Go's crypto libraries passed certain parameters unchecked to math/big.Int.Exp (https://golang.org/pkg/math/big/#Int.Exp), possibly leading to extremely long-running computations, which in turn makes Go programs vulnerable to remote denial of service attacks. Programs using HTTPS client certificates (a non-zero tls.Config.ClientAuth value of https://golang.org/pkg/crypto/tls/#ClientAuthType) or the Go SSH server libraries are both exposed to this vulnerability.
This is CVE-2016-3959 and was addressed by https://golang.org/cl/21533 for crypto/dsa (the reported problem) and https://golang.org/cl/21560 (similar change to crypto/rsa and crypto/ecdsa, despite no known path to make those go into the slow path).
Thanks to David Wong for identifying this issue.
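An added example, not part of the original issue or the Go project's patch: a pre-verification check that keeps untrusted DSA public-key parameters away from `big.Int.Exp` unless they are positive, in range and of a standard size. `ValidateDSAPublicKey`, `constructedKey` and the size table are names chosen for this example; it assumes the slow path involves the documented `Exp` behaviour of skipping modular reduction when the modulus is zero.

```go
package main

import (
	"crypto/dsa"
	"errors"
	"fmt"
	"math/big"
)

// Sizes (bits of P, bits of Q) that crypto/dsa can generate (FIPS 186-3).
var allowedSizes = map[[2]int]bool{
	{1024, 160}: true, {2048, 224}: true, {2048, 256}: true, {3072, 256}: true,
}

// ValidateDSAPublicKey (hypothetical helper, not a crypto/dsa API) rejects
// untrusted parameters before they are used as big.Int.Exp operands.
func ValidateDSAPublicKey(pub *dsa.PublicKey) error {
	if pub == nil || pub.P == nil || pub.Q == nil || pub.G == nil || pub.Y == nil {
		return errors.New("dsa: missing parameter")
	}
	// math/big: Exp with a zero modulus computes x**y without reduction,
	// so a zero P or Q must never reach it.
	if pub.P.Sign() <= 0 || pub.Q.Sign() <= 0 {
		return errors.New("dsa: modulus is not positive")
	}
	if size := [2]int{pub.P.BitLen(), pub.Q.BitLen()}; !allowedSizes[size] {
		return fmt.Errorf("dsa: unsupported parameter size %v", size)
	}
	one := big.NewInt(1)
	for _, v := range []*big.Int{pub.G, pub.Y} {
		if v.Cmp(one) <= 0 || v.Cmp(pub.P) >= 0 { // require 1 < v < P
			return errors.New("dsa: G or Y out of range")
		}
	}
	return nil
}

// constructedKey builds a key whose P and Q have the given bit lengths (0 gives
// zero). The values are constructed for this example, not real DSA primes.
func constructedKey(pBits, qBits uint, g, y int64) *dsa.PublicKey {
	mk := func(bits uint) *big.Int { x := big.NewInt(1); return x.Rsh(x.Lsh(x, bits), 1) }
	params := dsa.Parameters{P: mk(pBits), Q: mk(qBits), G: big.NewInt(g)}
	return &dsa.PublicKey{Parameters: params, Y: big.NewInt(y)}
}

func main() {
	fmt.Println(ValidateDSAPublicKey(constructedKey(0, 160, 2, 3)))    // rejected: zero P
	fmt.Println(ValidateDSAPublicKey(constructedKey(1024, 160, 2, 3))) // accepted
}
```

The check covers parameter shape only; it does not test primality or that G generates the order-Q subgroup.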