CVE-2018-16875: Input Validation
First published: Fri Dec 14 2018(Updated: )
The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Go (Golang) language by Google | <1.10.6 | |
| Go (Golang) language by Google | >=1.11.0<1.11.3 | |
| openSUSE | =42.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html
- http://www.securityfocus.com/bid/106230
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16875
- https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0
- https://security.gentoo.org/glsa/201812-09
- https://groups.google.com/forum/?pli=1#%21topic/golang-announce/Kw31K8G7Fi0
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/severity
- agent/weakness
- agent/last-modified-date
- agent/references
- agent/event
- agent/first-publish-date
- agent/description
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/golang
- canonical/go (golang) language by google
- version/go (golang) language by google/1.11.0
- vendor/opensuse
- canonical/opensuse
- version/opensuse/42.3