulnerable_at: 1.7.3
	packages:
	- package: crypto/x509
	goos:
	- darwin
	symbols:
	- FetchPEMRoots
	- execSecurityRoots
	skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)'
	description: \|
	On Darwin, user's trust preferences for root certificates were not honored.
	If the user had a root certificate loaded in their Keychain that was
	explicitly not trusted, a Go program would still verify a connection using
	that root certificate.
	published: 2022-05-24T20:17:59Z
	cves:
	- CVE-2017-1000097
	credit: Xy Ziemba
	references:
	- fix: https://go.dev/cl/33721
	- fix: https://go.googlesource.com/go/+/7e5b2e0ec144d5f5b2923a7d5db0b9143f79a35a
	- report: https://go.dev/issue/18141
	- web: https://groups.google.com/g/golang-dev/c/4NdLzS8sls8/m/uIz8QlnIBQAJ