https://bugzilla.redhat.com/show_bug.cgi?id=1404636
Bug ID: 1404636
Summary: golang: User's trust preferences for root certificates were not honored
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team@redhat.com
Reporter: amaris@redhat.com
CC: admiller@redhat.com, amurdaca@redhat.com, aortega@redhat.com, apevec@redhat.com, ayoung@redhat.com, bleanhar@redhat.com, ccoleman@redhat.com, chrisw@redhat.com, cvsbot-xmlrpc@redhat.com, dedgar@redhat.com, dmcphers@redhat.com, golang-updates@lists.fedoraproject.org, jcajka@redhat.com, jgoulding@redhat.com, jialiu@redhat.com, jkeck@redhat.com, joelsmith@redhat.com, jokerman@redhat.com, jschluet@redhat.com, kbasil@redhat.com, kseifried@redhat.com, lemenkov@gmail.com, lhh@redhat.com, lmeyer@redhat.com, lpeer@redhat.com, markmc@redhat.com, mmccomas@redhat.com, rbryant@redhat.com, renich@woralelandia.com, sclewis@redhat.com, srevivo@redhat.com, s@shk.io, tdawson@redhat.com, tdecacqu@redhat.com, vbatts@redhat.com
It was found that user's trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a connection using that root certificate.
Upstream bug:
https://github.com/golang/go/issues/18141
Upstream patch:
https://go-review.googlesource.com/#/c/33721/
External Reference:
https://groups.google.com/forum/#!msg/golang-dev/4NdLzS8sls8/uIz8QlnIBQAJ
Adam Mariš amaris@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Depends On |        |1404638
Depends On |        |1404639
--- Comment #1 from Adam Mariš amaris@redhat.com ---
Created golang tracking bugs for this issue:
Affects: fedora-all [bug 1404638]
Affects: epel-all [bug 1404639]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1404638
[Bug 1404638] golang: User's trust preferences for root certificates were not honored [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1404639
[Bug 1404639] golang: User's trust preferences for root certificates were not honored [epel-all]
Adam Mariš amaris@redhat.com changed:
What   |Removed |Added
----------------------------------------------------------------------------
Blocks |        |1404641
Summer Long slong@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Whiteboard |impact=low,public=20161201,reported=20161205,source=redhat,cvss2=2.6/AV:N/AC:H/Au:N/C:N/I:P/A:N,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,cwe=CWE-295,rhel-7/golang=new,openshift-enterprise-3/golang=new,openstack-8-optools/golang=new,openstack-9-optools/golang=new,openstack-10-optools/golang=new,fedora-all/golang=affected,epel-all/golang=affected |impact=low,public=20161201,reported=20161205,source=redhat,cvss2=2.6/AV:N/AC:H/Au:N/C:N/I:P/A:N,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,cwe=CWE-295,rhel-7/golang=new,openshift-enterprise-3/golang=new,openstack-8-optools/golang=wontfix,openstack-9-optools/golang=wontfix,openstack-10-optools/golang=new,fedora-all/golang=affected,epel-all/golang=affected
Summer Long slong@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Whiteboard |impact=low,public=20161201,reported=20161205,source=redhat,cvss2=2.6/AV:N/AC:H/Au:N/C:N/I:P/A:N,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,cwe=CWE-295,rhel-7/golang=new,openshift-enterprise-3/golang=new,openstack-8-optools/golang=wontfix,openstack-9-optools/golang=wontfix,openstack-10-optools/golang=new,fedora-all/golang=affected,epel-all/golang=affected |impact=low,public=20161201,reported=20161205,source=redhat,cvss2=2.6/AV:N/AC:H/Au:N/C:N/I:P/A:N,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,cwe=CWE-295,rhel-7/golang=new,openshift-enterprise-3/golang=new,openstack-8-optools/golang=wontfix,openstack-9-optools/golang=wontfix,openstack-10-optools/golang=notaffected,fedora-all/golang=affected,epel-all/golang=affected
Bug 1404636 depends on bug 1404638, which changed state.
Bug 1404638 Summary: golang: User's trust preferences for root certificates were not honored [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1404638
What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |CLOSED
Resolution |---     |ERRATA
Bug 1404636 depends on bug 1404639, which changed state.
Bug 1404639 Summary: golang: User's trust preferences for root certificates were not honored [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1404639
What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |CLOSED
Resolution |---     |ERRATA
Cedric Buissart cbuissar@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Whiteboard |impact=low,public=20161201,reported=20161205,source=redhat,cvss2=2.6/AV:N/AC:H/Au:N/C:N/I:P/A:N,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,cwe=CWE-295,rhel-7/golang=new,openshift-enterprise-3/golang=new,openstack-8-optools/golang=wontfix,openstack-9-optools/golang=wontfix,openstack-10-optools/golang=notaffected,fedora-all/golang=affected,epel-all/golang=affected |impact=low,public=20161201,reported=20161205,source=redhat,cvss2=2.6/AV:N/AC:H/Au:N/C:N/I:P/A:N,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,cwe=CWE-295,rhel-7/golang=wontfix,openshift-enterprise-3/golang=new,openstack-8-optools/golang=wontfix,openstack-9-optools/golang=wontfix,openstack-10-optools/golang=notaffected,fedora-all/golang=affected,epel-all/golang=affected
Cedric Buissart cbuissar@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Whiteboard |impact=low,public=20161201,reported=20161205,source=redhat,cvss2=2.6/AV:N/AC:H/Au:N/C:N/I:P/A:N,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,cwe=CWE-295,rhel-7/golang=wontfix,openshift-enterprise-3/golang=new,openstack-8-optools/golang=wontfix,openstack-9-optools/golang=wontfix,openstack-10-optools/golang=notaffected,fedora-all/golang=affected,epel-all/golang=affected |impact=low,public=20161201,reported=20161205,source=redhat,cvss2=2.6/AV:N/AC:H/Au:N/C:N/I:P/A:N,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,cwe=CWE-295,rhel-7/golang=wontfix,openshift-enterprise-3/golang=affected,openstack-8-optools/golang=wontfix,openstack-9-optools/golang=wontfix,openstack-10-optools/golang=notaffected,fedora-all/golang=affected,epel-all/golang=affected
Cedric Buissart cbuissar@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Depends On |        |1418029
Depends On |        |1418030
Kurt Seifried kseifried@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Depends On |        |1470270, 1470272, 1470271, 1470269
Adam Mariš amaris@redhat.com changed:
What    |Removed |Added
----------------------------------------------------------------------------
Summary |golang: User's trust preferences for root certificates were not honored |CVE-2017-1000097 golang: User's trust preferences for root certificates were not honored
Alias   |        |CVE-2017-1000097