CVE-2019-11840
Description
An issue was discovered in the supplementary Go cryptography library, golang.org/x/crypto, before v0.0.0-20190320223903-b7391e95e576. A flaw was found in the amd64 implementation of the golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa packages. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
golang.org/x/cryptoGo | < 0.0.0-20190320223903-b7391e95e576 | 0.0.0-20190320223903-b7391e95e576 |
Affected products
13- golang.org/x/cryptodescription
- osv-coords8 versionspkg:apk/chainguard/dex-k8s-authenticatorpkg:apk/chainguard/k3dpkg:apk/chainguard/k3d-proxypkg:apk/chainguard/k3d-toolspkg:apk/wolfi/k3dpkg:apk/wolfi/k3d-proxypkg:apk/wolfi/k3d-toolspkg:golang/golang.org/x/crypto
< 0+ 7 more
- (no CPE)range: < 0
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 0.0.0-20190320223903-b7391e95e576
Patches
Vulnerability mechanics
References
17- go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113dnvdMailing ListPatchThird Party AdvisoryWEB
- bugzilla.redhat.com/show_bug.cginvdIssue TrackingVendor AdvisoryWEB
- github.com/advisories/GHSA-r5c5-pr8j-pfp7ghsaADVISORY
- github.com/golang/go/issues/30965nvdThird Party AdvisoryWEB
- lists.debian.org/debian-lts-announce/2019/06/msg00029.htmlnvdMailing ListThird Party AdvisoryWEB
- lists.debian.org/debian-lts-announce/2020/10/msg00014.htmlnvdMailing ListThird Party AdvisoryWEB
- lists.debian.org/debian-lts-announce/2020/11/msg00016.htmlnvdMailing ListThird Party AdvisoryWEB
- lists.debian.org/debian-lts-announce/2020/11/msg00030.htmlnvdMailing ListThird Party AdvisoryWEB
- lists.debian.org/debian-lts-announce/2021/01/msg00015.htmlnvdMailing ListThird Party AdvisoryWEB
- lists.debian.org/debian-lts-announce/2023/06/msg00017.htmlnvdThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2019-11840ghsaADVISORY
- pkg.go.dev/vuln/GO-2022-0209nvdThird Party AdvisoryWEB
- go.dev/cl/168406ghsaWEB
- go.dev/issue/30965ghsaWEB
- groups.google.com/forum/ghsaWEB
- groups.google.com/forum/nvdPermissions Required
- groups.google.com/g/golang-announce/c/tjyNcJxb2vQ/m/n0NRBziSCAAJghsaWEB
News mentions
0No linked articles in our index yet.