x509: CPU denial of service in chain validation[CVE-2018-16875]

[zouyee]

From golang/go#29233

Package crypto/x509 parses and validates X.509-encoded keys and certificates. It's supposed to handle certificate chains provided by an attacker with reasonable resource use.

The crypto/x509 package does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients verifying certificates are affected.

Go 1.11.3 and 1.10.6 have been released with this fixed.

[zouyee]

/assign @mattmoor

[mattmoor]

/lgtm
/approve

[mattmoor]

/ok-to-test
/assign @adrcunha

[adrcunha]

/hold

Thanks, @zouyee. We don't have any running go server in test-infra so we're good. The only tools built are for testing, and #317 is a superset of this change (only changing the go version won't work, that's why the build tests are failing for this PR).

[knative-prow-robot]

New changes are detected. LGTM label has been removed.

[knative-prow-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mattmoor, zouyee
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approver: adrcunha

If they are not already assigned, you can assign the PR to them by writing /assign @adrcunha in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[zouyee]

/ok-to-test

[zouyee]

@adrcunha @mattmoor PTAL

[adrcunha]

I still prefer #319 over this one, because that also keeps the external repository definitions in sync with the kubernetes/test-infra repo (from where the config checkers are built).