oss-sec mailing list archives

CVE Request: Go crypto/tls vulnerability

From: Marc Deslauriers <marc.deslauriers () canonical com>
Date: Fri, 26 Sep 2014 09:00:42 -0400

Hello,

From the Go 1.3.2 release announcement:


"The crpyto/tls fix addresses a security bug that affects programs that use
crypto/tls to implement a TLS server from Go 1.1 onwards. If the server enables
TLS client authentication using certificates (this is rare) and explicitly sets
SessionTicketsDisabled to true in the tls.Config, then a malicious client can
falsely assert ownership of any client certificate it wishes."

https://groups.google.com/forum/#!msg/golang-nuts/eeOHNw_shwU/OHALUmroA5kJ

Could a CVE please be assigned to this issue?

Thanks,

Marc.

-- 
Marc Deslauriers
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/

Current thread:

CVE Request: Go crypto/tls vulnerability Marc Deslauriers (Sep 26)
- Re: CVE Request: Go crypto/tls vulnerability cve-assign (Sep 26)