CVE-2019-17596

Name of the Vulnerable Software and Affected Versions Go versions prior to 1.12.11 Go versions 1.3.x prior to 1.13.2

Description The issue is related to an error in the DSA public key verification function, which can cause a panic when processing network traffic containing an invalid DSA public key. This can be exploited by an attacker to cause a denial of service. There are several attack scenarios, including traffic from a client to a server that verifies client certificates. The vulnerability can also be triggered by using crypto/x509.Verify on a crafted X.509 certificate chain, or by invoking crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate request.

Recommendations For Go versions prior to 1.12.11, update to version 1.12.11 or later to resolve the issue. For Go versions 1.3.x prior to 1.13.2, update to version 1.13.2 or later to resolve the issue. As a temporary workaround, consider disabling the dsa.Verify() function until a patch is available. Restrict access to the vulnerable crypto/x509 module to minimize the risk of exploitation. Avoid using the crypto/x509.Verify function on untrusted X.509 certificate chains until the issue is resolved.