blob: 5a109a230874f6abd03f2302365a69da27b07124 [file] [log] [blame]
id: GO-2022-0171
modules:
- module: std
versions:
- fixed: 1.6.4
- introduced: 1.7.0-0
- fixed: 1.7.4
vulnerable_at: 1.7.3
packages:
- package: crypto/x509
goos:
- darwin
symbols:
- FetchPEMRoots
- execSecurityRoots
skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)'
summary: Mishandled trust preferences for root certificates on Darwin in crypto/x509
description: |-
On Darwin, user's trust preferences for root certificates were not honored. If
the user had a root certificate loaded in their Keychain that was explicitly not
trusted, a Go program would still verify a connection using that root
certificate.
published: 2022-05-24T20:17:59Z
cves:
- CVE-2017-1000097
credits:
- Xy Ziemba
references:
- fix: https://go.googlesource.com/go/+/7e5b2e0ec144d5f5b2923a7d5db0b9143f79a35a
- report: https://go.dev/issue/18141
- web: https://groups.google.com/g/golang-dev/c/4NdLzS8sls8/m/uIz8QlnIBQAJ
review_status: REVIEWED