Improper Input Validation The advisory has been revoked - it doesn't affect any version of package golang-src Open this link in a new tab
Threat Intelligence
EPSS
0.47% (76th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-RHEL7-GOLANGSRC-4406854
- published 26 Jul 2021
- disclosed 13 Dec 2018
Introduced: 13 Dec 2018
CVE-2018-16875 Open this link in a new tabAmendment
The Red Hat security team deemed this advisory irrelevant for RHEL:7.
NVD Description
Note: Versions mentioned in the description apply only to the upstream golang-src package and not the golang-src package as distributed by RHEL.
The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.
References
- http://www.securityfocus.com/bid/106230
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16875
- https://access.redhat.com/security/cve/CVE-2018-16875
- https://security.gentoo.org/glsa/201812-09
- https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0
- http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html
- https://groups.google.com/forum/?pli=1#%21topic/golang-announce/Kw31K8G7Fi0