x/vulndb: add GO-2021-0154 for CVE-2014-7189

Fixes golang/vulndb#154

Change-Id: I1979ec22b21bb4ed7bd1bb28ee9cc79ff85eeffe
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/408275
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Tatiana Bradley <tatiana@golang.org>
diff --git a/reports/GO-2021-0154.yaml b/reports/GO-2021-0154.yaml
new file mode 100644
index 0000000..6b4d4c5
--- /dev/null
+++ b/reports/GO-2021-0154.yaml
@@ -0,0 +1,26 @@
+packages:
+  - module: std
+    package: crypto/tls
+    symbols:
+      - checkForResumption
+      - decryptTicket
+    versions:
+      - introduced: 1.1.0
+        fixed: 1.3.2
+description: |
+  When SessionTicketsDisabled is enabled, crypto/tls allowed man-in-the-middle
+  attackers to spoof clients via unspecified vectors.
+
+  If the server enables TLS client authentication using certificates (this is
+  rare) and explicitly sets SessionTicketsDisabled to true in the tls.Config,
+  then a malicious client can falsely assert ownership of any client
+  certificate it wishes.
+cves:
+  - CVE-2014-7189
+credit: Go Team
+links:
+    pr: https://go.dev/cl/148080043
+    commit: https://go.googlesource.com/go/+/commit/64df53ed7f
+    context:
+      - https://go.dev/issue/53085
+      - https://groups.google.com/g/golang-nuts/c/eeOHNw_shwU/m/OHALUmroA5kJ