
Golang CVE-2019-6486 #10438

Closed
knisbet opened this issue Jan 29, 2019 · 7 comments

Comments

@knisbet

knisbet commented Jan 29, 2019

Hi All,

I'm just opening this, as upstream golang 1.11.5/1.10.8 was released with a fix for cve CVE-2019-6486, which I believe affects etcd.

https://groups.google.com/forum/m/#!topic/golang-announce/mVeX35iXuSw

This DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU.

These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.

The issue is CVE-2019-6486 and Go issue golang.org/issue/29903. See the Go issue for more details.
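
A defender-side check for the two things this report turns on, the Go toolchain version and which curves a TLS endpoint will negotiate; this is an added example, not code from the thread or from etcd. The version thresholds (1.10.8 and 1.11.5) come from the linked Go announcement; limiting `CurvePreferences` to X25519 and P-256 is an assumed hardening choice for unpatched builds, not something the thread itself proposes.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// goFixed reports whether a runtime.Version() string carries the CVE-2019-6486
// fix: 1.10.8+ on the 1.10 line, 1.11.5+ on the 1.11 line, or any newer release.
// Beta/devel strings fail to parse and return false, never a false "fixed".
func goFixed(version string) bool {
	parts := strings.Split(strings.TrimPrefix(version, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return false
	}
	var n [3]int // major, minor, patch (patch defaults to 0 for "go1.12")
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil {
			return false
		}
		n[i] = x
	}
	major, minor, patch := n[0], n[1], n[2]
	return major > 1 || minor > 11 || (minor == 11 && patch >= 5) || (minor == 10 && patch >= 8)
}

// usesAffectedCurves reports whether a tls.Config can still negotiate P-384 or
// P-521. Empty CurvePreferences means Go's defaults, which in 1.10/1.11 include both.
func usesAffectedCurves(c *tls.Config) bool {
	if len(c.CurvePreferences) == 0 {
		return true
	}
	for _, id := range c.CurvePreferences {
		if id == tls.CurveP384 || id == tls.CurveP521 {
			return true
		}
	}
	return false
}

func main() {
	// Constructed config that keeps only curves the advisory does not name.
	cfg := &tls.Config{CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256}}
	fmt.Printf("%s fixed=%v; affected curves allowed=%v\n",
		runtime.Version(), goFixed(runtime.Version()), usesAffectedCurves(cfg))
}
```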

@hexfusion
Contributor

@knisbet thanks for the report

@gyuho
Contributor

gyuho commented Jan 31, 2019

@hexfusion @jpbetz We need a patch release with the new Go runtime.

@hexfusion
Contributor

I will work on scheduling for next week, this should only affect release-3.3 so Joe is off the hook.

@jpbetz
Contributor

jpbetz commented Feb 1, 2019

@hexfusion That's convenient! Ping me if you need any help.

@gyuho
Contributor

gyuho commented Feb 1, 2019

@hexfusion @jpbetz We only need v3.3 patch release with 1.10.8.
@hexfusion will help us with the signing.

@gyuho
Contributor

gyuho commented Feb 7, 2019

Released v3.3.12 with Go 1.10.8.

https://github.com/etcd-io/etcd/releases/tag/v3.3.12

@gyuho gyuho closed this as completed Feb 7, 2019
@hexfusion
Contributor

Signing will be completed within the hour

spzala pushed a commit to spzala/etcd that referenced this issue Apr 11, 2019
Update to Go 1.12.2 testing. Remove deprecated unused and gosimple
packages, and mask staticcheck 1006.

Related etcd-io#10528 etcd-io#10438

Co-Authored-By: Gyuho Lee <[email protected]>
spzala pushed a commit to spzala/etcd that referenced this issue Jun 5, 2019
Update to Go 1.12.5 testing. Remove deprecated unused and gosimple
packages, and mask staticcheck 1006. Also, fix unconvert errors related
to unnecessary type conversions and following staticcheck errors:
- remove redundant return statements
- use for range instead of for select
- use time.Since instead of time.Now().Sub
- omit comparison to bool constant
- replace T.Fatal and T.Fatalf in tests with T.Error and T.Fatalf respectively because the goroutine calls T.Fatal must be called in the same goroutine as the test
- fix error strings that should not be capitalized
- use sort.Strings(...) instead of sort.Sort(sort.StringSlice(...))
- use the status code of Canceled instead of grpc.ErrClientConnClosing which is deprecated
- use status.Errorf instead of grpc.Errorf which is deprecated

Related etcd-io#10528 etcd-io#10438