x/vulndb: add GO-2022-0166 for CVE-2016-3959
Fixes golang/vulndb#166
Change-Id: I25ae0c999d76722ad93586cc633c086d61ea379f
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/408274
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/reports/GO-2022-0166.yaml b/reports/GO-2022-0166.yaml
new file mode 100644
index 0000000..7d3a8f0
--- /dev/null
+++ b/reports/GO-2022-0166.yaml
@@ -0,0 +1,24 @@
+packages:
+ - module: std
+ package: crypto/dsa
+ symbols:
+ - Verify
+ versions:
+ - fixed: 1.5.4
+ - introduced: 1.6.0
+ fixed: 1.6.1
+description: |
+ The Verify function in crypto/dsa passed certain parameters unchecked to
+ the underlying big integer library, possibly leading to extremely
+ long-running computations, which in turn makes Go programs vulnerable to
+ remote denial of service attacks. Programs using HTTPS client certificates
+ or the Go SSH server libraries are both exposed to this vulnerability.
+cves:
+ - CVE-2016-3959
+credit: David Wong
+links:
+ pr: https://go.dev/cl/21533
+ commit: https://go.googlesource.com/go/+/eb876dd83cb8413335d64e50aae5d38337d1ebb4
+ context:
+ - https://go.dev/issue/15184
+ - https://groups.google.com/g/golang-announce/c/9eqIHqaWvck
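Review bot: The last sentence of the description ("Programs using HTTPS client certificates or the Go SSH server libraries are both exposed") does not make clear which side is at risk. It pairs "or" with "both", and it does not say whether the affected program is the one presenting the client certificate or the one verifying it. Since the only symbol listed is Verify and the impact is described as remote denial of service, the exposed party is the program that calls Verify on input from a remote peer. Consider wording such as "Programs that verify HTTPS client certificates, or that use the Go SSH server libraries, are exposed." It would also help triage to replace "certain parameters" with the specific parameters that were passed unchecked, taken from the linked commit.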