CVE-2024-45341

Name: CVE-2024-45341
Description: A certificate with a URI which has an IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| golang-1.15 (PTS) | bullseye | 1.15.15-1~deb11u4 | vulnerable |
| golang-1.19 (PTS) | bookworm | 1.19.8-2 | vulnerable |
| golang-1.23 (PTS) | sid, trixie | 1.23.6-4 | fixed |
| golang-1.24 (PTS) | sid, trixie | 1.24.0-2 | fixed |

The information below is based on the following data on fixed versions.

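| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| golang-1.15 | source | (unstable) | (unfixed) | | | |
| golang-1.19 | source | (unstable) | (unfixed) | | | |
| golang-1.22 | source | (unstable) | 1.22.11-1 | | | |
| golang-1.23 | source | (unstable) | 1.23.5-1 | | | |
| golang-1.24 | source | (unstable) | 1.24~rc2-1 | | | |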

Notes

[bookworm] - golang-1.19 <no-dsa> (Minor issue)
[bullseye] - golang-1.15 <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
https://groups.google.com/g/golang-announce/c/sSaUhLA-2SI
https://go.dev/issue/71156
Fixed by: https://github.com/golang/go/commit/468fad45a27db0ec1fff4ae397d3670795b3f977 (go1.24rc2)
Fixed by: https://github.com/golang/go/commit/fdb8413fe588ec6dc31f1deaf43eb7202a76bb79 (go1.23.5)
Fixed by: https://github.com/golang/go/commit/19d21034157ba69d0f54318a9867d9b08730efcb (go1.22.11)
Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs
