PT-2016-5779 · Google+3 · Go+3

Jason Buberel · Published 2015-09-28 · Updated 2024-06-15 · CVE-2016-3959

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Go versions prior to 1.5.4
Go versions 1.6.x prior to 1.6.1
Description
The Verify function in crypto/dsa/dsa.go does not properly check the parameters it passes to the big integer library. A remote attacker can supply a crafted public key to a program that uses HTTPS client certificates or the Go SSH server libraries and trigger an extremely long-running computation (an infinite loop), causing a denial of service.
Recommendations
For Go versions prior to 1.5.4, update to version 1.5.4 or later.
For Go versions 1.6.x prior to 1.6.1, update to version 1.6.1 or later.
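The class of check the description says was missing is a range check on the DSA public key and signature values before they reach the big-integer routines. The following Go program is an added defensive example, not the Go project's fix and not code from this advisory: it wraps crypto/dsa.Verify so a public key with a zero modulus or out-of-range elements is rejected up front. The function names (checkDSAPublicKey, safeVerify, zeroModulusKey), the exact conditions (modelled on the FIPS 186-3 range requirements) and the generated key material are this example's own assumptions.

```go
package main

import (
	"crypto/dsa"
	"crypto/rand"
	"crypto/sha1"
	"errors"
	"fmt"
	"math/big"
)

// ErrInvalidDSAKey is returned for a public key that fails the range checks.
var ErrInvalidDSAKey = errors.New("dsa: invalid public key parameters")

// checkDSAPublicKey rejects keys whose parameters would reach the
// big-integer routines as a zero modulus or an out-of-range group element.
// The conditions follow the FIPS 186-3 range requirements; this is an
// added example, not the code of the Go fix.
func checkDSAPublicKey(pub *dsa.PublicKey) error {
	if pub == nil || pub.P == nil || pub.Q == nil || pub.G == nil || pub.Y == nil {
		return ErrInvalidDSAKey
	}
	// P and Q are moduli: zero or negative values are never valid.
	if pub.P.Sign() <= 0 || pub.Q.Sign() <= 0 {
		return ErrInvalidDSAKey
	}
	// Q is an odd prime divisor of P-1, so it must be odd and smaller than P.
	if pub.Q.Bit(0) == 0 || pub.Q.Cmp(pub.P) >= 0 {
		return ErrInvalidDSAKey
	}
	// The generator G and the public value Y must lie strictly in (1, P).
	one := big.NewInt(1)
	if pub.G.Cmp(one) <= 0 || pub.G.Cmp(pub.P) >= 0 ||
		pub.Y.Cmp(one) <= 0 || pub.Y.Cmp(pub.P) >= 0 {
		return ErrInvalidDSAKey
	}
	return nil
}

// safeVerify validates the key and the signature range before calling
// dsa.Verify, so a malformed key received from a peer is rejected early.
func safeVerify(pub *dsa.PublicKey, hash []byte, r, s *big.Int) (bool, error) {
	if err := checkDSAPublicKey(pub); err != nil {
		return false, err
	}
	// A well-formed signature has 0 < r < Q and 0 < s < Q.
	if r == nil || s == nil || r.Sign() <= 0 || s.Sign() <= 0 ||
		r.Cmp(pub.Q) >= 0 || s.Cmp(pub.Q) >= 0 {
		return false, nil
	}
	return dsa.Verify(pub, hash, r, s), nil
}

// newTestKey generates a fresh 1024/160-bit DSA key pair: constructed test
// material for this example, not a key from the advisory.
func newTestKey() (*dsa.PrivateKey, error) {
	priv := new(dsa.PrivateKey)
	if err := dsa.GenerateParameters(&priv.Parameters, rand.Reader, dsa.L1024N160); err != nil {
		return nil, err
	}
	if err := dsa.GenerateKey(priv, rand.Reader); err != nil {
		return nil, err
	}
	return priv, nil
}

// signMessage hashes a message with SHA-1 (20 bytes, matching N160) and signs it.
func signMessage(priv *dsa.PrivateKey, msg string) (digest []byte, r, s *big.Int, err error) {
	sum := sha1.Sum([]byte(msg))
	r, s, err = dsa.Sign(rand.Reader, priv, sum[:])
	return sum[:], r, s, err
}

// zeroModulusKey returns a copy of pub with P set to zero: a constructed
// malformed key of the kind a crafted certificate could carry.
func zeroModulusKey(pub *dsa.PublicKey) *dsa.PublicKey {
	bad := *pub
	bad.P = new(big.Int)
	return &bad
}

func main() {
	priv, err := newTestKey()
	if err != nil {
		panic(err)
	}
	digest, r, s, err := signMessage(priv, "constructed message")
	if err != nil {
		panic(err)
	}
	ok, err := safeVerify(&priv.PublicKey, digest, r, s)
	fmt.Println("well-formed key:", ok, err)
	ok, err = safeVerify(zeroModulusKey(&priv.PublicKey), digest, r, s)
	fmt.Println("zero-modulus key:", ok, err)
}
```

The wrapper returns an error (rather than a plain false) for a malformed key so that the caller can log and drop the connection instead of treating it as an ordinary signature mismatch; that distinction is useful for detecting peers that send deliberately broken keys.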

Tags: Fix · DoS · RCE


Weakness Enumeration

Related Identifiers

ALT-PU-2015-1812
ALT-PU-2016-1849
AZL-79052
CESA-2016_1538
CVE-2016-3959
GO-2022-0166
MGASA-2016-0207
OPENSUSE-SU-2024:10028-1
OPENSUSE-SU-2024:10803-1
OPENSUSE-SU-2024:10804-1
OPENSUSE-SU-2024:10805-1
OPENSUSE-SU-2024:10812-1
RHSA-2016:1538
RHSA-2016_1538

Affected Products

Alt Linux
Centos
Go
Red Hat