blob: 291bfae0190b6752abcde37cae6b5bfe12c24983 [file] [log] [blame]
{
"schema_version": "1.3.1",
"id": "GO-2022-0166",
"modified": "0001-01-01T00:00:00Z",
"published": "2022-05-24T22:06:33Z",
"aliases": [
"CVE-2016-3959"
],
"summary": "Denial of service due to unchecked parameters in crypto/dsa",
"details": "The Verify function in crypto/dsa passed certain parameters unchecked to the underlying big integer library, possibly leading to extremely long-running computations, which in turn makes Go programs vulnerable to remote denial of service attacks. Programs using HTTPS client certificates or the Go SSH server libraries are both exposed to this vulnerability.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.4"
},
{
"introduced": "1.6.0-0"
},
{
"fixed": "1.6.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "crypto/dsa",
"symbols": [
"Verify"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/21533"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/eb876dd83cb8413335d64e50aae5d38337d1ebb4"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/15184"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/9eqIHqaWvck"
}
],
"credits": [
{
"name": "David Wong"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0166",
"review_status": "REVIEWED"
}
}