CVE-2018-16875

CVE-2018-16875

Name

CVE-2018-16875

Description

The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Third Party Advisory	https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0
Issue Tracking	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16875
Third Party Advisory	http://www.securityfocus.com/bid/106230
Mitigation	https://security.gentoo.org/glsa/201812-09
Third Party Advisory	http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html
SUSE	http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html
SUSE	http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html
SUSE	http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html
SUSE	http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html

Type

URI

Third Party Advisory

https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0

Issue Tracking

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16875

Third Party Advisory

http://www.securityfocus.com/bid/106230

Mitigation

https://security.gentoo.org/glsa/201812-09

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html