oss-sec mailing list archives
CVE request for math/big.Exp
From: Jason Buberel <jbuberel () google com>
Date: Mon, 21 Dec 2015 16:07:45 +0000
OSS-Security, The Go open source project has received notification of an error in the math/big library (https://golang.org/pkg/math/big/). The problem that was identified is similar to CVE-2015-3193 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3193>. The vulnerability was introduced in the 1.5 release, and remains present in Go 1.5.1 and 1.5.2. A fix for the issue has been applied to the master branch of the Go repo under CL 17672 <https://go-review.googlesource.com/#/c/17672/>. We will also be releasing Go 1.5.3 to fix this vulnerability. We are requesting a CVE ID in order to coordinate updates with distributions that include binary packages for the Go programming language. We will also announce and request that all Go programs using the math/big package that were compiled with version 1.5, 1.5.1, or 1.5.2 be recompiled with 1.5.3 (when released) due to the static linking nature of the Go toolchain. Regards, jason
Current thread:
- CVE request for math/big.Exp Jason Buberel (Dec 21)
- Re: CVE request for math/big.Exp Florian Weimer (Dec 21)
- Re: CVE request for math/big.Exp cve-assign (Dec 22)
- Re: CVE request for math/big.Exp Jason Buberel (Dec 22)
- Re: Re: CVE request for math/big.Exp Jessie Frazelle (Dec 22)
- Re: CVE request for math/big.Exp Jason Buberel (Dec 22)