Updated golang packages fix CVE-2014-7189
Publication date: 09 Oct 2014
Modification date: 09 Oct 2014
Type: security
Affected Mageia releases: 4
CVE: CVE-2014-7189
Description
Updated golang packages fix security vulnerability:

Go 1.1 through 1.3.2 has an issue that affects programs that use crypto/tls to implement a TLS server. If the server enables TLS client authentication using certificates and explicitly sets SessionTicketsDisabled to true in the tls.Config, then a malicious client can falsely assert ownership of any client certificate it wishes (CVE-2014-7189).
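One way to audit a server for the condition described above, as an added example (not code from this advisory or from the Go project). The function names VersionAffected, ConfigAffected and Affected are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"runtime"
)

// VersionAffected reports whether a runtime.Version() string falls in the
// advisory's range, Go 1.1 through 1.3.2. Development builds return false.
func VersionAffected(v string) bool {
	var major, minor, patch int
	// Sscanf returns the number of fields parsed: 2 for "go1.3" or
	// "go1.3rc1" (patch stays 0), 3 for "go1.3.2", 0 for "devel ...".
	if n, _ := fmt.Sscanf(v, "go%d.%d.%d", &major, &minor, &patch); n < 2 || major != 1 {
		return false
	}
	return minor == 1 || minor == 2 || (minor == 3 && patch <= 2)
}

// ConfigAffected reports the server configuration the advisory describes:
// client certificate authentication enabled in any mode, together with
// SessionTicketsDisabled explicitly set to true.
func ConfigAffected(cfg *tls.Config) bool {
	return cfg != nil && cfg.ClientAuth != tls.NoClientCert && cfg.SessionTicketsDisabled
}

// Affected is true only when both the toolchain version and the
// configuration match the advisory.
func Affected(goVersion string, cfg *tls.Config) bool {
	return VersionAffected(goVersion) && ConfigAffected(cfg)
}

func main() {
	cfg := &tls.Config{ // constructed sample server configuration
		ClientAuth:             tls.RequireAndVerifyClientCert,
		SessionTicketsDisabled: true,
	}
	fmt.Println("config matches advisory:", ConfigAffected(cfg))
	fmt.Println("running toolchain in range:", VersionAffected(runtime.Version()))
	fmt.Println("affected:", Affected(runtime.Version(), cfg))
}
```

A distribution build with the fix backported, such as the golang-1.1.2-3.1.mga4 package listed under SRPMS, may still report an in-range version string, so treat a version match as a prompt to check the installed package release.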
References
SRPMS
4/core
- golang-1.1.2-3.1.mga4