CVE-2018-16875
14.12.2018, 14:29
The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.Enginsight
| Vendor | Product | Version |
|---|---|---|
| golang | go | 𝑥 < 1.10.6 |
| golang | go | 1.11.0 ≤ 𝑥 < 1.11.3 |
| opensuse | leap | 42.3 |
𝑥
= Vulnerable software versions
Ubuntu Releases
Ubuntu Product | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| golang |
| ||||||||||||||||||||||||||||||
| golang-1.10 |
| ||||||||||||||||||||||||||||||
| golang-1.11 |
| ||||||||||||||||||||||||||||||
| golang-1.6 |
| ||||||||||||||||||||||||||||||
| golang-1.7 |
| ||||||||||||||||||||||||||||||
| golang-1.8 |
| ||||||||||||||||||||||||||||||
| golang-1.9 |
|
Common Weakness Enumeration
- CWE-20 - Improper Input ValidationThe product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
- CWE-295 - Improper Certificate ValidationThe software does not validate, or incorrectly validates, a certificate.
References