Corrective releases 1.11.5 and 1.10.8 of the Go programming language have been published, fixing a vulnerability in the crypto module. The problem is caused by a flaw in the implementation of elliptic curves that can be used to trigger a denial of service by creating a heavy load on the CPU. It is not ruled out that the flaw could also be used in attacks that recover an ECDH private key if the key is reused more than once.
The vulnerability can be exploited in applications that process incoming X.509 certificates, ECDSA digital signatures and JWT tokens. The attack can also be carried out against client or server applications that use ECDH-based protocols and TLS connections (when using the TLS implementation of the Go language). In distributions the problem is still unfixed (Debian, RHEL / EPEL, Fedora, SUSE, Ubuntu, FreeBSD).
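As an added example (not code from the article or from the Go project), the following check classifies a Go version string against the fixed releases named above, 1.10.8 and 1.11.5. The function name `HasEllipticFix` is hypothetical, and the handling of release lines older than 1.10, of 1.12 and later, and of beta/rc builds is an assumption stated in the comments.

```go
package main

import (
	"fmt"
	"regexp"
	"runtime"
	"strconv"
)

// Matches release strings such as "go1.11.5", "go1.10" or "go1.12beta2".
var goVersionRE = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?(beta|rc)?`)

// HasEllipticFix reports whether a Go version string is at or above the fixed
// releases named in the article (1.10.8 and 1.11.5). known is false when the
// string is not a release version (for example "devel +abc123").
// Assumptions: release lines older than 1.10 never received the fix, final
// releases from 1.12 onward include it, and beta/rc builds of 1.10, 1.11 and
// 1.12 are conservatively treated as unpatched.
func HasEllipticFix(version string) (patched, known bool) {
	m := goVersionRE.FindStringSubmatch(version)
	if m == nil {
		return false, false
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch, _ := strconv.Atoi(m[3]) // an absent patch level ("") yields 0
	pre := m[4] != ""
	switch {
	case major > 1 || (major == 1 && minor >= 13):
		return true, true
	case major == 1 && minor == 12:
		return !pre, true
	case major == 1 && minor == 11:
		return !pre && patch >= 5, true
	case major == 1 && minor == 10:
		return !pre && patch >= 8, true
	default:
		return false, true
	}
}

func main() {
	v := runtime.Version()
	patched, known := HasEllipticFix(v)
	fmt.Printf("%s: patched=%v known=%v\n", v, patched, known)
}
```

The version string of an already compiled binary can be read with `go version path/to/binary` (Go 1.13 and later toolchains) and passed to the same function.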