crypto/x509: Verify panics on certificates with an unknown public key algorithm [CVE-2024-24783]

Question

crypto/x509: Verify panics on certificates with an unknown public key algorithm [CVE-2024-24783]

eks-distro-pr-bot opened this issue 6 months ago · comments

EKS Distro PR Bot commented 6 months ago

Verifying a certificate chain which contains a certificate with an unknown public
key algorithm will cause Certificate.Verify to panic.

This affects all crypto/tls clients, and servers that set Config.ClientAuth to
VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is
for TLS servers to not verify client certificates.

Thanks to John Howard (Google) for reporting this issue. This is CVE-2024-24783.

/cc @golang/security and @golang/release

Cameron Rozean · Answer 1 · Tue Mar 12 2024 05:53:32 GMT+0800 (China Standard Time)

Fixed in 1.20: #1367