ubuntucve | Ubuntu.com | UB:CVE-2024-24783
History: Mar 05, 2024 - 12:00 a.m.

CVE-2024-24783


AI Score: 6.8 Medium (Confidence: Low)

EPSS: 0.0004 Low (Percentile: 10.4%)

Verifying a certificate chain which contains a certificate with an unknown
public key algorithm will cause Certificate.Verify to panic. This affects
all crypto/tls clients, and servers that set Config.ClientAuth to
VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior
is for TLS servers to not verify client certificates.
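
An added example, not code from the Ubuntu advisory or the Go project: a Go helper that flags server configurations using the two ClientAuth modes named above, and a pre-check for code that calls Certificate.Verify directly. The function names, errUnknownKeyAlg and the chain layout (leaf first, then intermediates) are assumptions made for this illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
)

// errUnknownKeyAlg is a name made up for this example.
var errUnknownKeyAlg = errors.New("chain contains a certificate with an unknown public key algorithm")

// serverVerifiesClientCerts reports whether a server tls.Config uses one of
// the two ClientAuth modes the advisory lists as affected. Clients always
// verify the server chain, so this check applies to server configs only.
func serverVerifiesClientCerts(cfg *tls.Config) bool {
	switch cfg.ClientAuth {
	case tls.VerifyClientCertIfGiven, tls.RequireAndVerifyClientCert:
		return true
	}
	return false // includes the default, tls.NoClientCert
}

// unknownKeyAlgCerts returns the positions in chain of certificates whose
// public key algorithm crypto/x509 did not recognise when parsing.
func unknownKeyAlgCerts(chain []*x509.Certificate) []int {
	var idx []int
	for i, c := range chain {
		if c.PublicKeyAlgorithm == x509.UnknownPublicKeyAlgorithm {
			idx = append(idx, i)
		}
	}
	return idx
}

// verifyChain is for code that calls Certificate.Verify itself: chain[0] is
// the leaf, the rest are intermediates. Suspect chains are refused up front.
func verifyChain(chain []*x509.Certificate, roots *x509.CertPool) error {
	if len(chain) == 0 {
		return errors.New("empty chain")
	}
	if bad := unknownKeyAlgCerts(chain); len(bad) > 0 {
		return fmt.Errorf("%w (positions %v)", errUnknownKeyAlg, bad)
	}
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err
}

func main() {
	cfg := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert}
	fmt.Println("server verifies client certs:", serverVerifiesClientCerts(cfg))
}
```

The pre-check only covers verification the application performs itself; verification done inside the crypto/tls handshake is covered by running a fixed Go toolchain and rebuilding, as the note below describes.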

Notes

Author: mdeslaur
Note: Packages built using golang need to be rebuilt once the vulnerability has been fixed. This CVE entry does not list packages that need rebuilding outside of the main repository or the Ubuntu variants with PPA overlays. Warning: do not include nullboot in the list of no-change rebuilds after fixing an issue in golang.