| packages: |
| - module: std |
| package: crypto/x509 |
| symbols: |
| - FetchPEMRoots |
| - execSecurityRoots |
| versions: |
| - fixed: 1.6.4 |
| - introduced: 1.7.0 |
| fixed: 1.7.4 |
| description: | |
| On Darwin, user's trust preferences for root certificates were not honored. |
| If the user had a root certificate loaded in their Keychain that was |
| explicitly not trusted, a Go program would still verify a connection using |
| that root certificate. |
| cves: |
| - CVE-2017-1000097 |
| credit: Xy Ziemba |
| os: |
| - darwin |
| links: |
| pr: https://go.dev/cl/33721 |
| commit: https://go.googlesource.com/go/+/7e5b2e0ec144d5f5b2923a7d5db0b9143f79a35a |
| context: |
| - https://go.dev/issue/18141 |
| - https://groups.google.com/g/golang-dev/c/4NdLzS8sls8/m/uIz8QlnIBQAJ |