Advisories » MGASA-2020-0468

Updated golang-googlecode-net package fixes security vulnerabilities

Publication date: 21 Dec 2020
Modification date: 21 Dec 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2019-9512 , CVE-2019-9514

Description

This code was vulnerable to ping floods, potentially leading to a denial of
service. The attacker sends continual pings to an HTTP/2 peer, causing the peer
to build an internal queue of responses. Depending on how efficiently this data
is queued, this can consume excess CPU, memory, or both (CVE-2019-9512).

This code was vulnerable to a reset flood, potentially leading to a denial of
service. The attacker opens a number of streams and sends an invalid request
over each stream that should solicit a stream of RST_STREAM frames from the
peer. Depending on how the peer queues the RST_STREAM frames, this can consume
excess memory, CPU, or both (CVE-2019-9514).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=27792
• https://www.debian.org/lts/security/2020/dla-2485
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514

SRPMS

7/core

• golang-googlecode-net-0-0.3.mga7