Skip to content

GitLab

  • Projects
  • Groups
  • Snippets
  • Help
    • Loading...
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in / Register
aports
aports
  • Project overview
    • Project overview
    • Details
    • Activity
    • Releases
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
  • Issues 649
    • Issues 649
    • List
    • Boards
    • Labels
    • Service Desk
    • Milestones
  • Merge Requests 207
    • Merge Requests 207
  • CI / CD
    • CI / CD
    • Pipelines
    • Jobs
    • Schedules
  • Operations
    • Operations
    • Incidents
    • Environments
  • Analytics
    • Analytics
    • CI / CD
    • Repository
    • Value Stream
  • Members
    • Members
  • Collapse sidebar
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
  • alpine
  • aportsaports
  • Issues
  • #9937

Closed
Open
Opened Jan 29, 2019 by Alicha CH@alichaReporter

[3.9] go: crypto/elliptic implementations of P-521 and P-384 elliptic curves allow for denial of service (CVE-2019-6486)

Go before versions 1.10.8 and 1.11.5 has a vulnerability in the
crypto/elliptic implementations of the P-521 and P-384 elliptic curves.
A remote attacker can exploit this by crafting inputs that consume
excessive amounts of CPU. These inputs might be delivered via TLS
handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA
signatures. In some cases, if an ECDH private key is reused more than
once, the attack can also lead to key recovery.

Fixed In Version:

golang 1.10.8, golang 1.11.5

References:

https://groups.google.com/forum/m/\#!topic/golang-announce/mVeX35iXuSw
https://github.com/golang/go/issues/29903

Patch:

https://github.com/golang/go/commit/42b42f71

(from redmine: issue id 9937, created on 2019-01-29, closed on 2019-02-14)

  • Relations:
    • parent #9936 (closed)
  • Changesets:
    • Revision d37614ce by Natanael Copa on 2019-01-29T16:31:53Z:
community/go: security upgrade to 1.11.5 (CVE-2019-6486)

fixes #9937
To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information
Assignee
Assign to
3.9.1
Milestone
3.9.1 (Past due)
Assign milestone
Time tracking
Jan 29, 2019
Due date
Jan 29, 2019
Reference: alpine/aports#9937