ASA-201901-10 log generated external raw
[ASA-201901-10] go-pie: private key recovery |
---|
Arch Linux Security Advisory ASA-201901-10
==========================================
Severity: Medium
Date : 2019-01-24
CVE-ID : CVE-2019-6486
Package : go-pie
Type : private key recovery
Remote : Yes
Link : https://security.archlinux.org/AVG-859
Summary
=======
The package go-pie before version 2:1.11.5-1 is vulnerable to private
key recovery.
Resolution
==========
Upgrade to 2:1.11.5-1.
# pacman -Syu "go-pie>=2:1.11.5-1"
The problem has been fixed upstream in version 1.11.5.
Workaround
==========
None.
Description
===========
Go before versions 1.10.8 and 1.11.5 has a vulnerability in the
crypto/elliptic implementations of the P-521 and P-384 elliptic curves.
A remote attacker can exploit this by crafting inputs that consume
excessive amounts of CPU. These inputs might be delivered via TLS
handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA
signatures. In some cases, if an ECDH private key is reused more than
once, the attack can also lead to key recovery.
Impact
======
A remote attacker can crash the system with maliciously crafted input,
or recover the private key.
References
==========
https://groups.google.com/forum/m/#!topic/golang-announce/mVeX35iXuSw
https://github.com/golang/go/issues/29903
https://github.com/golang/go/commit/42b42f71
https://security.archlinux.org/CVE-2019-6486
|