CVE-2018-16875

NameCVE-2018-16875
DescriptionThe crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-1.10source(unstable)1.10.6-1
golang-1.11source(unstable)1.11.3-1
golang-1.7source(unstable)(unfixed)
golang-1.8source(unstable)(unfixed)

Notes

[stretch] - golang-1.8 <ignored> (Minor issue, DoS, requires rebuilding affected go-based packages)
[stretch] - golang-1.7 <ignored> (Minor issue, DoS, requires rebuilding affected go-based packages)
https://github.com/golang/go/issues/29233
https://github.com/golang/go/commit/df523969435b8945d939c7e2a849b50910ef4c25 (1.11.3)
https://github.com/golang/go/commit/0a4a37f1f0a36e55d8ae5c34210a79499f9f2a9d (1.10.6)
Search for package or bug name: Reporting problems