blob: c62513219daabd82f7fbf514d0c8547a1d4f59b9 [file] [log] [blame]
id: GO-2022-0166
modules:
- module: std
versions:
- fixed: 1.5.4
- introduced: 1.6.0-0
- fixed: 1.6.1
vulnerable_at: 1.6.0
packages:
- package: crypto/dsa
symbols:
- Verify
skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)'
summary: Denial of service due to unchecked parameters in crypto/dsa
description: |-
The Verify function in crypto/dsa passed certain parameters unchecked to the
underlying big integer library, possibly leading to extremely long-running
computations, which in turn makes Go programs vulnerable to remote denial of
service attacks. Programs using HTTPS client certificates or the Go SSH server
libraries are both exposed to this vulnerability.
published: 2022-05-24T22:06:33Z
cves:
- CVE-2016-3959
credits:
- David Wong
references:
- fix: https://go.dev/cl/21533
- fix: https://go.googlesource.com/go/+/eb876dd83cb8413335d64e50aae5d38337d1ebb4
- report: https://go.dev/issue/15184
- web: https://groups.google.com/g/golang-announce/c/9eqIHqaWvck
review_status: REVIEWED