git.ipfire.org Git - thirdparty/openembedded/openembedded-core.git/commit

author	Soumya Sambu <soumya.sambu@windriver.com>
	Fri, 25 Aug 2023 07:41:38 +0000 (07:41 +0000)
committer	Steve Sakoman <steve@sakoman.com>
	Sun, 27 Aug 2023 14:03:37 +0000 (04:03 -1000)
commit	51c2fee0e4bb4b3131c61d91510394cd4b4f9eb9
tree	305fe3751360186819cc6768a48c9fd13f9cc335	tree
parent	e787e364efbba372675081aadd802b43274097f0	commit \| diff

go: Fix CVE-2023-29409

Extremely large RSA keys in certificate chains can cause a
client/server to expend significant CPU time verifying
signatures. With fix, the size of RSA keys transmitted
during handshakes is restricted to <= 8192 bits. Based on
a survey of publicly trusted RSA keys, there are currently
only three certificates in circulation with keys larger than
this, and all three appear to be test certificates that are
not actively deployed. It is possible there are larger keys
in use in private PKIs, but we target the web PKI, so causing
breakage here in the interests of increasing the default
safety of users of crypto/tls seems reasonable.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29409

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

meta/recipes-devtools/go/go-1.17.13.inc		diff \| blob \| blame \| history
meta/recipes-devtools/go/go-1.19/CVE-2023-29409.patch	[new file with mode: 0644]	blob