git: ea4ec27ac98d - main - security/vuxml: Document lang/go vulnerability

Dmitri Goutnik dmgk at FreeBSD.org
Tue Jul 13 12:02:10 UTC 2021


The branch main has been updated by dmgk:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ea4ec27ac98d25b0d077fba948a1e900da3f606d

commit ea4ec27ac98d25b0d077fba948a1e900da3f606d
Author:     Dmitri Goutnik <dmgk at FreeBSD.org>
AuthorDate: 2021-07-13 12:00:55 +0000
Commit:     Dmitri Goutnik <dmgk at FreeBSD.org>
CommitDate: 2021-07-13 12:01:52 +0000

    security/vuxml: Document lang/go vulnerability
---
 security/vuxml/vuln-2021.xml | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml
index 6b3c968fe90e..c30f6e3a6eb5 100644
--- a/security/vuxml/vuln-2021.xml
+++ b/security/vuxml/vuln-2021.xml
@@ -1,3 +1,38 @@
+  <vuln vid="c365536d-e3cf-11eb-9d8d-b37b683944c2">
+    <topic>go -- crypto/tls: clients can panic when provided a certificate of the wrong type for the negotiated parameters</topic>
+    <affects>
+      <package>
+	<name>go</name>
+	<range><lt>1.16.6,1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The Go project reports:</p>
+	<blockquote cite="https://github.com/golang/go/issues/47143">
+		<p>crypto/tls clients can panic when provided a certificate of
+		 the wrong type for the negotiated parameters. net/http clients
+		 performing HTTPS requests are also affected. The panic can be
+		 triggered by an attacker in a privileged network position
+		 without access to the server certificate's private key, as
+		 long as a trusted ECDSA or Ed25519 certificate for the server
+		 exists (or can be issued), or the client is configured with
+		 Config.InsecureSkipVerify. Clients that disable all TLS_RSA
+		 cipher suites (that is, TLS 1.0–1.2 cipher suites without
+		 ECDHE), as well as TLS 1.3-only clients, are unaffected.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2021-34558</cvename>
+      <url>https://github.com/golang/go/issues/47143</url>
+    </references>
+    <dates>
+      <discovery>2021-07-07</discovery>
+      <entry>2021-07-12</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="9b1699ff-d84c-11eb-92d6-1b6ff3dfe4d3">
     <topic>mantis -- multiple vulnerabilities</topic>
     <affects>
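
Review bot: the `<entry>` date in the new `<dates>` block is 2021-07-12, while the commit headers show AuthorDate and CommitDate of 2021-07-13 (+0000), so the entry is recorded as a day earlier than it was actually added. Suggest `<entry>2021-07-13</entry>` unless the earlier date is intentional. A minor style point in the same entry: the `<p>` inside `<blockquote>` is indented with two tabs and its continuation lines with two tabs plus a space, whereas the surrounding elements step in by one level per nesting; aligning the quoted paragraph with the rest of the entry would keep the file consistent.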


More information about the dev-commits-ports-all mailing list