Date: Mon, 18 Jan 2016 14:04:44 +0000 (UTC) From: Jason Unovitch <junovitch@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r406573 - head/security/vuxml Message-ID: <201601181404.u0IE4iRv076640@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: junovitch Date: Mon Jan 18 14:04:44 2016 New Revision: 406573 URL: https://svnweb.freebsd.org/changeset/ports/406573 Log: Document go information disclosure vulnerability Security: CVE-2015-8618 Security: https://vuxml.FreeBSD.org/freebsd/6809c6db-bdeb-11e5-b5fe-002590263bf5.html Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Mon Jan 18 13:30:59 2016 (r406572) +++ head/security/vuxml/vuln.xml Mon Jan 18 14:04:44 2016 (r406573) @@ -58,6 +58,55 @@ Notes: --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="6809c6db-bdeb-11e5-b5fe-002590263bf5"> + <topic>go -- information disclosure vulnerability</topic> + <affects> + <package> + <name>go</name> + <range><ge>1.5,1</ge><lt>1.5.3,1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Jason Buberel reports:</p> + <blockquote cite="http://www.openwall.com/lists/oss-security/2016/01/13/7">; + <p>A security-related issue has been reported in Go's math/big + package. The issue was introduced in Go 1.5. We recommend that all + users upgrade to Go 1.5.3, which fixes the issue. Go programs must + be recompiled with Go 1.5.3 in order to receive the fix.</p> + <p>The Go team would like to thank Nick Craig-Wood for identifying the + issue.</p> + <p>This issue can affect RSA computations in crypto/rsa, which is used + by crypto/tls. TLS servers on 32-bit systems could plausibly leak + their RSA private key due to this issue. Other protocol + implementations that create many RSA signatures could also be + impacted in the same way.</p> + <p>Specifically, incorrect results in one part of the RSA Chinese + Remainder computation can cause the result to be incorrect in such a + way that it leaks one of the primes. While RSA blinding should + prevent an attacker from crafting specific inputs that trigger the + bug, on 32-bit systems the bug can be expected to occur at random + around one in 2^26 times. Thus collecting around 64 million + signatures (of known data) from an affected server should be enough + to extract the private key used.</p> + <p>On 64-bit systems, the frequency of the bug is so low (less than + one in 2^50) that it would be very difficult to exploit. + Nonetheless, everyone is strongly encouraged to upgrade.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2015-8618</cvename> + <url>http://www.openwall.com/lists/oss-security/2016/01/13/7</url>; + <url>https://go-review.googlesource.com/#/c/17672/</url>; + <url>https://go-review.googlesource.com/#/c/18491/</url>; + </references> + <dates> + <discovery>2016-01-13</discovery> + <entry>2016-01-18</entry> + </dates> + </vuln> + <vuln vid="05eeb7e9-b987-11e5-83ef-14dae9d210b8"> <topic>isc-dhcpd -- Denial of Service</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201601181404.u0IE4iRv076640>