[ASA-201901-10] go-pie: private key recovery
foxboron at archlinux.org
Mon Jan 28 21:30:25 UTC 2019
Arch Linux Security Advisory ASA-201901-10
Date : 2019-01-24
CVE-ID : CVE-2019-6486
Package : go-pie
Type : private key recovery
Remote : Yes
Link : https://security.archlinux.org/AVG-859
The package go-pie before version 2:1.11.5-1 is vulnerable to private
Upgrade to 2:1.11.5-1.
# pacman -Syu "go-pie>=2:1.11.5-1"
The problem has been fixed upstream in version 1.11.5.
Go before versions 1.10.8 and 1.11.5 has a vulnerability in the
crypto/elliptic implementations of the P-521 and P-384 elliptic curves.
A remote attacker can exploit this by crafting inputs that consume
excessive amounts of CPU. These inputs might be delivered via TLS
handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA
signatures. In some cases, if an ECDH private key is reused more than
once, the attack can also lead to key recovery.
A remote attacker can crash the system with maliciously crafted input,
or recover the private key.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: not available
More information about the arch-security