[3.3] go: security issues (CVE-2016-3958, CVE-2016-3959)
On Windows, Go loads system DLLs by name with LoadLibrary, making it
vulnerable to DLL preloading attacks. For instance,
if a user runs a Go executable from a Downloads folder, malicious DLL
files also downloaded to that folder could be loaded into that
executable.
This is CVE-2016-3958 and was addressed by this change:
https://golang.org/cl/21428
Go’s crypto libraries passed certain parameters unchecked to the
underlying big integer library, possibly leading to extremely
long-running computations,
which in turn makes Go programs vulnerable to remote denial of service
attacks. Programs using HTTPS client certificates or the Go SSH server
libraries are both exposed to this vulnerability.
This is CVE-2016-3959 and was addressed by this change:
https://golang.org/cl/21533
References:
http://www.openwall.com/lists/oss-security/2016/04/05/2
https://groups.google.com/forum/\#!topic/golang-announce/9eqIHqaWvck
(from redmine: issue id 5434, created on 2016-04-18, closed on 2016-04-27)
- Relations:
- parent #5433 (closed)
- Changesets:
- Revision d4025e60 by Natanael Copa on 2016-04-26T17:36:52Z:
community/go: security upgrade to 1.5.4 (CVE-2016-3958,CVE-2016-3959)
fixes #5434