From ${URL} :

From the Go 1.3.2 release announcement: "The crypto/tls fix addresses a security bug that affects programs that use crypto/tls to implement a TLS server from Go 1.1 onwards. If the server enables TLS client authentication using certificates (this is rare) and explicitly sets SessionTicketsDisabled to true in the tls.Config, then a malicious client can falsely assert ownership of any client certificate it wishes."

https://groups.google.com/forum/#!msg/golang-nuts/eeOHNw_shwU/OHALUmroA5kJ

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
Sorry about the delay on this; go-1.3.3 is now in the tree. Do we need to do a fast stable for this? If so, I can stable for amd64, but we will need to cover arm and x86.
Arches, please test and mark stable: =dev-lang/go-1.3.3 target KEYWORDS="amd64 arm x86"
CVE-2014-7189 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7189): crypto/tls in Go 1.1 before 1.3.2, when SessionTicketsDisabled is enabled, allows man-in-the-middle attackers to spoof clients via unspecified vectors.
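The report above names two server-side preconditions (client certificate authentication enabled, SessionTicketsDisabled explicitly set to true) and one toolchain condition (the CVE's range, "Go 1.1 before 1.3.2"). The following is an added audit helper, not code from the bug, the Go project or the Gentoo package: it checks a tls.Config for the described shape and a runtime.Version() style string against that range. The function and constant names, the constructed example configs, and the decision to treat any ClientAuth mode other than NoClientCert as "client authentication enabled" are assumptions of this example. The remedy in this thread is the bump to go-1.3.3; the config check only tells you whether a deployment matches the announced precondition.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// Range quoted from the CVE text in the bug: "Go 1.1 before 1.3.2".
// Only the 1.x release line is considered (assumption of this example).
const (
	cveFirstAffectedMinor = 1
	cveFixedMinor         = 3
	cveFixedPatch         = 2
)

// leadingInt parses the digits at the start of s ("3rc1" -> 3).
func leadingInt(s string) (int, error) {
	i := 0
	for i < len(s) && s[i] >= '0' && s[i] <= '9' {
		i++
	}
	if i == 0 {
		return 0, fmt.Errorf("no leading integer in %q", s)
	}
	return strconv.Atoi(s[:i])
}

// parseGoVersion turns a runtime.Version() style string such as "go1.3.1",
// "go1.3" or "go1.3rc1" into (minor, patch). A missing patch component is 0,
// pre-release suffixes after the digits are ignored, and "devel ..." or other
// non-release strings return an error so the caller can decide what to do.
func parseGoVersion(v string) (minor, patch int, err error) {
	v = strings.TrimPrefix(v, "go")
	parts := strings.Split(v, ".")
	if len(parts) < 2 || parts[0] != "1" {
		return 0, 0, fmt.Errorf("not a go1.x release string: %q", v)
	}
	if minor, err = leadingInt(parts[1]); err != nil {
		return 0, 0, err
	}
	if len(parts) >= 3 {
		if patch, err = leadingInt(parts[2]); err != nil {
			return 0, 0, err
		}
	}
	return minor, patch, nil
}

// versionAffected reports whether a Go release string falls inside the
// CVE range [1.1, 1.3.2).
func versionAffected(v string) (bool, error) {
	minor, patch, err := parseGoVersion(v)
	if err != nil {
		return false, err
	}
	if minor < cveFirstAffectedMinor || minor > cveFixedMinor {
		return false, nil
	}
	return minor < cveFixedMinor || patch < cveFixedPatch, nil
}

// configHasVulnerableShape reports whether a server tls.Config has the two
// settings the announcement names: client certificate authentication enabled
// (conservatively, any mode other than NoClientCert) and session tickets
// explicitly disabled.
func configHasVulnerableShape(cfg *tls.Config) bool {
	return cfg != nil && cfg.ClientAuth != tls.NoClientCert && cfg.SessionTicketsDisabled
}

// serverAffected combines the config shape with the toolchain version.
func serverAffected(cfg *tls.Config, goVersion string) (bool, error) {
	if !configHasVulnerableShape(cfg) {
		return false, nil
	}
	return versionAffected(goVersion)
}

func main() {
	// Constructed example configs: the shape the announcement describes, and
	// the same server with SessionTicketsDisabled left at its default.
	vulnerable := &tls.Config{
		ClientAuth:             tls.RequireAndVerifyClientCert,
		SessionTicketsDisabled: true,
	}
	ticketsEnabled := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert}

	for _, v := range []string{"go1.3.1", "go1.3.2", runtime.Version()} {
		hit, err := serverAffected(vulnerable, v)
		fmt.Printf("%-12s client-auth + tickets disabled: affected=%v err=%v\n", v, hit, err)
	}
	hit, _ := serverAffected(ticketsEnabled, "go1.3.1")
	fmt.Println("go1.3.1 client-auth with tickets enabled: affected =", hit)
}
```

The version check follows the CVE text literally, so every 1.1.x and 1.2.x release string is reported as affected; treat a "devel" toolchain (which returns an error) as something to inspect by hand rather than as safe.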
amd64 done
x86 stable
Arches, thank you for your work.
Maintainer(s), please drop the vulnerable version(s).

GLSA Vote: No
(In reply to Yury German from comment #6)
> Arches, thank you for your work.
> Maintainer(s), please drop the vulnerable version(s).
>
> GLSA Vote: No

? arm is still in progress, but GLSA vote: no, anyway.
(In reply to Yury German from comment #6)
> Maintainer(s), please drop the vulnerable version(s).

I plan to as soon as this version is stable on arm.
arm stable. Cleanup, please!
Old versions are removed.
(In reply to William Hubbs from comment #10)
> Old versions are removed.

Thanks! Closed.