CVE-2017-1000097
Mishandled trust preferences for root certificates on Darwin in crypto/x509
EPSS 0.18%
Description
On Darwin, the user's trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly marked as not trusted, a Go program would still verify a connection using that root certificate.
How to fix CVE-2017-1000097
To remediate CVE-2017-1000097, upgrade the affected package to a fixed version below.
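- Go/stdlib: upgrade to 1.6.4 or later (on the 1.7 line, 1.7.4 or later, since the affected ranges listed under "Affected packages" also cover >= 1.7.0-0, < 1.7.4)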
Is CVE-2017-1000097 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0 up to (but not including) 1.6.4; from 1.7.0-0 up to (but not including) 1.7.4