Bug 974232 (CVE-2016-3959) - VUL-0: CVE-2016-3959: go: Infinite loop in several big integer routines
Status: RESOLVED FIXED
Alias: CVE-2016-3959
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Normal
Target Milestone: ---
Assignee: Jordi Massaguer
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/166309/
Whiteboard: CVSSv2:RedHat:CVE-2016-3959:4.3:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-04-06 09:44 UTC by Johannes Segitz
Modified: 2019-05-07 10:58 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Johannes Segitz 2016-04-06 09:44:54 UTC
http://seclists.org/oss-sec/2016/q2/12

2. Go has an infinite loop in several big integer routines that makes Go
programs vulnerable to remote denial of service attacks.  Programs using
HTTPS client authentication or the Go ssh server libraries are both exposed
to this vulnerability. This is being addressed in the following CL:
https://golang.org/cl/21533

Use CVE-2016-3959.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1324343
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3959
http://seclists.org/oss-sec/2016/q2/12
Comment 1 Swamp Workflow Management 2016-04-06 22:00:33 UTC
bugbot adjusting priority
Comment 2 Flavio Castelli 2016-04-07 09:11:25 UTC
According to CVE:

"We will release two new versions - Go 1.6.1 and 1.5.4 - both of which will address these two issues"

We will update the packages once they are released.
Comment 3 Marcus Meissner 2016-04-07 09:25:22 UTC
Would we not need to rebuild all Go-built packages?
Comment 4 Flavio Castelli 2016-04-07 13:37:36 UTC
(In reply to Marcus Meissner from comment #3)
> Would we not need to rebuild all Go-built packages?

Yes, OBS is going to take care of that automatically.
Comment 8 Flavio Castelli 2016-04-13 12:22:45 UTC
Patched releases of Go have been released.

Assigning the bug to Jordi, who is already packaging them.
Comment 10 Bernhard Wiedemann 2016-04-13 19:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (974232) was mentioned in
https://build.opensuse.org/request/show/389657 Factory / go
Comment 12 Bernhard Wiedemann 2016-05-04 09:00:39 UTC
This is an autogenerated message for OBS integration:
This bug (974232) was mentioned in
https://build.opensuse.org/request/show/393533 42.1 / go
Comment 13 Swamp Workflow Management 2016-05-18 12:14:13 UTC
openSUSE-SU-2016:1331-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 960151,974232
CVE References: CVE-2015-8618,CVE-2016-3959
Sources used:
openSUSE Leap 42.1 (src):    go-1.6.1-14.1
Comment 14 Jordi Massaguer 2017-07-26 15:46:47 UTC
This had been fixed and we forgot to close the bug. Closing now.
Comment 15 Swamp Workflow Management 2018-05-17 17:01:50 UTC
This is an autogenerated message for OBS integration:
This bug (974232) was mentioned in
https://build.opensuse.org/request/show/610123 Factory / go1.10
Comment 23 Swamp Workflow Management 2018-12-15 08:42:31 UTC
This is an autogenerated message for OBS integration:
This bug (974232) was mentioned in
https://build.opensuse.org/request/show/658307 Factory / go1.10
https://build.opensuse.org/request/show/658308 Factory / go1.11
Comment 25 Swamp Workflow Management 2018-12-17 15:43:55 UTC
This is an autogenerated message for OBS integration:
This bug (974232) was mentioned in
https://build.opensuse.org/request/show/658934 15.0+42.3 / go1.11
Comment 26 Swamp Workflow Management 2019-02-27 11:02:54 UTC
This is an autogenerated message for OBS integration:
This bug (974232) was mentioned in
https://build.opensuse.org/request/show/679777 Factory / go1.11
Comment 27 Swamp Workflow Management 2019-03-25 11:13:31 UTC
This is an autogenerated message for OBS integration:
This bug (974232) was mentioned in
https://build.opensuse.org/request/show/688187 Factory / go1.12