CVE-2018-16875

NameCVE-2018-16875
DescriptionThe crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang-1.11 (PTS)buster, buster (security)1.11.6-1+deb10u4fixed
golang-1.7 (PTS)stretch1.7.4-2+deb9u1vulnerable
stretch (security)1.7.4-2+deb9u3vulnerable
golang-1.8 (PTS)stretch1.8.1-1+deb9u1vulnerable
stretch (security)1.8.1-1+deb9u3vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-1.10source(unstable)1.10.6-1
golang-1.11source(unstable)1.11.3-1
golang-1.7source(unstable)(unfixed)
golang-1.8source(unstable)(unfixed)

Notes

[stretch] - golang-1.8 <ignored> (Minor issue, DoS, requires rebuilding affected go-based packages)
[stretch] - golang-1.7 <ignored> (Minor issue, DoS, requires rebuilding affected go-based packages)
https://github.com/golang/go/issues/29233
https://github.com/golang/go/commit/df523969435b8945d939c7e2a849b50910ef4c25 (1.11.3)
https://github.com/golang/go/commit/0a4a37f1f0a36e55d8ae5c34210a79499f9f2a9d (1.10.6)

Search for package or bug name: Reporting problems