data/reports/GO-2022-0191.yaml - vulndb - Git at Google

 modules:
   - module: std
     versions:
       - fixed: 1.10.6
       - introduced: 1.11.0
         fixed: 1.11.3
     vulnerable_at: 1.11.2
     packages:
       - package: crypto/x509
         symbols:
           - CertPool.findVerifiedParents
           - Certificate.buildChains
 description: |
     The crypto/x509 package does not limit the amount of work
     performed for each chain verification, which might allow attackers
     to craft pathological inputs leading to a CPU denial of service.
     Go TLS servers accepting client certificates and TLS clients
     verifying certificates are affected.
 published: 2022-07-15T23:03:26Z
 cves:
   - CVE-2018-16875
 credit: Netflix
 references:
   - fix: https://go.dev/cl/154105
   - fix: https://go.googlesource.com/go/+/770130659b6fb2acf271476579a3644e093dda7f
   - report: https://go.dev/issue/29233
   - web: https://groups.google.com/g/golang-announce/c/Kw31K8G7Fi0
	modules:
	- module: std
	versions:
	- fixed: 1.10.6
	- introduced: 1.11.0
	fixed: 1.11.3
	vulnerable_at: 1.11.2
	packages:
	- package: crypto/x509
	symbols:
	- CertPool.findVerifiedParents
	- Certificate.buildChains
	description: \|
	The crypto/x509 package does not limit the amount of work
	performed for each chain verification, which might allow attackers
	to craft pathological inputs leading to a CPU denial of service.
	Go TLS servers accepting client certificates and TLS clients
	verifying certificates are affected.
	published: 2022-07-15T23:03:26Z
	cves:
	- CVE-2018-16875
	credit: Netflix
	references:
	- fix: https://go.dev/cl/154105
	- fix: https://go.googlesource.com/go/+/770130659b6fb2acf271476579a3644e093dda7f
	- report: https://go.dev/issue/29233
	- web: https://groups.google.com/g/golang-announce/c/Kw31K8G7Fi0