CVE-2016-3959
published 2016-05-23CVE-2016-3959: The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which…
PriorityP337high7.5CVSS 3.0
AVNACLPRNUINSUCNINAH
EPSS
4.33%
90.0th percentile
The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted public key to a program that uses HTTPS client certificates or SSH server libraries.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| golang | go | <= 1.5 | — |
| golang | go | — | — |
| msrc | azl3_golang_1.23.12-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.24.3-1_on_azure_linux_3.0 | — | — |
| opensuse | leap | — | — |
CVSS provenance
nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
osv7.5HIGH
vendor_msrc7.5HIGH
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Denial of service due to unchecked parameters in crypto/dsa
osv·2022-05-24
CVE-2016-3959 Denial of service due to unchecked parameters in crypto/dsa
Denial of service due to unchecked parameters in crypto/dsa
The Verify function in crypto/dsa passed certain parameters unchecked to the underlying big integer library, possibly leading to extremely long-running computations, which in turn makes Go programs vulnerable to remote denial of service attacks. Programs using HTTPS client certificates or the Go SSH server libraries are both exposed to this vulnerability.
GHSA
GHSA-w7w7-9368-hffm: The Verify function in crypto/dsa/dsa
ghsa_unreviewed·2022-05-14
CVE-2016-3959 [HIGH] CWE-20 GHSA-w7w7-9368-hffm: The Verify function in crypto/dsa/dsa
The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted public key to a program that uses HTTPS client certificates or SSH server libraries.
OSV
CVE-2016-3959: The Verify function in crypto/dsa/dsa
osv·2016-05-23·CVSS 7.5
CVE-2016-3959 [HIGH] CVE-2016-3959: The Verify function in crypto/dsa/dsa
The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted public key to a program that uses HTTPS client certificates or SSH server libraries.
Microsoft
The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a d
vendor_msrc·2016-05-10·CVSS 7.5
CVE-2016-3959 [HIGH] CWE-20 The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a d
The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted public key to a program that uses HTTPS client certificates or SSH server libraries.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CS
Red Hat
golang: infinite loop in several big integer routines
vendor_redhat·2016-04-05·CVSS 7.5
CVE-2016-3959 [HIGH] CWE-835 golang: infinite loop in several big integer routines
golang: infinite loop in several big integer routines
The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted public key to a program that uses HTTPS client certificates or SSH server libraries.
A denial of service vulnerability was found in Go's verification of DSA public keys. An attacker could provide a crafted key to HTTPS client or SSH server libraries which would cause the application to enter an infinite loop.
Package: golang (Red Hat OpenShift Enterprise 3) - Will not fix
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-3959 golang: infinite loop in several big integer routines
bugzilla·2016-04-06·CVSS 7.5
CVE-2016-3959 [HIGH] CVE-2016-3959 golang: infinite loop in several big integer routines
CVE-2016-3959 golang: infinite loop in several big integer routines
Go has an infinite loop in several big integer routines that makes Go
programs vulnerable to remote denial of service attacks. Programs using
HTTPS client authentication or the Go ssh server libraries are both exposed
to this vulnerability.
Upstream fix:
https://go-review.googlesource.com/#/c/21533/
References:
http://seclists.org/oss-sec/2016/q2/11
Discussion:
Created golang tracking bugs for this issue:
Affects: fedora-all [bug 1324344]
Affects: epel-6 [bug 1324345]
---
golang-1.6.1-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
---
golang-1.5.4-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist
Bugzilla
CVE-2016-3959 golang: infinite loop in several big integer routines [fedora-all]
bugzilla·2016-04-06·CVSS 7.5
CVE-2016-3959 [HIGH] CVE-2016-3959 golang: infinite loop in several big integer routines [fedora-all]
CVE-2016-3959 golang: infinite loop in several big integer routines [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions
Bugzilla
CVE-2016-3959 golang: infinite loop in several big integer routines [epel-6]
bugzilla·2016-04-06·CVSS 7.5
CVE-2016-3959 [HIGH] CVE-2016-3959 golang: infinite loop in several big integer routines [epel-6]
CVE-2016-3959 golang: infinite loop in several big integer routines [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
[bug automatically created by: add-tracking-bugs]
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182526.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2016-April/183106.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2016-April/183137.htmlhttp://lists.opensuse.org/opensuse-updates/2016-05/msg00077.htmlhttp://rhn.redhat.com/errata/RHSA-2016-1538.htmlhttp://www.openwall.com/lists/oss-security/2016/04/05/1http://www.openwall.com/lists/oss-security/2016/04/05/2https://go-review.googlesource.com/#/c/21533/https://groups.google.com/forum/#%21topic/golang-announce/9eqIHqaWvckhttp://lists.fedoraproject.org/pipermail/package-announce/2016-April/182526.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2016-April/183106.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2016-April/183137.htmlhttp://lists.opensuse.org/opensuse-updates/2016-05/msg00077.htmlhttp://rhn.redhat.com/errata/RHSA-2016-1538.htmlhttp://www.openwall.com/lists/oss-security/2016/04/05/1http://www.openwall.com/lists/oss-security/2016/04/05/2https://go-review.googlesource.com/#/c/21533/https://groups.google.com/forum/#%21topic/golang-announce/9eqIHqaWvck
2016-05-23
Published