Vulnerability CVE-2019-6486: Information
Description
Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks.
Severity: HIGH (8.2) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
|---|---|---|---|---|---|---|
| golang | sisyphus | 1.11-alt1 | 1.22.4-alt1 | ALT-PU-2018-2289-1 | 212745 | Fixed |
| golang | p10 | 1.11-alt1 | 1.21.11-alt1 | ALT-PU-2018-2289-1 | 212745 | Fixed |
| golang | p9 | 1.11-alt1 | 1.15.15-alt1 | ALT-PU-2018-2289-1 | 212745 | Fixed |
| golang | p8 | 1.10.8-alt1 | 1.12.17-alt1 | ALT-PU-2019-1152-1 | 219621 | Fixed |
| golang | c10f1 | 1.11-alt1 | 1.21.10-alt1 | ALT-PU-2018-2289-1 | 212745 | Fixed |
| golang | c9f2 | 1.11-alt1 | 1.20.13-alt1 | ALT-PU-2018-2289-1 | 212745 | Fixed |
| golang | p11 | 1.11-alt1 | 1.22.4-alt1 | ALT-PU-2018-2289-1 | 212745 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
|---|---|
| https://github.com/golang/go/issues/29903 |
|
| https://github.com/golang/go/commit/42b42f71cf8f5956c09e66230293dfb5db652360 |
|
| 106740 |
|
| DSA-4380 |
|
| DSA-4379 |
|
| [debian-lts-announce] 20190206 [SECURITY] [DLA 1664-1] golang security update |
|
| https://github.com/google/wycheproof |
|
| openSUSE-SU-2019:1164 |
|
| openSUSE-SU-2019:1444 | |
| openSUSE-SU-2019:1499 | |
| openSUSE-SU-2019:1506 | |
| https://groups.google.com/forum/#%21topic/golang-announce/mVeX35iXuSw |