ArchLinux: 201901-11: go: private key recovery

    Date: 27 Jan 2019
    Category: ArchLinux
    Posted By: Anthony Pell
    The package go before version 2:1.11.5-1 is vulnerable to private key recovery.
    Arch Linux Security Advisory ASA-201901-11
    ==========================================
    
    Severity: Medium
    Date    : 2019-01-24
    CVE-ID  : CVE-2019-6486
    Package : go
    Type    : private key recovery
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-859
    
    Summary
    =======
    
    The package go before version 2:1.11.5-1 is vulnerable to private key
    recovery.
    
    Resolution
    ==========
    
    Upgrade to 2:1.11.5-1.
    
    # pacman -Syu "go>=2:1.11.5-1"
    
    The problem has been fixed upstream in version 1.11.5.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    Go before versions 1.10.8 and 1.11.5 has a vulnerability in the
    crypto/elliptic implementations of the P-521 and P-384 elliptic curves.
    A remote attacker can exploit this by crafting inputs that consume
    excessive amounts of CPU. These inputs might be delivered via TLS
    handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA
    signatures. In some cases, if an ECDH private key is reused more than
    once, the attack can also lead to key recovery.
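    Two things a practitioner would want to check after reading this description: whether a given toolchain falls under "before 1.10.8 and 1.11.5", and that ECDH code never reuses a private scalar across exchanges while validating peer shares before use. The following Go program is an added example written for this page; it is not part of the advisory or of the Go project's fix. The version-range logic follows the advisory's wording, the fixed-version table and the function names are this example's own, and the point validation is general input hygiene for untrusted shares, not a substitute for the upgrade.

```go
package main

import (
	"crypto/elliptic"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"runtime"
	"strconv"
	"strings"
)

// fixedVersions maps a 1.x minor series to its first fixed patch release,
// as stated in the advisory: 1.10.8 and 1.11.5. (Table constructed here.)
var fixedVersions = map[int]int{10: 8, 11: 5}

// parseGoVersion parses runtime.Version() style strings ("go1.11.4", "go1.12").
// Development and pre-release builds ("devel +abc", "go1.12beta1") return an
// error so the caller does not silently classify them as safe.
func parseGoVersion(v string) (major, minor, patch int, err error) {
	v = strings.TrimPrefix(v, "go")
	parts := strings.Split(v, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return 0, 0, 0, fmt.Errorf("unrecognised Go version %q", v)
	}
	nums := make([]int, 3) // missing patch component defaults to 0
	for i, p := range parts {
		n, convErr := strconv.Atoi(p)
		if convErr != nil {
			return 0, 0, 0, fmt.Errorf("unrecognised Go version %q", v)
		}
		nums[i] = n
	}
	return nums[0], nums[1], nums[2], nil
}

// IsAffectedGoVersion reports whether a toolchain version is covered by the
// advisory's "Go before versions 1.10.8 and 1.11.5".
func IsAffectedGoVersion(v string) (bool, error) {
	major, minor, patch, err := parseGoVersion(v)
	if err != nil {
		return false, err
	}
	if major != 1 {
		return false, nil
	}
	switch {
	case minor < 10:
		return true, nil // older than the oldest fixed series
	case minor >= 12:
		return false, nil // released after the fix
	default:
		return patch < fixedVersions[minor], nil
	}
}

// ErrInvalidPoint is returned for peer public keys that fail validation.
var ErrInvalidPoint = errors.New("peer public key is not a valid reduced point on the curve")

// ValidatePeerPoint decodes an uncompressed SEC1 point and rejects it unless
// it is on the curve with both coordinates reduced modulo the field prime.
// This is hygiene for untrusted ECDH shares, not a fix for the CVE itself.
func ValidatePeerPoint(curve elliptic.Curve, encoded []byte) (x, y *big.Int, err error) {
	x, y = elliptic.Unmarshal(curve, encoded) // nil, nil if malformed or off-curve
	if x == nil {
		return nil, nil, ErrInvalidPoint
	}
	p := curve.Params().P
	if x.Sign() < 0 || y.Sign() < 0 || x.Cmp(p) >= 0 || y.Cmp(p) >= 0 {
		return nil, nil, ErrInvalidPoint
	}
	return x, y, nil
}

// EphemeralECDH runs one key agreement with a fresh private scalar on each
// side and reports whether both parties derive the same shared point. A new
// scalar per exchange avoids the "private key is reused" condition the
// advisory names for key recovery.
func EphemeralECDH(curve elliptic.Curve) (agree bool, err error) {
	aPriv, ax, ay, err := elliptic.GenerateKey(curve, rand.Reader)
	if err != nil {
		return false, err
	}
	bPriv, bx, by, err := elliptic.GenerateKey(curve, rand.Reader)
	if err != nil {
		return false, err
	}
	// Each side validates the other's share before combining it with its scalar.
	bxv, byv, err := ValidatePeerPoint(curve, elliptic.Marshal(curve, bx, by))
	if err != nil {
		return false, err
	}
	axv, ayv, err := ValidatePeerPoint(curve, elliptic.Marshal(curve, ax, ay))
	if err != nil {
		return false, err
	}
	sa, _ := curve.ScalarMult(bxv, byv, aPriv)
	sb, _ := curve.ScalarMult(axv, ayv, bPriv)
	return sa.Cmp(sb) == 0, nil
}

func main() {
	v := runtime.Version()
	if affected, err := IsAffectedGoVersion(v); err != nil {
		fmt.Println("cannot classify toolchain:", err)
	} else {
		fmt.Printf("toolchain %s affected by CVE-2019-6486: %v\n", v, affected)
	}
	for _, c := range []elliptic.Curve{elliptic.P384(), elliptic.P521()} {
		ok, err := EphemeralECDH(c)
		fmt.Printf("%s ephemeral ECDH agreed: %v (err=%v)\n", c.Params().Name, ok, err)
	}
}
```

    The version check is deliberately strict: anything it cannot parse is reported as unknown rather than as fixed, which is the safer failure mode when the output feeds a fleet inventory.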
    
    Impact
    ======
    
    A remote attacker can crash the system with maliciously crafted input,
    or recover the private key.
    
    References
    ==========
    
    https://groups.google.com/forum/m/#!topic/golang-announce/mVeX35iXuSw
    https://github.com/golang/go/issues/29903
    https://github.com/golang/go/commit/42b42f71
    https://security.archlinux.org/CVE-2019-6486
    