
security: fix CVE-2021-34558 [1.15 backport] #47144


Closed
gopherbot opened this issue Jul 12, 2021 · 2 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security

@gopherbot
Contributor

@FiloSottile requested issue #47143 to be considered for backport to the next 1.15 minor release.

@gopherbot please file backport issues for this security fix.

@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Jul 12, 2021
@gopherbot gopherbot added this to the Go1.15.14 milestone Jul 12, 2021
@FiloSottile FiloSottile added CherryPickApproved Used during the release process for point releases release-blocker Security and removed CherryPickCandidate Used during the release process for point releases labels Jul 12, 2021
@gopherbot
Contributor Author

Change https://golang.org/cl/334030 mentions this issue: [release-branch.go1.15] crypto/tls: test key type when casting

gopherbot pushed a commit that referenced this issue Jul 12, 2021
When casting the certificate public key in generateClientKeyExchange,
check the type is appropriate. This prevents a panic when a server
agrees to an RSA-based key exchange, but then sends an ECDSA (or
other) certificate.

Updates #47143
Fixes #47144
Fixes CVE-2021-34558

Thanks to Imre Rad for reporting this issue.

Change-Id: Iabccacca6052769a605cccefa1216a9f7b7f6aea
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1116723
Reviewed-by: Filippo Valsorda <[email protected]>
Reviewed-by: Katie Hockman <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/334030
Trust: Filippo Valsorda <[email protected]>
Run-TryBot: Filippo Valsorda <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
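
The failure mode the commit message describes, as an added example that is not the crypto/tls source: a bare type assertion on a peer-supplied public key panics when the key is not RSA, while the comma-ok form returns an error. The function names, the error text and the generated keys are assumptions constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"fmt"
)

// encryptUnchecked (hypothetical) asserts the key type directly and panics on a non-RSA key.
func encryptUnchecked(pub crypto.PublicKey, preMaster []byte) ([]byte, error) {
	return rsa.EncryptPKCS1v15(rand.Reader, pub.(*rsa.PublicKey), preMaster)
}

// encryptChecked (hypothetical) uses the comma-ok form, so a mismatch is an ordinary error.
func encryptChecked(pub crypto.PublicKey, preMaster []byte) ([]byte, error) {
	rsaKey, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("peer certificate key type does not match RSA key exchange")
	}
	return rsa.EncryptPKCS1v15(rand.Reader, rsaKey, preMaster)
}

// didPanic reports whether f panicked.
func didPanic(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

// constructedKeys returns freshly generated sample public keys (constructed input).
func constructedKeys() (ec, rs crypto.PublicKey) {
	e, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	r, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		panic("sample key generation failed")
	}
	return &e.PublicKey, &r.PublicKey
}

func main() {
	ec, _ := constructedKeys()
	pm := make([]byte, 48) // placeholder pre-master secret
	_, err := encryptChecked(ec, pm)
	fmt.Println(didPanic(func() { encryptUnchecked(ec, pm) }), err)
}
```
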
@gopherbot
Contributor Author

Closed by merging c77980b to release-branch.go1.15.

@golang golang locked and limited conversation to collaborators Jul 12, 2022