Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2018-16875

Опубликовано: 14 дек. 2018
Источник: debian

Описание

The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
golang-1.11fixed1.11.3-1package
golang-1.10fixed1.10.6-1package
golang-1.8removedpackage
golang-1.8ignoredstretchpackage
golang-1.7removedpackage
golang-1.7ignoredstretchpackage

Примечания

  • https://github.com/golang/go/issues/29233

  • https://github.com/golang/go/commit/df523969435b8945d939c7e2a849b50910ef4c25 (1.11.3)

  • https://github.com/golang/go/commit/0a4a37f1f0a36e55d8ae5c34210a79499f9f2a9d (1.10.6)

Связанные уязвимости

ubuntu логотип

CVE-2018-16875

CVSS3: 5.9
ubuntu
около 7 лет назад

The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.

redhat логотип

CVE-2018-16875

CVSS3: 7.5
redhat
около 7 лет назад

The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.

nvd логотип

CVE-2018-16875

CVSS3: 5.9
nvd
около 7 лет назад

The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.

github логотип

GHSA-8gx8-4ch8-vgp8

CVSS3: 7.5
github
больше 3 лет назад

The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.

fstec логотип

BDU:2020-01889

CVSS3: 7.5
fstec
около 7 лет назад

Уязвимость пакета crypto/x509 языка программирования Go, позволяющая нарушителю вызвать отказ в обслуживании