blob: ba92dc21adb148f4a19563a1efcb256889256e25 [file] [log] [blame]
id: GO-2021-0243
modules:
- module: std
versions:
- fixed: 1.15.14
- introduced: 1.16.0-0
- fixed: 1.16.6
vulnerable_at: 1.16.5
packages:
- package: crypto/tls
symbols:
- rsaKeyAgreement.generateClientKeyExchange
skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)'
summary: Panic on certain certificates in crypto/tls
description: |-
crypto/tls clients can panic when provided a certificate of the wrong type for
the negotiated parameters. net/http clients performing HTTPS requests are also
affected.
published: 2022-02-17T17:32:57Z
cves:
- CVE-2021-34558
credits:
- Imre Rad
references:
- fix: https://go.dev/cl/334031
- fix: https://go.googlesource.com/go/+/a98589711da5e9d935e8d690cfca92892e86d557
- web: https://groups.google.com/g/golang-announce/c/n9FxMelZGAQ
- report: https://go.dev/issue/47143
review_status: REVIEWED