2019-01-24
Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks.
Products | Debian_linux, Go, Leap |
Type | Allocation of Resources Without Limits or Throttling (CWE-770) |
First patch | https://github.com/golang/go/commit/42b42f71cf8f5956c09e66230293dfb5db652360 |
Relevant file/s | ./src/crypto/elliptic/elliptic.go (modified, +2, -1) |
Links |
• https://github.com/golang/go/issues/29903
• http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00042.html
• https://lists.debian.org/debian-lts-announce/2019/02/msg00009.html
• http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html
• https://www.debian.org/security/2019/dsa-4380
• http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html
• https://www.debian.org/security/2019/dsa-4379
• http://www.securityfocus.com/bid/106740
• https://groups.google.com/forum/#%21topic/golang-announce/mVeX35iXuSw
• http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html
• https://github.com/google/wycheproof |