reports: add GO-2021-0223.yaml for CVE-2020-14039
Fixes golang/vulndb#223
Change-Id: Ie6b761a23a41868056fa6c09fd03f51debd73805
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/377582
Trust: Damien Neil <dneil@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
diff --git a/reports/GO-2021-0223.yaml b/reports/GO-2021-0223.yaml
new file mode 100644
index 0000000..31b3a2e
--- /dev/null
+++ b/reports/GO-2021-0223.yaml
@@ -0,0 +1,23 @@
+module: std
+package: crypto/x509
+versions:
+- fixed: go1.13.13
+- fixed: go1.14.5
+- fixed: go1.15.0
+description: |
+ On Windows, if VerifyOptions.Roots is nil, Certificate.Verify
+ does not check the EKU requirements specified in VerifyOptions.KeyUsages.
+ This may allow a certificate to be used for an unintended purpose.
+cves:
+- CVE-2020-14039
+credit: Niall Newman
+symbols:
+- Certificate.systemVerify
+os:
+- windows
+links:
+ pr: https://go.dev/cl/242597
+ commit: https://go.googlesource.com/go/+/82175e699a2e2cd83d3aa34949e9b922d66d52f5
+ context:
+ - https://go.dev/issue/39360
+ - https://groups.google.com/g/golang-announce/c/XZNfaiwgt2w
