commit deac3221fc4cd365fb40d269dd56551e9d354356
Author: Dmitri Shuralyov
Date: 2020-01-27 16:36:40 -05:00
[release-branch.go1.12-security] go1.12.16
Change-Id: Iea658e285670a897a45eca3756004f050763c64d
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/649301
Reviewed-by: Katie Hockman <katiehockman@google.com>
commit e60fc07b54375c9dcc5d6e28c9376926c450fd57
Author: Katie Hockman
Date: 2020-01-27 14:11:04 -05:00
[release-branch.go1.12-security] doc: document Go 1.12.16
Change-Id: Ib8ac9bf5020d9ab126a8069378978d7dce3509dc
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/648870
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
commit 44bb3b4b5341f5bb373acb0b8130795f888c9ace
Author: Katie Hockman
Date: 2020-01-24 15:29:12 -05:00
[release-branch.go1.12-security] internal/x/crypto/cryptobyte: import security fix for 32-bit archs
cryptobyte: fix panic due to malformed ASN.1 inputs on 32-bit archs
When int is 32 bits wide (on 32-bit architectures like 386 and arm), an
overflow could occur, causing a panic, due to malformed ASN.1 being
passed to any of the ASN1 methods of String.
Tested on linux/386 and darwin/amd64.
This fixes CVE-2020-7919 and was found thanks to the Project Wycheproof
test vectors.
Change-Id: I8c9696a8bfad1b40ec877cd740dba3467d66ab54
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/645211
Reviewed-by: Katie Hockman <katiehockman@google.com>
Reviewed-by: Adam Langley <agl@google.com>
x/crypto/cryptobyte is used in crypto/x509 for parsing certificates.
Malformed certificates might cause a panic during parsing on 32-bit
architectures (like arm and 386).
Change-Id: I3c619af508bacff84023be4d5a7c4992c2f20a56
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/647483
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
commit a8b372fb365f4b69f0b06aa9c3e642e6aa022840
Author: Filippo Valsorda
Date: 2020-01-21 14:45:15 -05:00
[release-branch.go1.12-security] crypto/x509: mitigate CVE-2020-0601 verification bypass on Windows
An attacker can trick the Windows system verifier to use a poisoned set
of elliptic curve parameters for a trusted root, allowing it to generate
spoofed signatures. When this happens, the returned chain will present
the unmodified original root, so the actual signatures won't verify (as
they are invalid for the correct parameters). Simply double check them
as a safety measure and mitigation.
Windows users should still install the system security patch ASAP.
This is the same mitigation adopted by Chromium:
https://chromium-review.googlesource.com/c/chromium/src/+/1994434
Change-Id: I2c734f6fb2cb51d906c7fd77034318ffeeb3e146
Reviewed-on: https://go-review.googlesource.com/c/go/+/215905
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ryan Sleevi <sleevi@google.com>
Reviewed-by: Katie Hockman <katie@golang.org>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/647124
Reviewed-by: Filippo Valsorda <valsorda@google.com>
commit 694e20f4e08af7e7669c9652424d0df9b0b83f00
Author: Carlos Amedee
Date: 2020-01-09 11:24:31 -05:00
[release-branch.go1.12] go1.12.15
Change-Id: I6e47da51c3687ae9590554d003d803270f50911e
Reviewed-on: https://go-review.googlesource.com/c/go/+/214082
Run-TryBot: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Alexander Rakoczy <alex@golang.org>