PT-2019-12523 · Go · golang.org/x/crypto

Michael McLoughlin

·

Published

2019-05-09

·

Updated

2026-05-18

·

CVE-2019-11840

CVSS v3.1

5.9

Medium

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

golang.org/x/crypto versions before v0.0.0-20190320223903-b7391e95e576

Description

A flaw was found in the amd64 implementation of the golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa packages. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation first generates incorrect output and then cycles back to previously generated keystream. 256 GiB is 2^32 Salsa20 blocks of 64 bytes each, the point at which a 32-bit block counter wraps. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications. The issue might affect uses of golang.org/x/crypto/nacl with extremely large messages.

Recommendations

Update golang.org/x/crypto to v0.0.0-20190320223903-b7391e95e576 or later, which contains the fix. As a temporary workaround on earlier versions, limit keystream generation to less than 256 GiB (fewer than 2^32 64-byte blocks) per salsa20.XORKeyStream invocation, and for the lower-level salsa.XORKeyStream make sure the counter supplied plus the number of blocks generated never exceeds 32 bits. Until the update is applied, restrict the use of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa in amd64 builds.
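The counter arithmetic behind the 256 GiB figure, as an added example that is not part of this advisory and not code from golang.org/x/crypto: a pure-Go Salsa20 keystream generator with a proper 64-bit block counter, a deliberately truncated 32-bit variant that models the failure mode described above (a simplified model of keystream reuse, not the actual defect in the amd64 assembly), and the workaround from the Recommendations expressed as a precondition check. The names keystreamBlock, truncatedKeystreamBlock, checkKeystreamRequest and KeystreamLimit, and the sample key and nonce, are this example's own.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math/bits"
)

// BlockSize is the size in bytes of one Salsa20 keystream block.
const BlockSize = 64

// KeystreamLimit is the amount of keystream a 32-bit block counter can address
// before it wraps: 2^32 blocks * 64 bytes = 256 GiB, the figure in the advisory.
const KeystreamLimit = uint64(1<<32) * BlockSize

// sigma holds the "expand 32-byte k" constants of the Salsa20 expansion function.
var sigma = [4]uint32{0x61707865, 0x3320646e, 0x79622d32, 0x6b206574}

// quarterRound is the Salsa20 quarterround on four state words.
func quarterRound(y0, y1, y2, y3 uint32) (uint32, uint32, uint32, uint32) {
	y1 ^= bits.RotateLeft32(y0+y3, 7)
	y2 ^= bits.RotateLeft32(y1+y0, 9)
	y3 ^= bits.RotateLeft32(y2+y1, 13)
	y0 ^= bits.RotateLeft32(y3+y2, 18)
	return y0, y1, y2, y3
}

// core is the Salsa20/20 hash: ten double rounds, then the input added back.
func core(in *[16]uint32) [16]uint32 {
	x := *in
	for i := 0; i < 10; i++ {
		// column round
		x[0], x[4], x[8], x[12] = quarterRound(x[0], x[4], x[8], x[12])
		x[5], x[9], x[13], x[1] = quarterRound(x[5], x[9], x[13], x[1])
		x[10], x[14], x[2], x[6] = quarterRound(x[10], x[14], x[2], x[6])
		x[15], x[3], x[7], x[11] = quarterRound(x[15], x[3], x[7], x[11])
		// row round
		x[0], x[1], x[2], x[3] = quarterRound(x[0], x[1], x[2], x[3])
		x[5], x[6], x[7], x[4] = quarterRound(x[5], x[6], x[7], x[4])
		x[10], x[11], x[8], x[9] = quarterRound(x[10], x[11], x[8], x[9])
		x[15], x[12], x[13], x[14] = quarterRound(x[15], x[12], x[13], x[14])
	}
	for i := range x {
		x[i] += in[i]
	}
	return x
}

// keystreamBlock returns keystream block number counter for key and nonce. The
// 64-bit counter occupies state words 8 (low) and 9 (high); the carry into
// word 9 is exactly what a 32-bit counter loses.
func keystreamBlock(key *[32]byte, nonce *[8]byte, counter uint64) [BlockSize]byte {
	var s [16]uint32
	s[0], s[5], s[10], s[15] = sigma[0], sigma[1], sigma[2], sigma[3]
	for i := 0; i < 4; i++ {
		s[1+i] = binary.LittleEndian.Uint32(key[4*i:])
		s[11+i] = binary.LittleEndian.Uint32(key[16+4*i:])
	}
	s[6] = binary.LittleEndian.Uint32(nonce[0:])
	s[7] = binary.LittleEndian.Uint32(nonce[4:])
	s[8] = uint32(counter)
	s[9] = uint32(counter >> 32)
	out := core(&s)
	var block [BlockSize]byte
	for i, w := range out {
		binary.LittleEndian.PutUint32(block[4*i:], w)
	}
	return block
}

// truncatedKeystreamBlock models the failure mode (simplified; not the actual
// assembly defect): the counter is kept in 32 bits, so block 2^32+k yields the
// same keystream as block k, i.e. the stream cycles back.
func truncatedKeystreamBlock(key *[32]byte, nonce *[8]byte, counter uint64) [BlockSize]byte {
	return keystreamBlock(key, nonce, uint64(uint32(counter)))
}

// checkKeystreamRequest is the workaround as a precondition: a single XORKeyStream
// call starting at block startCounter and covering n bytes must not drive the
// block counter past 32 bits on a vulnerable version.
func checkKeystreamRequest(startCounter, n uint64) error {
	blocks := (n + BlockSize - 1) / BlockSize
	if startCounter >= 1<<32 || blocks > 1<<32-startCounter {
		return fmt.Errorf("%d bytes from block %d exceed the 32-bit counter (limit %d bytes from block 0)", n, startCounter, KeystreamLimit)
	}
	return nil
}

func main() {
	// Constructed sample key and nonce (not from the advisory); any values work.
	var key [32]byte
	var nonce [8]byte
	copy(key[:], "0123456789abcdef0123456789abcdef")
	copy(nonce[:], "nonce123")
	k0 := keystreamBlock(&key, &nonce, 0)
	fmt.Println("64-bit counter reuses block 0 at block 2^32:", k0 == keystreamBlock(&key, &nonce, 1<<32))
	fmt.Println("32-bit counter reuses block 0 at block 2^32:", k0 == truncatedKeystreamBlock(&key, &nonce, 1<<32))
	fmt.Println("workaround check at 256 GiB + 1 byte:", checkKeystreamRequest(0, KeystreamLimit+1))
}
```

The check is only a mitigation for the single-call case the advisory names; once the counter itself is 64 bits wide, as in keystreamBlock, no such limit is needed, which is why the upgrade rather than the workaround is the real fix.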

Fix

golang.org/x/crypto v0.0.0-20190320223903-b7391e95e576 (commit b7391e95e576)

Weakness Enumeration

CWE-330: Use of Insufficiently Random Values

Related Identifiers

CVE-2019-11840
DLA-1840-1
DLA-2402-1
DLA-2442-1
DLA-2454-1
DLA-2527-1
DLA-3455-1
GHSA-r5c5-pr8j-pfp7
GO-2022-0209
RHSA-2021:0079

Affected Products

golang.org/x/crypto