Fluid Attacks Database

Description

Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	golang-1.15	=1.15.15-1 \|\| =1.15.15-1~deb11u1 \|\| =1.15.15-1~deb11u2 \|\| =1.15.15-1~deb11u3 \|\| =1.15.15-1~deb11u4 \|\| =1.15.15-2 \|\| =1.15.15-3 \|\| =1.15.15-4 \|\| =1.15.15-5 \|\| =1.15.9-6	-
debian 12	golang-1.19	=1.19.10-1 \|\| =1.19.10-2 \|\| =1.19.11-1 \|\| =1.19.12-1 \|\| =1.19.12-2 \|\| =1.19.12-2~bpo11+1 \|\| =1.19.12-2~bpo12+1 \|\| =1.19.13-1 \|\| =1.19.13-1~bpo11+1 \|\| =1.19.13-1~bpo12+1 \|\| =1.19.8-2 \|\| =1.19.9-1	-
go	stdlib	>=0 <1.21.8	1.21.8
rpm rhel8	go-toolset	<0:1.21.9-1.module+el8.10.0+21671+b35c3b78	0:1.21.9-1.module+el8.10.0+21671+b35c3b78
rpm rhel9	buildah	<2:1.33.7-4.el9_4	2:1.33.7-4.el9_4
rpm rhel9	golang	<0:1.21.9-2.el9_4	0:1.21.9-2.el9_4
rpm rhel9	runc	<4:1.1.12-4.el9_4	4:1.1.12-4.el9_4
rpm rhel9	osbuild-composer	-	-
rpm rhel9	weldr-client	-	-
rpm rhel9	skopeo	<2:1.14.5-1.el9_4	2:1.14.5-1.el9_4

1-10 of 23

Aliases

1. CVE-2024-247832. NVD-2024-247833. OSV-DEBIAN-2024-247834. OSV-2024-247835. OSV-GO-2024-25986. GCVE-2024-247837. SECURITY-TRACKER-CVE-2024-24783

References

1. https://go.dev/issue/653902. https://go.dev/cl/5693393. https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.