CVE-2021-3114 log

Source
Severity Low
Remote No
Type Incorrect calculation
Description
A security issue was found in Go and fixed in versions 1.15.7 and 1.14.14. The P224() Curve implementation can in rare circumstances generate incorrect outputs, including returning invalid points from ScalarMult. The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages support P-224 ECDSA keys, but they are not supported by publicly trusted certificate authorities. No other standard library or golang.org/x/crypto package supports or uses the P-224 curve.
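An added example (not code from the Go project or from this tracker) of a caller-side guard for code that must use P-224: it verifies with IsOnCurve that every point returned by ScalarMult is on the curve, and it exercises that guard with ECDH-style exchanges. The names checkedScalarMult and selfTestP224 are chosen for this example. Because the description says the incorrect outputs are rare, a passing run does not show that a toolchain is unaffected; upgrading to a fixed version remains the fix.

```go
package main

import (
	"crypto/elliptic"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// checkedScalarMult (a name chosen for this example) multiplies (x, y) by the
// big-endian scalar k and turns an off-curve result into an error.
func checkedScalarMult(c elliptic.Curve, x, y *big.Int, k []byte) (*big.Int, *big.Int, error) {
	rx, ry := c.ScalarMult(x, y, k)
	if !c.IsOnCurve(rx, ry) {
		return nil, nil, errors.New("ScalarMult returned a point that is not on the curve")
	}
	return rx, ry, nil
}

// selfTestP224 runs ECDH-style exchanges with random 224-bit scalars and returns
// the first inconsistency: an off-curve point, or a*(b*G) differing from b*(a*G).
func selfTestP224(rounds int) error {
	c := elliptic.P224()
	g := c.Params()
	buf := make([]byte, 56) // two 28-byte scalars per round
	for i := 0; i < rounds; i++ {
		if _, err := rand.Read(buf); err != nil {
			return err
		}
		a, b := buf[:28], buf[28:]
		ax, ay, errA := checkedScalarMult(c, g.Gx, g.Gy, a)
		bx, by, errB := checkedScalarMult(c, g.Gx, g.Gy, b)
		if errA != nil || errB != nil {
			return fmt.Errorf("round %d: public point off curve", i)
		}
		sx, sy, errS := checkedScalarMult(c, bx, by, a)
		tx, ty, errT := checkedScalarMult(c, ax, ay, b)
		if errS != nil || errT != nil || sx.Cmp(tx) != 0 || sy.Cmp(ty) != 0 {
			return fmt.Errorf("round %d: shared points off curve or unequal", i)
		}
	}
	return nil
}

func main() {
	fmt.Println("P-224 self-test:", selfTestP224(256))
}
```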
Group     Package  Affected    Fixed       Severity  Status  Ticket
AVG-1481  go       2:1.15.6-1  2:1.15.7-1  Medium    Fixed
Date         Advisory       Group     Package  Severity  Type
20 Jan 2021  ASA-202101-27  AVG-1481  go       Medium    multiple issues
References
https://groups.google.com/g/golang-announce/c/mperVMGa98w/m/yo5W5wnvAAAJ
https://github.com/golang/go/issues/43788
https://github.com/golang/go/commit/5c8fd727c41e31273923c32b33d4f25855f4e123