crypto/dsa: invalid public key causes panic in dsa.Verify #34960
Comments
@gopherbot please open backport issues as this is a security issue
Backport issue(s) opened: #34961 (for 1.12), #34962 (for 1.13). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.
I may be missing something, but I don't see this commit on or near tip of the master branch. Is Go 1.14/master not vulnerable to this issue?
The announcement has more details about the impact: https://groups.google.com/d/msg/golang-announce/lVEm7llp0w0/VbafyRkgCgAJ @kevinburkemeter We do the cherry-pick to master last, as we make no security promises about tip, making it low priority. This issue will be closed when that happens.
Ah, okay, thanks for the clarification. I got confused by the bot which says "as soon as the patch is submitted to master", which would seem to imply that's the first thing that happens.
golang/go#34960 This PR bumps the 0.8 branch. A new release will be cut as soon as this is merged. Signed-off-by: Agustín Martínez Fayó <[email protected]>
41901: storage/engine: centralize specification of pebble.Options r=petermattis a=petermattis

Fixes #41860

Release note: None

41993: build: Upgrade to go 1.12.12 r=bobvawter a=bobvawter

This change upgrades the go runtime to 1.12.12 in order to pick up a [security fix](golang/go#34960). Per the [checklist](build/README.md):

* [X] Adjust version in Docker image
* [X] Rebuild the Docker image and bump the version in builder.sh accordingly
* [ ] ~Bump the version in go-version-check.sh~ (Patch release, not necessary)
* [X] Bump the default installed version of Go in bootstrap-debian.sh

Fixes: #41718

Release note (build change): The go runtime has been upgraded to 1.12.12.

Co-authored-by: Peter Mattis <[email protected]>
Co-authored-by: Bob Vawter <[email protected]>
add the release note about building Concourse with go 1.13.2 to address golang/go#34960 (CVE-2019-17596). Signed-off-by: Ciro S. Costa <[email protected]>
Change https://golang.org/cl/205441 mentions this issue:
Invalid DSA public keys can cause a panic in dsa.Verify. In particular, using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic, even if the certificates don’t chain to a trusted root. The chain can be delivered via a crypto/tls connection to a client, or to a server that accepts and verifies client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.
Moreover, an application might crash invoking crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate request, parsing a golang.org/x/crypto/openpgp Entity, or during a golang.org/x/crypto/otr conversation. Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host key, while a server could panic if either PublicKeyCallback accepts a malformed public key, or if IsUserAuthority accepts a certificate with a malformed public key.
The issue is CVE-2019-17596.
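As an added defensive illustration (not code from the Go project or from this issue), the following wrapper checks a DSA public key's structure before handing it to dsa.Verify and, as a second layer, recovers from a panic the way net/http servers do. The names validatePublicKey and safeVerify and the size checks are this example's own choices; the key in main is constructed and deliberately invalid.

```go
package main

import (
	"crypto/dsa"
	"errors"
	"fmt"
	"math/big"
)

// validatePublicKey rejects structurally invalid DSA public keys before they
// reach dsa.Verify. It does not prove that (P, Q, G) is a genuine DSA group.
func validatePublicKey(pub *dsa.PublicKey) error {
	if pub == nil || pub.P == nil || pub.Q == nil || pub.G == nil || pub.Y == nil {
		return errors.New("dsa: nil key component")
	}
	// Only the size classes crypto/dsa supports; this also rules out P == 0 and Q == 0.
	pOK := pub.P.BitLen() == 1024 || pub.P.BitLen() == 2048 || pub.P.BitLen() == 3072
	qOK := pub.Q.BitLen() == 160 || pub.Q.BitLen() == 224 || pub.Q.BitLen() == 256
	if !pOK || !qOK || pub.P.Sign() < 0 || pub.Q.Sign() < 0 {
		return errors.New("dsa: P or Q has an unsupported size")
	}
	if pub.G.Cmp(big.NewInt(1)) <= 0 || pub.G.Cmp(pub.P) >= 0 {
		return errors.New("dsa: G out of range")
	}
	if pub.Y.Sign() <= 0 || pub.Y.Cmp(pub.P) >= 0 {
		return errors.New("dsa: Y out of range")
	}
	return nil
}

// safeVerify validates the key first and, as defense in depth, recovers from any
// panic inside dsa.Verify (as net/http does per request), returning false instead.
func safeVerify(pub *dsa.PublicKey, hash []byte, r, s *big.Int) (ok bool, err error) {
	if err := validatePublicKey(pub); err != nil {
		return false, err
	}
	defer func() {
		if p := recover(); p != nil {
			ok, err = false, fmt.Errorf("dsa: verify panicked: %v", p)
		}
	}()
	return dsa.Verify(pub, hash, r, s), nil
}

func main() {
	// Constructed invalid key (P == 0, Q == 1): rejected before dsa.Verify runs.
	bad := &dsa.PublicKey{Parameters: dsa.Parameters{P: new(big.Int), Q: big.NewInt(1), G: big.NewInt(1)}, Y: big.NewInt(1)}
	_, err := safeVerify(bad, make([]byte, 20), big.NewInt(1), big.NewInt(1))
	fmt.Println("rejected:", err)
}
```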