Date: Tue, 13 Jul 2021 12:02:10 GMT
From: Dmitri Goutnik <dmgk@FreeBSD.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: git: ea4ec27ac98d - main - security/vuxml: Document lang/go vulnerability
Message-ID: <202107131202.16DC2AKw043090@gitrepo.freebsd.org>
The branch main has been updated by dmgk:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ea4ec27ac98d25b0d077fba948a1e900da3f606d

commit ea4ec27ac98d25b0d077fba948a1e900da3f606d
Author:     Dmitri Goutnik <dmgk@FreeBSD.org>
AuthorDate: 2021-07-13 12:00:55 +0000
Commit:     Dmitri Goutnik <dmgk@FreeBSD.org>
CommitDate: 2021-07-13 12:01:52 +0000

    security/vuxml: Document lang/go vulnerability
---
 security/vuxml/vuln-2021.xml | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml
index 6b3c968fe90e..c30f6e3a6eb5 100644
--- a/security/vuxml/vuln-2021.xml
+++ b/security/vuxml/vuln-2021.xml
@@ -1,3 +1,38 @@ + <vuln vid="c365536d-e3cf-11eb-9d8d-b37b683944c2"> + <topic>go -- crypto/tls: clients can panic when provided a certificate of the wrong type for the negotiated parameters</topic> + <affects> + <package> + <name>go</name> + <range><lt>1.16.6,1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Go project reports:</p> + <blockquote cite="https://github.com/golang/go/issues/47143"> + <p>crypto/tls clients can panic when provided a certificate of + the wrong type for the negotiated parameters. net/http clients + performing HTTPS requests are also affected. The panic can be + triggered by an attacker in a privileged network position + without access to the server certificate's private key, as + long as a trusted ECDSA or Ed25519 certificate for the server + exists (or can be issued), or the client is configured with + Config.InsecureSkipVerify. Clients that disable all TLS_RSA + cipher suites (that is, TLS 1.0–1.2 cipher suites without + ECDHE), as well as TLS 1.3-only clients, are unaffected.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-34558</cvename> + <url>https://github.com/golang/go/issues/47143</url> + </references> + <dates> + <discovery>2021-07-07</discovery> + <entry>2021-07-12</entry> + </dates> + </vuln> + <vuln vid="9b1699ff-d84c-11eb-92d6-1b6ff3dfe4d3"> <topic>mantis -- multiple vulnerabilities</topic> <affects>
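Review bot: the fixed version is asserted only by `<range><lt>1.16.6,1</lt></range>` in the `<affects>` block, while `<references>` carries just `<cvename>CVE-2021-34558</cvename>` and the tracking-issue `<url>`; neither the quoted description nor the references state which Go release ships the fix, so add a `<url>` to the Go release announcement that names the fixed release, letting a reader verify the version cutoff rather than trust the range. Minor: the `<entry>2021-07-12</entry>` date in `<dates>` is one day before the 2021-07-13 commit date in the header above; VuXML entry dates should reflect when the entry was added, so confirm which date is intended.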