svn commit: r406573 - head/security/vuxml
Jason Unovitch
junovitch at FreeBSD.org
Mon Jan 18 14:04:46 UTC 2016
Author: junovitch
Date: Mon Jan 18 14:04:44 2016
New Revision: 406573
URL: https://svnweb.freebsd.org/changeset/ports/406573
Log:
Document go information disclosure vulnerability
Security: CVE-2015-8618
Security: https://vuxml.FreeBSD.org/freebsd/6809c6db-bdeb-11e5-b5fe-002590263bf5.html
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Mon Jan 18 13:30:59 2016 (r406572)
+++ head/security/vuxml/vuln.xml Mon Jan 18 14:04:44 2016 (r406573)
@@ -58,6 +58,55 @@ Notes:
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="6809c6db-bdeb-11e5-b5fe-002590263bf5">
+ <topic>go -- information disclosure vulnerability</topic>
+ <affects>
+ <package>
+ <name>go</name>
+ <range><ge>1.5,1</ge><lt>1.5.3,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Jason Buberel reports:</p>
+ <blockquote cite="http://www.openwall.com/lists/oss-security/2016/01/13/7">
+ <p>A security-related issue has been reported in Go's math/big
+ package. The issue was introduced in Go 1.5. We recommend that all
+ users upgrade to Go 1.5.3, which fixes the issue. Go programs must
+ be recompiled with Go 1.5.3 in order to receive the fix.</p>
+ <p>The Go team would like to thank Nick Craig-Wood for identifying the
+ issue.</p>
+ <p>This issue can affect RSA computations in crypto/rsa, which is used
+ by crypto/tls. TLS servers on 32-bit systems could plausibly leak
+ their RSA private key due to this issue. Other protocol
+ implementations that create many RSA signatures could also be
+ impacted in the same way.</p>
+ <p>Specifically, incorrect results in one part of the RSA Chinese
+ Remainder computation can cause the result to be incorrect in such a
+ way that it leaks one of the primes. While RSA blinding should
+ prevent an attacker from crafting specific inputs that trigger the
+ bug, on 32-bit systems the bug can be expected to occur at random
+ around one in 2^26 times. Thus collecting around 64 million
+ signatures (of known data) from an affected server should be enough
+ to extract the private key used.</p>
+ <p>On 64-bit systems, the frequency of the bug is so low (less than
+ one in 2^50) that it would be very difficult to exploit.
+ Nonetheless, everyone is strongly encouraged to upgrade.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-8618</cvename>
+ <url>http://www.openwall.com/lists/oss-security/2016/01/13/7</url>
+ <url>https://go-review.googlesource.com/#/c/17672/</url>
+ <url>https://go-review.googlesource.com/#/c/18491/</url>
+ </references>
+ <dates>
+ <discovery>2016-01-13</discovery>
+ <entry>2016-01-18</entry>
+ </dates>
+ </vuln>
+
<vuln vid="05eeb7e9-b987-11e5-83ef-14dae9d210b8">
<topic>isc-dhcpd -- Denial of Service</topic>
<affects>
More information about the svn-ports-head
mailing list