Debian Stretch DLA-2485-1 Critical: golang-golang-x-net-dev DoS Threat
debian lts
December 9, 2020
The http2 server support in this package was vulnerable to certain types of DOS attacks
Topics Covered
Summary
CVE-2019-9512
This code was vulnerable to ping floods, potentially leading to a denial of
service. The attacker sends continual pings to an HTTP/2 peer, causing the peer
to build an internal queue of responses. Depending on how efficiently this data
is queued, this can consume excess CPU, memory, or both.
CVE-2019-9514
This code was vulnerable to a reset flood, potentially leading to a denial
of service. The attacker opens a number of streams and sends an invalid request
over each stream that should solicit a stream of RST_STREAM frames from the
peer. Depending on how the peer queues the RST_STREAM frames, this can consume
excess memory, CPU, or both.
For Debian 9 stretch, these problems have been fixed in version
1:0.0+git20161013.8b4af36+dfsg-3+deb9u1.
We recommend that you upgrade your golang-golang-x-net-dev packages.
For the detailed security status of golang-golang-x-net-dev please refer to
its security tracker page at:
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: golang-golang-x-net-dev
Version: 1:0.0+git20161013.8b4af36+dfsg-3+deb9u1
CVE ID: CVE-2019-9512 CVE-2019-9514
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!