Comparing changes: golang/go 694e20f...deac322

base repository: golang/go
base: 694e20f
head repository: golang/go
compare: deac322
  • 4 commits
  • 6 files changed
  • 3 contributors
Commits on Jan 24, 2020

  1. [release-branch.go1.12-security] crypto/x509: mitigate CVE-2020-0601 verification bypass on Windows
    
    An attacker can trick the Windows system verifier to use a poisoned set
    of elliptic curve parameters for a trusted root, allowing it to generate
    spoofed signatures. When this happens, the returned chain will present
    the unmodified original root, so the actual signatures won't verify (as
    they are invalid for the correct parameters). Simply double check them
    as a safety measure and mitigation.
    
    Windows users should still install the system security patch ASAP.
    
    This is the same mitigation adopted by Chromium:
    
    https://chromium-review.googlesource.com/c/chromium/src/+/1994434
    
    Change-Id: I2c734f6fb2cb51d906c7fd77034318ffeeb3e146
    Reviewed-on: https://go-review.googlesource.com/c/go/+/215905
    Run-TryBot: Filippo Valsorda <[email protected]>
    TryBot-Result: Gobot Gobot <[email protected]>
    Reviewed-by: Ryan Sleevi <[email protected]>
    Reviewed-by: Katie Hockman <[email protected]>
    Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/647124
    Reviewed-by: Filippo Valsorda <[email protected]>
    FiloSottile authored and katiehockman committed Jan 24, 2020
    Commit a8b372f
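The defensive re-check the commit message describes, as an added illustration in Go; this is not the crypto/x509 change itself. A chain is re-walked link by link with CheckSignatureFrom, and a constructed throwaway PKI (hypothetical names "Example Root CA" and "example.com", P-256 keys generated on the fly) shows why it works: a leaf signed under an impostor key that was presented alongside the genuine root fails, because the signature is checked against the genuine root's real public key rather than whatever the platform verifier was tricked into using.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// recheckChainSignatures re-verifies every link of a chain returned by a
// platform verifier: chain[i] must carry a valid signature from chain[i+1].
// If the platform trusted a root with substituted key parameters, the chain
// it hands back still holds the genuine root, so forged signatures fail here.
func recheckChainSignatures(chain []*x509.Certificate) error {
	if len(chain) == 0 {
		return fmt.Errorf("empty chain")
	}
	for i := 0; i < len(chain)-1; i++ {
		if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
			return fmt.Errorf("chain[%d] %q is not signed by chain[%d] %q: %w",
				i, chain[i].Subject.CommonName, i+1, chain[i+1].Subject.CommonName, err)
		}
	}
	return nil
}

// issue signs template on behalf of parent with signer and parses the result.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildChains constructs a throwaway PKI (example data, not real certificates)
// and returns a chain properly issued by the root and a chain whose leaf was
// signed by an attacker key but is presented together with the genuine root.
func buildChains() (good, spoofed []*x509.Certificate, err error) {
	keys := make([]*ecdsa.PrivateKey, 3) // root, attacker, leaf
	for i := range keys {
		if keys[i], err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return nil, nil, err
		}
	}
	rootKey, attackerKey, leafKey := keys[0], keys[1], keys[2]
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	// The attacker's "root": identical subject, different key. This stands in
	// for the poisoned parameters that fooled the platform verifier.
	impostor, err := issue(rootTmpl, rootTmpl, &attackerKey.PublicKey, attackerKey)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example.com"},
		DNSNames: []string{"example.com"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	goodLeaf, err := issue(leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	spoofedLeaf, err := issue(leafTmpl, impostor, &leafKey.PublicKey, attackerKey)
	if err != nil {
		return nil, nil, err
	}
	return []*x509.Certificate{goodLeaf, root}, []*x509.Certificate{spoofedLeaf, root}, nil
}

func main() {
	good, spoofed, err := buildChains()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine chain:", recheckChainSignatures(good))
	fmt.Println("spoofed chain:", recheckChainSignatures(spoofed))
}
```

The check is cheap (one signature verification per link) and is independent of how the platform built the chain, which is why it works as a mitigation without knowing the details of the platform bug; it does not replace the system patch, since it only catches forgeries whose signatures do not verify under the genuine root key.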

Commits on Jan 27, 2020

  1. [release-branch.go1.12-security] internal/x/crypto/cryptobyte: import security fix for 32-bit archs
    
        cryptobyte: fix panic due to malformed ASN.1 inputs on 32-bit archs
    
        When int is 32 bits wide (on 32-bit architectures like 386 and arm), an
        overflow could occur, causing a panic, due to malformed ASN.1 being
        passed to any of the ASN1 methods of String.
    
        Tested on linux/386 and darwin/amd64.
    
        This fixes CVE-2020-7919 and was found thanks to the Project Wycheproof
        test vectors.
    
        Change-Id: I8c9696a8bfad1b40ec877cd740dba3467d66ab54
        Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/645211
        Reviewed-by: Katie Hockman <[email protected]>
        Reviewed-by: Adam Langley <[email protected]>
    
    x/crypto/cryptobyte is used in crypto/x509 for parsing certificates.
    Malformed certificates might cause a panic during parsing on 32-bit
    architectures (like arm and 386).
    
    Change-Id: I3c619af508bacff84023be4d5a7c4992c2f20a56
    Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/647483
    Reviewed-by: Dmitri Shuralyov <[email protected]>
    katiehockman committed Jan 27, 2020
    Commit 44bb3b4
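The commit message describes a panic caused by integer overflow when a malformed ASN.1 length meets a 32-bit int. As an added illustration, not the cryptobyte code or its patch, here is a minimal DER tag-length reader written to be width-independent (the length is accumulated and bounds-checked in uint64 before any conversion to int), beside a function that models the wrapping int32 arithmetic on a constructed header claiming a 4 GiB length. ErrMalformed, readDERHeader and naiveAccepts32 are names chosen for this example; the byte strings are constructed inputs.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrMalformed is returned for any DER tag-length header this parser rejects.
var ErrMalformed = errors.New("malformed DER header")

// readDERHeader parses one DER tag-length prefix and returns the tag, the
// content bytes and the unparsed remainder. The length is accumulated in a
// uint64 and compared with the input in that width before it is narrowed to
// int, so the arithmetic cannot wrap even where int is 32 bits wide.
func readDERHeader(in []byte) (tag byte, content, rest []byte, err error) {
	if len(in) < 2 {
		return 0, nil, nil, ErrMalformed
	}
	tag = in[0]
	headerLen := 2
	var length uint64
	switch b := in[1]; {
	case b < 0x80:
		// Short form: the byte is the length itself.
		length = uint64(b)
	case b == 0x80 || b == 0xff:
		// 0x80 is BER's indefinite length and 0xff is reserved; neither is DER.
		return 0, nil, nil, ErrMalformed
	default:
		// Long form: the low 7 bits give the number of length bytes that follow.
		lenLen := int(b & 0x7f)
		if lenLen > 8 || len(in) < 2+lenLen {
			return 0, nil, nil, ErrMalformed
		}
		for _, c := range in[2 : 2+lenLen] {
			length = length<<8 | uint64(c)
		}
		// DER requires the minimal encoding: no leading zero byte, and the
		// long form only for lengths that do not fit the short form.
		if in[2] == 0 || length < 0x80 {
			return 0, nil, nil, ErrMalformed
		}
		headerLen += lenLen
	}
	// Compare in uint64 against what is actually left; only then narrow to int.
	if length > uint64(len(in)-headerLen) {
		return 0, nil, nil, ErrMalformed
	}
	end := headerLen + int(length)
	return tag, in[headerLen:end], in[end:], nil
}

// naiveAccepts32 models the unsafe pattern with a 32-bit int: header length
// and content length are added in int32 and the sum is compared with len(in).
// For a long-form length of 0xFFFFFFFF, int32(length) is -1, the sum is
// headerLen-1, the "fits" check passes, and a following in[headerLen:sum]
// slice would panic (low > high). The bug is kept on purpose for comparison.
func naiveAccepts32(in []byte) bool {
	if len(in) < 2 || in[1] < 0x80 {
		return false // only the long form is modelled here
	}
	lenLen := int(in[1] & 0x7f)
	if lenLen > 4 || len(in) < 2+lenLen {
		return false
	}
	var length uint32
	for _, c := range in[2 : 2+lenLen] {
		length = length<<8 | uint32(c)
	}
	total := int32(2+lenLen) + int32(length) // wraps for lengths >= 2^31
	return total <= int32(len(in))
}

func main() {
	// Constructed input: SEQUENCE claiming 0xFFFFFFFF content bytes, 5 present.
	huge := []byte{0x30, 0x84, 0xff, 0xff, 0xff, 0xff, 0, 0, 0, 0, 0}
	_, _, _, err := readDERHeader(huge)
	fmt.Println("width-independent parser:", err)
	fmt.Println("int32 model accepts:", naiveAccepts32(huge))
}
```

The general rule the example applies is to compare a declared length against the remaining input in an unsigned type at least as wide as the encoded value before doing any signed or platform-width arithmetic with it; rejecting non-minimal and indefinite lengths additionally removes the ambiguous encodings that DER forbids.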
  2. Commit e60fc07
  3. Commit deac322