Fluid Attacks Database

Description

Denial of service due to unchecked parameters in crypto/dsa The Verify function in crypto/dsa passed certain parameters unchecked to the underlying big integer library, possibly leading to extremely long-running computations, which in turn makes Go programs vulnerable to remote denial of service attacks. Programs using HTTPS client certificates or the Go SSH server libraries are both exposed to this vulnerability.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	stdlib	>=0 <1.5.4	1.5.4
rpm rhel7	golang	<0:1.6.3-1.el7_2.1	0:1.6.3-1.el7_2.1

Aliases

1. CVE-2016-39592. NVD-2016-39593. OSV-GO-2022-01664. OSV-2016-39595. GCVE-2016-3959

References

1. https://go.dev/cl/215332. https://go.googlesource.com/go/+/eb876dd83cb8413335d64e50aae5d38337d1ebb43. https://go.dev/issue/151844. https://groups.google.com/g/golang-announce/c/9eqIHqaWvck5. https://github.com/alexmullins/dsa

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.