Bugzilla – Bug 1123013
VUL-0: CVE-2019-6486: go: DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves
Last modified: 2021-02-24 06:25:07 UTC
CVE-2019-6486

This DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU. These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery. The issue is CVE-2019-6486 and Go issue golang.org/issue/29903. See the Go issue for more details.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6486
https://groups.google.com/forum/m/#!topic/golang-announce/mVeX35iXuSw
Assigning to containers team so the bug squad leader can plan for this one. @Florian, is there anything we need to do to have this in our backlog?
Scanning Factory for packages that import this Go package yielded the following result:

caasp-dex is importing crypto/elliptic
chartmuseum is importing crypto/elliptic
coredns is importing crypto/elliptic
dex-oidc is importing crypto/elliptic
etcd is importing crypto/elliptic
golang-org-x-crypto is importing crypto/elliptic
heapster is importing crypto/elliptic
helm is importing crypto/elliptic
kbfs is importing crypto/elliptic
kubernetes-dashboard is importing crypto/elliptic
kubernetes is importing crypto/elliptic
kured is importing crypto/elliptic
sonobuoy is importing crypto/elliptic
syncthing is importing crypto/elliptic

We should at least fix/rebuild those packages that are also used in our SLE products.
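The kind of import scan described above, as an added example that is not SUSE's or the Factory tooling's own code: a small Python scanner, assumed to be run against a checked-out source tree, that parses Go import declarations and lists the files that directly import crypto/elliptic.

```python
import os
import re

# One import spec: optional alias ("ec", "_" or "."), then the quoted path.
_SPEC = re.compile(r'^\s*(?:[\w.]+\s+)?"([^"]+)"')


def go_imports(source):
    """Return the set of import paths declared in one gofmt-style Go file.

    Handles both a single `import "crypto/elliptic"` and a grouped
    `import ( ... )` block, with or without an alias. Go requires imports to
    precede every other top-level declaration, so the scan stops at the first
    func/type/var/const line and never sees strings inside function bodies.
    """
    found, in_block = set(), False
    for line in source.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("//"):
            continue
        if in_block:
            if stripped.startswith(")"):
                in_block = False
            elif (m := _SPEC.match(stripped)):
                found.add(m.group(1))
        elif stripped.startswith("import ("):
            in_block = True
        elif stripped.startswith("import "):
            m = _SPEC.match(stripped[len("import "):])
            if m:
                found.add(m.group(1))
        elif stripped.startswith(("func ", "type ", "var ", "const ")):
            break  # past the import section
    return found


def scan_tree(root, target="crypto/elliptic"):
    """Return paths (relative to root) of .go files that directly import target."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".go"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if target in go_imports(fh.read()):
                        hits.append(os.path.relpath(path, root))
    return sorted(hits)
```

It reports direct imports only; a package that reaches crypto/elliptic through another dependency shows up only in the module graph, for example via `go list -deps`.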
Adding Jeff to CC, he's the maintainer of Go at SUSE. We can take care of the packages related to CaaSP, but not of the others (for example syncthing).
Announcement: https://groups.google.com/forum/m/#!topic/golang-announce/mVeX35iXuSw
Upstream issue: https://golang.org/issue/29903
Upstream fix: https://github.com/golang/go/commit/42b42f71
This is an autogenerated message for OBS integration: This bug (1123013) was mentioned in https://build.opensuse.org/request/show/679777 Factory / go1.11
SUSE-SU-2019:0651-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1123013
CVE References: CVE-2019-6486
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): go1.11-1.11.5-1.9.1
This is an autogenerated message for OBS integration: This bug (1123013) was mentioned in https://build.opensuse.org/request/show/688187 Factory / go1.12
openSUSE-SU-2019:1164-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1123013
CVE References: CVE-2019-6486
Sources used:
openSUSE Leap 15.0 (src): go1.11-1.11.5-lp150.6.4

*** NOTE: This information is not intended to be used for external communication, because this may only be a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1234-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1114209,1114832,1118897,1118898,1118899,1121397,1121967,1123013,1128376,1128746,1134068
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736,CVE-2019-6486
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): containerd-1.2.5-5.13.1, docker-18.09.6_ce-6.17.1, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-6.18.1, go-1.12-3.10.1, go1.11-1.11.9-1.12.1, go1.12-1.12.4-1.9.1, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-4.12.1
SUSE Linux Enterprise Module for Containers 15 (src): containerd-1.2.5-5.13.1, docker-18.09.6_ce-6.17.1, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-6.18.1, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-4.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1264-1: An update that solves four vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1114209,1114832,1118897,1118898,1118899,1121397,1123013,1128376,1128746,1134068
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-6486
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src): containerd-1.2.5-16.17.2, docker-18.09.6_ce-98.37.1, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-1.23.1, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-19.1
SUSE CaaS Platform 3.0 (src): containerd-kubic-1.2.5-16.17.2, docker-kubic-18.09.6_ce-98.37.1, docker-runc-kubic-1.0.0rc6+gitr3804_2b18fe1d885e-1.23.1, golang-github-docker-libnetwork-kubic-0.7.0.1+gitr2726_872f0a83c98a-19.1
OpenStack Cloud Magnum Orchestration 7 (src): containerd-1.2.5-16.17.2, docker-18.09.6_ce-98.37.1, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-1.23.1, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1499-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1114209,1114832,1118897,1118898,1118899,1121397,1121967,1123013,1128376,1128746,1134068
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736,CVE-2019-6486
Sources used:
openSUSE Leap 15.0 (src): containerd-1.2.5-lp150.4.14.3, docker-18.09.6_ce-lp150.5.17.2, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp150.5.21.2, go-1.12-lp150.2.11.1, go1.11-1.11.9-lp150.9.3, go1.12-1.12.4-lp150.2.2, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp150.3.14.1
SUSE-SU-2019:1234-2: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1114209,1114832,1118897,1118898,1118899,1121397,1121967,1123013,1128376,1128746,1134068
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736,CVE-2019-6486
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): containerd-1.2.5-5.13.1, docker-18.09.6_ce-6.17.1, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-6.18.1, go-1.12-3.10.1, go1.11-1.11.9-1.12.1, go1.12-1.12.4-1.9.1, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-4.12.1
SUSE Linux Enterprise Module for Containers 15-SP1 (src): containerd-1.2.5-5.13.1, docker-18.09.6_ce-6.17.1, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-6.18.1, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-4.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
I think this can now be closed as fixed.
closed
This is an autogenerated message for OBS integration: This bug (1123013) was mentioned in https://build.opensuse.org/request/show/874754 Factory / go