CVE-2024-24783
Published: 5 March 2024
Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.
Notes
| Author | Note |
|---|---|
| mdeslaur | Packages built using golang need to be rebuilt once the vulnerability has been fixed. This CVE entry does not list packages that need rebuilding outside of the main repository or the Ubuntu variants with PPA overlays. Warning: do not include nullboot in the list of no-change rebuilds after fixing an issue in golang. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
golang Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
| jammy |
Does not exist
|
|
| mantic |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
golang-1.10 Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Needs triage
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
|
golang-1.13 Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| jammy |
Needs triage
|
|
| mantic |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
|
golang-1.14 Launchpad, Ubuntu, Debian |
focal |
Needs triage
|
| jammy |
Does not exist
|
|
| mantic |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
golang-1.16 Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| jammy |
Does not exist
|
|
| mantic |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
golang-1.17 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
| jammy |
Needs triage
|
|
| mantic |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
golang-1.18 Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| jammy |
Needs triage
|
|
| mantic |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
|
golang-1.19 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
| jammy |
Does not exist
|
|
| mantic |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
golang-1.20 Launchpad, Ubuntu, Debian |
focal |
Needs triage
|
| jammy |
Needs triage
|
|
| mantic |
Needs triage
|
|
| upstream |
Needs triage
|
|
|
golang-1.21 Launchpad, Ubuntu, Debian |
focal |
Needs triage
|
| jammy |
Needs triage
|
|
| mantic |
Needs triage
|
|
| upstream |
Needs triage
|
|
|
golang-1.22 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
| jammy |
Does not exist
|
|
| mantic |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
golang-1.6 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
| jammy |
Does not exist
|
|
| mantic |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
|
golang-1.8 Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| mantic |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
golang-1.9 Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| mantic |
Does not exist
|
|
| upstream |
Needs triage
|
References
- https://github.com/golang/go/issues/65390
- https://github.com/golang/go/commit/337b8e9cbfa749d9d5c899e0dc358e2208d5e54f (go1.22.1)
- https://github.com/golang/go/commit/be5b52bea674190ef7de272664be6c7ae93ec5a0 (go1.21.8)
- https://go.dev/issue/65390
- https://go.dev/cl/569339
- https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg
- https://pkg.go.dev/vuln/GO-2024-2598
- https://www.cve.org/CVERecord?id=CVE-2024-24783
- NVD
- Launchpad
- Debian