Subject: [ASA-201901-11] go: private key recovery Arch Linux Security Advisory ASA-201901-11 ========================================== Severity: Medium Date : 2019-01-24 CVE-ID : CVE-2019-6486 Package : go Type : private key recovery Remote : Yes Link : https://security.archlinux.org/AVG-859 Summary ======= The package go before version 2:1.11.5-1 is vulnerable to private key recovery. Resolution ========== Upgrade to 2:1.11.5-1. # pacman -Syu "go>=2:1.11.5-1" The problem has been fixed upstream in version 1.11.5. Workaround ========== None. Description =========== Go before versions 1.10.8 and 1.11.5 has a vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves. A remote attacker can exploit this by crafting inputs that consume excessive amounts of CPU. These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery. Impact ====== A remote attacker can crash the system with maliciously crafted input, or recover the private key. References ========== https://groups.google.com/forum/m/#!topic/golang-announce/mVeX35iXuSw https://github.com/golang/go/issues/29903 https://github.com/golang/go/commit/42b42f71 https://security.archlinux.org/CVE-2019-6486