{"id":"GO-2022-0171","summary":"Mishandled trust preferences for root certificates on Darwin in crypto/x509","details":"On Darwin, user's trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a connection using that root certificate.","aliases":["CVE-2017-1000097"],"modified":"2024-06-03T20:51:31Z","published":"2022-05-24T20:17:59Z","database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2022-0171"},"references":[{"type":"FIX","url":"https://go.googlesource.com/go/+/7e5b2e0ec144d5f5b2923a7d5db0b9143f79a35a"},{"type":"REPORT","url":"https://go.dev/issue/18141"},{"type":"WEB","url":"https://groups.google.com/g/golang-dev/c/4NdLzS8sls8/m/uIz8QlnIBQAJ"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.6.4"},{"introduced":"1.7.0-0"},{"fixed":"1.7.4"}]}],"ecosystem_specific":{"imports":[{"symbols":["FetchPEMRoots","execSecurityRoots"],"path":"crypto/x509","goos":["darwin"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2022-0171.json"}}],"schema_version":"1.7.3","credits":[{"name":"Xy Ziemba"}]}