Bugzilla – Bug 960151
VUL-1: CVE-2015-8618: go: Carry propagation in Int.Exp Montgomery code in math/big library
Last modified: 2019-05-07 10:57:59 UTC
via rh#1293448
Carry propagation in Int.Exp Montgomery function was found in golang's math/big library, similar to CVE-2015-3193. This issue was introduced in the 1.5 release and remains present in 1.5.1 and 1.5.2.
https://github.com/golang/go/commit/4306352182bf94f86f0cfc6a8b0ed461cbf1d82c
CVE request: http://seclists.org/oss-sec/2015/q4/550
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1293448
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8618
http://seclists.org/oss-sec/2015/q4/564
go 1.5 (1.5.1, 1.5.2) Affects openSUSE Tumbleweed only. Does not affect SLE. Does not affect openSUSE stable releases. Assign to community maintainer.
https://groups.google.com/forum/#!topic/golang-announce/MEATuOi_ei4
"TLS servers on 32-bit systems could plausibly leak their RSA private key due to this issue."
"On 64-bit systems, the frequency of the bug is so low (less than one in 2^50) that it would be very difficult to exploit. Nonetheless, everyone is strongly encouraged to upgrade."
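
Added example, not part of this bug report or of the Go project's code: a Go self-check a packager could run with the installed toolchain. It flags the release strings this report lists as affected and compares Int.Exp against an independent square-and-multiply reference on odd moduli (the case Montgomery reduction applies to); the helper names, seed and trial counts are assumptions, and the random inputs are constructed.

```go
package main

import (
	"fmt"
	"math/big"
	"math/rand"
	"runtime"
)

// affectedRelease reports whether v (the runtime.Version() string) is one of
// the releases this report lists as affected: 1.5, 1.5.1 and 1.5.2.
func affectedRelease(v string) bool {
	return v == "go1.5" || v == "go1.5.1" || v == "go1.5.2"
}

// refExp computes x^y mod m by plain square-and-multiply using only Mul and
// Mod, so the result does not depend on the Montgomery code inside Int.Exp.
func refExp(x, y, m *big.Int) *big.Int {
	r := big.NewInt(1)
	b := new(big.Int).Mod(x, m)
	for i := y.BitLen() - 1; i >= 0; i-- {
		r.Mul(r, r).Mod(r, m)
		if y.Bit(i) == 1 {
			r.Mul(r, b).Mod(r, m)
		}
	}
	return r.Mod(r, m)
}

// expMismatches (hypothetical helper) runs n trials on constructed random
// inputs with an odd modulus of the given bit length and counts disagreements.
func expMismatches(seed int64, n, bits int) int {
	rng := rand.New(rand.NewSource(seed))
	bad := 0
	for i := 0; i < n; i++ {
		m := new(big.Int).Rand(rng, new(big.Int).Lsh(big.NewInt(1), uint(bits)))
		m.SetBit(m, 0, 1).SetBit(m, bits-1, 1) // force odd and full width
		x, y := new(big.Int).Rand(rng, m), new(big.Int).Rand(rng, m)
		if new(big.Int).Exp(x, y, m).Cmp(refExp(x, y, m)) != 0 {
			bad++
		}
	}
	return bad
}

func main() {
	fmt.Println(runtime.Version(), "affected:", affectedRelease(runtime.Version()))
	fmt.Println("mismatches:", expMismatches(1, 200, 1024))
}
```

A zero mismatch count does not show a toolchain is fixed: at the frequency quoted above for 64-bit systems, random inputs are very unlikely to trigger the faulty carry. The version check is the reliable signal, and the differential run serves as a regression check.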
Reassigning the bug to Jordi, who is working on pushing out the update. @Jordi can you close the bug as soon as all our packages have been released by maintenance?
There is another bug for updating go to 1.5, which will update to the latest version (1.5.3), which includes this fix. I am marking it as a duplicate of this one. *** This bug has been marked as a duplicate of bug 968949 ***
This is an autogenerated message for OBS integration: This bug (960151) was mentioned in https://build.opensuse.org/request/show/393533 42.1 / go
openSUSE-SU-2016:1331-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 960151,974232
CVE References: CVE-2015-8618,CVE-2016-3959
Sources used:
openSUSE Leap 42.1 (src): go-1.6.1-14.1
This is an autogenerated message for OBS integration: This bug (960151) was mentioned in https://build.opensuse.org/request/show/610123 Factory / go1.10
This is an autogenerated message for OBS integration: This bug (960151) was mentioned in https://build.opensuse.org/request/show/658307 Factory / go1.10 https://build.opensuse.org/request/show/658308 Factory / go1.11
This is an autogenerated message for OBS integration: This bug (960151) was mentioned in https://build.opensuse.org/request/show/658934 15.0+42.3 / go1.11
This is an autogenerated message for OBS integration: This bug (960151) was mentioned in https://build.opensuse.org/request/show/679777 Factory / go1.11
This is an autogenerated message for OBS integration: This bug (960151) was mentioned in https://build.opensuse.org/request/show/688187 Factory / go1.12