ArchLinux: 201910-12: go: denial of service

    Date: 23 Oct 2019
    Category: ArchLinux
    Posted By: LinuxSecurity Advisories
    The package go before version 2:1.13.3-1 is vulnerable to denial of service.
    Arch Linux Security Advisory ASA-201910-12
    ==========================================
    
    Severity: Medium
    Date    : 2019-10-21
    CVE-ID  : CVE-2019-17596
    Package : go
    Type    : denial of service
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-1051
    
    Summary
    =======
    
    The package go before version 2:1.13.3-1 is vulnerable to denial of
    service.
    
    Resolution
    ==========
    
    Upgrade to 2:1.13.3-1.
    
    # pacman -Syu "go>=2:1.13.3-1"
    
    The problem has been fixed upstream in version 1.13.3.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    Invalid DSA public keys can cause a panic in dsa.Verify. In particular,
    using crypto/x509.Verify on a crafted X.509 certificate chain can lead
    to a panic, even if the certificates don’t chain to a trusted root. The
    chain can be delivered via a crypto/tls connection to a client, or to a
    server that accepts and verifies client certificates. net/http clients
    can be made to crash by an HTTPS server, while net/http servers that
    accept client certificates will recover the panic and are unaffected.
    
    Moreover, an application might crash invoking
    crypto/x509.(*CertificateRequest).CheckSignature on an X.509
    certificate request, parsing a golang.org/x/crypto/openpgp Entity, or
    during a golang.org/x/crypto/otr conversation. Finally, a
    golang.org/x/crypto/ssh client can panic due to a malformed host key,
    while a server could panic if either PublicKeyCallback accepts a
    malformed public key, or if IsUserAuthority accepts a certificate with
    a malformed public key.
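    The defensive pattern the description implies, as an added example that is not part of the advisory or of Go's own code: a client-side chain check that screens any DSA public key for the unusable parameters (non-positive P, Q or G, Y out of range) before path validation, and runs x509 verification under a recover so a verifier panic is surfaced as an error, as net/http servers already do. The function names and the toy key values are this example's own assumptions.

```go
package main

import (
	"crypto/dsa"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
)

// ErrBadDSAKey marks a DSA public key whose parameters are unusable.
var ErrBadDSAKey = errors.New("dsa: malformed public key parameters")

// validateDSAPublicKey rejects keys with missing or non-positive P, Q or G,
// or Y outside (1, P); such keys reached dsa.Verify before Go 1.13.3.
// Short-circuit evaluation keeps the nil checks ahead of the big.Int calls.
func validateDSAPublicKey(pub *dsa.PublicKey) error {
	if pub == nil || pub.P == nil || pub.Q == nil || pub.G == nil || pub.Y == nil ||
		pub.P.Sign() <= 0 || pub.Q.Sign() <= 0 || pub.G.Sign() <= 0 ||
		pub.Y.Cmp(big.NewInt(1)) <= 0 || pub.Y.Cmp(pub.P) >= 0 {
		return ErrBadDSAKey
	}
	return nil
}

// verifyPeerChain screens every DSA key in the peer-presented chain, then
// runs x509 path validation inside a recover so that a verifier panic is
// reported as an error instead of taking down the client process.
func verifyPeerChain(presented []*x509.Certificate, roots *x509.CertPool, dnsName string) (err error) {
	if len(presented) == 0 {
		return errors.New("no certificates presented")
	}
	for i, c := range presented {
		if pub, ok := c.PublicKey.(*dsa.PublicKey); ok {
			if e := validateDSAPublicKey(pub); e != nil {
				return fmt.Errorf("certificate %d: %w", i, e)
			}
		}
	}
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("x509 verification panicked: %v", r)
		}
	}()
	inter := x509.NewCertPool() // everything after the leaf is treated as an intermediate
	for _, c := range presented[1:] {
		inter.AddCert(c)
	}
	_, err = presented[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: dnsName})
	return err
}
```

A TLS client would call verifyPeerChain from a tls.Config VerifyPeerCertificate callback after parsing the raw certificates it receives.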
    
    Impact
    ======
    
    A remote attacker can perform a denial of service attack by crafting a
    malicious certificate chain.
    
    References
    ==========
    
    https://github.com/golang/go/issues/34960
    https://security.archlinux.org/CVE-2019-17596
    