CVE-2019-6486 log

Source
Severity Medium
Remote Yes
Type Private key recovery
Description
Go before versions 1.10.8 and 1.11.5 has a vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves. A remote attacker can exploit this by crafting inputs that consume excessive amounts of CPU. These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.
Group Package Affected Fixed Severity Status Ticket
AVG-859 go, go-pie 2:1.11.4-1 2:1.11.5-1 Medium Fixed
Date Advisory Group Package Severity Description
24 Jan 2019 ASA-201901-11 AVG-859 go Medium private key recovery
24 Jan 2019 ASA-201901-10 AVG-859 go-pie Medium private key recovery
References
https://groups.google.com/forum/m/#!topic/golang-announce/mVeX35iXuSw
https://github.com/golang/go/issues/29903
https://github.com/golang/go/commit/42b42f71