The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted public key to a program that uses HTTPS client certificates or SSH server libraries.
{
"unresolved_ranges": [
{
"cpes": [
"cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*",
"cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*",
"cpe:2.3:o:fedoraproject:fedora:24:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "22"
},
{
"last_affected": "22"
},
{
"introduced": "23"
},
{
"last_affected": "23"
},
{
"introduced": "24"
},
{
"last_affected": "24"
}
],
"vendor_product": "fedoraproject:fedora",
"source": "CPE_STRING"
},
{
"cpes": [
"cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*"
],
"vendor_product": "opensuse:leap",
"extracted_events": [
{
"introduced": "42.1"
},
{
"last_affected": "42.1"
}
],
"source": "CPE_STRING"
}
]
}{
"cpe": [
"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*",
"cpe:2.3:a:golang:go:1.6:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "1.5"
},
{
"introduced": "1.6"
},
{
"last_affected": "1.6"
}
],
"source": [
"CPE_RANGE",
"CPE_STRING"
]
}