Vulnerability Report: GO-2022-0166

standard library

CVE-2016-3959
Affects: crypto/dsa
Published: May 24, 2022
Modified: May 20, 2024

The Verify function in crypto/dsa passed certain parameters unchecked to the underlying big integer library, possibly leading to extremely long-running computations, which in turn makes Go programs vulnerable to remote denial of service attacks. Programs using HTTPS client certificates or the Go SSH server libraries are both exposed to this vulnerability.

Affected Packages

Path

Go Versions

Symbols
crypto/dsa

before go1.5.4, from go1.6.0-0 before go1.6.1
- Verify

Aliases

CVE-2016-3959

References

https://go.dev/cl/21533
https://go.googlesource.com/go/+/eb876dd83cb8413335d64e50aae5d38337d1ebb4
https://go.dev/issue/15184
https://groups.google.com/g/golang-announce/c/9eqIHqaWvck
https://vuln.go.dev/ID/GO-2022-0166.json

Credits

David Wong

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL