ArchLinux: 201910-12: go: denial of service

    Date 23 Oct 2019
    Posted By LinuxSecurity Advisories
    The package go before version 2:1.13.3-1 is vulnerable to denial of service.
    Arch Linux Security Advisory ASA-201910-12
    ==========================================
    
    Severity: Medium
    Date    : 2019-10-21
    CVE-ID  : CVE-2019-17596
    Package : go
    Type    : denial of service
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-1051
    
    Summary
    =======
    
    The package go before version 2:1.13.3-1 is vulnerable to denial of
    service.
    
    Resolution
    ==========
    
    Upgrade to 2:1.13.3-1.
    
    # pacman -Syu "go>=2:1.13.3-1"
    
    The problem has been fixed upstream in version 1.13.3.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    Invalid DSA public keys can cause a panic in dsa.Verify. In particular,
    using crypto/x509.Verify on a crafted X.509 certificate chain can lead
    to a panic, even if the certificates don’t chain to a trusted root. The
    chain can be delivered via a crypto/tls connection to a client, or to a
    server that accepts and verifies client certificates. net/http clients
    can be made to crash by an HTTPS server, while net/http servers that
    accept client certificates will recover the panic and are unaffected.
    
    Moreover, an application might crash invoking
    crypto/x509.(*CertificateRequest).CheckSignature on an X.509
    certificate request, parsing a golang.org/x/crypto/openpgp Entity, or
    during a golang.org/x/crypto/otr conversation. Finally, a
    golang.org/x/crypto/ssh client can panic due to a malformed host key,
    while a server could panic if either PublicKeyCallback accepts a
    malformed public key, or if IsUserAuthority accepts a certificate with
    a malformed public key.
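
A defensive wrapper for code that must verify DSA signatures from untrusted peers, added here as an example (it is neither Go's nor Arch's code): it performs up front the modulus, range and invertibility checks that the 1.13.3 fix added inside dsa.Verify, and turns any residual panic into a plain verification failure instead of a crash. The 8-bit group in toyKey is a constructed value so the demo runs instantly; real keys come from dsa.GenerateParameters and dsa.GenerateKey.

```go
package main

import (
	"crypto/dsa"
	"crypto/rand"
	"fmt"
	"math/big"
)

// SafeDSAVerify (added example, not Go's own code) wraps dsa.Verify with the
// checks that a crafted key or signature could otherwise turn into a panic: P = 0
// makes big.Int divide by zero, and an s with no inverse mod Q makes ModInverse
// return nil, which the unpatched Verify then dereferenced.
func SafeDSAVerify(pub *dsa.PublicKey, hashed []byte, r, s *big.Int) (ok bool) {
	defer func() { // belt and braces: any residual panic is a failed verification
		if recover() != nil {
			ok = false
		}
	}()
	if pub == nil || pub.P == nil || pub.Q == nil || pub.G == nil || pub.Y == nil ||
		pub.P.Sign() <= 0 || pub.Q.Sign() <= 0 || pub.G.Sign() <= 0 {
		return false
	}
	// FIPS 186-3, section 4.7: both signature values must lie in (0, Q).
	if r == nil || s == nil || r.Sign() < 1 || r.Cmp(pub.Q) >= 0 ||
		s.Sign() < 1 || s.Cmp(pub.Q) >= 0 {
		return false
	}
	if new(big.Int).ModInverse(s, pub.Q) == nil { // s and Q are not coprime
		return false
	}
	return dsa.Verify(pub, hashed, r, s)
}

// toyKey is a constructed 8-bit DSA group (p=263, q=131, g=4, x=7, y=g^x mod p)
// used only so the demo runs instantly; never use such parameters for real.
func toyKey() *dsa.PrivateKey {
	params := dsa.Parameters{P: big.NewInt(263), Q: big.NewInt(131), G: big.NewInt(4)}
	return &dsa.PrivateKey{PublicKey: dsa.PublicKey{Parameters: params, Y: big.NewInt(78)}, X: big.NewInt(7)}
}

func main() {
	priv := toyKey()
	hash := []byte{0x2a} // already truncated to Q's byte length, as dsa.Sign expects
	r, s, _ := dsa.Sign(rand.Reader, priv, hash)
	fmt.Println("genuine signature:", SafeDSAVerify(&priv.PublicKey, hash, r, s)) // true
	zeroP := dsa.PublicKey{Parameters: dsa.Parameters{P: big.NewInt(0), Q: priv.Q, G: priv.G}, Y: priv.Y}
	fmt.Println("zero modulus:", SafeDSAVerify(&zeroP, hash, r, s)) // false
	evenQ := dsa.PublicKey{Parameters: dsa.Parameters{P: priv.P, Q: big.NewInt(128), G: priv.G}, Y: priv.Y}
	fmt.Println("non-invertible s:", SafeDSAVerify(&evenQ, hash, big.NewInt(5), big.NewInt(4))) // false
}
```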
    
    Impact
    ======
    
    A remote attacker can perform a denial of service attack by crafting a
    malicious certificate chain.
    
    References
    ==========
    
    https://github.com/golang/go/issues/34960
    https://security.archlinux.org/CVE-2019-17596
    
