Advisories » MGASA-2019-0251

Updated golang packages fix security vulnerabilities

Publication date: 06 Sep 2019
Modification date: 06 Sep 2019
Type: security
Affected Mageia releases : 6 , 7
CVE: CVE-2019-9512 , CVE-2019-9514 , CVE-2019-14809

Description

Updated golang packages fix security vulnerabilities:

Some HTTP/2 implementations are vulnerable to ping floods, potentially
leading to a denial of service. The attacker sends continual pings to an
HTTP/2 peer, causing the peer to build an internal queue of responses.
Depending on how efficiently this data is queued, this can consume excess
CPU, memory, or both (CVE-2019-9512)

Some HTTP/2 implementations are vulnerable to a reset flood, potentially
leading to a denial of service. The attacker opens a number of streams and
sends an invalid request over each stream that should solicit a stream of
RST_STREAM frames from the peer. Depending on how the peer queues the
RST_STREAM frames, this can consume excess memory, CPU, or both
(CVE-2019-9514).

net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed
hosts in URLs, leading to an authorization bypass in some applications.
This is related to a Host field with a suffix appearing in neither
Hostname() nor Port(), and is related to a non-numeric port number.
(CVE-2019-14809)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=25372
• https://www.debian.org/security/2019/dsa-4503
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809

SRPMS

6/core

• golang-1.11.13-1.mga6

7/core

• golang-1.12.8-1.mga7