crypto/x509: Verify panics on certificates with an unknown public key algorithm [CVE-2024-24783] #65390

@neild

Verifying a certificate chain which contains a certificate with an unknown public
key algorithm will cause Certificate.Verify to panic.

This affects all crypto/tls clients, and servers that set Config.ClientAuth to
VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is
for TLS servers to not verify client certificates.

Thanks to John Howard (Google) for reporting this issue. This is CVE-2024-24783.

/cc @golang/security and @golang/release
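
An added example, not code from the issue or from the Go project: it encodes the exposure conditions stated above and shows a guard for programs that call `Certificate.Verify` directly. The names `ReachesVerify`, `FirstUnknownKeyAlg`, `VerifyGuarded` and `ErrUnknownKeyAlg` are hypothetical, and the guard does not cover the verification that crypto/tls performs internally during a handshake.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
)

// ErrUnknownKeyAlg is a sentinel error defined for this example only.
var ErrUnknownKeyAlg = errors.New("unknown public key algorithm in chain")

// ReachesVerify: per the issue, all clients verify; servers only in two ClientAuth modes.
func ReachesVerify(cfg *tls.Config, isServer bool) bool {
	return !isServer || cfg.ClientAuth == tls.VerifyClientCertIfGiven ||
		cfg.ClientAuth == tls.RequireAndVerifyClientCert
}

// FirstUnknownKeyAlg returns the index of the first cert with an unrecognised key algorithm, or -1.
func FirstUnknownKeyAlg(chain []*x509.Certificate) int {
	for i, c := range chain {
		if c.PublicKeyAlgorithm == x509.UnknownPublicKeyAlgorithm {
			return i
		}
	}
	return -1
}

// VerifyGuarded rejects such chains up front and converts any remaining panic into an error.
func VerifyGuarded(leaf *x509.Certificate, inter []*x509.Certificate, roots *x509.CertPool) (chains [][]*x509.Certificate, err error) {
	all := append([]*x509.Certificate{leaf}, inter...)
	if i := FirstUnknownKeyAlg(all); i >= 0 {
		return nil, fmt.Errorf("chain position %d: %w", i, ErrUnknownKeyAlg)
	}
	defer func() {
		if r := recover(); r != nil {
			chains, err = nil, fmt.Errorf("x509 verify panicked: %v", r)
		}
	}()
	pool := x509.NewCertPool()
	for _, c := range inter {
		pool.AddCert(c)
	}
	return leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool})
}

func main() {
	cfg := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert}
	fmt.Println("server reaches Verify:", ReachesVerify(cfg, true))
}
```
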

Status: Done
