oss-sec mailing list archives
CVE Request: Go crypto/tls vulnerability
From: Marc Deslauriers <marc.deslauriers () canonical com>
Date: Fri, 26 Sep 2014 09:00:42 -0400
Hello,
From the Go 1.3.2 release announcement:
"The crpyto/tls fix addresses a security bug that affects programs that use crypto/tls to implement a TLS server from Go 1.1 onwards. If the server enables TLS client authentication using certificates (this is rare) and explicitly sets SessionTicketsDisabled to true in the tls.Config, then a malicious client can falsely assert ownership of any client certificate it wishes." https://groups.google.com/forum/#!msg/golang-nuts/eeOHNw_shwU/OHALUmroA5kJ Could a CVE please be assigned to this issue? Thanks, Marc. -- Marc Deslauriers Ubuntu Security Engineer | http://www.ubuntu.com/ Canonical Ltd. | http://www.canonical.com/
Current thread:
- CVE Request: Go crypto/tls vulnerability Marc Deslauriers (Sep 26)
- Re: CVE Request: Go crypto/tls vulnerability cve-assign (Sep 26)