CVE-2019-6486
golang - security update
EPSS 0.60%
Description
A DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU. These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.
How to fix CVE-2019-6486
To remediate CVE-2019-6486, upgrade the affected package to a fixed version below.
- Debian/golang—upgrade to 2:1.3.3-1+deb8u1 or later
- —upgrade to 1.10.8 or later
Is CVE-2019-6486 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 2:1.3.3-1+deb8u1
- from 0, < 1.10.8, >= 1.11.0-0, < 1.11.5