CVE-2018-16875

Severity: Medium
Remote: Yes
Type: Denial of service
Description
The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.
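An added example, not part of this tracker entry or of the Go project's code: a check of a Go toolchain version string (as returned by `runtime.Version()`) against the affected ranges stated in the description. The function name `Affected` and the decision to reject non-release strings such as development or release-candidate builds are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"runtime"
	"strconv"
)

// releaseRE matches final release strings such as "go1.10" or "go1.11.2".
// Development and rc/beta builds do not match and are reported as errors.
var releaseRE = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?$`)

// Affected (hypothetical helper) reports whether a Go release falls in the
// ranges the description lists: before 1.10.6, or 1.11.x before 1.11.3.
func Affected(v string) (bool, error) {
	m := releaseRE.FindStringSubmatch(v)
	if m == nil {
		return false, fmt.Errorf("not a final release version: %q", v)
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch := 0 // "go1.11" is the .0 release of that series
	if m[3] != "" {
		patch, _ = strconv.Atoi(m[3])
	}
	switch {
	case major != 1:
		return major < 1, nil
	case minor < 10:
		return true, nil // every series older than 1.10 predates the fix
	case minor == 10:
		return patch < 6, nil
	case minor == 11:
		return patch < 3, nil
	default:
		return false, nil // 1.12 and later
	}
}

func main() {
	// Checks the toolchain this program itself was built with.
	bad, err := Affected(runtime.Version())
	fmt.Println(runtime.Version(), "affected:", bad, "error:", err)
}
```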
Group    Package     Affected    Fixed       Severity  Status  Ticket
AVG-835  go, go-pie  2:1.11.2-2  2:1.11.3-1  High      Fixed

Date         Advisory      Group    Package  Severity  Type
18 Dec 2018  ASA-201812-12 AVG-835  go-pie   High      multiple issues
18 Dec 2018  ASA-201812-11 AVG-835  go       High      multiple issues
References
https://github.com/golang/go/issues/29233
https://github.com/golang/go/commit/df523969435b8945d939c7e2a849b50910ef4c25